1. Corporate Governance & Internal Control Flashcards
After all the frauds of the Enron era, SOX addressed corporate governance, and related topics such as financial reporting and fraud prevention in some detail.
If corporate governance is to be effective, the responsibilities of the various players (officers, directors, and employees) must be efficiently organized, carefully executed, and diligently monitored.
Sarbanes-Oxley’s Article III contains several provisions dealing with responsible corporate governance that have an important impact upon the accuracy of firms’ financial reporting.
- Audit committees –
- Officer certification of financial statements –
- Misleading auditors –
Other SOX provisions even more directly impact financial reporting practices:
- Financial statement deceit – SOX contains several provisions to limit improper financial conduct:
a. Off-balance-sheet transactions –
b. Pro forma financial statements –
- Internal financial controls –
- CFO Code of Ethics –
- Accounting expertise –
Because boards of directors during the Enron era often were not up to the task of detecting even massive accounting frauds, SOX requires that at least one member of the audit committee be a “financial expert,” someone who, through education and experience as a public accountant, auditor, CFO, comptroller, or in a position involving performance of similar functions, has:
a. An understanding of GAAP and financial statements;
b. Experience in preparing or auditing financial statements of comparable companies and application of such principles in connection with accounting for estimates, accruals, and reserves;
c. Experience with internal auditing controls; and
d. An understanding of audit committee functions.
Enron-era financial scandals prompted Congress to encourage whistleblowing. The Sarbanes-Oxley Act of 2002 did three things along this line.
- First, SOX directed public company audit committees to install procedures for ensuring that whistleblowers’ complaints are properly directed.
- Second, SOX provided a civil damages action for public company whistleblowers who suffer retaliation for providing information in an investigation or participating as a witness or otherwise in a proceeding involving federal securities law violations. The statute allowed for employees to file complaints with the Department of Labor’s Occupational Safety & Health Administration (OSHA), as long as the complaints are filed within 90 days (amended to 180 days) of a discriminatory event related to whistleblowing. Discriminatory events include termination of employment, demotion, suspension, and harassment. OSHA’s decisions may be appealed to the Office of Administrative Law Judges (ALJ) and then to the Administrative Review Board (ARB). If OSHA has not made a final decision within 180 days of the initial filing, the whistleblower can remove the case to federal district court. This provision is much less important after Dodd-Frank.
- Third, SOX made it a crime punishable by fine and/or imprisonment of not more than 10 years to retaliate against an informant who provided truthful information relating to the commission of any federal offense to a law enforcement officer (not just federal securities law violations).
Dissatisfaction with SOX’s provisions for civil damages actions and another round of scandals arising from the sub-prime situation prompted Congress to amend the SOX anti-retaliation provision in Dodd-Frank in 2010. Sections 922 and 929A of Dodd-Frank provide the following:
- Extend the time to file a complaint with OSHA from 90 days to 180 days.
- Extend the right to sue to whistleblowing employees of private subsidiaries of public companies if the subsidiary is owned more than 51% by the public parent and its financial information is consolidated in the public parent’s financial statements. The parent company is the liable party, not the subsidiary.
- Prohibit pre-dispute mandatory arbitration agreements that might derail a whistleblower’s right to sue.
- Grant whistleblowers the right to a jury trial if a case is properly filed in federal district court.
Additionally, Dodd-Frank created an entirely new anti-retaliation provision that whistleblowers are likely to use instead of the SOX provision (even as amended), because:
- Whistleblowers may sue directly in federal district court without going through the Department of Labor complaint process.
- Whistleblowers may recover two times the amount of back pay owed with interest and attorneys’ fees if they establish that they are victims of retaliation.
- The statute of limitations is much longer: whistleblowers must file within three years of when they knew, or should have known, that they had the right to sue, and within six years of the violation.
- Note that the SEC can also sue to punish such retaliation.
Section 922 of Dodd-Frank amended an SEC bounty program that predated SOX to require the Commission, in any case where it imposes sanctions in excess of $1 million, to compensate whistleblowers who voluntarily provide original information leading to the successful enforcement of the action with between 10% and 30% of the sanctions imposed.
- “Original information” is information coming from the whistleblower’s own independent knowledge or analysis and not derived solely from public sources that is not already known to the SEC. The information must be about federal securities law violations. Information about violations of state or foreign law would not count.
- Whistleblowers are encouraged to report violations to their firms first in that this is one of several factors the SEC can consider in determining the amount of a bounty. However, whistleblowers are not to be penalized for failing to report internally if they feared retaliation or had another legitimate basis.
- If an accountant learns such original information while acting as an internal auditor, or while working for a public accounting firm performing a mandated audit, he or she is disqualified from receiving a bounty. Auditors are already duty-bound to report such information and as such they are viewed as not needing the incentive of a bounty to fulfill their obligation. However, the SEC inserted an exception in the rules stating that such accountants (as well as lawyers and top corporate officials) may still be allowed to claim a bounty if:
a. They have a reasonable basis to believe that disclosure of the information to the SEC is necessary to prevent the firm from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the firm or investors;
b. They have a reasonable basis to believe that the firm is engaging in conduct that will impede an investigation of the misconduct; or
c. At least 120 days have elapsed since they provided the information to the firm’s audit committee, chief legal officer, chief compliance officer, or their supervisor, and the information has not been passed on to authorities.
- Note that the anti-retaliation provisions may protect whistleblowers even if they do not qualify for a bounty.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as follows:
Internal control is a process—effected by the entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a. Effectiveness and efficiency of operations;
b. Reliability of financial reporting;
c. Compliance with applicable laws and regulations.
Categories of Controls
The classifications of accounting controls discussed in this lesson are different ways of looking at controls. These classifications can be useful in developing and evaluating the benefits and limitations of these controls.
- Preventive, detective, and corrective controls: This classification focuses on the timing of the control relative to the potential error, that is, when the control is applied. A well-controlled system balances preventive and detective controls and includes corrective controls as needed.
- Feedback and feed-forward controls: These focus on changing inputs or processes to promote desirable outcomes by comparing actual results (feedback) or projected results (feed-forward) to a predetermined standard.
- General controls and application controls: This classification focuses on the functional area of the control, that is, where the control is applied rather than when it is applied.
Institute of Internal Auditors’ (IIA) International Professional Practices Framework
Mandatory guidance consists of three elements:
a. Definition of internal auditing –
b. Code of ethics –
c. International standards –
Strongly recommended guidance:
a. Position papers – Provide guidance in understanding important governance, risk, or control issues relevant to internal auditing.
b. Practice advisories – Address internal auditing approaches, methodologies, and other considerations, but not detailed processes or procedures.
c. Practice guides – Provide detailed guidance for internal audit activities, including audit programs, and other tools and techniques.
The IIA Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The IIA Code of Ethics
Four principles and twelve rules of conduct
The twelve rules of conduct – These categorized rules establish the minimum requirements for conduct.
- Integrity –
- Objectivity –
- Confidentiality –
- Competency –
International Standards for the Professional Practice of Internal Auditing (“Standards”) are issued by the IIA’s Internal Auditing Standards Board (IASB).
Standards are presented in two categories:
1. Attribute standards – Involving the characteristics (“attributes”) of organizations and individuals performing internal audit services.
2. Performance standards – Involving the quality criteria to evaluate the performance of internal audit services.
Implementation Standards are provided within the Attribute and Performance Standards to differentiate requirements applicable to “assurance” activities (indicated by the letter A) and “consulting” activities (indicated by the letter C).