With market volatility, complexity, and ongoing political and regulatory changes, internal audit (IA) functions have more opportunities to contribute to businesses in a meaningful way, according to the PwC US Internal Audit State of the Profession 2013 survey.
According to survey respondents, internal audit must continue to evolve its focus and significantly improve its performance or risk losing relevance as other internal risk functions become more vital contributors in the risk management area.
According to the survey, audit committees and management should ask if they are expecting enough from IA or if they are settling for a function that audits to their capabilities and not to their risks.
The survey also found that there is a huge opportunity for internal audit functions to be relevant contributors to protecting stakeholder value and the business from the most critical risks. However, for internal audit functions to maximize their value to the organization, they must ensure alignment on multiple levels.
The survey also outlines the key steps audit committees can take to enhance the value internal audit can and should deliver to organizations. Those steps include audit committees asking:
The New York City Bar’s financial reporting committee has asked the New York Stock Exchange to reconsider its 2003 rule that requires audit committees to discuss policies regarding risk assessment and risk management.
The attorney group, which has more than 24,000 members, believes risk assessment and management oversight should be elevated to the whole board. It is concerned about how much this rule has increased the workload of audit committees and that there is a lack of clarity over audit committees’ responsibility regarding risk oversight.
“We would encourage the NYSE to revisit whether Rule 303A.07 reflects an optimum approach to board-level oversight of risk management,” the Bar said in a March 5 letter to the NYSE’s regulation arm. “In particular, we would ask the NYSE to consider that, while audit committees should certainly retain responsibility for the oversight of those risks associated with financial reporting, the audit committee should not be required to assume broader risk management oversight responsibility.”
The Bar goes on to state that if the whole board was required to “discuss policies with respect to risk assessment and risk management” then the whole board could use its judgment to delegate certain or all aspects of risk management oversight to the audit committee or other committees as the board deemed appropriate.
The NASDAQ Stock Market recently filed with the SEC a proposed rule that would require listed companies to establish and maintain an internal audit function that would go into effect at the end of this year. Currently, the NYSE has such a requirement.
If approved, the rule would require listed companies, and those listed on the exchange before June 30, to establish an internal audit function by December 31, 2013. Companies listed after June 30 would have to have such a function prior to listing.
Under the proposed rule, the company may choose to outsource the function to a third-party service provider other than the independent auditor. Also, the rule would require the audit committee to:
As of April 4, there have been 35 comment letters filed with the SEC. A large majority of the letter writers (27) are against the rule, while only three are in favor. There were four that asked it be amended to either exempt smaller companies or specify that there be an emphasis on an effective internal audit function.
Of those against the rule, the Society of Corporate Secretaries and Governance Professionals writes: “We suggest that the proposed rule: (1) be clarified to limit its scope to financial reporting risk and internal controls over financial reporting risk only; (2) allow outsourcing of the internal audit function to multiple providers (whether or not the scope is limited); and (3) have an effective date no earlier than the end of the first full calendar year following the year in which the rule is approved.”
The Institute of Internal Auditors (IIA) writes that the organization supports the internal audit function requirement, but that it recommends the rule require such functions “follow globally recognized professional standards.” It also states that it is best practice for audit committees to periodically hold a private executive session with the chief internal audit executive without management present.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission announced at its March 20 meeting that it expects to issue its updated Internal Control – Integrated Framework: 2013. Also, the framework will include a volume of Illustrative Tools for Assessing Effectiveness of a System of Internal Control.
Additionally, COSO expects to issue simultaneously Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, which has been developed to assist users when applying the Framework to external financial reporting objectives. The framework compendium was written by PwC as part of the framework update. It illustrates how the principles in the framework can be applied in designing, implementing and conducting internal control over financial reporting.
The COSO board also announced that it will continue to make available the original framework during the transition period extending to December 15, 2014, after which time COSO will consider it as having been superseded.
For more information on the updated COSO framework, directors may want to read page 3 of the March 21 PwC Flashline.
On March 26 the Public Company Accounting Oversight Board (PCAOB) issued for public comment a proposal for the reorganization of PCAOB auditing standards, as well as certain related amendments to its rules and standards.
Among the proposed changes, all PCAOB auditing standards would be grouped into the following categories: general auditing standards, audit procedures, auditor reporting, matters relating to filings under federal securities laws, and other matters associated with audits.
Comments on the proposal are due by May 28, 2013.
For more information about the PCAOB auditing standards proposal, directors may want to read PwC’s March 29 In brief: PCAOB proposes framework for reorganization of PCAOB auditing standards.