4. Internal Control Reporting and Financial Auditor Independence

· Although the federal Sarbanes-Oxley Act is intended to increase oversight over the financial reporting of publicly-held private companies, two key provisions of the Act apply to local governments: (1) increased authority of the audit committee and enhanced independence of the financial auditor, and (2) the effectiveness of financial internal controls over financial reporting.

· The Sarbanes-Oxley Act strengthens audit committee oversight and auditor independence. Under the Charter, the Board of Supervisors selects the City's financial auditor. The financial auditor has a direct reporting relationship with the Board of Supervisors Audit Committee. By adopting policies consistent with the Sarbanes-Oxley Act, the Audit Committee would increase the financial auditor's direct reporting requirements to the Audit Committee. The Audit Committee would also have authority over the approval of any non-audit services provided by the financial auditor.

· The Board of Supervisors should approve policies to maintain financial auditor independence. These policies include rotating the audit partner every five years and standards for conflict of interest.

· The Board of Supervisors should also assess the feasibility of conducting a Citywide evaluation of internal controls and requiring the financial auditors to report on the effectiveness of these internal controls. The increased costs of internal control evaluation and reporting could be offset by a reduction in loss from fraud or inefficiency.

Applying Sarbanes-Oxley to the Public Sector

In 2002, Congress enacted the Sarbanes-Oxley Act, increasing oversight of financial reporting of publicly-held private companies. Although the Sarbanes-Oxley Act does not apply to audits of government organizations,[1] the underlying principles do apply. Two key concepts of Sarbanes-Oxley are:

· Increased audit committee oversight and enhanced auditor independence; and

· Ensuring effective internal controls and financial reporting on the effectiveness of internal controls.

Auditor Independence and Audit Committee Oversight

The Securities and Exchange Commission has adopted new rules, which amend existing requirements regarding auditor independence and enhance the independence of accountants that audit and review financial statements. Under these final rules, the Securities and Exchange Commission has recognized the importance of the audit committee in assuring auditor independence. The Sarbanes-Oxley Act required the Securities and Exchange Commission to develop new rules on auditor independence, defining:

    · Allowable and non-allowable non-audit services;

    · Relationship between the independent auditor and the audit committee;

    · Conflict of interest standards; and

    · Auditor partner rotation and second partner review requirements.

Non-audit services

Under the new rules established by the Securities and Exchange Commission, certain non-audit services provided by the financial auditor are prohibited, and other non-audit services require pre-approval by the audit committee. The Securities and Exchange Commission's rules regarding non-audit services are based on three basic principles:

1. An auditor cannot function in the role of management.

2. An auditor cannot audit his or her own work.

3. An auditor cannot serve in an advocacy role for his or her client.

The new rules prohibit the financial auditor from performing such non-audit services as:

· Bookkeeping or other services related to the accounting records or financial statements of the audit client;

· Financial information systems design and implementation;

· Appraisal or valuation services;

· Actuarial services;

· Internal audit outsourcing services;

· Management functions or human resources;

· Broker or dealer, investment adviser, or investment banking services; and

· Legal services and expert services unrelated to the audit.

Non-audit Services Performed by the Financial Auditor in San Francisco

Over the past few years, San Francisco's financial auditor, KPMG LLP, has performed several non-audit projects for the City. These projects include (a) a FY 2001-2002 report on the Municipal Transportation Authority's payroll process and internal controls, (b) a policies and procedures manual on accounting for capital assets under the new government accounting standards, GASB 34, (c) assistance to the Controller's Office in implementing GASB 34, and (d) assistance to the Public Utility Commission in integrating their accounting information technology system.

During the same period, KPMG Consulting (now known as Bearing Point), which separated from KPMG LLP in 2000, provided consulting services to the Controller's Office on the City's automated purchasing system (ADPICS) and the financial reporting system (EIS). Bearing Point now has a contract with the City to provide support to the financial accounting management information system (FAMIS).

Role of the Audit Committee

Charter § 9.117 establishes the Board of Supervisors' Audit Committee. Under the Charter, the financial auditor reports directly to the Audit Committee. The Charter also gives the Board of Supervisors the authority to select the independent auditor to report on the annual financial statements. Consistent with the Securities and Exchange Commission's new rules, the Board of Supervisors should consider adoption of Administrative Code provisions that would implement the intent of the Sarbanes-Oxley Act.

Financial Auditor Reports to the Audit Committee

The financial auditor already has a reporting responsibility to the Audit Committee. The Sarbanes-Oxley Act requires that the reporting by the financial auditor to the Audit Committee be more timely. The Securities and Exchange Commission rules require that the financial auditor report to the Audit Committee, prior to issuing the final audit report on the financial statement:

· All critical accounting policies and practices used by the company management;

· All alternative accounting treatments of financial information that have been discussed with management, including the ramifications of the use of such alternative treatments and disclosures and the treatment preferred by the accounting firm; and

· Other material written communications between the accounting firm and company management.

According to the Securities and Exchange Commission, requiring the accountants to communicate information directly to the Audit Committee will aid the Audit Committee in fulfilling its responsibilities. As part of the proposed Charter Amendment discussed above, the Board of Supervisors should include requirements consistent with the Securities and Exchange Commission's rule on financial auditor reporting to the audit committee.

Standards for Conflict of Interest

Consistent with the Sarbanes-Oxley Act, the Securities and Exchange Commission established a rule restricting employment of financial audit firm employees by the audited company. The Securities and Exchange Commission rule requires a one-year "cooling off" period before a member of the financial audit firm's audit team can be employed by the audited company in certain key positions, such as chief executive officer, controller, chief financial officer or chief accounting officer.

Financial Auditor Partner Rotation

The Securities and Exchange Commission's rules establish a mandatory rotation of the financial auditor's lead partner every five years. Under the rules, the "audit partner" refers to the partner who is a member of the audit engagement team and who has responsibility for decision-making on significant auditing, accounting, and reporting matters that affect the financial statements or who maintains regular contact with management and the audit committee. According to the Commission, in establishing the partner rotation requirement, the Commission attempted to strike a balance between the need to have an audit team that can take a fresh look at the financial report and the need to have competent accountants on the audit team. The Controller's Office should develop a policy for adoption by the Board of Supervisors that is consistent with the Securities and Exchange Commission rules on conflict of interest standards and financial auditor partner rotation.

Internal Control Assessments

Section 404 of the Sarbanes-Oxley Act directs the Securities and Exchange Commission to adopt rules requiring annual reports of publicly-held private companies to include an assessment of the effectiveness of internal controls and procedures for financial reporting. Section 404 also requires the company's independent auditors to attest and report on management's assessment of internal controls. The Act did not specify a deadline by which the Securities and Exchange Commission is to adopt rules regarding the assessment of the effectiveness of internal controls.

Process of Assessing and Reporting on Internal Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)[2] issued a report in 1992, Internal Control-Integrated Framework, which defined internal controls and provided guidelines for assessing and improving internal control systems. The report defined internal controls as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:"

· Effectiveness and efficiency of operations;

· Reliability of financial reporting; and

· Compliance with applicable laws and regulations.

The COSO report also identified five interrelated components of effective internal control, including:

· Control environment;

· Risk assessment;

· Control activities;

· Information and communications; and

· Monitoring.

Although the Securities and Exchange Commission has not yet completed proposed rules for internal control assessment and reporting in compliance with the Sarbanes-Oxley Act, the completed rules are expected to be consistent with the definitions in the COSO report. Under existing practice, the financial auditor gives an opinion on the annual financial statement but does not report on the system of internal controls. According to the KPMG auditors in the March 1, 2002, Management Letter, the auditors "considered internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the basic financial statements. An audit does not include examining the effectiveness of internal control and does not provide assurance on internal control." Under the Sarbanes-Oxley Act, the financial auditors would evaluate and report on management's assessment of the effectiveness of internal controls.

Implementing Policies to Assess and Report on Internal Controls

It could be costly for the City to conduct an assessment of internal controls and require financial reporting on internal controls. An internal control assessment would require identifying and evaluating the effectiveness of existing controls for City departments and functions, and developing internal controls to strengthen departments' practices. If the City implemented a policy to include an audit of internal controls as part of the annual financial statement audit, consistent with the intent of the Sarbanes-Oxley Act, then the cost of the annual financial statement audit would increase.

The Controller should study the feasibility of implementing policies to assess and report on the City's internal controls, including potential risk reduction and costs to the City. The feasibility study should be presented to the Board of Supervisors prior to June 30, 2004, with the possibility of implementing the policy for the fiscal year ending June 30, 2005. The Controller should present to the Board of Supervisors, within 60 days, the expected cost of such a study, including expenditure details.

Conclusion

Although the Sarbanes-Oxley Act, which increases oversight over publicly-held private companies, does not apply to government agencies, the principles underlying the Act do apply. The Sarbanes-Oxley Act strengthens the role of the Audit Committee in the financial reporting process and increases the level of auditor independence. The Board of Supervisors Audit Committee already has a direct reporting relationship with the City's financial auditors. By adopting policies consistent with the Securities and Exchange Commission's rules under the Sarbanes-Oxley Act, the Board of Supervisors would increase its oversight over financial statement audits and non-audit services provided by the financial auditor.

The provisions of the Sarbanes-Oxley Act to evaluate and report on internal controls could be costly for the City to implement. However, if the City reduced its risk of loss from inefficient or fraudulent activities through strengthening internal controls, the reduced loss could offset the increased costs of implementing a comprehensive policy to evaluate and report on internal controls.

Recommendations

The Board of Supervisors should:

4.1 Propose an amendment to the Administrative Code, adopting the policies of the Sarbanes-Oxley Act and giving the Audit Committee authority to:

    i. pre-approve all non-audit services performed by the City's financial auditor, and

    ii. require financial auditor reports to the Audit Committee prior to issuing the final audit report on the financial statement, which include (i) all critical accounting policies and practices used by City management; (ii) all alternative accounting treatments of financial information that have been discussed with management, including the ramifications of the use of such alternative treatments and disclosures and the treatment preferred by the accounting firm; and (iii) other material written communications between the accounting firm and City management.

The Controller should:

4.2 Develop and present a policy within 60 days for Board of Supervisors adoption on auditor independence, including (a) standards on conflict of interest, and (b) financial auditor partner rotation;

4.3 Develop and present a cost estimate, including expenditure details, within 60 days for Board of Supervisors' consideration, of a feasibility study to assess and report on the City's internal controls; and,

4.4 If the Board of Supervisors approves the feasibility study, conduct and report on the feasibility of a policy to evaluate and report on the City's internal controls, prior to June 30, 2004, to be implemented for the fiscal year ending June 30, 2005.

Costs and Benefits

The City's costs to implement policies consistent with the Sarbanes-Oxley Act provisions on audit committees and auditor independence would be negligible. The provisions of the Sarbanes-Oxley Act to evaluate and report on internal controls could be costly for the City to implement, but could result in reduced risk of loss from inefficient or fraudulent activities, offsetting the increased costs.

[1] Government financial auditors are governed by separate regulations that are set by the federal Office of the Inspector General (OIG).

[2] The Committee of Sponsoring Organizations of the Treadway Commission was formed in 1985 as an alliance of five professional organizations, including Financial Executives International, the American Accounting Association, the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the Institute of Management Accountants.