committees are juggling governance
requirements, economic constraints, and
employee morale and productivity issues
that can require tough decisions. Internal
auditors need to consider how they can
help the committee navigate the storm.
The compensation committees’ governance risks can be broken down into
Strategic risks. The number one issue
that many committees are dealing with
is ensuring that their compensation philosophy and strategies are consistent
with the organization’s mission and
goals. They are doing this under the
vigilant eyes of external stakeholders
and other interested parties. A conservative compensation philosophy could
reduce Sarbanes-Oxley governance risks
and increase other strategic risks (e.g.,
retention of key employees). The consequences of a business-as-usual compensation philosophy have been
highlighted recently in several high-profile executive dismissals.
Compliance risks. In addition to the
Sarbanes-Oxley disclosure and proxy
statement issues, the compensation committee needs to be aware of the organization’s bylaws, codes of conduct, and
compensation-benefit plan agreements.
Additionally, some whistleblowing or
hotline calls may address compensation
issues, and the committee may need to
be part of the solution.
Reporting risks. Much of the committee’s success depends on the quality of
the information it receives or the quality of the information that the human
resources department uses to produce
the analyses that it provides to the committee (e.g., incentive compensation
information and salary surveys). Many
human resources groups are not strong
in financial analysis. This weakness can
threaten the quality of the committee’s
decision-making information and ability to achieve its strategic and compliance objectives. To compensate for this
weakness, many human resources groups
have partnered with their organization’s
accounting or finance groups.
Operational risks. Good information is
essential, but not sufficient. If the decision-making process isn’t effective, decisions will be flawed. Many of the risks in
this area are obvious (e.g., lack of expertise, lack of resources, and communication breakdowns). Several human
resources journals have also cited, as a risk, not having enough time to debate and deliberate before making key decisions.
To mitigate this risk, they recommend
creating an annual calendar for committee activities.
INTERNAL AUDIT ACTIONS
Internal auditors need to connect with
the compensation committee to gain an
understanding of its activities, concerns,
and what the auditors can do for the
committee. The internal audit group may
want to partner with the human
resources department and complete a risk
assessment for this activity. Some possible internal audit services that could be
Facilitating the Sarbanes-Oxley risk and
control documentation and evaluation
for activities in this area.
Providing assurance services related
to the timeliness and accuracy of the
Offering consulting services focusing
on the committee’s decision-making
process or facilitating a self-assessment
of committee effectiveness.
Promoting good communication on risk
issues that the audit and compensation
committees need to be aware of and
helping the committees develop appropriate responses.
A NEW OPPORTUNITY
Sarbanes-Oxley requirements and risks
have created an opportunity for internal
auditors to offer their services to the
compensation committee. Many committees are looking for all the help they
can get. These requirements have also
created an opportunity for internal auditors to partner with their human
resources clients in helping the committees meet their governance responsibilities. The bottom line is that making
these connections gives internal auditors
an opportunity to make a solid contribution to improving their organization’s
FEBRUARY 2004 INTERNAL AUDITOR