As nearly everyone knows by now, one of the most significant provisions of Sarbanes-Oxley is "Management Assessment Of Internal Controls," known to most firms as "SOX 404."

Section 404 requires that annual reports be accompanied by a statement clarifying that company management is responsible for creating and maintaining adequate internal controls, and that management has assessed the effectiveness of those controls.

And, of course, the company's auditor must subsequently attest to the IC assessment.

Implementation

The SEC has implemented SOX 404 by requiring management's annual internal control report to contain, among other things, two key components:

A statement of management's responsibility for establishing and maintaining adequate internal control over corporate financial reporting, and

A statement identifying the framework used by management to evaluate the effectiveness of this internal control.

There must also be a management assessment of the effectiveness of the internal control as of the end of the company's most recent fiscal year, as well as a statement that its auditor has issued an attestation report on management's assessment.

Audit Committee Impact

There is no doubt that the new Section 404 mandate will have an impact on Audit Committees and internal auditors.

Although internal auditors are not specifically mentioned in the Sarbanes-Oxley Act, they have within their purview of internal control the responsibility to examine and evaluate all of a company's systems, processes, operations, functions, and activities.

Thus, they are subject to a number of challenges in the Sarbanes-Oxley era.

Direct Line

The Audit Committee has a role to play in ensuring that the company has robust internal and reporting controls. The new regulatory regime helps the Committee in this regard by requiring that officers assess the company's controls, and certify that they have disclosed any significant deficiencies to the Audit Committee.

To foster additional support for internal auditors and to help meet the requirements of the Act for handling complaints relating to internal controls, SEC Commissioner Cynthia Glassman has advised that the head of internal audit should have a direct line of communication to the Audit Committee.

Similarly, even before the passage of Sarbanes-Oxley, then-SEC Chief Accountant Robert Herdman noted the importance of the Audit Committee's understanding of the company's internal control structure and its assessment of the internal audit's effectiveness.

And Federal Reserve Board Governor Susan Schmidt Bies believes that, in order to be effective, internal auditors should report directly to the Audit Committee since the company's entire quality assurance and monitoring program will be tainted if the internal auditors are not accountable to the Audit Committee.

Independence From Management

With all this in mind, as a best practice, the Audit Committee should actively engage the internal auditor to ensure that the risk assessment and control processes over financial reporting are vigorous.

In addition, the issue of internal auditor independence directly involves the Audit Committee.

The internal auditor should demonstrate independence from management and loyalty to the Audit Committee, and not just the appearance of independence. In turn, the Audit Committee should require the highest possible level of independence for the internal audit process and eliminate any threats to this independence, such as the tendency for some internal auditors to act as management consultants within the organization.

Eyes and Ears

Internal auditors can play a valuable role as the independent eyes and ears of the Audit Committee around the organization. As they work throughout the organization, they know which managers and which projects are likely to entail greater weaknesses in controls.

Prompt reporting to the Audit Committee and timely resolution of audit findings will build credibility with the Committee.

The question of how granular Audit Committee oversight over the internal control process should be is inherently difficult. Beyond the strict regulatory requirements, the clear thrust of the rules is that Audit Committee members need to be inquisitive, which means they should put their financial literacy to good use.

This does not mean, however, that Audit Committee members have to re-audit the financial statements or re-design internal controls.

According to Commissioner Glassman, it does mean that they should have a healthy skepticism and pursue issues until they are satisfied they have received adequate information to make an informed judgment. This is especially true with respect to instances that involve real or potential conflicts of interest for management or auditors.

Regular Review

As a best practice, risk-focused audit programs should be reviewed regularly to ensure audit resources are focused on the higher-risk areas as the company grows and products and processes change.

As lower-risk areas come up for review, auditors should do enough transaction testing to be confident in their risk rating. Audit Committees should receive reports on all breaks in internal controls to determine where the auditing process can be strengthened.

In a broad sense, there is the belief that Audit Committees must pave the way for quality assurance over the internal audit and provide for the utmost independence, objectivity, and professionalism of the internal audit process.

The Audit Committee sets the tone for the internal audit, in the view of Gov. Bies.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.