When Internal Audit Is Impotent or Absent – What Is The Board’s Role?
By Francine • Sep 9th, 2008 • Category: Pure Content
On August 18, 2008, Edith Orenstein’s FEI Blog reported on actions by FEI’s Task Force on Monitoring (TFM). In a comment letter filed on Aug. 15, 2008, FEI urged the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to revise the proposed description of the role of the board of directors in its Exposure Draft entitled, “Guidance on Monitoring Internal Control Systems.”
FEI seeks to clearly state the role of the Board of Directors as one of oversight, and to better distinguish the Board’s role with respect to internal control from that of management.
“Companies should endeavor to establish controls that would prevent and detect potential fraud perpetrated by senior management, all the way up to the CEO,” said the FEI TFM letter on COSO’s ED. Additionally, “In conducting its oversight role, the board should be proactive in seeking information from management, particularly on critical matters, in considering management’s assertions, and seeking information from other sources as appropriate. Importantly, the board should review all such information with requisite skepticism,” noted the FEI TFM letter.
“However,” noted FEI TFM, “the wording in COSO’s ED as currently written implies that if internal audit is not present, or even potentially in situations when it is, that the board must directly engage in ‘monitoring’ senior management in the same manner that senior management monitors other functions at the company. We do not see this as practical or as being within the bounds of the oversight role of boards.”
It seems this approach is consistent with major listing standards, such as the NYSE Listed Company Manual. Additionally, the FEI TFM had informal discussions with research staff at the National Association of Corporate Directors (NACD), citing usage from the NACD Blue Ribbon Commission series, as well as informal discussions with legal experts Marty Lipton of Wachtell, Lipton, Rosen & Katz and Ira Millstein of Weil, Gotshal & Manges LLP; they (NACD research staff, Lipton and Millstein) concurred that it would be preferable for COSO to retain use of the word ‘oversight’ to describe the role of the board within its monitoring guidance – consistent with COSO’s description of the role of the board in COSO’s 1992 framework as being ‘governance, guidance and oversight’ – vs. describing the role of the board as ‘monitoring,’ given the specificity with which ‘monitoring’ is described in this guidance.
Well, this may seem like a non-starter to you, but it sounded funny to me. In particular, I was struck by the language above that refers to the role of the Board when there is no internal audit function. I have seen situations where there is no internal audit function or when internal audit is a part of the problem (at a material weakness level) and not part of the solution.
I have written about these cases extensively. They include Sirva, Ceridian, Navistar, and now Siemens (although, as I have written, Siemens has a general culture of corruption and their auditors, lawyers and consultants are no help). The granddaddy of all conflicted, non-helpful internal audit departments is Enron. You may not realize it, but in addition to being their external auditor and chief consultant, Arthur Andersen was also Enron’s outsourced internal audit department. How convenient…
The question: Should the Board of Directors take a more active “management role” in ensuring internal controls are in place when there is no internal audit or it is deficient, such as in Siemens, Navistar, Ceridian, Sirva?
Chief Audit Executives (CAE) – Regardless of their ethics, and particularly in a poor economy, CAEs have careers to safeguard and families to feed. As a result of SOx, most CAEs officially report to the Audit Committee. However, in most cases, there is a “not so dotted” line to the CFO who, more likely than not, is responsible for the CAE’s annual performance appraisal.
The Big 4 – Given the immense pressure that Big 4 partners are under to produce, no Big 4 partner wants to be the one to lose a Fortune 100/500/1000 client, whether it is an audit client, tax client, or consulting client (internal audit, SOX, etc.) over a “silly thing” like internal controls. Of course, no partner wants to be held accountable for a re-statement, so firms have been more willing to put their foot down in this arena post-SOx.
The Audit Committee and the Board – Board member oversight usually consists of 4-10 meetings per year with management to review rehearsed, often sanitized, presentations prepared by management to accomplish two things: a) to get Board approval for any items requiring Board approval, and b) to keep the board happy and not “rock the boat” or upset the board in any way. In addition, the Board meets with the external auditors (Big 4 partners from above), and the CAE (above).
Over the past few years various changes in the environment post-Enron have increased Board Member liability and the overall “Fear Factor”, but what is really at risk? Most board members don’t really need the income from their participation in boards. It’s primarily a power and prestige ego trip. Board members are covered by various insurance policies and Corporate SEC counsels are careful to make sure each Board and Committee complies with all their legal requirements to avoid being considered negligent, which is the only time an insurance policy might not pay.
SOx made some effort to limit the extent to which corporate senior executives and the external audit partners became less than independent by requiring the rotation of audit partners, but it did no such thing to prevent the same thing from occurring on corporate boards and audit committees. Perhaps such a requirement would help reduce this possibility.
So back to your original question – I believe Boards and Audit Committees need to take a more active role, but may often lack the independence, determination or reliable means to do so.