Corporate Governance – The Role of the Audit Committee
BA 427 – Assurance and Attestation Services
James D. Parkin
January 10, 2007
Agenda
• Corporate governance roles
 – Board of Directors
 – Audit Committee
 – Management
 – Auditor
• Key governance rules
 – Sarbanes-Oxley Act 2002
 – COSO Internal Control Framework
• Auditor communications
Corporate Governance Roles
Copyright © 2005 Deloitte Development LLC. All rights reserved.
Microsoft Board of Directors
Committees: Audit | Compensation | Finance | Governance & Nominating | Antitrust Compliance
Mr. Gates
Mr. Ballmer
Dr. Cash: X X X*
Ms. Dublon: X X
Mr. Gilmartin: X* X
Mrs. Korologos: X* X
Mr. Marquardt: X X
Mr. Noski: X* X
Dr. Panke: X
Mr. Shirley: X*
Total meetings in fiscal year 2006: Audit 9, Compensation 5, Finance 4, Governance & Nominating 4, Antitrust Compliance 4
Audit Committee Responsibilities
• Oversee accounting and financial reporting functions
• Monitor the effectiveness of internal controls
• Monitor accounting principles, methods and estimates, including “quality”
• Oversee internal audit function
• Selection of independent auditor
• Oversee auditor’s planning, performance and completion of audits
Audit Committee Responsibilities (cont.)
• Assess auditor independence
• Pre-approve auditor services
• Discuss with auditor certain required items (discussed later)
Heightened Expectations
The current environment has heightened expectations of the audit committee, prompting more penetrating questions:
• What risks could have a significant impact on the company?
• How is management addressing those risks?
• Can we be assured that risks are being managed appropriately?
• Do we have a process to assess the quality, not just the acceptability, of accounting policies, financial reporting processes, and internal controls?
• Have we obtained an understanding of the processes used by management and the external auditors to identify and monitor risk?
• How are we assessing the effectiveness and qualifications of the internal and external auditors?
• Have we evaluated the independence of the external auditors?
• Have we evaluated the quality of the finance, accounting, and internal audit organizations?
• How do we, as an audit committee, assess our own effectiveness?
Heightened Expectations (cont.)
Interaction Between Management, the Audit Committee, and the External Auditors Has Changed
Best practices:
• Discussions should be three-way
• Discussions should be open and frank, allowing audit committee members to gain an understanding beyond GAAP
Sarbanes-Oxley Act 2002 – Sec. 301
The audit committee of each issuer, in its capacity as a committee of the board of directors, shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer…
Audit Committee Composition
• Number of members
• Independence
• Financial literacy
• Financial expert
• Demographics
• How many meetings?
• How long are the meetings?
Microsoft Audit Committee Members
• James I. Cash Jr., Ph.D., 58, has been a director of the Company since 2001. Dr. Cash is formerly … Harvard Business School…Dr. Cash is also a member of the board of directors of The Chubb Corporation, General Electric Company, Phase Forward Incorporated, and Wal-Mart Stores, Inc.
• Dina Dublon, 53, has been a director of the Company since 2005. From December 1998 until her retirement in September 2004…Executive Vice President and Chief Financial Officer of JPMorgan Chase…Prior to joining Chemical Bank, Ms. Dublon worked for the Harvard Business School and Bank Hapoalim in Israel. Ms. Dublon is also a member of the board of directors of Accenture Ltd. and PepsiCo, Inc.
• Charles H. Noski, 54, has served as a director of the Company since 2003. From December 2003 to March 2005, Mr. Noski served as Corporate Vice President and Chief Financial Officer of Northrop Grumman Corporation and served as a director from November 2002 to May 2005. Mr. Noski joined AT&T in 1999 as Senior Executive Vice President and Chief Financial Officer and was named Vice Chairman of AT&T’s Board of Directors in 2002…Prior to joining AT&T, Mr. Noski was President, Chief Operating Officer, and a member of the board of directors of Hughes Electronics Corporation…Mr. Noski is also a director of Air Products and Chemicals, Inc., and Morgan Stanley.
Role of Management
• Prepare and maintain the financial records, including preparation of financial statements
• Evaluate the effectiveness of the company’s internal control over financial reporting (ICFR)
• Resolve deficiencies in ICFR (both significant and material) in a timely manner
Role of External Auditor
• Audit/Review management’s financial statements
• Audit management’s ICFR
• Required communications to the audit committee (discussed later)
• Communicate deficiencies in ICFR (significant and material) to audit committee
• Become a Trusted Technical Advisor (versus trusted business advisor)
Key Governance Rules
Evolution of Governance
Mid-1970s: Watergate Scandal and Investigation
1977: Foreign Corrupt Practices Act (FCPA)
Early 1980s: Increased Focus on Internal Control and Compliance
1985: National Commission on Fraudulent Financial Reporting – Treadway Commission
1992: Committee Of Sponsoring Organizations (COSO) published Internal Control – Integrated Framework
1990s – 2000: Continued Focus on Internal Control, Risk Management and Responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, Others)
2002: Sarbanes-Oxley Act of 2002
Sarbanes-Oxley Act Titles
The Act includes 11 titled sections:
Title I – Public Company Accounting Oversight Board
Title II – Auditor Independence
Title III – Corporate Responsibility
Title IV – Enhanced Financial Disclosures
Title V – Analyst Conflicts of Interest
Title VI – Commission Resources and Authority
Title VII – Studies and Reports
Title VIII – Corporate and Criminal Fraud Accountability
Title IX – White Collar Crime Penalty Enhancements
Title X – Corporate Tax Returns
Title XI – Corporate Fraud and Accountability
Impact to Auditors
• Formation of the PCAOB
• Auditor independence
 – Certain nonaudit services are specifically prohibited by the act, many of which were previously prohibited
 – Audit partner rotation periods shortened and extended to concurring review partners and partners serving significant subsidiaries
• Client relationships
 – Auditor now reports directly to the audit committee
 – Expanded audit committee reporting requirements
• Auditor attestation of internal controls (Section 404)
Impact to Audit Committees
• Preapproval of nonaudit services
 – Applies to nonaudit services that are not specifically prohibited by the act
 – Can be achieved through explicit approval of all nonaudit services, policies for preapproving certain classes of services, or a combination of both
• Disclosure of audit committee financial expert
 – The final rule included less stringent requirements than the proposed rule
 – Requires the board to make the determination
 – Requires disclosure that at least one member meets the requirements, and further requires disclosure of the person’s name
• Audit committee independence
 – Expands prohibited relationships
• Audit committee responsibilities
 – Requires direct oversight of the auditor and the company’s process for receiving and handling complaints (“whistleblower” processes)
 – Provides the audit committee with the ability to retain advisors
Impact to Management
• Expanded disclosure requirements
 – Management’s Discussion and Analysis must include disclosure of off-balance-sheet arrangements and known contractual agreements
• Rules on the use of non-GAAP financial measures are expanded
• Required disclosure of the company’s code of ethics
 – Management must disclose if a code of ethics exists, and must make the code publicly available through its Web site or SEC filings
 – Waivers to the code must be reported and disclosed
• Cooling-off period for hiring former employees of the external auditor
• Executive officer certification requirements:
 – Section 302: Certifications related to financial reports and disclosure controls
 – Section 404: Certification related to financial reporting controls accompanied by auditor attestation report
 – Section 906: Certification that the financial statements comply with the appropriate Securities Exchange Act and present fairly, in all material respects, the financial condition and results of operations of the issuer
Overview of Internal Control Requirements
Section 302 Certification Overview
• CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
 – Report contains no untrue statements
 – Report is fairly presented in all material respects
 – Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
Section 404 Certification Overview
• CEO and CFO to certify as of the end of every annual reporting period:
 – Their responsibility for establishing and maintaining effective internal controls over financial reporting
 – Their assessment of internal controls, accompanied by the independent auditors’ attestation report
SOX Internal Control Definitions
Disclosure Controls
• Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC.
• Include controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure.
Internal Controls over Financial Reporting
• Controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles.
Disclosure Controls vs. Financial Reporting Controls
[Diagram: Disclosure Controls Procedures (Section 302) cover the company’s Annual Report on Form 10-K – Business, Properties, Legal Proceedings, and Financial Statements. Internal Controls Over Financial Reporting (Section 404) cover the Financial Statements – Balance Sheet, Income Statement, Cash Flow, and Notes.]
COSO Internal Control – Integrated Framework
• COSO offers an integrated framework that defines internal control by five interrelated components:
 – Control Environment
 – Risk Assessment
 – Control Activities
 – Information & Communication
 – Monitoring
Control Environment
• The control environment is the control consciousness of an organization; it is the environment in which people conduct business activities and fulfill their control obligations.
• The control environment includes both intangible and tangible elements:
 – Integrity and ethical values
 – Commitment to competence
 – Governance and organization structure
 – Management philosophy and operating style
 – Assignment of authority and responsibility
 – Human resource policies and practices
• An effective control environment exists when employees understand their responsibilities and authority and are committed to acting ethically.
• Management influences an organization’s control environment by setting the standard through its actions and by effectively communicating written policies and procedures, a code of ethics, and standards of conduct – “tone at the top.”
Linking Internal Control and Risk Management
RISK
Possibility of an adverse event that may negatively affect the ability of an organization to achieve its objectives.
RISK MANAGEMENT
Process to increase confidence in the ability of an organization to anticipate, prioritize, and overcome obstacles to the attainment of its goals.
INTERNAL CONTROL
A process designed to provide reasonable assurance regarding the achievement of business objectives:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Control Environment - Roles and Responsibilities
• Executive Management
 – Sets the standard for the control environment
 – Maintains ultimate accountability for internal control and risk management enterprisewide
 – Supports control and risk management activities throughout the organization
• Operating Management
 – Directly responsible and accountable for business operations effectiveness and internal control related to business objectives
 – Periodically assesses and asserts on risk management and control environment
 – Develops and implements action plans for improvement
Control Environment - Roles and Responsibilities (cont.)
• Finance Management
 – Involved in financial implications of operating management responsibilities
 – Provides guidance to design, establishment, execution, and monitoring of adequate internal controls
• Internal Audit
 – Provides support for risk and control assessment activities
 – Monitors exposure of the organization and makes recommendations relating to risk and control activities
 – Designs internal audit plan based on strategic risk assessment
 – Tests adequacy and effectiveness of controls
 – Challenges and validates management control environment assertions
 – Reports independent findings and provides recommendations
Control Environment - Roles and Responsibilities (cont.)
• Audit Committee
 – Focuses board attention
 – Evaluates overall risk exposure
 – Reviews adequacy of overall control environment
 – Provides oversight and advice
• External Audit
 – Evaluates the effectiveness of internal control to determine the scope of external audit procedures
 – Issues management commentary reports
 – Issues an opinion on the consolidated financial statements
 – Reviews control environment and uses results of risk assessments as input to develop external audit plan
Auditor Communications
Required Communications with AC
• SAS 61 (as amended by SAS 89 & 90) – Communication with Audit Committees
• ISB No. 1
• SEC Regulation S-X, Rule 2-07
• NYSE/NASDAQ listing standards
Required Communications – SAS 61
• Our responsibility under GAAS
• Significant accounting policies
• Management judgments and accounting estimates
• Disagreements with management
• Consultation with other accountants
• Major issues discussed with management prior to retention
• Other information in documents containing audited financial statements
Required Communications – SAS 61 (cont.)
• Fraud
• Independence
• Uncorrected misstatements
• Audit adjustments
• Judgments about the quality of the accounting principles
• Alternative accounting treatments
• Difficulties encountered during the audit and management’s response
Thanks!