Institute of Internal Auditors

William G. Bishop III, CIA
Tel: +1 407 937 1200

November 27, 2002

Jonathan G. Katz, Secretary
U.S. Securities and Exchange Commission
450 Fifth Street, NW
Washington, DC 20549-0609
VIA E-Mail:

RE: File No. S7-40-02

Proposed Rule: Disclosure Required by Sections 404, 406 and 407 of the
Sarbanes-Oxley Act of 2002

Dear Mr. Katz:

The Institute of Internal Auditors (IIA) is very interested in and supportive of the SEC's efforts to improve disclosures and financial reporting processes. The 80,000 internal auditors represented by The IIA routinely perform independent assurance, risk management, and consulting services for executive management and directors in order to support disclosures and financial reports. We believe we are uniquely qualified to offer comments about the impact of certain provisions of the proposed rule on the internal auditing profession and have accordingly focused the majority of our response in this area. With that focus, we would like to offer comments on the proposed rule amendments regarding Sections 404, 406, and 407 of the Sarbanes-Oxley Act of 2002.

Proposed Definition of "Financial Expert"

Section 407 of the Sarbanes-Oxley Act requires the Commission, in defining the term "financial expert," to consider whether a person has gained certain specific knowledge and understanding "through education and experience as a public accountant or auditor or a principal financial officer, controller, or principal accounting officer of an issuer, or from a position involving the performance of similar functions."

Based upon the specific criteria within the proposed definition of "financial expert," we believe that individuals with experience in internal auditing can be exceptionally well qualified to serve as audit committee members. The proposed definition, however, does not specifically state that experience in both internal and external auditing qualifies as experience "as a public accountant or auditor," and no further explanation is given for the phrase "or from a position involving the performance of similar functions."

Based upon all of our past interactions, we are confident that the SEC considers internal audit executives to be financial experts. Unfortunately, though, the proposed rule does not specifically clarify this point. We therefore believe that the proposed rule should offer further guidance or examples regarding qualifying experience.

We also note that the proposed rule states companies should consider a variety of factors in determining whether a potential financial expert has all of the requisite attributes, including whether the person is certified or otherwise identified as having accounting or financial experience by a recognized private body that establishes and administers standards in respect of such expertise. We believe that this provision refers to certifications such as the Certified Internal Auditor designation, but the wording may be unclear to some readers. Like Certified Public Accountants, Certified Internal Auditors are subject to professional standards, a code of ethics, and continuing education requirements. In the case of Certified Internal Auditors, the standards and code of ethics are internationally recognized as authoritative. We believe that, just as specific mention of Certified Public Accountants is appropriate within the proposed rule, the rule could be further enhanced by inclusion of Certified Internal Auditors.

We believe that the above recommendations to clarify the definition of "financial expert" are particularly important because of the shrinking pool of potential candidates and the need to ensure that corporate boards are encouraged to consider a wide range of qualified candidates, including internal audit executives. In making these recommendations, we note the SEC's statement that the proposed rule sets forth "several fairly specific and objective standards to limit the pool of potential financial expert candidates." As noted in the SEC's discussion, "one size doesn't fit all." Although the proposed rule is not intended to establish a "bright-line" test for making the financial expert determination, the attributes listed do have that effect. Omission of Certified Internal Auditors as potential qualified financial experts could further limit the pool of candidates.

Description of the Proposed Code of Ethics Disclosure Requirements

Section 406 of the Sarbanes-Oxley Act requires the Commission to adopt rules that require companies to disclose whether a code of ethics has been adopted. While The IIA supports such rules, The IIA strongly believes that there is merit in expanding the concept of the code of ethics to be part of a Code of Corporate Governance that would be used to define and communicate the expectations of senior management and the board throughout the organization. As an example, the 21st Century Governance Principles for U.S. Public Companies, promulgated by the Corporate Governance Center at Kennesaw State University in Kennesaw, Georgia, adds to the elements defined in the proposed rule and provides a basis not only for addressing violations of ethical standards but also for the positive promotion of good governance within the organization. While we do not suggest that the rule should prescribe the contents of the code of governance for each entity, we believe that each company should develop and communicate these values to all members of the organization. IIA experience with its global members has shown that Codes of Governance are increasingly used around the world to codify the elements necessary to protect the various stakeholders in a publicly held company.

The SEC's Request for Comment asks whether the description of the proposed code of ethics disclosure requirements should cover a broader group of officers. We believe that it should. Although the proposed wording states that disclosure requirements would apply to "persons performing similar functions" as well as to the principal executive officer, principal financial officer, and principal accounting officer or controller, we believe that the code of ethics requirements should be clarified to state specifically that they apply to an organization's chief audit executive. We believe that the internal audit function's unique position within corporate governance processes makes it imperative that the same high ethical principles expected of principal executive officers and principal financial officers also be required of the chief audit executives who are responsible for the internal auditing function.

Internal Controls and Procedures for Financial Reporting

The proposed rule for implementing Section 404 of the Sarbanes-Oxley Act presents a well-documented history of the evolution in the understanding of internal control within the United States during the past 50 years. The discussion of the Proposed Rule points out that there are a variety of different definitions of the term "internal controls." We agree that the term is open to misinterpretation and that clarification is needed, especially in the context of the phrase "internal controls and procedures for financial reporting." To avoid confusion and to clarify the SEC's intent, we recommend that the phrase be changed to "internal controls over financial reporting and procedures that relate to financial reporting." This change would make it clear that the internal control disclosures are limited to controls related to financial reporting.

The most widely accepted definition of internal control is the one offered by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO"). As a founding organization of COSO, The IIA is a strong supporter of the broader understanding of internal control endorsed by COSO. We note the SEC's endorsement of the AICPA's Codification of Statements on Auditing Standards (AU) Section 319 and support this endorsement as AU §319 is based on COSO's definition and description of internal control. You have stopped short, however, of recognizing the broader definition. Rather you have mentioned a few elementary controls. We believe you should embrace the entire definition of control as stated in AU §319.

COSO defines internal controls broadly, rather than limiting internal controls merely to financial reporting. We believe that this definition is the most appropriate definition for use by the SEC. While we endorse the current SEC proposal to require "...companies to include a report on their internal controls and procedures for financial reporting in their annual reports," we believe that public disclosures on internal control by management and the board should be based on a broad definition of the term "internal control." The attestation to annual financial statements by the public accounting firm can be limited to the "internal controls over financial reporting and procedures that relate to financial reporting."

As noted by COSO's Internal Control - Integrated Framework supplement on Reporting to External Parties [1], issued ten years ago, "investors want information on whether the organization has controls to help ensure that it is operating efficiently and effectively, and is complying with legal and regulatory requirements." The COSO supplement provides guidance to those choosing to report publicly on internal controls, and the framework it describes can still be useful today.

The broad definition of internal control has several advantages in enhancing the transparency of public reporting. We have encouraged internal auditors to understand the implications of an expanded definition in their organizations and to be a catalyst for implementing the COSO definition of internal control. IIA guidance calls for internal auditors to provide assessments of these systems of internal controls to senior executives and directors. The Institute believes that management's and the board's report on internal controls should cover a broad spectrum of internal controls as envisioned by COSO. We believe that mandatory reporting on the entire system of internal control would be a potent weapon in the ongoing fight to protect shareholders and the investing public.

The IIA Practice Advisory that covers this process is attached for your consideration. Please note that the report should be coordinated and draw on representations from management about the sufficiency of internal controls, the result of control system tests performed by internal auditors and others on the management team, and the work of the external auditor. Senior management and the audit committee are thus provided a basis to effectively evaluate the adequacy of the system of internal control and make the representation which is to be included in the annual report. The definition of internal control used in the guidance is that defined in COSO's Internal Control - Integrated Framework document.

In summary, The IIA strongly supports the SEC rules that are proposed to implement Sections 404, 406, and 407 of Sarbanes-Oxley Act. In the context of a corporate governance code tailored to a particular public company, a professionally staffed, independent internal audit function is one of the cornerstones upon which good corporate governance must be constructed. Toward this end, we offer the above recommendations in the hope that they will be of significant value in assuring sound corporate governance.

Thank you for the opportunity to comment as you work with this vitally important rule. Timely enactment of this regulation is essential to restore investor confidence in our capital markets and, thereby, to ensure America's long-term economic vitality. We applaud the SEC's noteworthy actions to improve the quality of the financial reporting process.


William G. Bishop III, CIA

[1] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, 1992

Attachment - IIA Practice Advisory: Assessing and Reporting on Control Processes