A case for responsible reporting: in considering ways to improve internal control over financial reporting, organizations should look to corporate responsibility reports

Internal Auditor, April, 2006 by Bruce McCuaig

OVER THE PAST THREE DECADES, frequent, repeated, fundamental failures in the governance of financial reporting have led to public outcry, special commissions, and regulatory change. Communities, suppliers, consumers, pensioners, and others have been impacted dramatically by corporate financial misconduct. By any measure, the consequences of corporate governance failures have reached well beyond those with direct economic interests in corporations.

There is little objective evidence that the reliability of financial reporting has improved in the last 30 years, despite the billions of dollars invested in attempts to do so. Efforts to address the issue have included the National Commission on Fraudulent Financial Reporting (known as the Treadway Commission) in the 1980s, The Committee of Sponsoring Organizations of The Treadway Commission's (COSO's) Internal Control-Integrated Framework in the 1990s, and the U.S. Sarbanes-Oxley Act of 2002 with its resultant Auditing Standard No. 2 (AS2) from the U.S. Public Company Accounting Oversight Board (PCAOB). However, fraudulent financial reporting and corporate governance issues remain. Do the requirements for internal control effectiveness opinions and deficiency reporting under Sarbanes-Oxley and AS2 provide enough information to satisfy all stakeholders that corporations have sound internal control, compliance, and governance frameworks and that the reliability of financial reporting is improving? Are new solutions needed?

There is a significant opportunity for internal auditors to develop and implement cost-effective, sustainable approaches that go beyond current regulatory requirements for reporting on the reliability of internal control over financial reporting, as well as to improve corporate governance and compliance, generally. In the last 30 years, corporations have achieved dramatic improvements in safety, quality, environmental, and other areas--but not in the reliability of financial reporting. There is an opportunity to go far beyond those minimum standards by borrowing from the successful techniques of our colleagues in other assurance professions and revising our disclosure and reporting frameworks.

What is needed is a fresh approach combined with innovative thinking. One model that auditors can draw from is the corporate responsibility report. Used by assurance professionals in the health, safety, environmental, and compliance areas, the corporate responsibility report is rapidly becoming a valuable source of detailed information--in addition to annual reports and regulatory filings--for all stakeholders. Internal auditors can dramatically expand the organization's reporting on internal control over financial reporting, corporate governance, and compliance using this medium.

CORPORATE RESPONSIBILITY REPORTS

Corporate responsibility reports are public documents directed toward stakeholders who do not have a direct economic interest in the corporation and whose information needs are not necessarily met by routine financial and regulatory reporting requirements. Typically, corporate responsibility reports deal with environmental, safety, supply chain, human rights, and social issues. They are becoming much more common, in some cases as separate documents, in other cases as part of a company's annual report. In fact, the June 2005 KPMG International Survey of Corporate Responsibility Reporting found that corporate responsibility reporting has been rising steadily since 1993 and has increased substantially in the past three years.

Public companies demonstrate in their corporate responsibility reports objective evidence that they have reduced environmental damage and improved worker and community safety, product quality, and working conditions. They describe in great detail the results of their various programs. The quantity and quality of information on these programs far surpasses information available in most annual reports on internal control, corporate governance, and compliance. For example, in its 2004 report on environmental compliance, Inmet, a Canadian mining company operating in remote locations, published a table tracking incidents of petroleum spills of less than 1 liter.

Corporate responsibility reporting is extremely relevant to the internal audit profession for two reasons: First, the tools and techniques used by fellow assurance professionals may prove equally useful to increasing the quality and quantity of information available to stakeholders on financial reporting, compliance, and governance issues. Second, as corporate responsibility reporting increases, appropriate new assurance standards will be required and internal audit services will be sought. Companies reporting on human rights, supply chain management, and environmental compliance will want their assertions audited. The internal audit profession has the global presence and experience to assist in developing the necessary standards and to provide assurance reports.

IDENTIFYING REPORTABLE INCIDENTS OR CONDITIONS