Turn to page xx of a publicly traded company’s annual report. If there’s a section where management discusses its internal controls, that company has found a venue to communicate with its shareholders—current and potential—about the strategies and policies it has adopted to ensure that the company is “under control.” Public companies increasingly include management reports on internal controls in their annual reports as a good corporate governance practice. At least for now, management has considerable latitude in deciding what it wishes to address in these reports.
Should management be required to report on internal controls, and should independent auditors have to attest to such reports? Although neither the SEC nor FASB requires them, these reports have existed for more than a decade; the debate on their mandatory inclusion has been waged for more than 20 years. There are, of course, varying opinions as to whether the needs of financial statement users are being met by existing reporting requirements. Since accountants and auditors are the professionals directly involved in auditing financial statements and reviewing internal controls, they may be in the best position to suggest what degree of reporting is appropriate.
According to the 1999 edition of Accounting Trends and Techniques, approximately 58% of public companies included management reports in their 10K. This is the one place in an annual report where management can focus readers’ attention on issues not systematically discussed elsewhere. A content analysis can help both the writers and users of the reports, as well as the outside auditors, in determining what specific items warrant inclusion.
The content of the reports varies considerably. While the focus in general is on the effectiveness of internal controls, the specific components of internal control are by no means consistent across companies. The differences noted in the reports may reflect the variations in how companies structure their internal control systems or they may reflect the differences in the companies’ reporting philosophies.
Since the reports first started appearing about 10 years ago, preparers have reached agreement on some of the routine items to be included, and now discuss the features of their overall control systems that are unique or of special significance.
Management reports typically discuss the following topics:
FINANCIAL STATEMENT PRESENTATION
An analysis of the annual reports of the 1998 Fortune 100 revealed 78 companies had included management reports. Virtually all of the reports in this study began with a statement that management took responsibility for the presentation of the financial statements. Ninety-seven percent said the financial statements conformed to GAAP and 15% said the financial statements represented fairly the company’s financial position and results of operations (see exhibit 1).
PURPOSE AND NATURE OF INTERNAL CONTROLS
All but 2 of the 78 companies said they maintained a system of internal control. Most noted the purpose of that system: 87% identified reliable financial reporting and 81%, safeguarding of assets (see exhibit 2). Just over half of the reports—54%—said the objective was encouraging adherence to management’s prescribed policies and procedures, while 51% linked internal controls and ethical conduct. A few of the reports specifically cited the objective of preventing or detecting fraudulent financial reporting. One company, General Electric, identified a sound, dynamic system of internal controls as “a vital ingredient” for the company’s quality programs.
Several reports identified specific components of their internal control structures (see exhibit 3). The most frequently cited was the existence of an internal audit function (78%), followed by the maintenance of policies and procedures (63%), the selection and training of good personnel (43%) and segregation of duties (42%). Also mentioned were continuous review and revision of internal controls and a strong control environment or ethical climate. Almost half of the reports referred to a company code of conduct or ethics policy. Several of the reports noted that the policy addressed such elements as conflict of interest, compliance with applicable laws and confidentiality concerns.
Seven reports referred to a review process for assuring compliance with ethical standards. For example, an important part of International Paper Co.’s internal controls system was its ethics program and long-standing policy on ethical business conduct, including a telephone “compliance line” to report suspected violations of law or company policy and its newly established office of ethics and business practices. To ensure that personnel continued to understand the internal control system and policies governing prudent business practices, Merck said it had an ongoing “management stewardship program” for key management and financial personnel and had implemented an ethical business practices program to reinforce its commitment to high ethical standards in conducting its business. CIGNA provided each employee with a copy of the corporate policy addressing business ethics and required that all officers, directors and certain other employees sign the policy statement annually. These statements suggest myriad ways in which corporate managements are seeking to share with outsiders their companies’ commitment to ethical principles.
POINT OUT LIMITATIONS
Companies also were careful to point out the inherent limitations of internal controls. Eighty-six percent of the reports acknowledged the systems’ designs provided only “reasonable assurance” of meeting stated objectives. Thirty-five percent said the internal controls’ cost should not exceed anticipated benefits. Sears, for example, explained that the “concept of reasonable assurance is based on the premise that the cost of internal controls should not exceed the benefits derived.”
A number of reports spelled out the limitations. One of the most extensive clarifications came from Enron: “It should be recognized, however, that there are inherent limitations in the effectiveness of any system of internal control. Accordingly, even an effective internal control system can provide only reasonable assurance with respect to the preparation of financial statements and safeguarding of assets. Further, because of changes in conditions, internal control system effectiveness may vary over time.”
In spite of these limitations, managements often tried to assure statement readers of the soundness of their internal controls. Although about half of the companies in the study asserted specifically that their internal controls were effective or strong, they did not address the basis for this assessment. Only three of the Fortune 100—Freddie Mac, Halliburton and Ameritech—said their assessments were based on recognized criteria for internal control, with Ameritech the only one specifically listing the five components of internal control defined by the COSO Internal Control Integrated Framework:
INTERNAL AUDIT’S ROLE
The most frequently cited functions of the internal audit department were monitoring compliance with the internal control structure and assessing its effectiveness. Seventeen percent noted internal audit provides recommendations to improve controls and correct deficiencies. One company, Procter & Gamble, pointed out its use of a self-assessment program to help “individual organizations…evaluate the effectiveness of their controls” and suggested this program supplemented the internal audit function.
Jack Dierkes, assistant director of the company’s internal audit unit, offered this perspective: “P&G believes that controls are the responsibility of the line organization. One role of internal auditing is to audit the line organization, identify gaps and ensure the appropriate action plans are put in place. Since our audit cycle is about three years, we find it helpful to supplement the audits with self-assessments [which] are led by the line organization and conducted about once a year. The internal controls group is available as needed to help the line organization conduct an effective self-assessment. Ideally, problems are identified and fixed before internal auditing conducts official audits.”
Most of the reports did not define the reporting structure of the internal audit department, although Merrill Lynch said its corporate audit department reported directly to the audit and finance committee of the board of directors; P&G noted that internal audit ultimately reported to the CFO, and two organizations, Fannie Mae and General Electric, said internal audit was organizationally independent of the activities it reviewed.
THE AUDIT COMMITTEE’S ROLE
Seventy-four (95%) of the reports referred to an audit committee. Of these, 92% said its members were independent or not part of management and that the audit committee regularly met with the independent auditor (81%), the internal audit director (78%) and management (76%) (see exhibit 4). Of the seventy-four companies, in 69% the independent auditor had full and free access to the audit committee and in 60% the internal audit director had the same access. It is not surprising that many management reports addressed the role of audit committees in light of the work of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (see “Blue-Ribbon Panel Issues Its 10 Commandments,” JofA, Apr.99, page 4). Incidentally, of the reports reviewed in this study, none referred to all the committee’s recommendations, and the nature and extent of the information provided varies. (See “Audit Committee Rules to Improve Disclosure,” JofA, Apr.00, page 15.)
Management reports identified the following responsibilities of the audit committee; the percentages in parentheses refer to the portion of the 74 companies with an audit committee.
Two reports (those of Merrill Lynch and J.C. Penney) said the audit committee had responsibility for compliance with acceptable business standards and ethics; J.C. Penney’s reviewed audit and nonaudit services and fees. Ameritech said its audit committee was responsible for “assuring the independence” of the independent auditor. A few reports in exhibit 4 discussed the size of the committee and frequency of its meetings.
WHAT THE INDEPENDENT AUDITOR DOES
Most of the management reports (85%) referred to the independent audit of the company, with 44% referring to the audit report in the annual report (see exhibit 5, page 64). Several (40%) said the audit was conducted in accordance with GAAS, including appropriate tests of accounting procedures and records. A few noted that all financial records and minutes were made available to the independent auditor or that the representations made to the independent auditor were valid.
Half of the reports said the independent auditor had included some consideration of internal controls. The wording used to describe the nature of this consideration varied. Most common was the term review of internal controls, followed closely by evaluation or assessment of, consideration of, and obtaining an understanding of. Also used were study, testing and examination of internal controls. Only half of the reports referring to the external auditor’s consideration of internal controls explained that the purpose of such consideration was to assist in the design of the audit and not to provide support for an opinion on the adequacy of controls.
If independent attestation of management reports were required, such a mandate would have a significant impact on the roles of both the independent auditor and management in this process. In traditional auditing and attestation services, the profession draws a sharp line between an “audit” and a “review.” Specific standards guide the practitioner in providing these differentiated services. Perhaps equally critically, the audit and review reports themselves attempt to clarify for the readers the nature and extent of the work performed.
The management reports usually do not make similar distinctions. A statement in a management report that the independent auditor has “considered,” “reviewed” or “examined” the company’s internal controls unintentionally might cause a reader to infer that the auditor has indicated the internal control system is working effectively. In most cases, such an inference would be misleading since the auditor was not engaged to express an opinion on the adequacy of the controls. Unless specifically engaged to assess or evaluate a company’s internal control system, independent auditors examine internal controls only for the purpose of designing their overall audit tests of the financial records. Beyond that, no testing of internal controls is required. For this reason the language that is used may merit closer scrutiny.
Auditing standards require that the auditor read other information in a document that may be relevant to the audit or to the propriety of the report. SAS no. 8, Other Information in Documents Containing Audited Financial Statements, cautions the auditor to discuss the information with the client if he or she becomes aware that such information conflicts with his or her knowledge of such matters or if a material misstatement of fact exists; the auditor should consider notifying the client in writing of his or her views concerning the information and consulting legal counsel.
Since management reports are typically included in companies’ annual reports, which contain audited financial statements, the auditor is required to read them. “In reading such information, the auditor should evaluate specific references by management that deal with the auditor’s consideration of internal controls in planning and performing the audit of the financial statements, particularly if such reference would lead the reader to assume that the auditor had performed more work than required under generally accepted accounting standards or would lead the reader to believe the auditor was giving assurances on internal control” (from AICPA, Professional Standards, AU section 9550.14, Other Information in Documents Containing Audited Financial Statements: Auditing Interpretations of Section 550).
The findings of this study indicated that the word most commonly used to describe the nature of the auditor’s consideration of the company’s internal controls was “reviewed.” Because “a statement by management that the auditors had ‘reviewed’ the company’s internal controls would be inappropriate” (see footnote to AU section 9550.14), auditors may need to more closely scrutinize clients’ management reports to comply with the standard’s guidance (see exhibit 5).
The profession should consider the results of this study in the debate on whether to mandate management reports of publicly traded companies and, if so, what those reports should include. Management reports can be another vehicle to improve corporate governance structures. The strength of the management report is the unique opportunity it affords management to address in a focused part of its annual report those concerns it believes are especially important for its company. The report becomes a vehicle for defining management’s control strategy, for explaining how its practices compare with those of other companies, and for highlighting where its efforts may represent cutting-edge attempts to make its company more profitable and efficient. Companies with innovative programs can use these reports to emphasize how important these initiatives are.