The SECs recently issued proxy disclosure rules provide chief audit executives with opportunities to help companies improve their governance and risk management practices, according to the Institute of Internal Auditors.
In general, the rules issued by the SEC in December require companies to publicly disclose a wide range of governance activities in future proxy and information statements, including the boards leadership structure and role in risk oversight, and the relationship of the organizations overall compensation policies and practices to enterprise risk and risk management.
The new rules require reporting results of shareholder votes within four business days and make substantial changes to the valuation of some stock‐based awards to executives.
The rules offer an opportunity for chief audit executives to establish the importance of audit opinions on the adequacy and effectiveness of risk management processes as well as audit reports on the accuracy of other SEC‐required disclosures as compliance best practices, according to the IIA.
The new proxy requirements will place greater pressure on boards to demonstrate their role in the oversight of risk management, and by extension, this presents both challenges and opportunities for CAEs and their internal audit teams, said IIA president and CEO Richard Chambers.
He and other internal audit leaders recommend the following 10 actions for chief audit executives to take:
1. Read the SECs
2. Determine who in the organization is spearheading the new disclosure process and meet with them to ascertain whether the process is appropriate, repeatable, and documented comprehensively.
3. Meet with the person drafting the disclosure to discuss the boards role in risk oversight and ensure that the activities of the board and its committees, including the audit committee, are stated accurately, and that the related activities of internal auditing are described accurately.
4. Review the appropriateness of the determination of whether the organizations broad compensation policies and practices not just those that apply to senior executives might create risks that are reasonably likely to have a material adverse effect on the company and, therefore, require disclosure.
5. If such disclosure is required, review the draft and gain assurance that the language is appropriate and appears to address SEC requirements adequately. Moreover, consider suggesting inclusion of specific language concerning internal auditings role in assessing the completeness and accuracy of disclosures related to the organizations risk management practices.
6. Carefully consider the need for further, formal internal audit testing of the organizations risk management processes. If appropriate, suggest disclosure of the outcomes of this testing, including an opinion on the overall effectiveness of the organizations risk management processes.
7. Keep senior management and the audit committee thoroughly apprised of these activities.
8. Produce a written audit report documenting these disclosure-related activities.
9. Review the internal audit plan to ensure it covers adequately organizational activities related to the SECs disclosure requirements.
10. Discuss with the audit committee additional ways that internal auditing could assist the board in fulfilling its required risk management oversight.
Like requirements of the U.S. Sarbanes-Oxley Act of 2002, the SECs new disclosure rules soon will become a way of life for public companies and, similarly, they provide opportunities for internal auditing to add value to the organization, said Chambers. However, the decision to seize these opportunities must be made by each CAE.
The enhanced disclosure rules are effective for proxy solicitations and other reports filed with the SEC on or after Feb. 28, 2010. Each organizations initial filing will be carefully scrutinized by the agency, the analyst community, and investors, according to the IIA. Moreover, the tone and substance of the initial filings will serve as benchmarks for future reporting.
