Norman Marks asked me to write an article for Internal Auditor’s June 2010 issue.
Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP’s BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
This article is reprinted by permission with additional hyperlinks added that were not available in print editions.
Asking The Difficult Questions
Audit committees must proactively probe management and the auditors to gain insight and to make necessary oversight decisions.
by Francine McKenna
Audit committees have specific responsibilities with regard to their organization’s external auditors as a result of the U.S. Sarbanes-Oxley Act of 2002. The IIA’s Sample Audit Committee Charter emphasizes the importance of reviewing the proposed audit scope and approach for the audit, including coordination with internal auditing. Audit committees are expected to review the auditors’ performance and exercise final approval of their appointment or discharge. External auditor independence is required, thus any nonaudit services provided must be reviewed. Finally, audit committees are expected to hold regular private meetings with the external auditors to discuss important concerns.
External auditors also are required to communicate consistently and effectively with the audit committee. In the United States, the Public Company Accounting Oversight Board (PCAOB). Interim Auditing Standard AU 380 requires auditors to determine whether all audit-related matters are communicated to the committee:
- The auditor’s responsibility under Generally Accepted Auditing Standards (GAAS)
- Significant accounting policies
- Management judgments and accounting estimates
- Audit adjustments
- The auditor’s judgments about the quality of the entity’s accounting principles
- The quality of the management discussion and analysis (MD&A)
- Disagreements with management
- Consultation with other accountants
- Major issues discussed with management before retention
- Difficulties encountered in performing the audit
Audit committees too often rely on the auditors’ required disclosures without comment. They sometimes lack the independence, experience, or determination to ask the probing questions. It’s critical, however, that audit committees seek answers to vexing questions and not accept the response, “But that’s the way management has always done it.”
When audit committees take for granted that important issues will be raised without prompting, they risk failing to exercise business judgment, which can be personally and professionally damaging. The issue is so important that the PCAOB is considering a proposed audit standard on communications with audit committees and related amendments to its interim standards. From the audit committee perspective, the most sensitive and highly challenging issues it will ever likely deal with are:
- Responding to reports of possible fraud by senior executives
- Responding to whistleblower reports
- Evaluating the likelihood of management override of internal controls
According to the Powers Report of the Special Investigation Committee of the Board of Directors of Enron Corp., the Enron board and its committees needed to significantly improve their monitoring of executives and the internal and external auditors: “The board, and in particular the audit and compliance committee, has the duty of ultimate oversight over the company’s financial reporting. While the primary responsibility for financial reporting abuses discussed in the report lies with management, the participating members of the committee believe those abuses could and should have been prevented or detected at an earlier time had the board been more aggressive and vigilant.”
It’s very difficult to detect management override of internal controls. Audit committees can address this risk by:
- Maintaining an appropriate level of skepticism
- Continually strengthening the committee’s understanding of the business
- Brainstorming with the internal and external auditors about fraud risks
- Using the code of conduct/ethics to assess the financial reporting culture
- Ensuring the support of a vigorous whistleblower program
- Developing a broad information and feedback network that includes the internal and external auditors
It’s essential to implement the automatic and direct submission of all complaints involving senior management, including whistleblower complaints, to the audit committee to effectively monitor management override of controls. This means direct access without filtering by management or the internal or external auditors.
A whistleblower hotline is a statutory responsibility of the audit committee and cannot be delegated to company officials. Section 301 of Sarbanes-Oxley requires that audit committees establish effective whistleblowing procedures. Unfortunately, a recent Ethics Resource Center survey that examines how employees choose to report misconduct reveals that only 3 percent take their complaints to a hotline.
When allegations are made, the audit committee must decide whether to initiate a formal investigation. Under U.S. Securities and Exchange Commission (SEC) rules, the committee can engage the external audit firm to carry out a forensic/fraud investigation. However, this may not be the best course of action.
The Lehman Bankruptcy Examiner’s Report says the Lehmann audit committee asked Ernst & Young (E&Y) to support Internal Audit’s investigation of allegations made in a May 16, 2008, “whistleblower” letter sent to senior management. On June 12, 2008, Lehman’s Matthew Lee informed E&Y about his company’s alleged use of “Repo 105” transactions to move US $50 billion temporarily off the balance sheet at the end of the second quarter of 2008. Lee stated that these transactions created a misleading picture of the firm’s financial condition. According to the bankruptcy examiner, E&Y failed to disclose that allegation to the audit committee at a meeting the following day (Lehman bankruptcy report, v3, page 945).
Lehman Brothers’ Internal Audit vice president was in charge of the investigation, not E&Y. Lehman “naturally” asked its trusted adviser, E&Y, to help. However, it’s poor practice to request that the external auditor lead or assist with internal investigations of potential fraud or illegal acts by top executives. In the Siemens’ U.S Foreign Corrupt Practices Act case, Siemens’ external auditor, KPMG, was initially asked to assist with the internal investigation of bribery and corruption of foreign officials. KPMG subsequently became a target of internal and SEC investigations and a defendant in shareholder lawsuits.
In the Lehman case, E&Y had reviewed the company’s policy with respect to the accounting for these off-balance sheet devices. Reportedly, they concurred with management’s proposed treatment. However, they did not inform the audit committee of the transactions, or their growing volume and materiality with respect to the financial statements — and key indicators of the company’s health, such as their liquidity ratios.
They also did not, according to the bankruptcy examiner’s report, require the company to disclose the accounting treatment and the magnitude of the transactions in reports filed with the SEC. The Lehman bankruptcy examiner did not find fault with the board or audit committee, because the information needed to understand the fact and extent of the misleading financial statements was supposedly withheld from them.
It is no longer sufficient for audit committee members to listen passively to general management and auditor presentations three or four times a year. Audit committee members are required to proactively probe management, internal auditors and external auditors to gain insight and to make oversight decisions that will hold up, if necessary, in court.
Audit committees need sufficient expertise and experience to ask the external auditors relevant questions and probe as needed into the answers.
Questions for the External Auditors
- What are the most significant risks to financial reporting at this company?
- How are you addressing the risks? What level of assurance do your procedures provide with respect to the annual financial statements?
- What level of assurance do your procedures provide with respect to the quarterly financial statements?
- How do you assess the competence of company personnel engaged in financial reporting and related processes? What influence does that have on your procedures, and how will you communicate your assessment to the audit committee?
- Does staff working on the higher risk areas have sufficient experience, training, and understanding of the business to perform quality work?
- How do you ensure your staff members and their managers understand the
- business and perform quality audit procedures?
- How do you ensure managers and partners reviewing the audit apply the appropriate judgment in more complex situations?
- When and how do you engage your specialists, including those with higher levels of technical knowledge and experience in IT, tax, technical accounting, and other matters?
- What is your process if one of your team members suspects inappropriate or fraudulent activity? At what point do you inform the audit committee?
- How do you coordinate and supervise work performed at other locations, including associate firms overseas?
- What is your process if you determine that although the financial statements comply with Generally Accepted Accounting Principles, they are not a fair presentation of the company’s results and financial condition?
- What is the purpose of your review of MD&A in the filings with the regulator? How and when will you communicate any concerns to the audit committee?
To read Norman Marks’ blog on governance issues, visit www.InternalAuditorOnline.org, and click on “Marks on Governance.”
The following additional points did not make it into the published article due to space limitations.
Citigroup’s audit committee chairman, Michael Armstrong, stepped down in April of 2008 following accusations from shareholders that he failed to adequately oversee their risk-management process. Critics claimed that Armstrong was partly to blame for the bank’s mistakes and losses. Other Citigroup directors admitted they were unaware of the bank’s exposure until significant write-downs started accumulating.
Independence, perceived and actual, is often an especially difficult standard for Audit Committee members to achieve. A study published in March of 2009 entitled, Are Independent Audit-Committee Members Objective? Experimental Evidence, says Audit Committee members compensated with current rather than restricted stock prefer aggressive financial reporting. The National Association of Corporate Directors (NACD) currently encourages stock-based compensation for directors. Many companies compensate directors, including Audit Committee members, with both current and restricted stock grants to theoretically align their incentives with shareholders’.
Professional standards, however, ban auditors from owning stock in their audit clients to preserve independence. If owning stock can bias the external auditor can it also bias an Audit Committee Member? If auditors can’t own client stock, why don’t the same standards apply to Audit Committee members?
In August of 2008, the Financial Executives International (FEI) Task Force on Monitoring (TFM) responded to Guidance on Monitoring Internal Control Systems, a COSO Exposure Draft:
“In conducting its oversight role, the board should be proactive in seeking information from management, particularly on critical matters, in considering management’s assertions, and seeking information from other sources as appropriate. Importantly, the board should review all such information with requisite skepticism.”
The AICPA’s document, Managing the Business Risk of Fraud, tells us:
“An audit committee of the board that is committed to a proactive approach to fraud risk management…provides external auditors with evidence that [they are] committed to fraud risk management…”
Main page image was found here.