
Internal Controls: What We Can Learn from Regulators
John P. Beavers
Partner, Bricker & Eckler LLP
June 2003
Recognition and understanding of the internal audit function has slowly developed. In recent years, federal banking regulators[1] have led the way in recognizing the importance of and providing guidelines for the establishment and implementation of the internal audit function. Congress and the SEC have learned and are likely to continue learning from these federal banking regulators. Companies other than financial institutions can learn from the guidance of these regulators, too.
Requirement for internal accounting controls
The first recognition of the internal audit function came when Congress adopted the Foreign Corrupt Practices Act in 1978. Congress believed that American businesses were falsely characterizing as tax-deductible expenses payments that the Internal Revenue Service viewed as non-deductible bribes of foreign officials. The Foreign Corrupt Practices Act added section 13(b) to the Securities Exchange Act of 1934, requiring public reporting companies (i.e., companies required to file periodic annual reports with the SEC on Form 10-K or 10-KSB) to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
Transactions are executed in accordance with management's general or specific authorization;
Transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets;
Access to assets is permitted only in accordance with management's general or specific authorization; and
The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
The Foreign Corrupt Practices Act, however, did not delegate responsibility for establishing and maintaining internal controls except to the company as a whole. In 1979, the SEC attempted to impose limited responsibility on directors and officers when it adopted Rule 13b2-2. Rule 13b2-2 provides that no director or officer of an issuer shall, directly or indirectly:
Make or cause to be made a materially false or misleading statement; or
Omit to state, or cause another person to omit to state, any material fact necessary in order to make statements made, in light of the circumstances under which such statements were made, not misleading to an accountant in connection with:
Any audit or examination of the financial statements of the issuer required to be made pursuant to this subpart; or
The preparation or filing of any document or report required to be filed with the Commission pursuant to this subpart or otherwise.
Banking regulators’ delegation of responsibility for internal control
Although neither Congress nor the SEC focused on delegating responsibility for internal control before Sarbanes-Oxley, banking regulators did in 1997. The banking regulators found that effective internal control is a foundation for the safe and sound operation of a financial institution. These regulators then admonished that both the board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively.
Blue Ribbon Committee’s recognition of the importance of the internal audit function
The Blue Ribbon Committee on Improving the Effectiveness of Audit Committees was the first to publicly recognize the importance of the internal audit function when it issued its report in 1999. The report states that:
A proper and well-functioning system exists, therefore, when the three main groups responsible for financial reporting -- the full board including the audit committee, financial management including the internal auditors, and the outside auditors -- form a "three-legged stool" that supports responsible financial disclosure and active and participatory oversight.
Management responsibility for internal controls under Sarbanes-Oxley
Although in 1978 Congress required public reporting companies to establish and maintain a system of internal accounting controls, Congress did not delegate responsibility for establishing and maintaining those controls to any particular constituency within companies until the Sarbanes-Oxley Act of 2002. As a result of the accounting scandals involving Enron and WorldCom, Congress believed that the most responsible officers of American businesses were avoiding responsibility for establishing and maintaining the internal accounting controls required of companies by the Foreign Corrupt Practices Act. Congress addressed this by requiring both the CEO and the CFO of public reporting companies to certify periodically that they:
Are responsible for establishing and maintaining internal controls;
Have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
Have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report;
Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
Have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):
all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and
any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.[2]
Sarbanes-Oxley thus makes the CEO and CFO responsible not only for establishing and maintaining internal controls but, more importantly, for periodically evaluating the effectiveness of those controls.
The model for the Sarbanes-Oxley CEO and CFO certifications was existing legislation. Similar certifications were required of federally insured financial institutions pursuant to the Federal Deposit Insurance Corporation Act and regulations thereunder.
SEC’s post-Sarbanes expansion into disclosure controls and procedures
The SEC’s rules implementing this provision of Sarbanes-Oxley require that the periodic evaluation of the effectiveness of the design and operation of the issuer's disclosure controls and procedures be carried out under the supervision and with the participation of the issuer's management, including the issuer's principal executive officer or officers and principal financial officer or officers, or persons performing similar functions. The SEC has also broadened the concept from “internal accounting controls” to “internal controls over financial reporting,” intending to include both controls for reporting financial information and controls for reporting non-financial information.[3]
Again, the model for the broadened concept came from banking regulations. In 1997, federal banking regulators found internal controls to be the “foundation for the safe and sound operation” and broadly defined the required system of these controls as having the objectives of efficient and effective operations, including safeguarding of assets; reliable financial reporting; and, compliance with applicable laws and regulations.
On May 27, 2003, the SEC announced its final rules on internal controls. These final rules define internal controls as a process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.
Pursuant to those rules, public reporting companies are required to report in their Forms 10-K or 10-KSB:
A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
A statement identifying the framework used by management to evaluate the effectiveness of this internal control;
Management's assessment of the effectiveness of this internal control as of the end of the company's most recent fiscal year; and
A statement that its auditor has issued an attestation report on management's assessment.
Under the new rules, management must disclose any material weakness and will be unable to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in such control. Furthermore, the framework on which management's evaluation is based will have to be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
Learning from federal banking regulators
Because Congress and the SEC are learning from federal banking regulators, all companies, not just financial institutions, can learn from guidance offered by these regulators on internal controls and the internal audit function in a joint policy statement issued on March 17, 2003.
Responsibility for Internal Controls. The federal banking regulators have pinpointed responsibility for internal controls to boards as well as management since 1997. This continues in the March 17, 2003 policy statement which states that:
The board of directors and senior management are responsible for having an effective system of internal control and an effective internal audit function in place at their institution. They are also responsible for ensuring that the importance of internal control is understood and respected throughout the institution. This overall responsibility cannot be delegated to anyone else. They may, however, delegate the design, implementation and monitoring of specific internal controls to lower-level management.
Definition of Internal Controls. Although no uniform definition of internal controls exists, the March 17, 2003 policy statement indirectly defines internal controls by specifying their objectives as:
A process designed to provide reasonable assurance that the institution will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and, compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Up-the-Ladder Self-Assessments Not Sufficient. The March 17, 2003 policy statement recognizes that many financial institutions have implemented their evaluation of internal controls by up-the-ladder self-assessments, wherein business line managers and their staff evaluate the performance of internal controls within their purview and report their assessments up the ladder to the CEO and CFO. Although up-the-ladder self-assessments help to underscore management's responsibility for internal control, the federal banking regulators warn that these self-assessments are not impartial and also may not identify control weaknesses until they have become costly problems.
Importance of Non-Business Line Testing and Evaluations of Internal Controls. Accordingly, the federal banking regulators believe that their regulated institutions should have their internal controls tested and evaluated by units without business-line responsibilities, such as internal audit groups, operating in accordance with professional standards such as the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing. The regulators also state that the internal audit function should be headed by an internal audit manager who understands the function and has no responsibility for operating the system of internal control.
Direct Reporting to the Audit Committee. The federal banking regulators state that ideally the internal audit manager should report directly and solely to the audit committee regarding both audit issues and administrative matters, e.g., resources, budget, appraisals, and compensation. This would be a change, however, in reporting functions for many companies in which the internal audit manager has a dual reporting arrangement: functionally accountable to the audit committee on issues discovered by the internal audit function, while reporting to another senior manager on administrative matters. Nevertheless, the regulators caution against dual reporting arrangements in which the CFO, controller, or other similar officer is responsible for overseeing the internal audit activities. For institutions believing a dual reporting arrangement is necessary, the banking regulators state that the objectivity and organizational stature of the internal audit function are best served under such an arrangement if the internal audit manager reports administratively to the CEO rather than the CFO.
Reporting of Deficiencies. The March 17, 2003 policy statement states that the internal auditor should report any internal control deficiencies to the appropriate level of management as soon as they are identified and promptly report any significant matters directly to the board of directors or its audit committee.
Internal Audit Outsourcing. Outsourcing of the internal audit function can take many forms, from helping the internal audit staff complete reconciliations, to providing technical expertise such as electronic data processing, to performing virtually all the procedures or tests of the internal controls. Under any of these arrangements, the federal banking regulators admonish that the board and senior management must maintain ownership of the internal audit function and provide active oversight of outsourced activities. In order to distinguish its duties from those of the outsourcing vendor, the banking regulators advise that the institution should have a written engagement letter including provisions that:
Define the expectations and responsibilities of both parties;
Set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor;
Set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work;
Establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor;
Specify the locations of internal audit reports and the related workpapers;
Specify the period of time (for example, seven years) that vendors must maintain the work papers;
State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers prepared by the outsourcing vendor;
Prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
State that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, SEC, Public Company Accounting Oversight Board, or regulatory independence guidance.
Conclusion
Federal banking regulators have had as much experience with internal controls and the internal audit function as any other regulatory group. It is likely that Congress and the SEC will continue to follow these regulators’ lead with respect to internal controls and the internal audit function. Likewise, companies other than financial institutions can also learn from the guidance of these regulators.
_________________________________
Footnotes
1. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
2. See §302 of Sarbanes-Oxley.
3. See SEC Release 33-8124 (August 28, 2002).