Corporate Governance – The Role of the Audit Committee BA 427 – Assurance and Attestation Services James D. Parkin January 10, 2007


Agenda

• Corporate governance roles
  – Board of Directors
  – Audit Committee
  – Management
  – Auditor
• Key governance rules
  – Sarbanes-Oxley Act 2002
  – COSO Internal Control Framework
• Auditor communications


Corporate Governance Roles

Copyright © 2005 Deloitte Development LLC. All rights reserved.

Microsoft Board of Directors

Name | Audit | Compensation | Finance | Governance & Nominating | Antitrust Compliance
Mr. Gates | | | | |
Mr. Ballmer | | | | |
Dr. Cash | X | X | | | X*
Ms. Dublon | X | | X | |
Mr. Gilmartin | | | | X* | X
Mrs. Korologos | | X* | | | X
Mr. Marquardt | | | X | X |
Mr. Noski | X* | | X | |
Dr. Panke | | X | | |
Mr. Shirley | | | X* | |
Total meetings in fiscal year 2006 | 9 | 5 | 4 | 4 | 4



Audit Committee Responsibilities

• Oversee accounting and financial reporting functions
• Monitor the effectiveness of internal controls
• Monitor accounting principles, methods and estimates, including “quality”
• Oversee internal audit function
• Selection of independent auditor
• Oversee auditor’s planning, performance and completion of audits


Audit Committee Responsibilities (cont.)

• Assess auditor independence
• Pre-approve auditor services
• Discuss with auditor certain required items (discussed later)


The current environment has heightened expectations of the audit committee, prompting more penetrating questions.

What risks could have a significant impact on the company?

How is management addressing those risks?

Can we be assured that risks are being managed appropriately?

Do we have a process to assess the quality, not just the acceptability, of accounting policies, financial reporting processes, and internal controls?

Have we obtained an understanding of the processes used by management and the external auditors to identify and monitor risk?

How are we assessing the effectiveness and qualifications of the internal and external auditors?

Have we evaluated the independence of the external auditors?

Have we evaluated the quality of the finance, accounting, and internal audit organizations?

How do we, as an audit committee, assess our own effectiveness?

Heightened Expectations


Interaction Between Management, the Audit Committee, and the External Auditors Has Changed

Best practices:

Discussions should be three-way

Discussions should be open and frank, allowing audit committee members to gain an understanding beyond GAAP

Heightened Expectations


Sarbanes-Oxley Act 2002 – Sec. 301

The audit committee of each issuer, in its capacity as a committee of the board of directors, shall be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by that issuer…


Audit Committee Composition

• Number of members
• Independence
• Financial literacy
• Financial expert
• Demographics
• How many meetings?
• How long are the meetings?


Microsoft Audit Committee Members

• James I. Cash Jr., Ph.D., 58, has been a director of the Company since 2001. Dr. Cash is formerly … Harvard Business School…Dr. Cash is also a member of the board of directors of The Chubb Corporation, General Electric Company, Phase Forward Incorporated, and Wal-Mart Stores, Inc.

• Dina Dublon, 53, has been a director of the Company since 2005. From December 1998 until her retirement in September 2004…Executive Vice President and Chief Financial Officer of JPMorgan Chase…Prior to joining Chemical Bank, Ms. Dublon worked for the Harvard Business School and Bank Hapoalim in Israel. Ms. Dublon is also a member of the board of directors of Accenture Ltd. and PepsiCo, Inc.

• Charles H. Noski, 54, has served as a director of the Company since 2003. From December 2003 to March 2005, Mr. Noski served as Corporate Vice President and Chief Financial Officer of Northrop Grumman Corporation and served as a director from November 2002 to May 2005. Mr. Noski joined AT&T in 1999 as Senior Executive Vice President and Chief Financial Officer and was named Vice Chairman of AT&T’s Board of Directors in 2002…Prior to joining AT&T, Mr. Noski was President, Chief Operating Officer, and a member of the board of directors of Hughes Electronics Corporation…Mr. Noski is also a director of Air Products and Chemicals, Inc., and Morgan Stanley.


Role of Management

• Prepare and maintain the financial records, including preparation of financial statements
• Evaluate the effectiveness of the company’s internal control over financial reporting (ICFR)
• Resolve deficiencies in ICFR (both significant and material) in a timely manner


Role of External Auditor

• Audit/Review management’s financial statements
• Audit management’s ICFR
• Required communications to the audit committee (discussed later)
• Communicate deficiencies in ICFR (significant and material to audit committee)
• Become a Trusted Technical Advisor (versus trusted business advisor)


Key Governance Rules


Evolution of Governance

Mid-1970s: Watergate Scandal and Investigation

1977: Foreign Corrupt Practices Act (FCPA)

Early 1980s: Increased Focus on Internal Control and Compliance

1985: National Commission on Fraudulent Financial Reporting – Treadway Commission

1992: Committee Of Sponsoring Organizations (COSO) published Internal Control – Integrated Framework

1990s – 2000: Continued Focus on Internal Control, Risk Management and Responsibilities (Blue Ribbon Commission, Competency Framework for Internal Audit, Others)

2002: Sarbanes-Oxley Act of 2002


Sarbanes-Oxley Act Titles

The Act includes 11 titled sections:

Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability


Impact to Auditors

• Formation of the PCAOB
• Auditor independence
  – Certain nonaudit services are specifically prohibited by the act, many of which were previously prohibited
  – Audit partner rotation periods shortened and extended to concurring review partners and partners serving significant subsidiaries
• Client relationships
  – Auditor now reports directly to the audit committee
  – Expanded audit committee reporting requirements
• Auditor attestation of internal controls (Section 404)


Impact to Audit Committees

• Preapproval of nonaudit services
  – Applies to nonaudit services that are not specifically prohibited by the act
  – Can be achieved through explicit approval of all nonaudit services, policies for preapproving certain classes of services, or combination of both
• Disclosure of audit committee financial expert
  – The final rule included less stringent requirements than the proposed rule
  – Requires the board to make the determination
  – Requires disclosure that at least one member meets the requirements, and further requires disclosure of the person’s name
• Audit committee independence
  – Expands prohibited relationships
• Audit committee responsibilities
  – Requires direct oversight of the auditor and the company’s process for receiving and handling complaints (“whistleblower” processes)
  – Provides the audit committee with the ability to retain advisors


Impact to Management

• Expanded disclosure requirements
  – Management’s Discussion and Analysis must include disclosure of off-balance-sheet arrangements and known contractual agreements
• Rules on the use of non-GAAP financial measures are expanded
• Required disclosure of the company’s code of ethics
  – Management must disclose if a code of ethics exists, and must make the code publicly available through its Web site or SEC filings
  – Waivers to the code must be reported and disclosed
• Cooling-off period for hiring former employees of the external auditor
• Executive officer certification requirements:
  – Section 302: Certifications related to financial reports and disclosure controls
  – Section 404: Certification related to financial reporting controls accompanied by auditor attestation report
  – Section 906: Certification that the financial statements comply with the appropriate Securities Exchange Act and present fairly, in all material respects, the financial condition and results of operations of the issuer


Overview of Internal Control Requirements

Section 302 Certification Overview

• CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
  – Report contains no untrue statements
  – Report is fairly presented in all material respects
  – Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting

Section 404 Certification Overview

• CEO and CFO to certify as of the end of every annual reporting period:
  – Their responsibility for establishing and maintaining effective internal controls over financial reporting
  – Their assessment of internal controls, accompanied by the independent auditors’ attestation report


SOX Internal Control Definitions

Disclosure Controls

• Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC.
• Include controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure.

Internal Controls over Financial Reporting

• Controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles.


Disclosure Controls vs. Financial Reporting Controls

[Diagram labels: Company; Annual Report on Form 10-K (Business, Properties, Legal Proceedings, Financial Statements); Financial Statements (Balance Sheet, Income Statement, Cash Flow, Notes); Disclosure Controls Procedures; Internal Controls Over Financial Reporting; Section 302; Section 404]


COSO Internal Control – Integrated Framework

• COSO offers an integrated framework that defines internal control by five interrelated components:
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information & Communication
  – Monitoring


Control Environment

• The control environment is the control consciousness of an organization; it is the environment in which people conduct business activities and fulfill their control obligations.

• The control environment includes both intangible and tangible elements:
  – Integrity and ethical values
  – Commitment to competence
  – Governance and organization structure
  – Management philosophy and operating style
  – Assignment of authority and responsibility
  – Human resource policies and practices

• An effective control environment exists when employees understand their responsibilities and authority and are committed to acting ethically.

• Management influences an organization’s control environment by setting the standard through its actions and by effectively communicating written policies and procedures, a code of ethics, and standards of conduct – “tone at the top.”


Linking Internal Control and Risk Management

RISK

Possibility of an adverse event that may negatively affect the ability of an organization to achieve its objectives.

RISK MANAGEMENT

Process to increase confidence in the ability of an organization to anticipate, prioritize, and overcome obstacles to the attainment of its goals.

INTERNAL CONTROL

A process designed to provide reasonable assurance regarding the achievement of business objectives.

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations


Control Environment - Roles and Responsibilities

• Executive Management
  – Sets the standard for the control environment
  – Maintains ultimate accountability for internal control and risk management enterprisewide
  – Supports control and risk management activities throughout the organization
• Operating Management
  – Directly responsible and accountable for business operations effectiveness and internal control related to business objectives
  – Periodically assesses and asserts on risk management and control environment
  – Develops and implements action plans for improvement


Control Environment - Roles and Responsibilities (cont.)

• Finance Management
  – Involved in financial implications of operating management responsibilities
  – Provides guidance to design, establishment, execution, and monitoring of adequate internal controls
• Internal Audit
  – Provides support for risk and control assessment activities
  – Monitors exposure of the organization and makes recommendations relating to risk and control activities
  – Designs internal audit plan based on strategic risk assessment
  – Tests adequacy and effectiveness of controls
  – Challenges and validates management control environment assertions
  – Reports independent findings and provides recommendations


Control Environment - Roles and Responsibilities (cont.)

• Audit Committee
  – Focuses board attention
  – Evaluates overall risk exposure
  – Reviews adequacy of overall control environment
  – Provides oversight and advice
• External Audit
  – Evaluates the effectiveness of internal control to determine the scope of external audit procedures
  – Issues management commentary reports
  – Issues an opinion on the consolidated financial statements
  – Reviews control environment and uses results of risk assessments as input to develop external audit plan


Auditor Communications


Required Communications with AC

• SAS 61 (as amended by SAS 89 & 90) – Communication with Audit Committees
• ISB No. 1
• SEC Regulation S-X, Rule 2-07
• NYSE/NASDAQ listing standards


Required Communications – SAS 61

• Our responsibility under GAAS
• Significant accounting policies
• Management judgments and accounting estimates
• Disagreements with management
• Consultation with other accountants
• Major issues discussed with management prior to retention
• Other information in documents containing audited financial statements


Required Communications – SAS 61 (cont.)

• Fraud
• Independence
• Uncorrected misstatements
• Audit adjustments
• Judgments about the quality of the accounting principles
• Alternative accounting treatments
• Difficulties encountered during the audit and management’s response


Thanks!