At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

QUESTION 1

How do you reconcile internal auditing being a necessary part of the control framework, when Section 404 testing performed by internal audit clearly could not be part of the control framework? That is, how can testing your control framework be part of your control framework?

ANSWER 1

Travis Drouin—This question is best answered by first agreeing on what the internal audit function is within an organization. Internal auditing has existed since long before the advent of the Sarbanes-Oxley Act, and therefore should not be confused with compliance under Section 404 of SOX or the COSO framework. It might help to compare the IA function to other functional areas within an organization, such as human resources. The HR department exists to mitigate risk exposures within an organization, and serves a necessary management function within the company. The company’s management team and board rely on the functional areas of the business—such as human resources—to execute in a manner that promotes efficiency, mitigates risk, and contributes to the company’s strategic goals and objectives. In this regard, the IA function is no different than any other functional area of an organization.

All functional areas of a company are inherently a part of the COSO control framework. The framework, however, does not state that internal audit is a necessary part of the control framework; it does require that management implement controls to test and monitor the effectiveness of the control environment. This could be accomplished in a number of ways, and the establishment of an IA function is only one of them. The IA function acts as a control environment mechanism to assuage an organization’s risk profile and to provide management with independent statistics on the effectiveness of its critical functions. Assuming that the IA function is established along the lines of good practices, and subscribes to standard protocols, it can independently test each functional area (except itself) to ensure that that function is performing well and executing its responsibilities. It is the board’s responsibility to assess the effectiveness of the IA function, and facilitate the internal management assessment process.

QUESTION 2

If these are two distinct efforts, and internal audit’s Section 404 testing was found to be inadequate, shouldn’t that inadequacy then be judged as a possible impairment in management’s ability to assess controls—and, consequently, perhaps result in an unfavorable Section 404 opinion, rather than a possible material weakness required to be disclosed under Section 404?

ANSWER 2

Drouin—It is important to preface this response by noting that the Securities and Exchange Commission’s recently proposed guidance in December 2006 will eliminate the auditor’s Section 404 reporting requirements relative to management’s assessment process. Still, until that happens, we will proceed under the rules that exist today.

Your question implies that an outside party such as the company’s external auditor will assess the internal audit department’s Section 404 testing process, and may deem such testing to be inadequate and an impairment to management’s control evaluation process. It is management’s responsibility to ensure that the necessary 404 testing is performed to support its assessment of the company’s internal controls over financial reporting, and adequacy of such testing is arguably a matter of professional judgment. One might argue that an affirmation of an organization’s internal controls over financial reporting by way of management’s Section 404 assessment, by definition, implies that management’s 404 testing was deemed adequate by the company’s management team. It is incumbent upon the external auditor to argue that management’s internal 404 testing process, whether or not performed by the internal auditors, is insufficient, resulting in a possible material weakness disclosure.

Without a specific fact pattern, covering all possible scenarios is difficult. However, consider this hypothetical fact pattern: A company assesses certain financial reporting controls as low-risk areas and performs limited or no testing of such areas. The external auditor then performs its audit procedures and deems one of those management-assessed low-risk areas as a high-risk audit consideration. The external auditor might then argue that management’s ability to assess its internal controls over financial reporting is inadequate. But if the risk assessment is well documented and takes into account all relevant facts and considerations, one might argue that management’s ability to assess its own internal controls is not inadequate, and the external auditor should consider its own test results of that area before deciding whether management’s assessment and testing process may lead to a material weakness disclosure.

QUESTION 3

Paragraph 140 of Auditing Standard No. 2 states that the lack of an effective internal audit function or risk assessment function generally should be regarded as at least a significant deficiency. But if internal audit’s main function is 404 testing, and if you make a distinction between internal audit testing and 404 testing, then, in effect, there is no internal audit function—and if there is also no formal risk assessment function, then does a significant deficiency or worse exist by default?

ANSWER 3

Your question assumes that an internal audit department that exists solely to facilitate Section 404 testing is not deemed to be an effective internal audit function, as considered in paragraph 140 of AS2. However, Paragraph 140 states, in part:

The following “should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists: The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies.”

A company’s audit committee can selectively direct the efforts of the internal audit function. As such, it may deem steering those efforts towards Section 404 compliance to be in the company’s best interests. One can certainly argue that the IA function exists; as to its effectiveness, and how much the organization depends on the IA function for effective monitoring of internal controls over financial reporting, that may still be a matter of debate depending on your fact pattern.