(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

Fed Gov. Bies Examines Audit Committees, Internal Controls

Audit committees must pave the way for quality assurance over the internal audit, declared Federal Reserve Board Governor Susan Schmidt Bies, and they should provide for the utmost independence, objectivity and professionalism of the internal audit process. The audit committee sets the tone, she continued, and the goal for internal audit should be to have no internal control surprises.

In remarks before a conference of state bank supervisors in Asheville, North Carolina, she discussed the Sarbanes-Oxley Act requirements that management present its assessment of the effectiveness of the company's internal controls and that the outside auditor attest to management's assessment. This is because she can relate the experience under similar federal banking law provisions mandating a management report on the quality of internal controls and outside auditor attestation to that control evaluation. The SEC has just adopted rules implementing the Sarbanes-Oxley Act internal controls provisions.

Experience under the banking law attestation requirement, on which the Sarbanes-Oxley Act provisions were modeled, reveals that notable deficiencies crept into the quality of the work performed by management over time as businesses grew and new products were added. Management became less vigilant in the internal control area because of increased performance pressures. According to Ms. Bies, this behavior is counterintuitive when dealing with internal controls. As the business grows and new products are added, she emphasized, that is precisely the time when management needs to ensure that adequate controls are in place to mitigate risks.

Further, risk-focused audit programs should be reviewed regularly to ensure audit resources are focused on the higher-risk areas as the company grows and produces and processes change. As lower-risk areas come up for review, auditors should do enough transaction testing to be confident in their risk rating. Audit committees should receive reports on all breaks in internal controls to determine where the auditing process can be strengthened.

In addition, before a company moves into new or higher-risk areas, the board of directors and management should receive assurances from internal audit that the tools are in place to ensure that the basics of sound governance will be followed. The audit committee, said Gov. Bies, should actively engage the internal auditor to ensure that risk assessment and control process over financial reporting are vigorous. Many of the companies that have seen their reputations tarnished in the past two years, she noted, have not considered emerging conflicts of interest when adding new products and lines of business. Thus, she emphasized the importance of making sure that appropriate firewalls are in place before the product or activity begins.

The audit committee should also require the highest possible level of independence for the internal audit process and eliminate any threats to this independence, she emphasized, such as the tendency for some internal auditors to act as management consultants within the organization. Internal auditors add value by being effective independent assessors of the quality of the internal control framework and processes. Auditors lose their independence when they perform management consulting roles for which they later will have to render an opinion.

Turning to a discussion of the outside auditors who must attest to the effectiveness of internal controls, Gov. Bies said that some auditors have a tendency to gloss over internal control deficiencies or simply ignore significant control deficiencies because they are immaterial. But, in her view, it is not meaningful for auditors to apply a financial statement concept of materiality to an attestation engagement on internal controls. From a supervisory perspective, the Fed would consider the existence of a series of such immaterial deficiencies to be useful information in assessing the quality of the internal and external audit process. This mindset in the auditing community must change, she cautioned.

A secondary cause of audit failures is lax professional standards. Examples in the banking area are the professional standards for attestation engagements. Currently, the standards don't require auditors to perform any independent testing of controls. Under the current standards, auditors can simply rely on the work of internal audit as the basis for issuing an attestation report on management's report on the effectiveness of internal controls. There is virtually no guidance on the criteria auditors should use to issue a qualified opinion.

The Federal Reserve Board believes that the professional standards in this area need to be more robust. Ms. Bies vowed that the Federal Reserve will work with the newly created Pubic Company Accounting Oversight Board to ensure that high-quality professional standards are created and that a robust process for ensuring audit quality is implemented.