Speaker: James Parkin, Partner, Deloitte Touche

Transcript

Corporate Governance – The Role of the Audit Committee
BA 427 – Assurance and Attestation Services
James D. Parkin
January 10, 2007
Agenda
• Corporate governance roles
– Board of Directors
– Audit Committee
– Management
– Auditor
• Key governance rules
– Sarbanes-Oxley Act 2002
– COSO Internal Control Framework
• Auditor communications
Corporate Governance Roles
Copyright © 2005 Deloitte Development LLC. All rights reserved.
Microsoft Board of Directors – committee membership, fiscal year 2006
Committees: Audit, Compensation, Finance, Governance & Nominating, Antitrust Compliance
Directors: Dr. Cash, Ms. Dublon, Mr. Gates, Mr. Ballmer, Mr. Gilmartin, Mrs. Korologos, Mr. Marquardt, Mr. Noski, Dr. Panke, Mr. Shirley
(In the original slide each director’s committee seats are marked with X or X*; the per-director marks did not survive extraction and are not reproduced here.)
Total meetings in fiscal year 2006: Audit 9, Compensation 5, Finance 4, Governance & Nominating 4, Antitrust Compliance 4
Microsoft Board of Directors – AC
(Repeat of the committee table above, highlighting the Audit Committee; per the member biographies later in the deck, its members are Dr. Cash, Ms. Dublon and Mr. Noski. Total meetings in fiscal year 2006 are as above.)
Audit Committee Responsibilities
• Oversee accounting and financial reporting functions
• Monitor the effectiveness of internal controls
• Monitor accounting principles, methods and estimates, including “quality”
• Oversee internal audit function
• Selection of independent auditor
• Oversee auditor’s planning, performance and completion of audits
• Assess auditor independence
• Pre-approve auditor services
• Discuss with auditor certain required items (discussed later)
Heightened Expectations
The current environment has heightened expectations of the audit committee, prompting more penetrating questions.
• What risks could have a significant impact on the company?
• How is management addressing those risks?
• Can we be assured that risks are being managed appropriately?
• Do we have a process to assess the quality, not just the acceptability, of accounting policies, financial reporting processes, and internal controls?
• Have we obtained an understanding of the processes used by management and the external auditors to identify and monitor risk?
• How are we assessing the effectiveness and qualifications of the internal and external auditors?
• Have we evaluated the independence of the external auditors?
• Have we evaluated the quality of the finance, accounting, and internal audit organizations?
• How do we, as an audit committee, assess our own effectiveness?
Heightened Expectations (cont.)
Interaction between management, the audit committee, and the external auditors has changed.
Best practices:
• Discussions should be three-way
• Discussions should be open and frank, allowing audit committee members to gain an understanding beyond GAAP
Sarbanes-Oxley Act 2002 – Sec. 301
The audit committee of each issuer, in its capacity as a committee of the board of directors, shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer…
Audit Committee Composition
• Number of members
• Independence
• Financial literacy
• Financial expert
• Demographics
• How many meetings?
• How long are the meetings?
Microsoft Audit Committee Members
• James I. Cash Jr., Ph.D., 58, has been a director of the Company since 2001. Dr. Cash is formerly … Harvard Business School… Dr. Cash is also a member of the board of directors of The Chubb Corporation, General Electric Company, Phase Forward Incorporated, and Wal-Mart Stores, Inc.
• Dina Dublon, 53, has been a director of the Company since 2005. From December 1998 until her retirement in September 2004… Executive Vice President and Chief Financial Officer of JPMorgan Chase… Prior to joining Chemical Bank, Ms. Dublon worked for the Harvard Business School and Bank Hapoalim in Israel. Ms. Dublon is also a member of the board of directors of Accenture Ltd. and PepsiCo, Inc.
• Charles H. Noski, 54, has served as a director of the Company since 2003. From December 2003 to March 2005, Mr. Noski served as Corporate Vice President and Chief Financial Officer of Northrop Grumman Corporation and served as a director from November 2002 to May 2005. Mr. Noski joined AT&T in 1999 as Senior Executive Vice President and Chief Financial Officer and was named Vice Chairman of AT&T’s Board of Directors in 2002… Prior to joining AT&T, Mr. Noski was President, Chief Operating Officer, and a member of the board of directors of Hughes Electronics Corporation… Mr. Noski is also a director of Air Products and Chemicals, Inc., and Morgan Stanley.
Role of Management
• Prepare and maintain the financial records, including preparation of financial statements
• Evaluate the effectiveness of the company’s internal control over financial reporting (ICFR)
• Resolve deficiencies in ICFR on a timely basis (both significant deficiencies and material weaknesses)
Role of External Auditor
• Audit/review management’s financial statements
• Audit management’s ICFR
• Required communications to the audit committee (discussed later)
• Communicate significant deficiencies and material weaknesses in ICFR to the audit committee
• Become a Trusted Technical Advisor (versus trusted business advisor)
Key Governance Rules
Evolution of Governance
• Mid-1970s: Watergate scandal and investigation
• 1977: Foreign Corrupt Practices Act (FCPA)
• Early 1980s: Increased focus on internal control and compliance
• 1985: National Commission on Fraudulent Financial Reporting – Treadway Commission
• 1992: Committee of Sponsoring Organizations (COSO) published Internal Control – Integrated Framework
• 1990s – 2000: Continued focus on internal control, risk management and responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, others)
• 2002: Sarbanes-Oxley Act of 2002
Sarbanes-Oxley Act Titles
The Act includes 11 titled sections:
Title I – Public Company Accounting Oversight Board
Title II – Auditor Independence
Title III – Corporate Responsibility
Title IV – Enhanced Financial Disclosures
Title V – Analyst Conflicts of Interest
Title VI – Commission Resources and Authority
Title VII – Studies and Reports
Title VIII – Corporate and Criminal Fraud Accountability
Title IX – White Collar Crime Penalty Enhancements
Title X – Corporate Tax Returns
Title XI – Corporate Fraud and Accountability
Impact to Auditors
• Formation of the PCAOB
• Auditor independence
– Certain nonaudit services are specifically prohibited by the act, many of which were previously prohibited
– Audit partner rotation periods shortened and extended to concurring review partners and partners serving significant subsidiaries
• Client relationships
– Auditor now reports directly to the audit committee
– Expanded audit committee reporting requirements
• Auditor attestation of internal controls (Section 404)
Impact to Audit Committees
• Preapproval of nonaudit services
– Applies to nonaudit services that are not specifically prohibited by the act
– Can be achieved through explicit approval of all nonaudit services, policies for preapproving certain classes of services, or a combination of both
• Disclosure of audit committee financial expert
– The final rule included less stringent requirements than the proposed rule
– Requires the board to make the determination
– Requires disclosure that at least one member meets the requirements, and further requires disclosure of the person’s name
• Audit committee independence
– Expands prohibited relationships
• Audit committee responsibilities
– Requires direct oversight of the auditor and the company’s process for receiving and handling complaints (“whistleblower” processes)
– Provides the audit committee with the ability to retain advisors
Impact to Management
• Expanded disclosure requirements
– Management’s Discussion and Analysis must include disclosure of off-balance-sheet arrangements and known contractual agreements
• Rules on the use of non-GAAP financial measures are expanded
• Required disclosure of the company’s code of ethics
– Management must disclose if a code of ethics exists, and must make the code publicly available through its Web site or SEC filings
– Waivers to the code must be reported and disclosed
• Cooling-off period for hiring former employees of the external auditor
• Executive officer certification requirements:
– Section 302: Certifications related to financial reports and disclosure controls
– Section 404: Certification related to financial reporting controls, accompanied by the auditor’s attestation report
– Section 906: Certification that the periodic report complies with the applicable requirements of the Securities Exchange Act of 1934 and that the financial statements present fairly, in all material respects, the financial condition and results of operations of the issuer
Overview of Internal Control Requirements
Section 302 Certification Overview
• CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
– Report contains no untrue statements
– Report is fairly presented in all material respects
– Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
Section 404 Certification Overview
• CEO and CFO to certify as of the end of every annual reporting period:
– Their responsibility for establishing and maintaining effective internal controls over financial reporting
– Their assessment of internal controls, accompanied by the independent auditors’ attestation report
SOX Internal Control Definitions
Disclosure Controls
• Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC.
• Include controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure.
Internal Controls over Financial Reporting
• Controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles.
Disclosure Controls vs. Financial Reporting Controls
(Diagram: the company’s Annual Report on Form 10-K comprises Business, Properties, Legal Proceedings and the Financial Statements; the Financial Statements comprise the Balance Sheet, Income Statement, Cash Flow and Notes. Disclosure Controls and Procedures (Section 302) span the whole Form 10-K; Internal Controls over Financial Reporting (Section 404) cover the Financial Statements.)
COSO Internal Control – Integrated Framework
• COSO offers an integrated framework that defines internal control by five interrelated components:
– Control Environment
– Risk Assessment
– Control Activities
– Information & Communication
– Monitoring
Control Environment
• The control environment is the control consciousness of an organization; it is the environment in which people conduct business activities and fulfill their control obligations.
• The control environment includes both intangible and tangible elements:
– Integrity and ethical values
– Commitment to competence
– Governance and organization structure
– Management philosophy and operating style
– Assignment of authority and responsibility
– Human resource policies and practices
• An effective control environment exists when employees understand their responsibilities and authority and are committed to acting ethically.
• Management influences an organization’s control environment by setting the standard through its actions and by effectively communicating written policies and procedures, a code of ethics, and standards of conduct – “tone at the top.”
Linking Internal Control and Risk Management
RISK
Possibility of an adverse event that may negatively affect the ability of an organization to achieve its objectives.
RISK MANAGEMENT
Process to increase confidence in the ability of an organization to anticipate, prioritize, and overcome obstacles to the attainment of its goals.
INTERNAL CONTROL
A process designed to provide reasonable assurance regarding the achievement of business objectives:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
Control Environment - Roles and Responsibilities
• Executive Management
– Sets the standard for the control environment
– Maintains ultimate accountability for internal control and risk management enterprisewide
– Supports control and risk management activities throughout the organization
• Operating Management
– Directly responsible and accountable for business operations effectiveness and internal control related to business objectives
– Periodically assesses and asserts on risk management and control environment
– Develops and implements action plans for improvement
• Finance Management
– Involved in financial implications of operating management responsibilities
– Provides guidance to design, establishment, execution, and monitoring of adequate internal controls
• Internal Audit
– Provides support for risk and control assessment activities
– Monitors exposure of the organization and makes recommendations relating to risk and control activities
– Designs internal audit plan based on strategic risk assessment
– Tests adequacy and effectiveness of controls
– Challenges and validates management control environment assertions
– Reports independent findings and provides recommendations
• Audit Committee
– Focuses board attention
– Evaluates overall risk exposure
– Reviews adequacy of overall control environment
– Provides oversight and advice
• External Audit
– Evaluates the effectiveness of internal control to determine the scope of external audit procedures
– Issues management commentary reports
– Issues an opinion on the consolidated financial statements
– Reviews control environment and uses results of risk assessments as input to develop external audit plan
Auditor Communications
Required Communications with AC
• SAS 61 (as amended by SAS 89 & 90) – Communication with Audit Committees
• ISB Standard No. 1 – Independence Discussions with Audit Committees
• SEC Regulation S-X, Rule 2-07 – Communication with Audit Committees
• NYSE/NASDAQ listing standards
Required Communications – SAS 61
• Our responsibility under GAAS
• Significant accounting policies
• Management judgments and accounting estimates
• Disagreements with management
• Consultation with other accountants
• Major issues discussed with management prior to retention
• Other information in documents containing audited financial statements
• Fraud
• Independence
• Uncorrected misstatements
• Audit adjustments
• Judgments about the quality of the accounting principles
• Alternative accounting treatments
• Difficulties encountered during the audit and management’s response
Thanks!