
options to the audit committee representative.

• These services are brought to the attention of the audit committee and approved by them prior to the completion of the audit.

These exceptions give the external audit firm and the audit committee some flexibility. However, the nature and accumulated dollar value of these additional nonaudit services must be carefully monitored throughout the course of a fiscal year to maintain a level of compliance. The CAE should become involved in this process to help ascertain that all provided extra services continue to be in compliance with the SOA rules. In addition, when an audit committee approves any nonaudit services, these must be disclosed to investors through the annual proxy statement.

SOA allows that the audit committee may delegate this nonaudit services preapproval authority to one or more of the outside directors on the audit committee. This would reduce the strain of handling lengthy audit committee business matters, but will put even more responsibility on a few audit committee members over and above the many new legal responsibilities mandated by SOA.

Chapter 8 discusses potential roles for internal audit to better serve their audit committees in much greater detail.

(iii) External Audit Partner Rotation. Another section of SOA Title II makes it unlawful for a public accounting firm’s lead partner to head an audit engagement for over five years. This is a matter that the major public accounting firms had self-corrected well before SOA. Lead partners from the major firms had been rotated on a regular basis, although there may have been exceptions with smaller firms and smaller engagements. While lead partner rotation had been common, SOA makes the failure of a firm to rotate a criminal act.

SOA does not really address the common practice in audit partner rotation where a given person will play the lead on an audit and then continue to serve in an advisory role after his or her term. That advisory role partner can often maintain the same level of responsibility as the designated lead partner. If the CAE sees this situation as a potential violation of SOA rules, the matter should be discussed with the chair of the audit committee for possible action.

Full audit partner rotation may bring a challenge to the internal audit function. Internal audit may have been working comfortably with the designated audit partner and the associated team. Internal audit practices for working with a new audit team or responsible audit partner are discussed later in this chapter.

(iv) External Auditor Reports to Audit Committees. External auditors have always communicated regularly with their audit committees in the course of the audit engagement as well as for other matters of concern. In the aftermath of Enron and other corporate scandals, however, the level of communication was often found to have been limited. Prior to SOA, a member of management might negotiate a “pass” from the public accounting partner on a suggested accounting treatment change, but the matter often was only reported to the audit committee in the most general of terms if at all.

SOA has changed this. External auditors now are required to report on a timely basis all accounting policies and practices to be used, alternative treatments of financial information discussed with management, alternative financial accounting treatments, and the approach preferred by the external auditor. The whole idea here is that external auditors must report to the audit committee any alternative accounting treatments, the approach preferred by the external auditors, and management’s approach. This really says that if there are disputed accounting treatments, the audit committee should be well aware of the actions taken.

This requirement really points to the need for good audit committee documentation. While board members not serving on the audit committee may not be accustomed to this SOA level of required documentation, the CAE can assist here by suggesting the types of documentation approaches that internal audit uses on a regular basis. Chapter 8 discusses audit committee responsibilities under SOA and areas where internal audit can be of help.

(v) Conflicts of Interest and Mandatory Rotations of External Audit Firms.

As discussed previously, it had been common for members of the external audit firm team to get offers to move to their audit client firms as a CFO or other senior financial positions. SOA Title II, Section 206 now prohibits external auditors from providing any audit services to a firm where the CEO, CFO, or chief accounting officer participated as a member of that external audit firm on the same audit within the last year. This really says that an audit partner cannot leave an audit engagement to begin working as a senior executive of that same firm that was just audited. There were some really outrageous examples of this switching of roles as part of the Enron scandal. As discussed at the beginning of this chapter, Enron was perhaps the most notorious of corporate wrongdoers, and many of the questionable actions that Enron took became a playbook for SOA regulations.

The SOA prohibition is limited to public accounting partners, and external audit staff members and managers can still move from the public accounting firm team to various positions in the auditee’s organization. In addition, the CAE is not included in this prohibition. There continues to be value for some persons beginning their careers in public accounting and then moving to junior or mid-level management positions at organizations where they were assigned as auditors.

Initial drafts of SOA proposed, in addition to required partner rotation, mandatory audit firm rotation. It was initially proposed that an organization was required to change its external auditors periodically. That was met with massive objections from the major public accounting firms and from many corporations. Today, many organizations retain their external audit firms for decades.

Both sides feel that such long relationships foster a better understanding of the organization being audited. In addition, when an organization changed auditors under the auditing standards in the past, it often raised investor questions.

The feeling of many audit partners as well as corporate executives was that continuous audit services to one organization built up a level of trust to promote more efficient and better audits. While organizations do not change auditors that regularly, the fall of Andersen saw its past clients searching for a new external auditor.

In the final versions of SOA, mandatory auditor rotation was put on hold.

The General Accounting Office (GAO) was mandated to perform a one-year review and study the potential effects of mandatory auditor rotation. The GAO study was released in December 2003 with recommendations for mandatory rotation. The result of this study was a series of howls from public accounting critics, no rotation at present, and perhaps some changes in the future.

(c) SOA Title III: Corporate Responsibility

While SOA Title II set up new rules for external auditor independence, Title III prescribes audit committee performance standards, a large set of new rules, and some major regulatory changes for audit committees that were not all that regulated until recently. This is an area where internal auditors should have a greater level of interest as well as a role. New York Stock Exchange–listed companies as well as banks have been required to have audit committees composed of independent directors, and NASDAQ passed similar rules in late 2003.

However, beyond that, there were few governance rules covering corporate audit committees. SOA has changed all of that!

SOA Title III established a wide range of new rules for audit committees.

The audit committee that in the past did little more than approve internal and external audit annual plans now has some significant responsibilities. In some respects, the SOA legislation raised the role of the audit committee to a very high status in the organization. Internal audit should recognize this role and provide support whenever appropriate.

(i) Public Company Audit Committee Governance Rules. Under SOA, all listed companies in the United States are required to have an audit committee composed of only independent directors. The firm’s external audit firm is to report directly to the audit committee, which is responsible for their compensation, oversight of the audit work, and the resolution of any disagreements between external audit and management. While major corporations in the United States have had audit committees for some years, these rules have tightened and have very much changed. Many other companies with smaller boards of directors, often dominated by insiders, have had to make some major adjustments. Internal audit departments have had a reporting relationship to their audit committees for some years as well. However, that was often a weak link in the past. The CAE often had a nominal direct line reporting relationship to the audit committee with a very strong dotted line to the CFO. Internal audit reported to and met with the audit committee on a quarterly basis, concurrent with board meetings, but with limited interim communications. That reporting link must now be much stronger and more active.

Each member of the board’s audit committee must be a totally independent director. To be considered independent, an audit committee member must not accept any consulting or other advisory fees from the organization and cannot be affiliated with any subsidiary or related unit of the organization. In the past, some corporations have lavished “consulting fees” on their outside directors as a means of compensation or reward. Since they now cannot pay these consulting fees to audit committee directors, the total extent of these often-lavish corporate director rewards will almost certainly decline.

SOA and SEC regulations regarding audit committee members now require that at least one member of the audit committee be a “financial expert.” Per current SEC regulations, a “financial expert” is a person who, through education and experience:

• Understands GAAP and financial statements

• Is experienced in preparing or auditing financial statements of comparable companies and applying these principles in connection with accounting for estimates, accruals, and reserves

• Is experienced with the structure and nature of internal controls

• Has had experience with audit committee functions or operations

These are rather stiff rules for audit committee member qualifications since many independent board member candidates, who might otherwise be natural candidates to serve on an audit committee, would have difficulty qualifying as such a “financial expert.” These qualification rules will almost certainly be somewhat relaxed over time.

Audit committees are to establish procedures to receive, retain, and treat complaints and to handle whistleblower information regarding questionable accounting and auditing matters. This really says an audit committee must become effectively almost an ongoing separate entity rather than a subset of the board that flies to some location and meets quarterly. While SOA allows the audit committee to hire independent counsel and other advisors, an organization’s internal audit function can be a good resource to help establish these procedures. Internal audit is a truly independent resource within an organization and can be a major resource in helping the audit committee become SOA compliant.

An ethics department is another often quasi-independent function that exists in many larger corporations that can help an audit committee launch a whistleblower function. These corporate ethics functions are built around corporate codes of conduct and often have a hotline-type function to allow employees to point out a reported theft or to complain about some form of harassment.

Both the U.S. Sentencing Commission’s Organizational Sentencing Guidelines, introduced in Chapter 9, “Whistleblower Programs and Codes of Conduct,” and the COSO internal control standards, covered in Chapter 4, talk about the need for strong ethics standards in an organization. Internal audit can be a natural resource to help launch and facilitate effective ethics and whistleblower functions for the audit committee.

The whistleblower function described in SOA covers reported information regarding questionable accounting and auditing matters. SOA is trying to address an issue reported during the Enron debacle where an accounting department employee tried to get the attention of the external auditors or an Enron financial officer to recognize some improper accounting transactions. The employee’s concerns were rebuffed. An ethics whistleblower or hotline function can often provide help in this type of situation. Today, ethics functions are often tied to the human resources department or are otherwise not viewed as independent of senior management. Internal audit can act as a conduit for SOA accounting and auditing whistleblower reports.

(ii) Corporate Responsibility for Financial Reports. Prior to SOA, organizations filed their financial statements with the SEC and published the results for investors, but the responsible corporate officers who authorized those reports were not personally responsible. The bar has now been raised! The CEO, the principal financial officer, or other persons performing similar functions must certify for each annual and quarterly report filed that:

• The signing officer has reviewed the report.

• Based on that signing officer’s knowledge, the financial statements do not contain any materially untrue or misleading information.

• Again based on the signing officer’s knowledge, the financial statements fairly represent the financial conditions and results of operations of the organization.

• The signing officers are responsible for:

1. Establishing and maintaining internal controls.

2. Have designed these internal controls to ensure that material information about the organization and its subsidiaries is made known to the signing officers during the period when the reports are prepared.

3. Have evaluated the organization’s internal controls within 90 days prior to the release of the report.

4. Have presented in these financial reports the signing officer’s evaluation of the effectiveness of these internal controls as of that report date.

• Signing officers have disclosed to the auditors, audit committee, and other directors:

1. All significant deficiencies in the design and operation of internal controls that could affect the reliability of the reported financial data and have, further, disclosed these material control weaknesses to the organization’s auditors.

2. Any fraud, whether or not material, that involves management or other employees who have a significant role in the organization’s internal controls.

• Have indicated in the report whether there were internal controls or other changes that could significantly affect those controls, including corrective actions, subsequent to the date of the internal controls evaluation.

Given that SOA imposes criminal penalties of fines or jail time on individual violators of the act, these signer requirements place a heavy burden on responsible corporate officers. Corporate officers must take all reasonable steps to make certain that they are in compliance. There is a provision here that these requirements still apply even if the organization has moved its headquarters to outside of the United States. In 2000 and 2001, there were numerous U.S. corporations that moved corporate registration to offshore locations, such as Bermuda, primarily for income tax purposes.

This personal sign-off requirement has raised major concerns from corporation CEOs and CFOs. This requirement will cause a major amount of additional work for the accounting and finance staffs preparing these reports as well as signing officers. An organization needs to set up detailed paper-trail procedures so that the signing officers are comfortable that effective processes have been used and the calculations to build the reports are all well documented. The organization may want to consider using an extended sign-off process where staff members submitting the financial reports sign off on what they are submitting.

Internal audit should be able to act as an internal consultant and help senior officers establish effective processes here. The audit workpaper model, with extensive cross-references, might be a good approach. Exhibit 3.5 provides an example Officer Disclosure Sign-Off type of statement that officers would be requested to sign. This exhibit is not an official PCAOB form, but is based on an SEC document, showing the types of things an officer will be asked to certify. We have highlighted a couple of important phrases here in bold italics. Under SOA, the CEO or CFO is asked to personally assert to these representations and could be held criminally liable if incorrect. While the officer is at risk, the support staff—including internal audit—should take every precaution possible to make certain the package presented to the senior officer is correct.

EXHIBIT 3.5

Sample Officer Disclosure Signoff

CERTIFICATE OF AN OFFICER REGARDING SARBANES-OXLEY COMPLIANCE

Certification: Understanding that we intend to rely upon these statements, the undersigned hereby certifies, represents, and warrants to each of them and to the Company as follows:

1. I have read those portions of the accompanying draft of the covered filing that relate directly