Institute of Internal Auditors

February 18, 2003

William G. Bishop III, CIA
President
Tel: +1 407 937 1200
wbishop@theiia.org

Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549-0609

Transmitted via electronic mail: rule-comments@sec.gov

File No. S7-02-03
Proposed Rule: Standards Relating to Listed Company Audit Committees

Dear Mr. Katz:

The Institute of Internal Auditors (IIA) supports the efforts of the Securities and Exchange Commission (SEC) to improve corporate governance processes of listed companies by specifying standards for audit committees. The IIA endorses the SEC's proposed rulemaking that requires a national securities organization to stop listing the securities of an issuer that is not in compliance with the stated standards of responsibilities for its audit committee or that has one or more audit committee members who fail to satisfy the independence criteria.

The IIA agrees with the basic tenets of the standards for an audit committee in the SEC's proposed rules. They are consistent with The Institute's position on the key responsibilities of an effective audit committee, except that the SEC proposal is silent on the committee's responsibility for oversight of the internal auditor. An appropriately structured relationship between the audit committee and internal auditor is essential and needs to be made explicit in the SEC's standards for audit committees. The Federal Financial Institutions Examination Council, representing the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Federal Reserve Board, and Office of Thrift Supervision, has already recognized the importance of this relationship and issued policy guidance to their examiners that, ideally, the chief internal auditor should report directly and solely to the audit committee regarding both audit issues and administrative matters.

In Section 2B of the SEC's discussion of the proposed changes, the question is posed about "whether the audit committee should be directly responsible for the appointment, compensation, retention and oversight" of the internal auditor. The IIA's answer is "Yes" and recommends that the SEC should include the following duties among the audit committee's responsibilities.

The audit committee should approve:

  1. Decisions for hiring, retaining, or dismissing a chief internal audit executive as well as proposed performance evaluations and compensation changes.

  2. Internal audit's charter, annual plans and budget, number of personnel allocated to the function, and the overall conclusion on the results of its work.

  3. Management and internal audit's plans to evaluate the effectiveness of the organization's internal control processes, including the entity's criteria for assessing internal control.

The IIA's guidance to its 83,000 members amplifies ways in which the chief audit executive and the internal audit activity can support the audit committee with the responsibilities recommended above. Those guidelines state that the chief audit executive should report functionally to the audit committee or other appropriate committee of the governing board. The term "functional reporting" is defined on the basis that an effective audit committee must be responsible for:

  • Approving the overall charter of the internal audit activity.

  • Approving all decisions regarding the appointment or removal of the chief internal audit executive.

  • Approving the annual compensation and salary adjustment of the chief audit executive as well as review of the annual performance evaluation.

  • Approving internal audit's risk assessment and related audit plan.

  • Receiving communications from the chief audit executive on the results of the internal audit activities and other matters and conducting, periodically, private meetings with the chief audit executive without management personnel present.

  • Making appropriate inquiries of management and the chief audit executive to determine whether there are planning concerns or budgetary limitations that impede the ability of the internal audit activity in executing its responsibilities and audit plans.

These guidelines offered above are based on The IIA Research Foundation's publication Audit Committee Effectiveness - What Works Best, 2nd Edition, prepared by PricewaterhouseCoopers, LLP. A sample audit committee charter is attached to this letter as a "best practice" example.

To reiterate, The IIA supports the extraordinary efforts the SEC is making to improve corporate governance. Restoration of confidence in that process and the fairness of the publicly released reports must include diligence, competency, and conscientious effort by directors, management executives, internal auditors, and public accountants.

To further strengthen and support these critical governance initiatives, The IIA strongly encourages the SEC to approve proposed amendments to listing standards submitted by the New York Stock Exchange calling for all listed companies to have an internal audit function. To ensure that internal auditing serves audit committees as intended, internal audits should be required to be performed by competent staff in accordance with The Standards for the Professional Practice of Internal Auditing (Standards). Internal auditors can demonstrate professional competence by compliance with the Standards, obtaining the Certified Internal Auditor designation, and implementation of a quality assurance program with periodic external assessments of the internal audit activity.

The audit committee carries out a critical component of the board's role and responsibilities. This proposed SEC rulemaking that specifies the requirement of independence for all audit committee members and standards for audit committee performance are important steps forward. We recommend that the SEC add to the audit committee's responsibilities the oversight of the issuer's internal audit activity.

The IIA is pleased to have this opportunity to suggest changes and provide comments on the proposed SEC rules. If we can be of any assistance or provide additional explanations to assist the Commissioners and staff, we welcome your telephone calls or written communications.

Sincerely,

William G. Bishop III, CIA

Enclosure



Sample Audit Committee Charter

The following sample charter captures many of the best practices used today. Of course, no sample charter encompasses all activities that might be appropriate to a particular audit committee, nor will all activities identified in a sample charter be relevant to every committee. Accordingly, this charter must be tailored to each committee's needs and governing rules.

Audit Committee Charter

PURPOSE

To assist the board of directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company's process for monitoring compliance with laws and regulations and the code of conduct.

AUTHORITY

The audit committee has authority to conduct or authorize investigations into any matters within its scope of responsibility. It is empowered to:

  • Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization.

  • Resolve any disagreements between management and the auditor regarding financial reporting.

  • Pre-approve all auditing and non-audit services.

  • Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation.   

  • Seek any information it requires from employees (all of whom are directed to cooperate with the committee's requests) or external parties.

  • Meet with company officers, external auditors, or outside counsel, as necessary.

COMPOSITION

The audit committee will consist of at least three and no more than six members of the board of directors. The board or its nominating committee will appoint committee members and the committee chair.

Each committee member will be both independent and financially literate. At least one member shall be designated as the "financial expert," as defined by applicable legislation and regulation.

MEETINGS

The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite members of management, auditors or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.

RESPONSIBILITIES

The committee will carry out the following responsibilities:

Financial Statements

  • Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.      

  • Review with management and the external auditors the results of the audit, including any difficulties encountered.

  • Review the annual financial statements, and consider whether they are complete, consistent with information known to committee members, and reflect appropriate accounting principles.

  • Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.

  • Review with management and the external auditors all matters required to be communicated to the committee under generally accepted auditing standards.

  • Understand how management develops interim financial information, and the nature and extent of internal and external auditor involvement.

  • Review interim financial reports with management and the external auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.

Internal Control

  • Consider the effectiveness of the company's internal control system, including information technology security and control. 

  • Understand the scope of internal and external auditors' review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management's responses.

Internal Audit

  • Review with management and the chief audit executive the charter, plans, activities, staffing, and organizational structure of the internal audit function. 

  • Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the chief audit executive. 

  • Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. 

  • On a regular basis, meet separately with the chief audit executive to discuss any matters that the committee or internal audit believes should be discussed privately.

External Audit

  • Review the external auditors' proposed audit scope and approach, including coordination of audit effort with internal audit. 

  • Review the performance of the external auditors, and exercise final approval on the appointment or discharge of the auditors. 

  • Review and confirm the independence of the external auditors by obtaining statements from the auditors on relationships between the auditors and the company, including non-audit services, and discussing the relationships with the auditors. 

  • On a regular basis, meet separately with the external auditors to discuss any matters that the committee or auditors believe should be discussed privately.

Compliance

  • Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of noncompliance. 

  • Review the findings of any examinations by regulatory agencies, and any auditor observations. 

  • Review the process for communicating the code of conduct to company personnel, and for monitoring compliance therewith. 

  • Obtain regular updates from management and company legal counsel regarding compliance matters.

Reporting Responsibilities

  • Regularly report to the board of directors about committee activities, issues, and related recommendations. 

  • Provide an open avenue of communication between internal audit, the external auditors, and the board of directors. 

  • Report annually to the shareholders, describing the committee's composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services. 

  • Review any other reports the company issues that relate to committee responsibilities.

Other Responsibilities

  • Perform other activities related to this charter as requested by the board of directors. 

  • Institute and oversee special investigations as needed. 

  • Review and assess the adequacy of the committee charter annually, requesting board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation. 

  • Confirm annually that all responsibilities outlined in this charter have been carried out. 

  • Evaluate the committee's and individual members' performance on a regular basis.