Management’s report on internal control over financial reporting

EXECUTIVE SUMMARY
  • PUBLIC COMPANIES INCREASINGLY INCLUDE management reports on internal controls in their annual reports even though no regulators require them.
  • SINCE ACCOUNTANTS AND AUDITORS ARE DIRECTLY involved in auditing financial statements and reviewing internal controls, they are in a good position to suggest what degree of reporting is appropriate.
  • MANAGEMENT REPORTS ON INTERNAL CONTROLS provide a unique opportunity for management to discuss issues and concerns not communicated elsewhere in the annual report.
  • SINCE THESE REPORTS FIRST STARTED APPEARING, there has been a growing consensus as to what the contents should include: financial statement presentation; purpose, nature and components of internal controls; and the roles of internal audit, the independent auditor and the audit committee. Also, unique programs can be emphasized.
  • COMPANIES ARE CAREFUL TO POINT OUT the inherent limitations of internal controls. A significant number of the companies studied acknowledge that “the systems are designed to provide only a reasonable assurance of meeting stated objectives.”
  • IF INDEPENDENT ATTESTATION OF MANAGEMENT reports were required, such a mandate would have a significant impact on the roles of both the independent auditor and management. Unless specifically engaged to evaluate a company’s internal control system, the auditor typically is not giving an opinion on the adequacy of the controls.
David M. Willis, CPA, Ph.D., is an assistant professor of business administration at Illinois Wesleyan University, Bloomington. Susan S. Lightle, CPA, Ph.D., is an associate professor of accountancy at Wright State University, Dayton, Ohio.

Turn to page xx of a publicly traded company’s annual report. If there’s a section where management discusses its internal controls, that company has found a venue to communicate with its shareholders—current and potential—about the strategies and policies it has adopted to ensure that the company is “under control.” Public companies increasingly include management reports on internal controls in their annual reports as a good corporate governance practice. At least for now, management has considerable latitude in deciding what it wishes to address in these reports.

Should management be required to report on internal controls, and should independent auditors have to attest to such reports? Although neither the SEC nor FASB requires them, these reports have existed for more than a decade; the debate on their mandatory inclusion has been waged for more than 20 years. There are, of course, varying opinions as to whether the needs of financial statement users are being met by existing reporting requirements. Since accountants and auditors are the professionals directly involved in auditing financial statements and reviewing internal controls, they may be in the best position to suggest what degree of reporting is appropriate.

Importance of Information Sources

In a global survey released earlier this year, 69% of investment professionals said the overall quality of financial information disclosed by most publicly traded companies had improved. Nearly three out of four respondents pointed to executive interviews as key sources of information, followed by annual reports and financial news releases.

Source: Corporate Disclosure Survey, Association for Investment Management and Research, Charlottesville, Virginia, www.aimr.org/standards.

According to the 1999 edition of Accounting Trends and Techniques, approximately 58% of public companies included management reports in their 10K. This is the one place in an annual report where management can focus readers’ attention on issues not systematically discussed elsewhere. A content analysis can help both the writers and users of the reports, as well as the outside auditors, in determining what specific items warrant inclusion.

The content of the reports varies considerably. While the focus in general is on the effectiveness of internal controls, the specific components of internal control are by no means consistent across companies. The differences noted in the reports may reflect the variations in how companies structure their internal control systems or they may reflect the differences in the companies’ reporting philosophies.

Since the reports first started appearing about 10 years ago, preparers have reached agreement on some of the routine items to be included, and now discuss the features of their overall control systems that are unique or of special significance.

Management reports typically discuss the following topics:

  • Financial statement presentation.

  • The purpose, nature and components of the company’s internal controls.

  • The role of internal audit.

  • The role of the audit committee.

  • The role of the independent auditor.

FINANCIAL STATEMENT PRESENTATION

An analysis of the annual reports of the 1998 Fortune 100 revealed 78 companies had included management reports. Virtually all of the reports in this study began with a statement that management took responsibility for the presentation of the financial statements. Ninety-seven percent said the financial statements conformed to GAAP and 15% said the financial statements represented fairly the company’s financial position and results of operations (see exhibit 1).

PURPOSE AND NATURE OF INTERNAL CONTROLS

All but 2 of the 78 companies said they maintained a system of internal control. Most noted the purpose of that system: 87% identified reliable financial reporting and 81%, safeguarding of assets (see exhibit 2). Just over half of the reports—54%—said the objective was encouraging adherence to management’s prescribed policies and procedures, while 51% linked internal controls and ethical conduct. A few of the reports specifically cited the objective of preventing or detecting fraudulent financial reporting. One company, General Electric, identified a sound, dynamic system of internal controls as “a vital ingredient” for the company’s quality programs.

Several reports identified specific components of their internal control structures (see exhibit 3). The most frequently cited was the existence of an internal audit function (78%), followed by the maintenance of policies and procedures (63%), the selection and training of good personnel (43%) and segregation of duties (42%). Also mentioned were continuous review and revision of internal controls and a strong control environment or ethical climate. Almost half of the reports referred to a company code of conduct or ethics policy. Several of the reports noted that the policy addressed such elements as conflict of interest, compliance with applicable laws and confidentiality concerns.

Improve Business Reporting by Evaluating Internal Controls

The report, Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992, did not give an opinion on whether internal control reports by management and independent attestation of them should be required. However, the report did indicate that company management should continuously and periodically evaluate the effectiveness of its internal controls. In 1994, the AICPA examined the information needs of professional investors and creditors and their advisers, and noted, “Although users are not enthusiastic about expanding the scope of audits, one exception relates to internal control. They believe that business reporting would benefit from increased auditor involvement in internal accounting controls” (from Improving Business Reporting—A Customer Focus: Meeting the Information Needs of Investors and Creditors, page 105. For other information, see “Letter From the Chairman of the AICPA Special Committee on Financial Reporting,” JofA, Oct.94, page 39).

Seven reports referred to a review process for assuring compliance with ethical standards. For example, an important part of International Paper Co.’s internal controls system was its ethics program and long-standing policy on ethical business conduct, including a telephone “compliance line” to report suspected violations of law or company policy and its newly established office of ethics and business practices. To ensure that personnel continued to understand the internal control system and policies governing prudent business practices, Merck said it had an ongoing “management stewardship program” for key management and financial personnel and had implemented an ethical business practices program to reinforce its commitment to high ethical standards in conducting its business. CIGNA provided each employee with a copy of the corporate policy addressing business ethics and required that all officers, directors and certain other employees sign the policy statement annually. These statements suggest myriad ways in which corporate managements are seeking to share with outsiders their companies’ commitment to ethical principles.

POINT OUT LIMITATIONS

Companies also were careful to point out the inherent limitations of internal controls. Eighty-six percent of the reports acknowledged the systems’ designs provided only “reasonable assurance” of meeting stated objectives. Thirty-five percent said the internal controls’ cost should not exceed anticipated benefits. Sears, for example, explained that the “concept of reasonable assurance is based on the premise that the cost of internal controls should not exceed the benefits derived.”

A number of reports spelled out the limitations. One of the most extensive clarifications came from Enron: “It should be recognized, however, that there are inherent limitations in the effectiveness of any system of internal control. Accordingly, even an effective internal control system can provide only reasonable assurance with respect to the preparation of financial statements and safeguarding of assets. Further, because of changes in conditions, internal control system effectiveness may vary over time.”

In spite of these limitations, managements often tried to assure statement readers of the soundness of their internal controls. Although about half of the companies in the study asserted specifically that their internal controls were effective or strong, they did not address the basis for this assessment. Only three of the Fortune 100—Freddie Mac, Halliburton and Ameritech—said their assessments were based on recognized criteria for internal control, with Ameritech the only one specifically listing the five components of internal control defined by the COSO Internal Control Integrated Framework:

  • Control environment.

  • Risk assessment.

  • Control activities.

  • Information and communication.

  • Monitoring.

INTERNAL AUDIT’S ROLE

The most frequently cited functions of the internal audit department were monitoring compliance with the internal control structure and assessing its effectiveness. Seventeen percent noted internal audit provides recommendations to improve controls and correct deficiencies. One company, Procter & Gamble, pointed out its use of a self-assessment program to help “individual organizations…evaluate the effectiveness of their controls” and suggested this program supplemented the internal audit function.

Jack Dierkes, assistant director of the company’s internal audit unit, offered this perspective: “P&G believes that controls are the responsibility of the line organization. One role of internal auditing is to audit the line organization, identify gaps and ensure the appropriate action plans are put in place. Since our audit cycle is about three years, we find it helpful to supplement the audits with self-assessments [which] are led by the line organization and conducted about once a year. The internal controls group is available as needed to help the line organization conduct an effective self-assessment. Ideally, problems are identified and fixed before internal auditing conducts official audits.”

Most of the reports did not define the reporting structure of the internal audit department, although Merrill Lynch said its corporate audit department reported directly to the audit and finance committee of the board of directors; P&G noted that internal audit ultimately reported to the CFO, and two organizations, Fannie-Mae and General Electric, said internal audit was organizationally independent of the activities it reviewed.

Why Include a Report of Management in the Annual Report?

According to Ameritech’s general auditor, Bruce Adamec, “the principal reason for including the management report on controls in [our] annual report is to inform investors about the roles management and the Board Audit Committee play in the financial reporting process.”

“Management and the board believe it is paramount that we acknowledge that the financial statements are the company’s and that top management explicitly takes responsibility for the company’s financial reporting process and its system of internal controls. Additionally, an important disclosure is the extent to which management assures itself and the board that the controls are effective.”

Adamec sees the report of management as a signal to investors that management and the board place a high priority on internal controls. He also points out that the report communicates the same message to employees, helping to set the appropriate “tone at the top,” in the terminology of Report of the National Commission on Fraudulent Financial Reporting (the Treadway report). He further notes that the management report has had a positive impact on the audit committee and management itself. “Signing the report has given top management and the board audit committee a heightened awareness and interest in performing their internal control responsibilities.”

THE AUDIT COMMITTEE’S ROLE

Seventy-four (95%) of the reports referred to an audit committee. Of these, 92% said its members were independent or not part of management and that the audit committee regularly met with the independent auditor (81%), the internal audit director (78%) and management (76%) (see exhibit 4). Of the seventy-four companies, in 69% the independent auditor had full and free access to the audit committee and in 60% the internal audit director had the same access. It is not surprising that many management reports addressed the role of audit committees in light of the work of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (see “Blue-Ribbon Panel Issues Its 10 Commandments,” JofA, Apr.99, page 4). Incidentally, of the reports reviewed in this study, none referred to all the committee’s recommendations, and the nature and extent of the information provided varies. (See “Audit Committee Rules to Improve Disclosure,” JofA, Apr.00, page 15.)

Management reports identified the following responsibilities of the audit committee; the percentages in parentheses refer to the portion of the 74 companies with an audit committee.

  • Oversight of financial reporting process (78%).

  • Review of internal controls (81%).

  • Review the scope and results of internal and independent audits performed (69%).

  • Oversight of the internal and independent audit functions (27%).

  • Make recommendations concerning the selection of the independent auditor (26%).

  • Oversight of management (20%).

Two reports (those of Merrill Lynch and J.C. Penney) said the audit committee had responsibility for compliance with acceptable business standards and ethics; J.C. Penney’s reviewed audit and nonaudit services and fees. Ameritech said its audit committee was responsible for “assuring the independence” of the independent auditor. A few reports in exhibit 4 discussed the size of the committee and frequency of its meetings.

Seven Effective Uses of Management Reports

Including management reports in the company’s annual report is one of the steps public companies have taken to improve corporate and financial disclosure to their shareholders and interested third parties. There are good reasons to use these reports:

  • Communicate how your company provides an effective system of internal controls.
  • Discuss how your company uses internal controls to help protect its resources and reach its strategic goals. Identify the components of internal controls that are especially important to you, and reassure the users of the report that your system of controls is working.
  • Point out the ways internal audit assures overall goals and objectives are being met.
  • Clarify the audit committee’s role. Use the report to emphasize its enhanced functions.
  • Explain how your company uses its independent auditors to help manage or assess its control systems.
  • Take advantage of the location of the management report in the annual report to explain how your company’s practices compare with other leading companies in industry.
  • Highlight what’s unique about your company. For example, if you’ve adopted a code of ethical conduct for your employees, advertise that here.

WHAT THE INDEPENDENT AUDITOR DOES

Most of the management reports (85%) referred to the independent audit of the company, with 44% referring to the audit report in the annual report (see exhibit 5, page 64). Several (40%) said the audit was conducted in accordance with GAAS, including appropriate tests of accounting procedures and records. A few noted that all financial records and minutes were made available to the independent auditor or that the representations made to the independent auditor were valid.

Half of the reports said the independent auditor had included some consideration of internal controls. The wording used to describe the nature of this consideration varied. Most common was the term review of internal controls, followed closely by evaluation or assessment of, consideration of, and obtaining an understanding of. Also used were study, testing and examination of internal controls. Only half of the reports referring to the external auditor’s consideration of internal controls explained that the purpose of such consideration was to assist in the design of the audit and not to provide support for an opinion on the adequacy of controls.

DRAWING DISTINCTIONS

If independent attestation of management reports were required, such a mandate would have a significant impact on the roles of both the independent auditor and management in this process. In traditional auditing and attestation services, the profession draws a sharp line between an “audit” and a “review.” Specific standards guide the practitioner in providing these differentiated services. Perhaps equally critically, the audit and review reports themselves attempt to clarify for the readers the nature and extent of the work performed.

The management reports usually do not make similar distinctions. A statement in a management report that the independent auditor has “considered,” “reviewed” or “examined” the company’s internal controls unintentionally might cause a reader to infer that the auditor has indicated the internal control system is working effectively. In most cases, such an inference would be misleading since the auditor was not engaged to express an opinion on the adequacy of the controls. Unless specifically engaged to assess or evaluate a company’s internal control system, independent auditors examine internal controls only for the purpose of designing their overall audit tests of the financial records. Beyond that, no testing of internal controls is required. For this reason the language that is used may merit closer scrutiny.

Auditing standards require that the auditor read other information in a document that may be relevant to the audit or to the propriety of the report. SAS no. 8, Other Information in Documents Containing Audited Financial Statements, cautions the auditor to discuss the information with the client if he or she becomes aware that such information conflicts with his or her knowledge of such matters; if a material misstatement of fact exists, the auditor should consider notifying the client in writing of his or her views concerning the information and consulting legal counsel.

Since management reports are typically included in companies’ annual reports, which contain audited financial statements, the auditor is required to read them. “In reading such information, the auditor should evaluate specific references by management that deal with the auditor’s consideration of internal controls in planning and performing the audit of the financial statements, particularly if such reference would lead the reader to assume that the auditor had performed more work than required under generally accepted accounting standards or would lead the reader to believe the auditor was giving assurances on internal control” (from AICPA, Professional Standards, AU section 9550.14, Other Information in Documents Containing Audited Financial Statements: Auditing Interpretations of Section 550).

The findings of this study indicated that the word most commonly used to describe the nature of the auditor’s consideration of the company’s internal controls was “reviewed.” Because “a statement by management that the auditors had ‘reviewed’ the company’s internal controls would be inappropriate” (see footnote to AU section 9550.14), auditors may need to more closely scrutinize clients’ management reports to comply with the standard’s guidance (see exhibit 5).

The profession should consider the results of this study in the debate on whether to mandate management reports of publicly traded companies and, if so, what those reports should include. Management reports can be another vehicle to improve corporate governance structures. The strength of the management report is the unique opportunity it affords management to address in a focused part of its annual report those concerns it believes are especially important for its company. The report becomes a vehicle for defining management’s control strategy, for explaining how its practices compare with those of other companies, and for highlighting where its efforts may represent cutting-edge attempts to make its company more profitable and efficient. Companies with innovative programs can use these reports to emphasize how important these initiatives are.

What must be included in management's report on the company's internal controls?

The internal control report must include: a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's ...

What do management's internal control responsibilities include?

In order to maintain effective internal controls, management should: maintain adequate policies and procedures; communicate these policies and procedures; and monitor compliance with policies and practices.

What does section 404 require of management's internal control report?

The Sarbanes-Oxley Act requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404(b) requires a publicly-held company's auditor to attest to, and report on, management's assessment of its internal controls.

What is the usual internal control framework used when assessing internal control over financial reporting (initials are OK)?

In the United States, the only framework for evaluating internal control is the framework established by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”). In 1992, COSO issued its “Internal Control - Integrated Framework.” (See Section II.