February 18, 2003
Mr. Jonathan G. Katz
Re: File Number S7-02-03
This comment letter relates to the Proposed Rule: Standards Relating to Listed Company Audit Committees.
The first matter I wish to comment on is the following question, which is stated in the release and for which comments are solicited:
"Should the audit committee be directly responsible for the appointment, compensation, retention and oversight of an issuer's internal auditor?"
The ongoing, daily oversight of the work of the internal auditor would be beyond the reasonable expectations of the duties or responsibilities of an audit committee or any member thereof, even under the requirements of Sarbanes-Oxley. Ongoing oversight would generally require physical presence, attention to projects in progress and other functions that exceed the reasonable requirements of Board members.
A more practical approach to internal auditor reporting responsibilities would be the following; On a day-to-day basis, the internal auditor should report to the CEO of the corporation. The internal auditor should also have direct reporting responsibility to the Audit Committee in the following areas: Audit planning, coordination with independent auditors, periodic reporting (quarterly or monthly) of results of audit projects, periodic reporting of management responses to audits, periodic evaluation of internal controls, periodic risk assessment, audit staff qualifications and adequacy and review of SEC quarterly and annual reports. Reports by the internal auditor to the Audit Committee in each of these areas would provide information to the Audit Committee which would help it carry out its responsibilities and supplement the work of the independent auditor in certain areas. Such reporting would also provide a framework for the Audit Committee to judge the internal auditor's performance. Day to day reporting to the CEO would ensure that the internal auditor remains accountable, within the corporate environment, for carrying out his or her responsibilities in an appropriate, professional manner. The internal auditor could also be a resource for the CEO to utilize with respect to the certifications required under Sarbanes-Oxley. Compensation of the internal auditor should also be the primary responsibility of the CEO, however the Audit Committee should review the recommendation of the CEO in light of compensation of other employees.
As a final comment in this area, I do not believe that an internal audit function that reports to the CFO or the Chief Accounting Officer can ever be considered an independent function. Audit Committees should be counseled against allowing such reporting lines.
The second issue that I would like to comment on is the issue of how the Audit Committee can achieve "oversight" of the independent auditors, including dealing with disagreements between the independent auditor and management.
Additional guidance is needed from the Commission staff regarding suggested mechanisms for accomplishing the oversight objective. In this regard, I refer to the Commission staff recommendation of a "disclosure committee" in the context of achieving an appropriate level of disclosure controls.
In the absence at this point of any specifics in this area, I have the following additional comment. An effective and independent internal audit function could assist an audit committee in achieving some level of "oversight" of the independent auditors, including consideration of disagreements. The principal factor in achieving "oversight" would likely be clear and effective communication. The internal auditor should in many cases be able to help achieve one level of oversight by facilitating communications.
I am a former Partner in a "Big Four" firm and I am currently Vice President and Chief Internal Auditor of an SEC registrant with reporting responsibility to the CEO and the Audit Committee. I am also an investor in a number of companies.
I can be reached at (479) 494-6823 or by e-mail at email@example.com.
Thank you for the opportunity to submit comments.