(The news
featured below is a selection from the news covered in the Federal Securities
Report Letter, which is distributed to subscribers of the Federal
Securities Law Reports.)
Fed Gov. Bies Examines Audit
Committees, Internal Controls
Audit committees must pave the way
for quality assurance over the internal audit, declared Federal Reserve Board
Governor Susan Schmidt Bies, and they should provide for the utmost
independence, objectivity and professionalism of the internal audit process. The
audit committee sets the tone, she continued, and the goal for internal audit
should be to have no internal control surprises.
In remarks before a conference of
state bank supervisors in Asheville, North Carolina, she discussed the
Sarbanes-Oxley Act requirements that management present its assessment of the
effectiveness of the company's internal controls and that the outside auditor
attest to management's assessment. This is because she can relate the experience
under similar federal banking law provisions mandating a management report on
the quality of internal controls and outside auditor attestation to that control
evaluation. The SEC has just adopted rules implementing the Sarbanes-Oxley Act
internal controls provisions.
Experience under the banking law
attestation requirement, on which the Sarbanes-Oxley Act provisions were
modeled, reveals that notable deficiencies crept into the quality of the work
performed by management over time as businesses grew and new products were
added. Management became less vigilant in the internal control area because of
increased performance pressures. According to Ms. Bies, this behavior is
counterintuitive when dealing with internal controls. As the business grows and
new products are added, she emphasized, that is precisely the time when
management needs to ensure that adequate controls are in place to mitigate
risks.
Further, risk-focused audit
programs should be reviewed regularly to ensure audit resources are focused on
the higher-risk areas as the company grows and produces and processes change. As
lower-risk areas come up for review, auditors should do enough transaction
testing to be confident in their risk rating. Audit committees should receive
reports on all breaks in internal controls to determine where the auditing
process can be strengthened.
In addition, before a company
moves into new or higher-risk areas, the board of directors and management
should receive assurances from internal audit that the tools are in place to
ensure that the basics of sound governance will be followed. The audit
committee, said Gov. Bies, should actively engage the internal auditor to ensure
that risk assessment and control process over financial reporting are vigorous.
Many of the companies that have seen their reputations tarnished in the past two
years, she noted, have not considered emerging conflicts of interest when adding
new products and lines of business. Thus, she emphasized the importance of
making sure that appropriate firewalls are in place before the product or
activity begins.
The audit committee should also
require the highest possible level of independence for the internal audit
process and eliminate any threats to this independence, she emphasized, such as
the tendency for some internal auditors to act as management consultants within
the organization. Internal auditors add value by being effective independent
assessors of the quality of the internal control framework and processes.
Auditors lose their independence when they perform management consulting roles
for which they later will have to render an opinion.
Turning to a discussion of the
outside auditors who must attest to the effectiveness of internal controls, Gov.
Bies said that some auditors have a tendency to gloss over internal control
deficiencies or simply ignore significant control deficiencies because they are
immaterial. But, in her view, it is not meaningful for auditors to apply a
financial statement concept of materiality to an attestation engagement on
internal controls. From a supervisory perspective, the Fed would consider the
existence of a series of such immaterial deficiencies to be useful information
in assessing the quality of the internal and external audit process. This
mindset in the auditing community must change, she cautioned.
A secondary cause of audit
failures is lax professional standards. Examples in the banking area are the
professional standards for attestation engagements. Currently, the standards
don't require auditors to perform any independent testing of controls. Under the
current standards, auditors can simply rely on the work of internal audit as the
basis for issuing an attestation report on management's report on the
effectiveness of internal controls. There is virtually no guidance on the
criteria auditors should use to issue a qualified opinion.
The Federal Reserve Board believes
that the professional standards in this area need to be more robust. Ms. Bies
vowed that the Federal Reserve will work with the newly created Pubic Company
Accounting Oversight Board to ensure that high-quality professional standards
are created and that a robust process for ensuring audit quality is implemented.
|