Comments about New Century's Examiner's Report regarding the Audit Committee and Internal Audit
By Dave Tate, CPA, Esq. - The 500+ page February 29, 2008 report of Michael J. Missal, Bankruptcy Court Examiner, in In re New Century TRS Holdings, Inc., U.S. Bankruptcy Court for the District of Delaware, offers a somewhat rare opportunity to view how a person who is knowledgeable and has experience, in this case the Court Examiner (and his legal counsel), might, after the fact, evaluate the actions of corporate officers, directors, audit committee members, internal auditors and outside auditors in a corporate bankruptcy proceeding. Although the Examiner’s report does not hold the weight of a reportable court decision, it is nevertheless truly useful as a tool, such in the manner that a mock trial might be useful. The report can be found here.
The following discussion addresses only the Examiner’s report with respect to the audit committee and internal audit.
The Examiner notes that the four independent audit committee members “were capable individuals who approached their role with a sense of responsibility.” From May 2005 to the close of 2006 the audit committee met in person or by phone 21 times. “Moreover, the Audit Committee undertook significant activities in analyzing the ramifications of strategic decisions, the structure of management, reviewing financial reports, loan quality issues, and addressing operational concerns.” “The Audit Committee also turned to others for assistance, including [the outside auditor] for financial issues and the Internal Audit Department for operational issues.”
Nevertheless, the Examiner faulted the Audit Committee in four areas:
1. The Audit Committee did not ensure that management conducted an adequate analysis of entity-wide risk;
2. The Audit Committee did not ensure that key operational risks were addressed;
3. The Audit Committee did not give sustained attention to loan quality until 2006; and
4. The Audit Committee did not adequately supervise or make effective use of internal audit.
The Examiner also notes that internal audit was led by “a well-qualified internal audit professional,” who “hired qualified staff,” and that the internal audit personnel “seemed to pursue their responsibilities diligently and professionally.” “Moreover, consistent with sound practices, Internal Audit reported to the Audit Committee, developed a risk-based ranking of issues, typically provided written audit reports to the Audit Committee and developed a procedure to monitor recommendations for improvements. Internal Audit made valuable contributions to the governance and operations of New Century by preparing a significant number of audit reports, and in the process, identified issues concerning loan quality, regulatory compliance, loan servicing and loan appraisals.”
Nevertheless, the Examiner found the following “significant deficiencies” with internal audit:
1. Internal audit did not perform a thorough assessment of entity-wide risk;
2. Internal audit did not identify and examine certain areas of operational risk; and
3. Internal audit did not address internal control over financial reporting risk.
It should be kept in mind that neither the audit committee nor internal audit is responsible for the day-to-day operations of the business; thus, neither the audit committee nor internal audit was or could be the direct cause of the problems at the business. Essentially, although both the audit committee and internal audit diligently performed their functions, when looking at the financial problems that led to New Century’s bankruptcy, it is possible in hindsight to identify audit committee and internal audit deficiencies that may have helped to allow the financial problems to remain unfixed. It is that type of scenario that can present a most difficult dilemma for both the audit committee and internal audit: despite exercising diligence, if something goes wrong often it is possible for someone to argue that greater diligence or better diligence could have prevented the wrongful situation. The Examiner essentially argues that the audit committee and internal audit should have been more diligent, that they may have missed a couple of issues, and that they dropped the ball or did not aggressively enough follow through or pursue certain issues and deficiencies with management.
A lesson can be viewed from the Examiner and his approach to the New Century situation: it can only be concluded that at the end of the day, in performing their functions, both the audit committee and internal audit must do all that they can do to ensure that they have fully resolved each and every issue that they consider important to the risk management of the entity. And that leads to what appears to be a central criticism by the Examiner, that the entity should have and was required to fully implemented and entity-wide enterprise risk management program. Keep in mind that management, the audit committee and internal audit did engage in risk management. The Examiner concluded that those activities were not sufficient.
There is little hard authority for the proposition that the audit committee is responsible for oversight of entity-wide enterprise risk management. New Century was a public company, listed on the New York Stock Exchange. The Examiner references only “best practices for corporate governance,“ and cites N.Y.S.E. Listed Company Manual §303A.07(c)(iii) and (d), and Business Roundtable, Principles of Corporate Governance 17-20 (Nov. 2005). Section 303A.07 pertains only to audit committees of N.Y.S.E. listed companies, but does require those audit committees to discuss with management policies and guidelines relating to risk assessment and risk management, and the company's major financial risk exposures. There is other statutory authority requiring audit committees of all public companies listed in the U.S. to have certain oversight of financial and accounting internal controls; however, oversight of internal controls is not necessarily the same as oversight of enterprise risk management.
With respect to internal audit responsibilities, the Examiner does cite extensively from a couple of sources including from materials published by the Institute of Internal Auditors. The functions and responsibilities of internal audit to engage in enterprise risk management are much more clear. And, of course, the audit committee does interact with and oversee the performance of internal audit.
Whether or not sufficient authority exists to establish the proposition that public company audit committees are responsible for oversight of entity-wide enterprise risk management, or that it is now a broadly established best practice for public company audit committees to perform that oversight function, it can be argued that public company audit committees should at least be considering going in that direction to help protect themselves from after the fact second guessing if something goes wrong. Audit committees also should be working on their interaction with and oversight of internal audit. Internal audit is a tremendous resource to help the audit committee satisfy its functions and responsibilities, and to help the committee evaluate and monitor risk management.
Dave Tate, Esq.