Talking Points - Implementing Internal Controls over Executive Compensation

Mike Kesner is Head of the Executive Compensation Practice for Deloitte & Touche LLP

  1. Overview

    1. Under Sarbanes Oxley, CEOs and CFOs are responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting and disclosure (Sections 404 and 302).
    2. Section 404 requires an internal control report and evaluation:
      1. CEO and CFO are responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
      2. An assessment of the effectiveness of the internal control structure and procedures is also required by management.
      3. The outside auditor must issue a report attesting to the assessment made by management in item 2 above.
    3. Section 302 requires that the CEO and CFO certify that:
      1. The financial statements and other SEC filings do not contain untrue statements of a material fact and do not exclude material facts.
      2. The financial statements fairly present in all material respects the financial condition and results of operations. 
      3. Internal controls are in place to ensure that all material information is known and that such controls are effective. 
      4. All significant deficiencies in the design or operation of internal controls, which could adversely affect the company’s ability to record, process, summarize and report financial data have been reported to the audit committee. 
  2. Internal Control Framework 
    1. The framework adopted by many companies for internal control processes and procedures is built around the Committee of Sponsoring Organizations’ Internal Control-Integrated Framework, or “COSO”.
    2. COSO is a principle-based internal control framework that requires the use of judgement when: 
      1. Defining the appropriate scope of internal control assessment.
      2. Pinpointing the specific internal control risks, control objectives and control activities most relevant to a company. 
      3. Defining what constitutes an internal control deficiency and evaluating its significance. 
      4. Determining the overall effectiveness of internal controls.
    3. COSO framework includes five key components: 
      1. Control Environment:  The control conscience of the organization, often referred to as the “tone at the top.”
      2. Risk Assessment:  The evaluation of internal and external factors that impact an organization’s operations, financial reporting and compliance. 
      3. Control Activities:  The policies and procedures (in effect, a detailed workplan) to ensure that actions are identified and implemented to control risk.
      4. Information and Communication:  The processes that ensure relevant information is identified and communicated in a timely manner.
      5. Monitoring:  The process to determine whether internal control is adequately designed, executed, effective and adaptive.
    4. Control objectives are divided into 3 categories:
      1. Financial reporting:  Quarterly and annual financial statements, reports to lenders and other (e.g., government) constituents.
      2. Operations:  Supply chain management, quality control, R&D, etc.
      3. Compliance:  Contracts, tax law, foreign country trade practices, ERISA, etc.
    5. Sarbanes Oxley activity is primarily focused on item 4.1 above (financial reporting).  But items 4.2 and 4.3 (operations and compliance) are very important due to the potential impact breakdowns in operational and compliance controls can have on financial reporting.
      1. If the company fails to comply with the tax code and ERISA, qualified plans could be assessed with significant monetary sanctions, which might impact the financial statements.
      2. From a Section 302 perspective, however, if the impact is not imminent at year-end or is immaterial, it falls outside the rules.
  3. The Control Gap 
    1. As indicated, Sections 302 and 404 of Sarbanes Oxley are mostly focused on controls over financial reporting and ensuring that all material information is known and properly reported.
      1. Outside auditors only need to attest to the validity of management’s report on the financial reporting control environment.
      2. Most Compensation Committees are only tangentially aware of the control environment surrounding compensation administration, implementation and reporting.
      3. Most Human Resource departments are uninvolved in establishing the control environment; very few “subject matter” experts (i.e., compensation and benefits specialists) have any training in internal controls.
      4. Most internal and external auditors believe they can establish controls for just about anything, and often do not involve the subject matter experts.
      5. Most, but not all, Sarbanes Oxley engagements are very narrowly scoped to focus solely on controls over financial reporting.
      6. The PCAOB, while sympathetic to the potential consequences of lax controls over compensation, benefits, recruiting and other human resource functions and activities, is only concerned with control breakdowns that have a material impact on the financial statements.
    2. Recently reported control breakdowns in compensation reporting and administration, while outside Sections 404 and 302, have negatively impacted companies in numerous ways.
      1. Reputation for integrity
      2. Relationship with shareholders
      3. Credibility with employees
      4. Interactions with regulators
    3. Case Studies 
      1. Company A recently paid $8 million in long-term bonuses based on relative Total Shareholder Return (TSR) compared to peers.  The amount was properly accrued and reported in the proxy.  Problem is, the relative TSR calculation contained an error, and no payment was owed.
      2. Company B inadvertently awarded stock options to a proxy-listed executive from a non-shareholder-approved plan.  Thus, the grant is not performance-based under Section 162(m).  The intrinsic value of the options is now close to $80 million due to a jump in stock price.  The company has been assuming the option spread will be deductible in its FAS 123 footnote and in applying the treasury stock method to determine EPS.
      3. Company C’s CEO has been aggressively classifying certain perquisites as business-related expenditures.  As a result, the proxy does not reflect close to $600,000 for items such as personal use of the corporate jet, home security and chauffeur and car.  The cost/value of these items is immaterial to the company and the executive.
      4. Company D accrued and paid bonuses totaling $50 million to top management.  It turns out EPS was overstated and had to be restated two years later.  Since the restatement was not due to an intent to mislead, the clawback provisions of Sarbanes Oxley do not apply.  The annual incentive plan does not have a general clawback provision for restatements.
      5. Company E’s SERP is very complex.  The Compensation Committee members have not been briefed on the magnitude of the cost.  While the expenses have been properly accrued each year, it consumes 8½% of pretax profits.
      6. Company F has not been able to properly track disqualified dispositions of Incentive Stock Options for its far-flung employee base.  Thus, amounts have not been properly reported on the W-2, and the company has not been able to track its tax deduction.
      7. Company G has recently conducted an internal audit of its health care plan.  It turns out the company was providing health benefits to 900 individuals who no longer qualified as employees or dependents of employees.  Total cost to the company has averaged $1 million per year the last three years.
      8. Which of the above cases is subject to Sarbanes Oxley?
        1. Answer:  Probably Company B if the amount of the lost tax benefit is material.  Also Company D, but not because of the $50 million bonus overpayment.
      9. And which of the above cases will cause the company to lose credibility with investors, damage the reputation of the Board of Directors, and damage employee relations?
        1. Answer:  All.
  4. Constructive Steps to Control Risk
    1. Create a sustainable compensation control environment (see attached PowerPoint).
    2. Have the internal audit department report the results of their internal control reviews of compensation and other human resource functions to both the audit and compensation committees.
    3. Have a joint audit and compensation committee meeting at least once a year to discuss the control environment for compensation and related areas.
    4. Ensure that relevant subject matter experts are involved in the development of proper internal controls.
    5. Obtain a report describing internal control procedures and compliance with such procedures over major compensation and related areas, including:
      1. Merit increases.
      2. Annual incentive plan calculations and payments.
      3. Equity compensation awards (including grant to exercise on payment).
      4. Benefit calculations and payments.
      5. Severance plan payments.
      6. Tax compliance with above programs.
    6. Automate processes; do not rely on spreadsheets.
    7. Obtain SAS 70 reports for outsourced programs (e.g., pension, 401(k) and equity).
    8. Require detailed “tally sheets” of senior executive compensation for all elements of pay. 
    9. Create methodology manuals for certain compensation processes (like benchmarking). 
    10. Ask lots of questions.  Then ask some more.
 
 

For more information about this site, contact broc@naspp.com.
© 2004, Executive Press, Inc.