By now Boards of Directors, Audit Committees and management should be aware of the impact of the U.S. Sentencing Guidelines, Sarbanes-Oxley Act, NYSE Listing Standards, COSO Framework for Enterprise-Risk Management and PCAOB Audit Standard No. 2 on the evolving roles and responsibilities of Boards of Directors and, in particular, Audit Committees, regarding compliance, risk management and internal controls. As a result of these developments, there has been a significant expansion of the roles and responsibilities of management, the Board of Directors and the Audit Committee in these areas. In addition, the continuing evolution of the traditional duties of care, loyalty and good faith and the director settlements in the MCI and Enron litigations should have focused the attention of Boards of Directors on the importance of compliance.
It is important to note that each of these developments focuses on culture and tone at the top and moves away from a formalized, rigid approach to policies and procedures.
After briefly summarizing each of these developments, this article will suggest that the first critical step in response to them is to undertake a thorough risk and compliance assessment. The article will then outline a risk assessment methodology to review and assess a corporation's compliance program within the context of an overall enterprise risk management program.
The DOJ Sentencing Guidelines
Understanding the DOJ Sentencing Guidelines requires a review of the original Guidelines, the Holder and Thompson Memoranda, and the changes to the original Guidelines based on the October 7, 2003 Advisory Group Report.
The original DOJ Sentencing Guidelines compliance program requirements included the following:
1. establish written standards, policies and procedures,
2. assign overall responsibility to oversee compliance with the standards and policies to a senior officer,
3. effectively communicate standards and policies to all employees through training and dissemination of explanatory written materials,
4. utilize monitoring, testing and audit systems to assess and assure compliance with standards and policies,
5. establish and publicize a reporting system for employees to report violative conduct without fear of retaliation,
6. enforce the standards and policies consistently through appropriate disciplinary and enforcement mechanisms, and
7. take reasonable steps after detection of violations of law to respond to the violation to prevent future occurrences, including modification of the compliance program.
The U.S. Sentencing Commission promulgated revised sentencing guidelines for corporations pursuant to the recommendation of an Advisory Group. The Advisory Group Report concluded that although the United States Sentencing Guidelines have induced many corporations to focus on compliance programs, changes were necessary to provide additional guidance regarding effective compliance programs to prevent and detect violations of law. Accordingly, the Report recommended revising the Sentencing Guidelines to include the following compliance program requirements:
1. emphasize the importance within the Guidelines of an organizational culture that encourages a commitment to law,
2. provide a definition of "compliance standards and procedures,"
3. specify the responsibilities of an organization's governing authority and organizational leadership for compliance,
4. emphasize the importance of adequate resources and authority for individuals within organizations with the responsibility for the implementation of the program,
5. replace the current terminology of "propensity to engage in violations of law" with language that defines the nature of an organization's efforts to determine when an individual has a reason to know of, or history of engaging in, violations of law,
6. include training and the dissemination of training materials and information within the definition of an "effective program,"
7. add "periodic evaluations of the effectiveness of a program" to the requirement for monitoring and auditing systems,
8. require a mechanism for anonymous reporting,
9. include the phrase "seek guidance about potential or actual violations of law" within the criteria in order to more specifically encourage prevention and deterrence of violations of law as part of compliance programs, and
10. provide for the conduct of ongoing risk assessments as part of the implementation of an "effective program."
Sarbanes-Oxley Act (Section 404) Management Assessment Of Internal Controls
An effective compliance and risk management program is a critical component of a corporation's compliance with Section 404 of the Sarbanes-Oxley Act. Section 404 requires corporations to:
1. include in their annual report a management report on the effectiveness of their internal controls over financial reporting as well as an independent accounting firm's attestation report on management's assessment of the company's internal controls, and
2. disclose in their quarterly reports any material changes to their internal controls that occurred during the period covered by the report.
NYSE Corporate Governance Listing Standards
The NYSE corporate governance listing standards specifically assign responsibility for internal controls and compliance with legal and regulatory requirements to the Audit Committee. Specifically, they provide that:
1. The Audit Committee must review major issues as to the adequacy of the company's internal controls and any special audit steps adopted in light of material control deficiencies.
2. The Audit Committee has responsibility for confirming the company's compliance with legal and regulatory requirements.
COSO Framework On Enterprise Risk Management Standard For Evaluation Of Risk Management ("COSO Framework")
COSO (popularly known as the "Treadway Commission") is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. The COSO Framework defines enterprise risk management ("ERM") as a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise. ERM should be designed to identify and assess all potential events and risks that may affect the company, manage risk, and provide reasonable assurance regarding the achievement of company objectives. The COSO Framework lists the following eight components of ERM:
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information and Communication
8. Monitoring
The key to implementing ERM is process and the internal environment. The COSO Framework identifies a company's internal environment as the foundation for all other components of enterprise risk management. The internal environment encompasses:
1. Risk management philosophy
2. Risk culture
3. Role of the Board of Directors
4. Integrity and ethical values
5. Commitment to competence
6. Integration of management's philosophy and operating strategy
7. Risk appetite
8. Organizational structure
9. Assignment of authority and responsibility
10. Human resources policies and practices
Public Company Accounting Oversight Board Audit Standard No. 2
The Auditing Standard for Audits of Internal Controls by the Public Company Accounting Oversight Board ("PCAOB") places responsibility on management and the Audit Committee for effective internal controls and requires the external auditor to evaluate the effectiveness of the Audit Committee's oversight of the internal control process. The Auditing Standard establishes requirements applicable to an auditor's audit of management's assessment of the effectiveness of internal controls over financial reporting. In particular, the auditor is directed to evaluate all controls that address a material risk of fraud. These controls include:
1. a company's risk assessment processes;
2. a company's code of ethics/conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts, and the monitoring of the code by management and the Audit Committee of the Board;
3. the adequacy of the company's internal audit activity and whether the internal audit function reports directly to the Audit Committee as well as the extent of the Audit Committee's involvement and interaction with the internal audit; and
4. the adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.
The Auditing Standard suggests that it may be appropriate for the auditor to test and evaluate the design effectiveness of company-level controls which include the following:
1. Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs such as codes of conduct and fraud prevention, that apply to all locations and business units.
2. Monitoring of the components of internal control over financial reporting. The existence of an effective Audit Committee helps to set a positive tone at the top. However, although the Audit Committee plays an important role, management is responsible for maintaining effective internal control over financial reporting; the Auditing Standard does not suggest that this responsibility has been transferred to the Audit Committee.
The Auditing Standard goes on to state that while the company's board of directors is responsible for evaluating the performance and effectiveness of the Audit Committee, the auditor should assess the effectiveness of the Audit Committee as part of understanding and evaluating the monitoring of internal controls. In evaluating the effectiveness of the Audit Committee's oversight of the company's external financial reporting and internal control over financial reporting, the auditor is directed to review the following factors:
1. the independence of the Audit Committee members from management;
2. the clarity with which the Audit Committee's responsibilities are articulated;
3. how well the Audit Committee and management understand those responsibilities;
4. the Audit Committee's involvement and interaction with the independent auditor and with internal auditors;
5. the Audit Committee's interaction with key members of financial management, including the chief financial officer and chief accounting officer;
6. whether the right questions are raised and pursued with management and the auditor; and
7. the responsiveness by the Audit Committee to issues raised by the auditor.
The Auditing Standard concludes that "Ineffective oversight by the Audit Committee of the Company's external financial reporting and internal control over financial reporting should be regarded as at least a significant deficiency and is a strong indicator that a material weakness in internal control over financial reporting exists."
The Audit Committee and management should be aware of these new responsibilities and develop compliance and enterprise risk management systems in response to them. These increased responsibilities in the areas of risk management, compliance and internal controls should result in a much more proactive Audit Committee. There are a number of questions that Audit Committees should be asking management.
Part II of this Article will provide some questions that the Audit Committee should be asking and an outline of a basic legal and compliance assessment that should be considered by corporations as part of an on-going risk management assessment methodology.
Robert E. Bostrom is Head of the Financial Services Practice Group and a Partner in the Corporate Department of Winston & Strawn LLP in New York City.