8.1 Role of the Audit Committee

8.2 Audit Committee Organization and Charters

8.3 Audit Committee’s Financial Expert and Internal Audit

8.4 Audit Committee Responsibilities for Internal Audit

(a) Appointment of the Chief Audit Executive

(b) Approval of Internal Audit Charter

(c) Approval of Internal Audit Plans and Budgets

(d) Review and Action on Significant Audit Findings

8.5 Audit Committee and External Auditors

8.6 Whistleblower Programs and Codes of Conduct

8.7 Other Audit Committee Roles

8.1 ROLE OF THE AUDIT COMMITTEE

A significant step in organizing an effective internal audit function is to obtain authorization and approval by the organization’s audit committee of the board of directors. The audit committee provides this broad authorization for an internal audit function through a formal audit charter document. An audit committee also approves internal audit’s overall plans for continuing activities through the current period and beyond. As one of the several operating committees established by the board, the audit committee has a rather unique role compared to other board committees. It consists of only outside directors—giving it independence from management—and should be composed of a specially qualified group of outside directors who understand, monitor, coordinate, and interpret the internal control and related financial activities for the entire board. As was discussed in Chapter 3, “Internal Audit in the Twenty-First Century: Sarbanes-Oxley and Beyond,” one of those audit committee members must be designated as a “financial expert” per Sarbanes-Oxley Act (SOA) rules. In order to fulfill its responsibilities to the overall board of directors, to the stockholders, and to the public, an audit committee needs an internal audit function to become an independent set of “eyes and ears” inside of the organization, providing assessments of internal controls and other matters.

The comments in this chapter are based on a corporate structure organization such as a company with SEC registered stock. Other nonpublic organizations will benefit from this audit committee structure as well. For example, many not-for-profit private organizations are large enough to have a formal board of directors and an internal audit function. Although not mandated by SOA and SEC rules, these types of organizations will benefit from a board audit committee of only independent directors. An internal auditor in that form of organization would benefit both the internal audit function and the overall organization management by suggesting this type of audit committee approach.

While external auditors have a prime responsibility to an organization’s board of directors for attesting to the accuracy and fairness of financial statements, internal audit has an even larger role in assessing internal controls over the reliability of financial reporting, the effectiveness and efficiency of operations, and the organization’s compliance with applicable laws and regulations.

Corporate boards of directors have had formal audit committees for some time, and internal audit has always had a long-term reporting relationship to their board of directors’ audit committee. However, much has changed since the introduction of SOA in mid-2002. In past years, many audit committees met only quarterly for often brief sessions in conjunction with regular board meetings; those meetings were often limited to little more than approving the external auditor’s annual plan, their quarterly and year-end reports, and reviewing internal audit activities on what appeared to be little more than a perfunctory basis.

While NYSE rules, even prior to SOA, required that audit committees consist of only outside directors, many audit committee directors in the past often appeared to be “buddies” of the CEO with apparently little independent action.

While internal audit’s chief audit executive (CAE) has always had a direct reporting relationship to the audit committee, this often was little more than a theoretical relationship in which the CAE had limited contact with the audit committee beyond scheduled board meetings. SOA has now changed all of that!

A major issue that evolved from the collapse of Enron and related financial scandals at that time was the publicity and testimony that boards and their audit committees were not exercising a sufficient level of independent corporate governance. The Enron audit committee was frequently highlighted as an example of what was wrong. It was reported to have met some 30 minutes per calendar quarter prior to the fall of Enron. Given the size of the corporation at that time and the many directions it was pursuing, the Enron audit committee’s attention appeared to be limited at best.

Even before the fall of Enron, the SEC was becoming interested in seeing audit committees acting as more independent, effective managers of a company's external and internal auditors. Also, what was called the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees was formed in 1999 by the NYSE, SEC, AICPA, and others. It issued a series of recommendations on improving the independence, operations, and effectiveness of audit committees. The stock exchanges then adopted new independent director audit committee standards as listing requirements to be phased in over the next 18 months, and the then Auditing Standards Board of the AICPA raised standards for external auditors with respect to their audit committees. The subsequent financial failure of Enron and other companies showed that these earlier audit committee initiatives were not enough. The result was the legislative work that led to SOA.

This chapter discusses the expansion of the responsibilities of board of directors’ audit committees since the passage of SOA and how an internal audit function can best serve its audit committee. Although an audit committee will typically have regular contacts primarily with the CAE, all internal auditors should have an understanding of this very important relationship. We will discuss heightened audit committee responsibilities and how internal audit can better work with an audit committee under SOA rules.

8.2 AUDIT COMMITTEE ORGANIZATION AND CHARTERS

An audit committee is an operating component of the board of directors with responsibility for internal controls and financial reporting oversight. Because of this oversight responsibility, audit committee members must be independent directors with no connection to organization management. There are no size restrictions, but a full board with 12 to 16 members will often have a 5- or 6-member audit committee. An audit committee may invite members of management or others to attend audit committee meetings and even to join in on the committee’s deliberations. However, any such invited outside guests cannot be full voting members. An organization’s board of directors is a formal entity given the responsibility for the overall governance of that audit committee for its investors or lenders. All members of the board can be held legally liable through their actions on any issue, and a board and its committees enact most of its formal business through resolutions, which become matters of organization record.

The organization of the board’s various committees, including the audit committee, is established through such a resolution. Exhibit 8.1 is a sample board resolution to establish an audit committee. This type of resolution is documented in the records of the board and not revised unless some circumstances require a change.

The Exhibit 8.1 resolution authorizing the audit committee is an example of the manner in which a board of directors sets rules for itself. Such resolutions are an example of corporate governance—setting the rules by which a corporation operates. Really not published in annual reports and the like, the existence of appropriate board resolutions only becomes an issue in matters of regulation and litigation when a board needs to rely on an authorizing resolution. Many corporate board audit committee authorizing resolutions were updated in 2002 to make them compliant with SOA.

While not a necessary requirement, many corporate internal audit functions regularly operate through a formal audit charter, a document approved by the board audit committee and senior management that outlines internal audit’s role and responsibilities. Although the IIA provided some guidance for drafting an internal audit charter, these internal audit charters did not follow any specific standards or format but formally stated, among other matters, that internal audit had full access to all records and facilities within the organization. Internal audit charters are discussed in Chapter 1, “Foundations of Internal Auditing,” and cover an internal audit function but not the corporate board audit committee. The NYSE had suggested proposed board audit committee charters in December 1999 but with no requirement that an audit committee should have such a charter. SOA has now mandated that each audit committee must develop a formal audit charter to be published as part of the annual proxy statement.

EXHIBIT 8.1

Board Resolution Example: Authorizing the Audit Committee

ExampleCo Corp Board of Directors

Board Resolution No. XX, MM DD, 20YY

The Board of Directors authorizes an audit committee to consist of five directors who are not officers of ExampleCo. The Board will designate one member of Audit Committee as a Financial Expert, per the requirements of the Sarbanes-Oxley Act, and elect one member to serve as its chair for a term of three years. The ExampleCo Chief Executive Officer may attend Audit Committee meetings as a nonvoting member at the invitation of the Audit Committee.

The ExampleCo Audit Committee is responsible for:

• Determining that ExampleCo internal controls are effective and formally reporting on the status of those controls on an annual basis with quarterly updates.

• Recommending an external auditor to be selected on an annual basis through a vote by the shareholders.

• Taking action, where appropriate, on significant control weaknesses reported by internal audit, the external auditors, and others.

• Approving an annual plan and budget submitted by the external auditor.

• Approving annual audit plans to be submitted by the outside auditor as well as by internal audit.

• Approving the appointment and ongoing service of Internal Audit’s Chief Audit Executive.

• Approving the annual internal audit plan and recommending areas for additional audit work as appropriate.

• Reviewing and distributing the audited financial statements submitted by the outside auditor.

• Establishing an ExampleCo whistleblower program that allows officers, employees, and other stakeholders to report financial accounting errors or improper actions and to investigate and resolve those whistleblower calls without any retribution to the original whistleblower.

• Circulating a Code of Ethics to senior officers and obtaining their assent on a quarterly basis.

• Initiating appropriate actions based upon any recommendations by the outside auditor or the Director of Internal Audit.

• Maintaining records on other consulting activities as mandated by the Sarbanes-Oxley Act.

An Audit Committee meeting will be held at least concurrently with each Board meeting and at other times as required.

The Audit Committee will meet privately with the outside auditor or the Chief Audit Executive to assess the internal control environment and to evaluate the independence of the audit function.

Approved: Corporate Secretary

The purpose of a board audit committee charter is to define the audit committee’s responsibilities regarding:

• The identification, assessment, and management of financial risks and uncertainties

• The continuous improvement of financial systems

• The integrity of financial statements and financial disclosures

• Compliance with legal and regulatory requirements

• The qualifications, independence, and performance of independent outside auditors

• The capabilities, resources, and performance of the internal audit department

• The full and open communication with and among the independent accountants, management, internal auditors, counsel, employees, the audit committee, and the board

The audit committee is required to go before the overall board of directors and obtain authorization, through this charter document, for board audit committee activities just as the CAE, representing the corporate internal audit function, has regularly gone before the board audit committee. This audit committee charter is to be published annually as part of the organization’s annual meeting proxy statement.

While some may look on this audit charter requirement as just some additional pages to add bulk to the proxy statement, it is a formal commitment by the board audit committee to ensure the integrity of financial statements and to supervise the internal and external audit functions. There is no single required format for this audit committee charter document, but the NYSE has published a model charter that has been adopted by many public corporations today. While formats vary from one corporation to another, audit committee charters generally include the following sections:

1. Purpose and Power of Audit Committee

2. Audit Committee Composition

3. Meetings Schedule

4. Audit Committee Procedures

5. Audit Committee Primary Activities

a. Corporate Governance

b. Public Reporting

c. Independent Accountants

d. Audits and Accounting

e. Other Activities

6. Discretionary Activities

a. Independent Accountants

b. Internal Audits

c. Accounting

d. Controls and Systems

e. Public Reporting

f. Compliance Oversight Responsibilities

g. Risk Assessments

h. Financial Oversight Responsibilities

i. Employee Benefit Plans Investment Fiduciary Responsibilities

7. Audit Committee Limitations

Although audit committee charters vary, many contain descriptions of these areas. Some appear to have been developed by corporate legal counsels with language to cover every possible contingency, while others are more clear and succinct. An excellent example of an easy-to-follow charter is Microsoft Corporation’s 2003 audit committee charter, part of their Web site and shown in Exhibit 8.2. Although not included in our exhibit, the full text of that charter also outlines some 30 specific activities for the audit committee. For example, number 29 in that list states, “Meet with the General Auditor in executive sessions to discuss any matters that the Committee or the General Auditor believes should be discussed privately with the Audit Committee” and highlights the fact that this activity will occur two times per year.

Not every corporation is a Microsoft Corporation in terms of its size, sophistication, and resources, but all corporations with SEC registration must conform to SOA rules. Smaller entities will not have the resources or need to release a Microsoft-like Web-based audit committee charter. But, the smaller corporation must still have an independent director’s audit committee, as mandated by SOA, as well as an audit committee charter. This is the type of board of directors’ resolution document that would be part of corporate records.

Whether large or small, an organization still needs to have effective internal controls as well as an internal audit function. This is important today because a limited internal audit resource can no longer rely on its external auditors to perform required tasks that it had expected them to do in the past. The CAE for that small corporation should review materials published by the IIA, ISACA, or the AICPA and work with internal auditors from other small firms in the auditor’s community to develop ideas and approaches. The local IIA chapter will typically have as members CAEs from other nearby similar-sized companies who should be willing to share thoughts and ideas.