Third-Party Risks and Internal Audit – and Bring in Legal

The following is a link to a short video discussion about auditing third-party risks from the Institute of Internal Auditors, CLICK HERE FOR THE VIDEO.

The discussion is interesting for what it says, and what it doesn’t say. Of course it’s only a short video and does not purport to cover anywhere near the entire topic, and the video also is only part I. The discussion also focuses only on negative risks, e.g., the risk of negative catastrophe such as from cyber breach, but what about a more positive risk such as a resulting shortage of product materials because new product demand surpasses the highest estimates?

Internal audit and other people who are involved in third-party risk need to avoid working in silos. The video doesn’t mention the audit committee, or internal audit’s charter, or the involvement of legal counsel, for example. What about the risk of faulty or dangerous product produced or materials used by a third-party vendor? The discussion does touch on evaluating whether to end or terminate the contract with a third-party vendor – how does internal audit do that – bring in legal, right?

In any event, I’m just using the video to prompt some discussions, which certainly was the intent of the video.

Best, Dave Tate, Esq. (San Francisco / California), and click on the following link for my audit committee guide – and please tell other people who would be interested, CLICK HERE FOR A BLOG POST WITH A LINK TO THE GUIDE – JUST CLICK THE LINK – YOU DON’T NEED TO PROVIDE ANY INFORMATION

Comments on the DoJ Fraud Section Plan and Guidance

Recently, on April 8, 2016, I wrote a post about the new DoJ Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance. Here is a link to that post and the Plan and Guidance CLICK HERE.

I did not at that time provide comments about the Plan and Guidance, which is only 9 pages in length. Whereas audit committees definitely should read and understand the Plan and Guidance, and take it into consideration for the purpose of pre-policies, processes and practices, and then also if an event or occurrence happens, my additional overview comments are as follows.

As you read through the Plan and Guidance, unfortunately I believe that you will find that for the most part it vaguely says that you should conduct an investigation of everything and everyone who might be relevant to the event or occurrence, that you should self report everything that you find (except for attorney-client information and materials, but of course the Fraud Section might argue about what qualifies as being attorney-client privileged), and that the Fraud Section will then consider what benefits it will grant, if any, to you for doing so. In that regard, I have to say that the Plan and Guidance is noncommittal, vague and overly broad, and might be considered heavy-handed, and as such isn’t particularly helpful or not nearly as helpful as it might have been.

The Plan and Guidance also only applies to the Fraud Section – thus, it does not apply to any of the other numbers of governmental entities, divisions, departments or sections that might also be looking into the event or occurrence. But, please do read and understand the Plan and Guidance anyway.

And the following is a link to my Excellent Audit Committee Guide – read it and pass it around, CLICK HERE.

Best, Dave Tate, Esq. (San Francisco/California)

What Insight Do Audit Committees Receive From Internal Audit – Not Enough Or Much – KPMG Survey

[Chart: What insight do audit committees receive from IA]

The above chart is from a new KPMG survey of audit committee chairs and CFOs. You can find the survey at GM-OTS-1653_SeekingValueThrough_IAB_V1.pdf.

The survey and the above chart identify ongoing challenges for internal audit to provide and prove enough value to audit committee members and CFOs. It is well-documented that these challenges have existed for years – basically forever. But let’s not overgeneralize – one size doesn’t fit all, and certainly there are internal audit functions that are up-to-speed and that are providing good value.

If there is a problem in this area, you must also ask the audit committee members, not just the audit committee chair but also the individual members who aren’t the chair, why they aren’t getting the information that they need from internal audit? There’s either a lack of common understanding, and that lack of understanding might also be the fault of the audit committee members if they are not expressing themselves sufficiently, or there is a problem with the internal audit function, or its funding, or the qualifications of its members. In theory, it also is possible that the audit committee or the CFO simply are asking internal audit to perform a task or to provide information that is unreasonable; however, that is like saying “I can’t do that for you,” which of course is a very bad approach.

You can also see Tate’s Excellent Audit Committee Guide (updated January 3, 2016), at http://wp.me/p75iWX-q

Dave Tate, Esq., San Francisco and California, http://auditcommitteeupdate.com

Audit Committee 5 Lines of Defense 02132016 David W. Tate, Esq.


‘Internal audit is crucial to assessing impact of corporate culture’

Internal audit’s mandate is much broader than external audit’s, says Richard Chambers of Institute of Internal Auditors

Click on the following link for the article: www.thehindubusinessline.com

Dave Tate, Esq. comment.

I’m going to disagree with Mr. Chambers on this one. I believe it is better for external audit to be auditing this issue – which is an issue that external audit already should be taking into consideration when designing the audit and the extent to which management and the accounting and internal control functions can be relied upon.

 

Although internal audit could be assigned a task or project relating to culture, on this topic I would keep the task or project very specific. Internal audit does also work and interact with management and executive management – assessing culture might detrimentally impact those relationships. I would however recommend that internal audit be more involved in risk management, which could involve culture but in a different context.

 

Audit committee, D&O, risk management, etc. blog: http://auditcommitteeupdate.com

Website: http://tateattorney.com

Trust, estate, conservatorship and elder abuse litigation blog: http://californiaestatetrust.com

Do You Have a Contrarian on Your Team?

A divergent opinion can lead to more creative and better decisions.

Click on the following for the article: www.gsb.stanford.edu

Dave Tate, Esq. comments – good for thought – every board and management situation is different anyway – but also, did anyone say that there shouldn’t be or can’t be contrarian views on a board or committee? Look at the business judgment rule – there’s nothing there about all having to agree. One vote per person. My website: http://tateattorney.com.

Audit Committee 5 Lines of Defense

Audit Committee 5 Lines of Defense 02132016 David W. Tate, Esq.

What do you do if you are an audit committee member or a director and you don’t know a relevant subject matter area?

The answer to this question might seem easy – you could say (1) “learn the area” or you might say (2) “rely upon other people” or you might say (3) “learn the area and rely on other people.” But learning the area even with a good faith effort isn’t necessarily easy or quick, and you need to ask whether relying on other people will satisfy your responsibilities? Many audit committee and board relevant subject matter areas are difficult or complicated.

Based on the business judgment rule, I recommend the third approach. I say that because you might well in part rely upon other people, but you must do so intelligently, and I would ask, other than simple complete trust or deferral, can you intelligently rely on other people if you don’t have sufficient background to gather information and ask questions, let alone evaluate the information and make decisions?

Let me also add, if it’s a specific subject matter area in which you have an oversight responsibility, such as, for example, for audit committees, oversight of the independent or external audit and of the external auditor, oversight of internal controls, oversight of the internal audit function, oversight of significant accounting practices, policies and principles, and oversight of anonymous reporting, and there are also many other specific areas, then for those areas you really do need to have or obtain (yes, it can be okay to “obtain”) the necessary background knowledge about those areas as they are core areas of your responsibility.

Below is a summary of the business judgment rule that I have taken from Tate’s Excellent Audit Committee Guide (in the Guide I have stated the rule in three different ways, because the business judgment rule is so important), and you can find the January 3, 2016, version of the Guide (183 pages) at the following link (note, I do try to update the Guide every 2-3 months, and please tell other people about this blog and the Guide as they are only worthwhile if people read them) – the link for the January 2016 version of the Guide is  http://wp.me/p75iWX-q

  1. THE BUSINESS JUDGMENT RULE

The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. I have started with the business judgment rule because it provides a very good overall approach for directors and audit committee members to follow, although lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the committee member believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position would use under similar circumstances.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. The director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

* * * * *

CAQ Report Re Discussions With Audit Committees Re Audit Quality Indicators; Auditor Assessment Tool; Tate’s Excellent Audit Committee Guide

The Center for Audit Quality (CAQ) has published a new report summarizing its discussions with audit committees about key audit quality indicators. Here is a link to the announcement which also contains a link to the report: CLICK HERE

And here is a snapshot of a relevant part of the announcement (you can also see the entire wording by clicking the above link):

CAQ discussions with AC about audit quality indicators

Keep in mind, however, that the PCAOB also is working on these issues, i.e., key indicators for audit committee or board evaluations of the external auditor, and audit committees already are required by law to oversee the hiring and performance of the external auditor. In my opinion if the PCAOB does issue new rules or materials on these issues, those new rules or materials will generate more audit committee and board oversight or activity than the CAQ materials. Nevertheless, the CAQ materials and discussions are helpful. Thus, here is a link to materials that the CAQ has already issued to help audit committees evaluate the external auditor: The CAQ Auditor Assessment Tool

And here is a link to Tate’s Excellent Audit Committee Guide (updated January 3, 2016), click on the following link, http://wp.me/p75iWX-q

Enjoy.
Dave Tate, Esq. and CPA licensed in California (inactive), San Francisco/California
