The compliance revolution after the passage of the Sarbanes-Oxley Act of 2002 (SOX) was accomplished in large part with the help of the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO’s framework became part of a worldwide movement to enhance periodic accounting and reporting of financial results. Coupled with the global convergence to IFRS, this should provide for a new age of financial information reliability and comparability.
In the past few years, COSO has remained active, providing new guidance regarding monitoring, enterprise risk management (ERM), enhanced board oversight, and quantifying risk appetites for corporate America. In December, COSO released an exposure draft and several related discussion questions that convert the 20-year-old COSO model to an upgraded and enhanced 2.0 version. The ED is available at coso.org. The previous model has been effective since SOX was signed into law in July 2002, but clearly needed updating and modifying for relevance to today’s business environment.
Changes in the business and operating environment that drove this change noted by COSO are as follows:
- Expectations for governance oversight.
- Globalization of markets and operations.
- Changes in business models.
- Demands and complexities in laws, rules, regulations, and standards.
- Expectations for competencies and accountabilities.
- Use of, and reliance on, evolving technologies.
- Expectations relating to preventing and detecting corruption.
Audit committee chairmen and their members need to invest time to consider the new ED, which is scheduled to be issued in final form in the first quarter of 2013. The complete package of materials will include the framework, a document with more information on internal control over external financial reporting, and a document on evaluation tools. Audit committees should consider the following during this interim exposure and finalization period:
- Ensure that audit committee members read the COSO executive summary and related discussion questions. Encourage those with a greater appetite to read the 150-plus pages of the new framework.
- Develop a plan with the CFO, internal audit department, and independent accounting firm over the remaining months in 2012 to discuss the impact the new ED will have on the registrant.
- Provide to the full corporate board of directors summary reports of the key concepts in the ED and how they may affect the company in future years.
- Consider other COSO guidance for monitoring compliance with internal accounting controls and ERM, as well as how the audit committee is integrating this new guidance to provide a comprehensive assessment of the regulation.
- Ensure that the audit committee members understand the new codification set forth in the ED.
Since the audit committee is a key component to the control environment of any corporation, members should consider the five embedded principles applicable to the “control environment.” COSO describes those as follows:
- Demonstrate commitment to integrity and ethical values.
- Exercise oversight responsibility.
- Establish structure, authority, and responsibility.
- Demonstrate commitment to competence.
- Establish accountability.
The updated COSO framework will provide refreshed objectives. It will increase focus on operations, compliance, and nonfinancial reporting objectives. Accordingly, the audit committee will need to educate itself about the enhanced framework. Audit committees should spend time with the CFO, accounting department, internal audit, and external audit management to translate the new 2.0 model into actionable and measurable enhancements in the company. This will strengthen resistance to fraud, material weaknesses, and significant errors in financial reporting.
Stephen G. Austin ( email@example.com ) is a firm managing partner of Swenson Advisors LLP in San Diego.
Tips From the Audit Committee Chair
Olivia Kirtley is a nonexecutive director for U.S. Bancorp and Papa John’s International. She is also the chair of the audit committee of both companies. She was the AICPA’s first chairman from business and industry. She offers the following tips for efficient and effective operation of audit committees:
The audit committee should have both high expectations and robust processes for receiving information relating to the period under review on all critical areas, including significant issues, judgments, and transactions. It should receive written materials in advance of the meeting, setting forth all the important matters so that the meeting can focus on the most significant issues, whether these are revenue recognition, accounting for unusual transactions, or other matters. It is up to the CFO to be proactive in understanding the expectations of the audit committee and in developing the package of materials to be provided to committee members.
The audit committee and, particularly, its chair should develop a good working relationship with the CFO, seeking frank discussions about issues and challenges. This can be done by encouraging dialogue when important issues arise, and not just at general meetings. In addition, the chair should have a premeeting call to review materials and discuss matters that the committee should focus on during its meeting. The chair can ask any questions not evident from the advance meeting materials that may require additional review or work, allowing finance staff to prepare for questions that are likely to arise at the meeting. This helps build a collaborative, trusting relationship.
The audit committee discussions will be held with both the external auditors and the CFO in the room, so it is an opportunity to gain and test the views of both. In addition to its responsibilities with respect to the financial statements, the committee also has a role in mergers-and-acquisitions activity. It should focus on the results of due diligence on issues such as the internal control environment at the target company; planned timelines for the integration of systems and reporting; IT security and controls; and risk management processes. In short, it will need to consider anything that could impact the integrity of financial reporting and controls.
Interim financial reports are just as important, as are annual statements for investors, analysts, debt holders, and others, so the audit committee should follow its basic processes to oversee this and related disclosures. Although the review procedures by the external auditors are limited for interim reports, they still provide a level of review that is quite valuable through inquiry and the review of significant issues and transactions, and the audit committee members should discuss their findings and observations.
Audit committees should perform their review before the company releases the interim financial reports, which would include not only discussions with external and internal auditors, but also reviewing significant issues and judgments for the period with management. The audit committee should be satisfied that any communications between the company and analysts, or others, is consistent with these discussions, and that the company issued reports regarding financial matters and disclosures.
Beyond the Financial Statements: The Evolving Role of Public Company Auditors
Changes in the role served by public company auditors could include expanded communication with audit committees and more involvement with earnings releases, according to a report by the Center for Audit Quality.
The CAQ, which is affiliated with the AICPA, held a workshop with investors, buy-side analysts, auditors, audit committee members, and preparers on March 12 in New York City. Participants discussed how the auditor’s role could evolve to meet investors’ needs, focusing on information management communicates outside of audited financial statements. The report is available at tinyurl.com/889znkw.
Investors said non-GAAP disclosures are increasingly important in their decision-making process. They would like more consistency in non-GAAP measures reported by management from period to period in management discussion and analysis (MD&A) and earnings releases. Investors also desire comparability in non-GAAP key performance indicators across companies in specific industries. There was agreement at the workshop that the consistency should be driven by industry groups at the outset “although adoption of a more formal framework by the SEC ultimately may be needed,” according to the CAQ report. Some participants said “regulated” disclosures could become less flexible and candid.
More auditor involvement with MD&A is unnecessary, investors said, but a majority would like some level of auditor involvement with earnings releases. Although participants said public reporting by the auditor would be unnecessary, a majority supported a requirement for the auditor to read the earnings release and thoroughly discuss the contents with the audit committee. Such reviews currently are recognized as a best practice, but they are not required.
The feedback was consistent with 2011 workshop results in which investors expressed a desire for streamlined and balanced reporting with content focused on effectively communicating companies’ financial results rather than complying with regulatory requirements. Participants also said education is needed to close the expectation and information gap by helping capital market participants understand the role of auditors and the checks and balances in the financial reporting system. In response, the CAQ intends to expand its education programs and collaborative efforts accordingly.
“We hope to advance further consideration of these issues by all interested parties through publication of this workshop summary and through continued dialogue with stakeholders and policymakers,” said CAQ Executive Director Cindy Fornelli. “It is vitally important that investors understand and continue to trust the work that auditors perform—and have confidence in our financial reporting system and the checks and balances that underlie the system.”
- “Two Years and Counting,” June 2007, page 74
- “A Sarbanes-Oxley Meditation,” Jan. 2007, page 16
- “Beyond Sarbanes-Oxley,” Aug. 2006, page 69
- “Regulations Under the Sarbanes-Oxley Act,” Oct. 2002, page 33
- Beyond Sarbanes-Oxley Compliance: Effective Enterprise Risk Management (#WI726265)
- Forensics and Financial Fraud: Real World Issues and Answers (#733205)
- Fraud and the Forensic Accountant: Tackling Fraud From Start to Finish (#753643)
- Internal Control Essentials for Financial Managers, Accountants and Auditors (#159820)
- Manager’s Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud (#WI569755)
- Sarbanes-Oxley and the Board of Directors: Techniques and Best Practices for Corporate Governance (#WI736082)
- Sarbanes-Oxley and the New Internal Auditing Rules (#WI483060)
- Sarbanes-Oxley for Nonprofits: A Guide to Building Competitive Advantage (#WI697885)
- The Sarbanes-Oxley Section 404 Implementation Toolkit Practice Aids for Managers and Auditors, 2nd edition (#WI169315)
- National Audit Committee Forum, July 30–31, New York City
- Controllers Workshop, Nov. 8–9, Atlanta
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.