ViewPoints. Internal controls over financial reporting

Transcription

1 Issue 27: 28 April 2011 TAPESTRY NETWORKS, INC Internal controls over financial reporting On 5 6 April 2011, members of the European Audit Committee Leadership Network (EACLN) convened in Brussels for their 15th stand-alone meeting. 1 In one session, members discussed the audit committee s oversight of internal controls over financial reporting. contains a summary of the key points raised during the discussion, along with selected perspectives that members shared before and after the meeting. 2 For further information about the network, see About this document, on page 8. For a full list of participants, see Appendix 1, on page 9. Executive summary Overseeing internal controls over financial reporting is a core activity of audit committees at all public companies. Gauging the effectiveness of internal controls and reporting on these controls to shareholders and the public present a number of challenges, and several themes emerged from audit chairs discussions of their efforts: Audit chairs say Sarbanes-Oxley has significantly improved internal controls (Page 2) Many jurisdictions have enacted laws and codes involving internal controls, but the US Sarbanes- Oxley Act (SOX) has arguably been the most influential for large, global public companies. Despite early concerns about its cost, and in a sharp turnaround from opinions expressed in their first meeting in 2004, EACLN members today consider its impact to have been very positive, resulting in more effective controls and better reporting. They report that the SOX approach has brought muchneeded process discipline and cultural change to their companies. Nevertheless, European companies and audit chairs still struggle with the quantity of information they must absorb to monitor controls effectively. Members are therefore interested in their external auditor s perspective on best-practice examples of reports to the board on internal controls. Audit chairs seek to broaden oversight of internal controls (Page 4) Audit chairs raised the question of whether it would be beneficial to implement a more systematic approach to internal controls beyond those involved in financial reporting, such as to those involved in non-financial reporting and even operational controls. Audit chairs noted that non-financial reporting, including key performance indicators, has become increasingly important, justifying better controls and more scrutiny by the external auditor. The same argument may apply to financial communications that are not currently audited, such as press releases and presentations for investor meetings. The control environment remains a key concern (Page 6) Audit chairs see the control environment as a perennial challenge, especially the cultural aspects that guide ethical behavior. EACLN members emphasized the importance of enforcing a favorable tone at 1 In another session, members discussed the European Commission s green papers on corporate governance and audit policy with Mr Jonathan Faull. See European Audit Committee Leadership Network, Audit committee perspectives on the European Commission s green papers,, 28 April reflects the network s use of a modified version of the Chatham House Rule whereby names of members and guests and their company affiliations are a matter of public record, but comments made before, during and after meetings are not attributed to individuals or corporations. All member quotes appear in italics.

2 the top by insisting that the CEO and his or her direct reports comply with the letter and spirit of laws and regulations. They also discussed other ways in which boards can help instill an ethical culture throughout the organization, such as by conducting direct discussions with middle management, ensuring that everyone (including the board) receives training and insisting on clear repercussions when violations occur. Members are also interested in their external auditor s perspective on the control environment. Appendix 2, on page 10, includes a list of discussion questions for audit committees. Audit chairs say Sarbanes-Oxley has significantly improved internal controls A key factor in how companies, boards and audit committees approach internal controls is the regulatory framework, including the demands of regulators and the guidance provided by corporate governance codes. Over the past 15 years, policymakers and regulators have shown considerable interest in internal controls. Two regulatory initiatives have been especially broad in their impact: Nearly a decade ago, the United States passed the influential Sarbanes-Oxley Act, setting up a rigorous system of internal controls and oversight for SEC-registered companies. The law has influenced nonregistered companies globally as well. 3 Five years ago, the European Union implemented revisions to the 4th, 7th, and 8th directives that included several general provisions involving internal controls. 4 In addition, European countries have been active in revising corporate governance codes and introducing laws and guidance on how to approach and oversee internal controls. Though some European corporate governance codes (such as the Dutch one) are more specific than others, the focus in Europe has generally been on principles rather than specific rules. 5 Coupled with the comply-or-explain approach, this focus has given companies flexibility to apply systems of oversight tailored to their specific needs, though it has also created more uncertainty regarding how best to implement and report on control systems. 6 The Sarbanes-Oxley Act and the associated guidance from the SEC are much more rules based, which caused considerable concern among companies when they first began to comply with the Act. Nearly 10 years later, however, EACLN members noted a shift in attitudes towards the law, though they also highlighted the efforts required to monitor controls effectively. Benefits of a SOX-like approach Members reflected on the impact of the Sarbanes-Oxley Act, not only on companies that must comply with it, but also on those that ultimately delisted from US stock exchanges. Members generally saw the law s impact as very positive, even though the effort and cost of compliance are significant. One member described the impact in specific numerical terms as well as organizationally: SOX changed everything in [our company]... It has been a long journey. We are more advanced than we have been on entity-level and process-level controls. The devil has been in the details. We had 20,000 control issues when we started; 3 The complete text of the Sarbanes-Oxley Act of 2002 is available online from several sites. 4 European Union, Directive 2006/46/EC of the European Parliament and of the Council of 14 June 2006, Official Journal of the European Union, 16 August 2006, page 2; European Union, Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006, Official Journal of the European Union, 9 June 2006, page Katrien Van de Poel and Ann Vanstraelen, Management reporting on internal control and earnings quality: Insights from a low cost internal control regime, Working Paper, November The European Commission is currently evaluating the effectiveness of the comply-or-explain approach as part of its review of corporate governance policy. See European Commission, The EU Corporate Governance Framework (Brussels: European Commission, 2011). Internal controls over financial reporting 2

3 now we have 13,000. We have gone from 18,000 deficiencies to about 1,000 by We set up assurance certification a traffic light system for 50,000 controls, [including] 650 certificates signed by 4,000 reporting units in 96 countries in eight regions. Several members whose companies had delisted from the New York Stock Exchange noted that the Sarbanes-Oxley requirements were not the reason for the delisting. Indeed, some companies not only maintained the systems and processes implemented to comply with the law, but actually strengthened their internal controls after delisting, both because they saw the value of that increased rigor and because the reporting regimes in their own jurisdictions encouraged it. One member explained: The discipline that SOX brought to the company which had gone through tough times on internal controls created a completely different culture in the company. It was important to avoid any thought in the internal organization that SOX was behind the delisting. We have pretty tough legislation in [my country] on a comply-or-explain basis. The bottom-up certification that internal controls are working is absolutely a must to allow management to make a statement on internal controls. Some members whose companies were never listed in the United States noted that it was not necessarily cost-effective to implement Sarbanes-Oxley in full, even if the benefits merited consideration. One member described evaluating an implementation: In [my] non New York listed companies, we recommended applying SOX, but the investment was too big, and it was much too detail oriented. The deficiencies we had were at the corporate level, not at the detail level for example, liquidity issues. Continuing challenges of monitoring control deficiencies The focus on detail required to oversee internal controls over financial reporting whether in a SOXcompliant company or otherwise continues to challenge audit committees, which are struggling to find the right balance between adequate scrutiny and excessive involvement and information overload. A member noted, We have [many] deficiencies that could become a significant deficiency or a material weakness. If you are not [involved] in the detail, you cannot trace it, and you cannot ask why it happened. You need to [understand it] at the lowest level to ask about it. In pre-meeting conversations, several members brought up the challenge of grasping so much detail in the limited amount of time available to audit committees. In Brussels, a member described the dilemma: We are clear that we are interested in a view of what is going on in the company as the audit committee. We have three sessions a year for an hour each. How do you get a good idea in three hours a year? If you only look at the company level and get external certification, is that sufficient? Is it the only way? I don t know. Members mentioned a variety of practices their audit committees use to ensure that the audit committee and the board as a whole receive adequate reporting on deficiencies: Asking for more information from internal audit. A member described interacting with internal audit: I formalized the opinion of the internal audit report. We push them to explain failures to the organization An individual failure is not significant, but how widespread is it? What does it tell us about the company? How is it being fixed, and by when? Asking for reports to be formatted for more clarity. A member said, Every report is circulated to the board and the audit committee with every deficiency highlighted. You see it if they reappear, or Internal controls over financial reporting 3

4 become systemic, or where IT is deficient. Another member said, We ask for a summary to the committee every quarter, with color coding. Asking for more frequent reports. Audit chairs ensure that, if necessary, they get reports outside the usual reporting cycle. A member noted, A report is sent directly to the audit committee chairman if something serious happens in between [the quarterly reports]. Assessing relevant IT systems Since internal controls are closely tied to IT systems, IT-related challenges often lead to challenges implementing, maintaining and overseeing internal controls. Members raised this issue several times during pre-meeting calls. One member noted that every company I m involved in has problems with IT internal controls it s the most common general control issue. Another member asked, How do you gain assurance on internal controls on specific technology issues that very few people in the organization understand? It s unlikely that the people you ask to provide assurance have the same skills as those they are checking on. Problems can also stem from the number of IT systems a company has in place, which may be the result of acquisitions: Deficiencies [in internal controls] are linked to IT systems, and we now have 20 systems down from 80! In the long run, we want to have 10 systems, but if we acquire other firms, you once again have the same problem. The role of the external auditor For companies complying with Sarbanes-Oxley, the external auditor must attest that management has adequately reported on internal controls. For other companies, the role of the external auditor in the oversight of internal controls is less clear. The 8th Directive states that the statutory auditor should report to the audit committee on material weaknesses in internal control related to the financial reporting process, 7 but it does not impose the same level of obligation on the external auditor as Sarbanes-Oxley. The corporate governance code of the Netherlands goes farther in its requirements than other European codes, but it does not require the external auditor to attest to management s report on the adequacy of internal controls. 8 EACLN members seek assistance from the external auditor in conducting their oversight. In a pre-meeting conversation, a member underlined the role of the external auditor in alerting the audit committee to deficiencies: The one thing [audit committees] need to tell their auditors is that as soon as you find something fishy that could turn into a material weakness, you call or run to the audit committee chairman and inform them. Several members commented that external auditors could provide examples of bestpractice reporting on internal controls to the board. For example, a member said, [Our external auditor] should advise us on how to structure a dashboard for the audit committee. Audit chairs seek to broaden oversight of internal controls While the focus of audit committees has been to oversee the internal controls over audited financial reporting, EACLN members asked whether a more systematic approach should also be extended to internal 7 European Union, Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006, page See Corporate Governance Code Monitoring Committee, Dutch Corporate Governance Code (The Hague: Corporate Governance Code Monitoring Committee, 2008). Internal controls over financial reporting 4

5 controls in other areas, such as non-financial reporting, other types of financial communications and operations. Non-financial reporting and other types of financial communications A member remarked, Sarbanes-Oxley was about internal controls over financial reporting. Financial reporting is defined as financial statements of the company as opined on by the external auditor. But the reporting model has changed. There are things in the report and accounts that are disclosed but not audited. Indeed, research by Tapestry Networks and Ernst & Young has shown that non-financial information and metrics such as key performance indicators (KPIs) have become increasingly important to investors. 9 One member described a more comprehensive approach: My company has a disclosure committee that applies the same standard to the whole report. It approves and certifies [the entire report] using the same process. A systematic standard could be applied to several components of reporting: Key performance indicators. An investor interviewed for an issue of InSights remarked, I spend 15% or less of my time on accounting and financial information [I spend the remainder] on how the markets are developing, looking at non-accounting information such as [KPIs], which are very useful, and on [broader] changes which are driving [my] industry. 10 The unaudited part of the annual report. One member said, Investors rely on the information in the front half of the report that is not audited. Shouldn t we have an equivalent standard [for this information]? This information includes the management discussion and analysis and the operating and financial review. Other types of financial communications. Audit committees are reviewing communications such as press releases and presentations at investor meetings more frequently. Concerns include not only the internal controls that underpin the reliability of any metrics presented, but also tone, interpretation, and consistency across messages. 11 Operational controls A few members warned that a focus on internal controls related to reporting should not lead to a neglect of internal controls more broadly. Internal controls are an integral element of risk management in general. As a member explained in a pre-meeting conversation, Sarbanes-Oxley is focused on the integrity of financial reporting. It s not broad. For example, if you re about to design a product that might be a liability, Sarbanes-Oxley won t flag it you haven t sold it yet. But you could be about to blow up the company. At the meeting, a member noted, We go further than SOX. SOX is not enough in a production environment. The role of the external auditor Members discussed the appropriate role of the external auditor vis-à-vis non-financial information and the state of internal controls outside of financial reporting: Does the external auditor look at it? They look at 9 Tapestry Networks and Ernst & Young, The Financial Communication Challenge, InSights, November 2009, page Ibid. 11 See European Audit Committee Leadership Network, The Audit Committee Role in Financial Communication,, 8 May Internal controls over financial reporting 5

6 financial reporting obligations, but what about the opinion of the external auditor in looking at internal controls overall? One member was skeptical about broadening the formal audit of the annual report: I m not sure if we need the whole report to be audited. The auditors read the whole report and can ask questions. But another member believed that the external auditor should help the audit committee be more thorough in reviewing non-regulated information and sections of the report, as well as other materials provided to the public: The audit committee looks at the financial statements, but what investors and the public use is the slide presentation of 30 pages that is not reviewed by the external auditor and could be misleading. Now we review that at the audit committee level. We can t check every line and number. We use non-gaap indicators. They should be checked by the external auditor. The press release summarizes all this in two pages. Who checks the accuracy of the press release? We could be more organized about this. The control environment remains a key concern Despite the successes achieved through implementing Sarbanes-Oxley and improving internal controls, maintaining a good control environment continues to be a challenge. Worries over bribery and corruption contribute to this focus on the control environment. The ethical culture of the organization is a chief concern because culture is critical to success, yet hard to change. Tone at the top Members brought up the role of the CEO and other senior managers: The audit committee should start with tone at the top. Where are the CEO and his direct reports on the subject? If they are not communicating throughout the organization that they are serious about internal controls, then they are not serious. We had a frank discussion at the board level that the management team will comply with the spirit and letter of the law or they will have to go. The board made it a fundamental cultural change for the organization. A member remarked on the impact of a new CEO with a fresh stance: It was a turning point when the new CEO said that accounting and internal control systems are important. He did not want any surprises. That went through the organization. Tone in the middle and other aspects of the control environment Members also emphasized the importance of various other measures for ensuring discipline on internal controls. One member described the importance of shaping attitudes deeper in the organization: We are having serious discussions with middle management, and we have a zero-tolerance culture. This is the only way. Even with zero tolerance, it s [difficult] at the lower levels. You need a strong tone at the top and systematic procedures. Structural and procedural features of a program at one member s company, many of which were mentioned by other members as well, included the following: Compliance training. We get all the employees trained on compliance. A whistleblower line. We have a whistleblower line. We created an ombudsman in every country to encourage use of the line and also to receive complaints directly. We track calls and visits to the ombudsmen. A chief compliance officer. We appointed a chief compliance officer and created a global staff. Internal controls over financial reporting 6

7 Business ownership of compliance. The big change was to move compliance from the CEO and general counsel into the business. Now the CEO gets a compliance report every month from his direct reports. They are responsible for compliance in their business unit. Members also described a number of tactics that they were either using or considering in their audit committees to promote a strong culture of ethics and compliance: Summoning managers to the audit committee. If there is an unsatisfactory audit report, the manager has to come to the audit committee. That is a major slap. You will get fundamental culture change very quickly. Communicating results. We circulate a list of recurring deficiencies together with who has left [the company]. People learn from other people. Participating in training. All the board took the training, like everyone else. One member noted, It is mandatory. Linking results to remuneration. At some point, the audit committee should contribute to the remuneration committee s decisions on bonuses so they reflect less-than-satisfactory audit reports. The message would be that it comes with a cost Seeking insight from the external auditor. In a pre-meeting conversation, a member noted the importance of executive sessions with the external auditor: There are very direct and candid discussions with the external auditor. Warning signs of problems in the control environment Ernst & Young s audit committee member toolkit includes a section on internal controls that describes warning signs of possible problems in the internal control system. Regarding the control environment, the toolkit mentions a number of warning signs involving the integrity and behavior of key executives, management s operating style and commitment to competence, the board s oversight, organizational structure and human resources policies. A selection of these warning signs includes the following: 12 Lack of a written code of conduct, or a code that exists but is not communicated to all employees. Management does not take appropriate action in response to departures from approved policies. Management has an aggressive tendency with respect to selecting accounting principles and determining accounting estimates. Accounting, finance, and IT personnel do not have the competence and training needed to deal with the nature and complexity of the entity s business. The assignment of responsibilities is not clear within the entity (including responsibilities specific to information systems processing and program development). The entity does not have adequate procedures for establishing and communicating policies and procedures to personnel at decentralized locations (including foreign operations). 12 Ernst & Young, Audit Committee Member Toolkit (Ernst & Young Global Limited, 2009), pp Internal controls over financial reporting 7

8 Conclusion The last decade has seen a marked improvement in how companies manage and report on internal controls over financial reporting, a core area of oversight for audit committees. EACLN members assign a good deal of the credit to the Sarbanes-Oxley Act of 2002, which they view as having a major impact on the way internal controls are handled by large companies, including some companies that have never been listed in the United States. The rules-based approach of the Sarbanes-Oxley has established a high standard for companies and boards, and audit committees have developed a variety of practices to ensure that their oversight is effective. Audit chairs believe these practices and a more systematic approach could beneficially be extended to cover controls on non-financial reporting and operations, as well as currently unaudited financial communications. Meanwhile, audit chairs continue to worry about the control environment, especially the ethical culture of the organization. EACLN members pointed to the importance not only of ensuring the right tone at the top, but also of reaching out to middle management and insisting on incentive structures and other measures that support the proper culture throughout the organization. About this document The European Audit Committee Leadership Network is a group of audit committee chairs drawn from leading European companies committed to improving the performance of audit committees and enhancing trust in financial markets. The network is convened by Ernst & Young and orchestrated by Tapestry Networks to access emerging best practices and share insights into issues that dominate the new audit committee environment. is produced by Tapestry Networks to stimulate timely, substantive board discussions about the choices confronting audit committee members, members of management and their advisers as they endeavor to fulfill their respective responsibilities to the investing public. The ultimate value of lies in its power to help all constituencies develop their own informed points of view on these important issues. Anyone who receives may share it with those in their own network. The more board members, members of management and advisers who become systematically engaged in this dialogue, the more value will be created for all. The views expressed in this document represent those of the European Audit Committee Leadership Network, a group of audit committee chairs drawn from Europe s leading companies committed to improving the performance of audit committees and enhancing trust in financial markets. They do not reflect the views nor constitute the advice of network members, their companies, Ernst & Young or Tapestry Networks. Please consult your advisers for specific advice. Ernst & Young refers to all members of the global Ernst & Young organization. This material is copyright Ernst & Young and prepared by Tapestry Networks. It may be reproduced and redistributed, but only in its entirety, including all copyright and trademark legends. Internal controls over financial reporting 8

9 Appendix 1: Meeting participants The members of the network participating in the meeting sit on the boards of over 25 large-, mid- and small-capitalization public companies. Network members participating in all or part of the meeting included: Mr Aldo Cardoso, Audit Committee Chair, GDF SUEZ Mr Per-Olof Eriksson, EACLN Alumni Member, Biotage Mr Lou Hughes, Audit Committee Chair, ABB Mr Brendan Nelson, Audit Committee Chair, BP and RBS Mr Pierre Rodocanachi, Audit Committee Member, Vivendi Mr Hans-Joerg Rudloff, Audit Committee Chair, Rosneft Ms Guylaine Saucier, Audit Committee Chair, Areva and Danone Mr Tom de Swaan, Audit Committee Chair, Ahold and GlaxoSmithKline Dr Bernd Voss, Audit Committee Chair, Continental, and Audit Committee Member, ABB Mr Mario Zibetti, Internal Control Committee Chair, Fiat Group Ernst & Young was represented by: Mr Pieter Jongstra, Sub Area Managing Partner, Belgium and the Netherlands Mr Mark Otty, Area Managing Partner, EMEIA Mr Felice Persico, Assurance Managing Partner, EMEIA Mr Grady Summers, Principal, Advisory Services Internal controls over financial reporting 9

10 Appendix 2: Discussion questions for audit committees? Overall, what impact have regulations and guidance on internal controls had on your company? Which have been the most challenging or costly to implement? Does the financial crisis suggest that more could be done to improve internal controls?? What reports or other communications do you receive from management on internal controls and deficiencies in these controls? How do you focus on what s most important? How do you work with the internal auditor in overseeing controls? What particular challenges do IT systems present?? How do you work with the external auditor on internal controls? What additional support from the external auditor would be helpful?? Should more systematic oversight of internal controls be extended to non-financial reporting and other types of financial communications? What role should the external auditor play vis-à-vis these communications?? What aspects of the control environment do you worry about the most? How do you satisfy yourself that these aspects are sound?? How do you assess the leadership exercised by senior executives on internal controls? How do you ensure discipline on internal controls deeper down in the organization? Internal controls over financial reporting 10