(The news
featured below is a selection from the news covered in the Federal Securities
Report Letter, which is distributed to subscribers of the Federal
Securities Law Reports.)
Federal Reserve Governor
Examines Internal Auditor Functions
Noting that the Sarbanes-Oxley Act
is a wake-up call for internal auditors, Federal Reserve Board Governor Susan
Schmidt Bies exhorted them to " step up to the plate "and help
corporate risk officers and managers reinvigorate the risk assessment and
control process over financial reporting. As part of this effort, she continued,
internal auditors must demonstrate independence from management and loyalty to
the audit committee. She warned them not to become roaming internal management
consultants because going down that path would lead to loss of independence. In
remarks at the Institute for Internal Auditors, Ms. Bies also emphasized that
the board of directors and senior management cannot delegate the responsibility
for having an effective system of internal control.
Section 404 of the Sarbanes-Oxley
Act requires management to present its assessment of the effectiveness of the
company's internal controls in the annual report. In addition, the company's
outside auditor must attest to management's assessment of internal controls as
an integral part of its audit report. Section 404 is modeled on provisions in
the Federal Deposit Insurance Corporation Improvement Act requiring an annual
management report on the quality of internal controls and outside auditor
attestation to that control evaluation.
According to the Federal Reserve
official, the message that the Sarbanes-Oxley Act delivers to internal auditors
is that they are uniquely positioned within the company to ensure that its
corporate governance, financial reporting and disclosure controls, and
risk-management practices are functioning effectively. Although internal
auditors are not specifically mentioned in Sarbanes-Oxley, they have within
their purview of internal control the responsibility to evaluate all of an
entity's systems, processes, operations, functions, and activities.
In the view of Gov. Bies, since
directors do not serve full time, it is important that the internal auditor
establish an annual agenda for boards and audit committees to focus their
attention on the high-risk and emerging risk areas, while ensuring that there
are effective preventive controls over the low-risk areas. The challenge of the
auditor is to ensure that the internal audit staff has the expertise and ongoing
training to meet the specific and changing risks of the organization.
Boards of directors are
responsible for ensuring an effective audit process and adequate internal
controls. In her view, the reporting lines of the internal audit function should
be such that the information that directors receive is impartial and not unduly
influenced by management. Internal audit is a key element of management's
responsibility to validate the strength of internal controls.
Gov. Bies believes internal
controls are the responsibility of line managers, who must determine the
acceptable level of risk in their line of business and assure themselves that
the combination of earnings, capital, and internal controls is sufficient to
compensate for the risk exposures. Supporting functions such as accounting,
internal audit, risk management, credit review, compliance, and legal should
independently monitor the control processes to ensure that they are effective
and that risks are measured appropriately.
The results of these independent
reviews should be routinely reported to executive management and the board.
Directors should be sufficiently engaged in the process to determine whether
these reviews are in fact independent of the operating areas and whether the
auditors conducting the reviews can speak freely. In addition, she stressed that
directors must demand that management fix problems promptly and provide
appropriate evidence to internal audit confirming this. Gov. Bies advised
internal auditors that they will not be effective unless they report directly to
the audit committee, adding that the company's entire quality assurance and
monitoring program will be tainted if internal auditors are not accountable to
the audit committee.
If an audit committee asks for
recommendations on how to improve independence, she continued, the internal
auditor's response should be that the test for any recommended change is whether
it makes management more accountable for the ongoing effectiveness of internal
controls and makes the internal audit function more effective in both monitoring
and process validation. If the audit committee is not ready for accommodation on
this point, she advised that the issue be raised with the full board and the
outside auditor.
She also urged internal auditors
to abandon the idea of becoming the roaming general management consultant within
the company, adding that auditors lose their independence when they perform
management consulting roles for which they later will have to render an opinion.
Auditors uniquely have both the ability and responsibility to look across all of
the management silos within the company and make sure that the system of
internal controls has no gaps and that the control framework is continually
reviewed to keep up with corporate initiatives and reorganizations.
Finally, she noted that internal
auditors are the independent eyes and ears of the audit committee around the
organization. They know which managers and which projects are likely to entail
greater weaknesses in controls. By helping senior management address these risks
before losses occur, reasoned Gov. Bies, internal auditors help protect the
reputation of managers and the company as well as increasing their own
credibility. Prompt reporting to the audit committee and timely resolution of
audit findings will build additional credibility with the committee, she
believes, provided that internal auditors follow through to ensure that managers
are taking control and governance issues seriously.
|