External Audit and the Audit Committee


External Audit and the Audit Committee
Beyond the basics
Audit and Compliance Committee Conference
Kim Griffin-Hunter, Deloitte LLP

"An audit committee or audit committee member cannot insulate himself or herself from liability by burying his or her head in the sand. In every financial reporting matter we investigate, we will look at the audit committee."
Stephen Cutler, Former SEC Director of Enforcement

Agenda
The basics
  A review of roles and responsibilities
Beyond the basics
  Practices for improved effectiveness
  Current status and lessons learned The hard way
Hot topics
  IFRS, Top Board Concerns and Risk Intelligence

The Basics: Audit Committee Reform
Key Areas of Responsibility:
  Composition and Competencies
  Oversight of External Auditor
  Oversight of Financial Reporting
  Risk Oversight
  Ethics and Compliance

Timeline of Reform
Mid-1970s: Watergate Scandal and Investigation
1977: Foreign Corrupt Practices Act (FCPA)
Early 1980s: Increased Focus On Internal Control and Compliance
1985: National Commission On Fraudulent Financial Reporting (Treadway Commission)
1992: Committee of Sponsoring Organizations (COSO) Internal Control - Integrated Framework
1990s-2000: Continued Focus on Internal Control, Risk Management and Responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, Others)
2002: Sarbanes-Oxley Act of SEC/PCA OBAS NO Stock Exchange Governance Listing Standards
2004: PCAOB Auditing Standard No. 2

Common Audit Committee responsibilities
  Oversee the integrity of the financials
  Review financial-related disclosures
  Hire and oversee the external auditor, including selection of the lead partner
  Oversee internal audit
  Review internal controls
  Monitor risk exposures and ensure adequate disclosure
  Manage relationships among management, internal audit and independent auditors
  Review related-party transactions
  Whistleblower compliance
  Consider adequacy/quality of finance organization
  Oversight of compliance with laws and regulations (NYSE)
Deloitte Resource: Audit Committee Performance Evaluation

Composition and Competency
Sarbanes-Oxley Act
  Specific requirement for at least one audit committee financial expert
  Board independence requirements, which also apply to the audit committee
Stock exchanges
  Additional independence requirements
  Reiterated financial literacy requirements for all members of the audit committee
  Annual performance assessments required (NYSE only)
SEC Item 407 of Regulation S-K
  Enhanced disclosure of director business relationships
Deloitte Resources: New Corporate Governance Listing Standards; Deloitte Dbrief, What Do the New SEC Rules on Executive Compensation Mean for your Company?

Auditor Oversight
SEC Rule 10A and Sarbanes-Oxley Section 301 & 204
  Appoint, compensate, retain, and oversee independent auditor
  Preapproval of nonaudit services
  Hold timely discussions with the auditor regarding:
    Critical accounting policies and practices
    Alternative accounting treatments
    Material, written communications between the auditor and management
NYSE listing standards
  Meet periodically with the external auditor in executive session
  Set clear hiring policies
  Review quality control processes and results of practice/peer reviews
  Confirm auditor independence
Deloitte Resource: New Corporate Governance Listing Standards

Evaluating the External Auditor
To consider when choosing an external auditor:
Independence and quality control
  Example: What are the firm's processes for addressing compliance with independence and conflicts?
Firm and industry capabilities
  What are the firm's stats (size, industry presence, service capability, etc.)?
Engagement team
  Professional background of engagement team
Communications and service approach
  Approach to communicating with audit committee, how often, what types of communication?
Engagement planning and risk assessment
  Approach for assessing risk, how does the assessment impact the audit procedures?
Consultation and technical matters
  Process for resolving difficult or controversial issues
Fee structure
  How is the fee determined, what services are included?
Technology and value-added benefits
  How will use of technology provide value-added service?
Auditor change and transition
  What is the firm's transition plan for taking over the audit?
Deloitte Resource: Checklist for Gathering Information About the External Auditor

Oversight of Financial Reporting
Sarbanes-Oxley Act
  Audit committee reviews and discusses with management all Section 302 and 906 certifications
  Audit committee reviews management's report on internal control and the independent auditor's attestation on management's assertion
Stock exchanges
  Explicit requirements for charter include responsibility for oversight of the accounting and financial reporting process
Deloitte Resource: New Corporate Governance Listing Standards

Financial Reporting: Who's responsible?
Management responsibilities
  Responsible for financial reporting, accounting, internal controls
  Includes selection of accounting standards, judgments and estimates, adequate disclosure
  Must make certain quarterly and annual certifications
Auditor responsibilities
  Responsible for attestation of audited financial statements, and internal controls (for public companies subject to Section 404 of Sarbanes-Oxley)
  Required to communicate certain items to the audit committee
Audit Committee responsibilities
  Responsible for oversight of financial reporting, internal controls, external and internal audit
  Consider quality and adequacy of finance organization

Oversight of Ethics and Compliance
Sarbanes-Oxley requirements
  Oversight of whistleblower programs
  Code of ethics for senior financial management
  Require public disclosure of waivers to the code
Stock exchange requirements
  Extend code of ethics to employees and directors
Federal sentencing guidelines 2004 amendments
  Multiple requirements for the board
  Oversight of program, including monitoring of effectiveness
  Delegation of authority
  Board education on its compliance responsibilities
D&T Resource: Questions the Board Should Ask About Ethics and Compliance Programs

Risk Oversight
Stock Exchange Audit Committee responsibilities (NYSE)
  Discuss and consider risk assessment and management policies
  Meet with internal audit to discuss ongoing risk processes and systems of internal control
SEC's MD&A guidance
  Include in MD&A
    Insight into material opportunities, challenges and risks
    Known material trends and uncertainties
Source: Interpretation Commission Guidance Regarding Management's Discussion and Analysis of Financial Condition and Results of Operations; Securities and Exchange Commission; 17 CFR Parts 211, 231 and 241; [Release Nos ; ; FR-72]

Suggested Questions for Audit Committees to consider
The audit committee might consider asking the following:
  Has management evaluated the impact of the SEC's guidance on current efforts?
  How is management evaluating risk?
  What procedures and programs are in place to mitigate risks identified?
  Is additional controls rationalization necessary to facilitate a focus on the highest risk, key control areas?
  How does management plan to change its documentation and testing strategies as a result of the SEC guidance?
  Are there opportunities for the audit team to re-scope work?
  Has the audit team coordinated efforts with management's plans to implement the SEC guidance?
  Are there any areas where the auditor will not achieve efficiencies to the greatest extent because of efforts that management will/will not (did/did not) do?

Other Basic Practices
Audit Committee performance assessments
  Periodic self-assessment
  Include financial literacy considerations
  Auditors (indirectly) required to consider audit committee in the context of entity level controls
Continuing education
  Full committee or for individual members
  Public forums vs. customized training
Extensive reporting of relationships
  Annual director questionnaire to identify potential conflicts of interest
Deloitte Resource: Audit Committee Performance Evaluation (see also AICPA Conducting an Audit Committee Self-Evaluation)

Beyond the Basics
Key areas of focus
  Risk Intelligence
  Fraud Risk

Risk Aversion vs. Risk Intelligence
Risk aversion
Risk intelligence
Risk aversion ignores the basic principle of risk vs. reward
Companies should be averse to unrewarded risks (e.g., ethical and non-compliance risks)

Understanding the Company's Risk Profile
Board of directors
  Oversight of major organizational risks
  Determine extent and type of acceptable risk
  Monitor management process for various types of business risk
  Identify early warning indicators
  Keep pace with the changing strategic environment and key business risks
  Understand management's mitigation of risks
Financial Risk vs. Financial Reporting risk
Source: Report of the NACD Blue Ribbon Commission on: Audit Committees

Understanding the Company's Risk Profile (cont.)
Audit Committee
  Oversight of financial risk
  Understand organization's principal financial reporting risks
  Assess organization's internal controls
    Objectives
    Areas for remediation
    Management override considerations
  Foster a strong internal control environment
  Oversight of fraud risk assessment

Fraud Oversight Responsibilities
Fraud risk assessment
  Oversee the management's processes and understand identified fraud risks
Antifraud control environment
  Strong tone emphasizing ethical behavior
Design and implementation of antifraud programs and control activities
  Oversee management's process for matching control activities with fraud risks
Communicating and sharing information
  Company's philosophy on fraud prevention
Monitoring activities
  Ongoing assessment of quality and effectiveness
Deloitte Resource: Fraud and the Role of the Audit Committee

If something goes wrong?
Questions that will be asked with the benefit of hindsight.
  Was the committee sufficiently involved or simply listeners?
  Did they demonstrate an appropriate level of skepticism?
  Was the whistleblower hotline effective or simply in place to comply with regulatory requirements?
  Were they simply checking the box?
  Did it even occur to the audit committee that those who design the control processes can override them?
Source: AICPA Management Override of Internal Controls: The Achilles' Heel of Fraud Prevention

Audit Committee Effectiveness Blockers
  Responsibility for establishing the Audit Committee meeting agendas is delegated to management
  Meeting materials distributed without enough time for thoughtful review
  Meeting scheduled at same time as other board committee meetings
  Executive sessions with the auditor are on an as-needed basis
  Meeting timeline is too tight; important topics breezed over in the interest of time
  Management screens materials and topics suggested by external auditor

Hot Topics
Key areas of focus
  IFRS
  Top board concerns in 2008
  Risk Oversight and Risk Intelligence

Hot Topics: IFRS
Globally there is a significant movement towards a single financial reporting standard: International Financial Reporting Standards (IFRS)
Ongoing evolution of regulatory standards
  International Accounting Standards Board (IASB) and the Financial Accounting Standards Board (FASB) have reaffirmed convergence efforts
  Greater cooperation amongst regulators on IFRS application issues
Movement in the U.S. to simplify financial reporting
  SEC Proposing Release regarding use of IFRS by U.S. issuers
Considerable movement towards mutual recognition of financial reporting frameworks between the U.S. and the EU
  U.S. GAAP in EU: Equivalence Initiative
  IFRS in U.S.: IFRS Roadmap

Hot Topics: IFRS (cont.)
Recent regulatory developments:
  SEC concept release on allowing U.S. issuers a choice between IFRS and U.S. GAAP
  Elimination of U.S. GAAP reconciliation for foreign private issuers using IFRS
  FASB panel discussion of U.S. moving to IFRS
  Encouragement from stakeholders for the SEC to set a definitive timeline for conversion to IFRS
SEC IFRS roundtable August 2008
  Discussion on performance of IFRS and U.S. GAAP during credit crisis
  Consensus that IFRS held up well, if not better than U.S. GAAP
  Fair value still remains a challenge under both standards
  Discussion on areas where continued convergence is needed

Hot Topics: IFRS (cont.)
SEC proposing release sets the stage for possible mandatory adoption of IFRS by U.S. issuers beginning with fiscal years ending after December 15, 2014 for large accelerated filers
  Roadmap contains certain milestones to be achieved
  SEC Commission to review milestone progress in 2011 before issuing a final rule for mandatory adoption
Proposed rule to permit certain U.S. issuers the option to use IFRS for fiscal years ending after December 15, 2009
  Three years of financial statements must be presented
  Issuers must be in the top 20 companies in their industry based on market capitalization, and their industry peer group must predominantly report under IFRS

Hot Topics: IFRS (cont.)
Several internal and external drivers are strengthening the case for voluntarily adopting IFRS. The key drivers of interest are as follows:
Internal drivers
  Opportunity to streamline a disjointed financial reporting process
  Ability to reduce cost of statutory reporting by developing standardized training programs and to reduce third party fees related to statutory reporting
  Availability and more efficient use of resources
  Opportunity to improve internal controls, since statutory reports are often prepared as a manual conversion from U.S. GAAP
External drivers
  Regulatory developments: SEC may allow US companies to report in IFRS
  Concern the competition may adopt IFRS, thus creating an expectation from analysts and shareholders that IFRS information is necessary and/or required
  Globalization of capital markets: A single, global set of accounting standards can facilitate easy access to foreign capital markets, lowering the cost of borrowing for companies

Hot Topics: IFRS (cont.)
Long term strategy for management
Management's development of the right long-term implementation strategy is very important for a successful IFRS conversion. Important considerations include:
  Tentative IFRS transition and reporting dates, which will likely differ
  Alignment with other finance transformation or accounting initiatives may impact the implementation plans
  Training/deployment of the right resources may require substantial lead time

Hot Topics: IFRS (cont.)
Illustrative multi-year strategy
[Figure: timeline with the years 2008, 2011 and 2012 marked, showing the transition date and the reporting date. Activities shown: Awareness; Assessment; Planning; Roadmap; Initial Training; Statutory Implementations; Select Exemptions under IFRS 1; Preparation of IFRS Opening Balance Sheet; Dry Runs; US GAAP and IFRS Opening Balances; Quarterly IFRS Reporting; Investor Communications; Audit Procedures; Transition to IFRS; Quarterly Reporting; Convert Systems; Rationalization and standardization of statutory reporting; IFRS competence.]

Top Board Concerns in 2008
Risk Oversight & Risk Intelligence

Hot Topics: Top Board concerns
Concerns clouded 2008 proxy season horizon: Top four influencers for 2008
Credit Crisis
  Focus on risk management, compensation and board accountability
  The impact of the credit crunch and market conditions on financial institutions and other market participants
2008 Election Year Impact
  Presidential contenders tap populist anger on executive pay
  Changes at SEC
Global Convergence of Standards
  Imports: Majority Voting, Say on Pay, Special Meetings
  Climate change and sustainability
Director Election Reforms
  More meaningful elections (majority voting, access)
  Investors on board (rise of hedge fund activism)

Hot Topics: Risk oversight
  Six years ago, the Sarbanes-Oxley Act caused companies to focus much time and effort on financial reporting risk
  Today, many companies have a much better understanding of financial reporting risk exposures and have made great strides in implementing appropriate controls
  Attention is turning to a broader set of enterprise risks
  Executives are expected to create value as well as protect it
  Failure to do so can negatively impact shareholder value and reputation
  Creating value means managing rewarded risks

Hot Topics: Risk oversight (cont.)
Audit Committee leading practices and trends
  Increase focus on risk intelligence and assessment, particularly for financial statement and IT risks
  Avoid having risk monitoring become overly dependent on forms or tools
  Periodically reassess the list of top risks, determining who in management and which committee of the board owns them
  Focus on IT milestones and reporting against them, especially IT transformation
  Review acquisitions, including risks, relevant integration milestones, and return on investment

Hot Topics: Getting to Risk Intelligence
[Figure: Performing the Risk Assessment; Putting the various assessments together; Information sharing to create Risk Intelligence. Functions shown: Finance; Sales and Marketing; Operations; Information Technology; Legal / Corporate Compliance; Human Resources; Supply Chain.]

Hot Topics: Risk Oversight
The Changing Business Risk Environment
Enterprise Business Risk
  Unprecedented regulatory complexity
  Higher standards of accountability
  Increased public disclosure
  Lower risk tolerance
Regulation: Sarbanes-Oxley, SEC, NASDAQ
Governance: Board and Audit Committee Expectations
Capital Markets: Investors, Analysts, Lenders
Other: Competitive Pressure, Public Perception, Networked Economy

Hot Topics: Risk Intelligence fundamentals
In a Risk Intelligent Organization:
  A common definition of risk, which addresses both value preservation and creation, is consistently used
  A common risk framework supported by appropriate standards is used to manage risk
  Key roles, responsibilities, and authority relating to risk management are defined and delineated
  A common risk management infrastructure is used to support the business units and functions in their risk responsibilities
  Governing bodies (e.g., Boards, Audit Committees) have transparency and visibility into the organization's risk management practices
  Executive Management is charged with responsibility for designing, implementing and maintaining an effective risk program
  Business Units are responsible for the performance of their business and management of risks they take within the established risk framework
  Certain functions (e.g., Finance, IT, Legal, HR) have a pervasive impact and provide support to the business units as it relates to the risk program
  Certain functions (e.g., Internal Audit, Risk Management, Compliance) provide objective assurance as well as monitor and report on the effectiveness of the risk program to Governing Bodies and Executive Management

Deloitte Resources: Corporate Governance
Audit Committee Resource Guide
Audit Committee Performance Evaluation (sample questionnaire)
Dbriefs Webcasts
  Available series focused on Audit Committee and governance trends and developments:
Center for Corporate Governance Web Site:
  Publicly available site to access key resources on governance and related issues. Provides the latest research and information on leading practices for directors and board committees

Deloitte Resources: Risk Intelligence
For further assistance with the Risk Intelligence Map:
  Risk Intelligence Map Development Team: US AERS Risk Intelligence Map
  Visit the Risk Intelligence Map Homepage ( 9202)
  Additional Risk Intelligence materials

Thank you for your time today!

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.