February 18, 2003
Jonathan G. Katz, Secretary
RE: File S7-02-03
Dear Mr. Katz:
I am a Certified Internal Auditor and proud member of The Institute of Internal Auditors (The IIA). The IIA represents approximately 82,000 members.
I currently serve and have previously served as the head of Corporate Internal Audit for two publicly listed multinational companies, with revenues ranging from $400 million to $1.2 billion respectively. I have served in this capacity for about 5 years reporting to senior management, and with ultimate accountability to the Audit Committee.
I have also worked as an external auditor with one of the "Big 4" firms, and have other corporate internal audit experience in a large internal audit department for another publicly listed multinational company, with over $5 billion in revenues.
I have read The IIA's comments with respect to File No. S7-49-02, and I am in complete concurrence with the comments stated therein. I believe that many of us who work in internal audit, specifically those of us who lead internal audit departments of publicly listed companies, agree with the recommendation that the SEC endorse the IIA's Standards for the Professional Practice of Internal Auditing (Standards), as The IIA is uniquely qualified to offer best practices as Standards that serve as relevant guidance to Audit Committees, management, internal auditors and external auditors.
Furthermore, I would like to emphasize two points that I believe are critical as part of the Audit Committee's responsibilities in their oversight over a company's financial reporting and internal controls processes, and which in my professional judgment should be required:
Although chief audit executives (CAE's) are wise to operate under an internal audit charter approved by management and the Audit Committee, and which describes the accountability of the CAE, I believe that there is a current disconnect between the CAE being accountable to the Audit Committee, and yet the CAE's performance review and compensation being determined only by management. The CAE is in a unique position to identify and report timely on significant deficiencies to efficient, and most importantly effective financial reporting and internal control processes, for which management is responsible, and which management may view as a "personal" attack. Because of this, management may attempt to influence the CAE's reporting to the Audit Committee by controlling and "dangling the compensation carrots" over the CAE. Thus, this disconnect could potentially bias the CAE's reporting because of the potential personal impact to their career or compensation.
These requirements do not eliminate management's important involvement in the hiring, removal or compensation of the CAE. Management's recommendation to the Audit Committee with respect to hiring, removal or compensation will still be very influential, as it should be. Additionally, these requirements can readily be implemented with minimal or no cost to a company.
These requirements are also not meant to act as job security to the CAE, but rather they will serve to address the disconnect of accountability to the Audit Committee, but compensation being determined solely by management. For example, if the Audit Committee determines from the CAE's performance evaluation that the CAE is not performing satisfactorily, in which management had a significant influence, then the Audit Committee can properly ask for the CAE to be replaced. However, if management is attempting to bias or influence the reporting of the CAE by impacting the CAE's performance evaluation or compensation, and yet the Audit Committee determines that the CAE's is performing satisfactorily, this may lead the Audit Committee to probe deeper.
CAE's walk a fine line between partnering with management in a consultant's capacity, to identify financial and operational opportunities, and having to report objectively and timely to the Audit Committee significant deficiencies in financial reporting and internal control processes of their organizations.
Thus, I strongly believe that the sound proposals by The IIA, in particular the two points emphasized above, will only serve to effectively clarify and strengthen the Audit Committee's oversight responsibilities in a very cost-beneficial manner, with the ultimate beneficiaries being the investing public and other stakeholders, to which we all owe a fiduciary responsibility.