The PCAOB has proposed standards requiring auditors to assess whether compensatory arrangements held by executive officers create risks of material misstatements. According to Steve Seelig in Towers Watson’s Executive Pay Matters blog (“Does New PCAOB Proposal Really Eliminate the Risk of Auditor Involvement in Executive Compensation Design?,” May 30, 2013), the focus is on “the potential for incentive compensation program structures to create incentives for executive officers to exaggerate gains or minimize losses.”
This is a re-proposal of a proposal from 2012. According to the PCAOB, the redraft is designed to make it clear that the auditor isn’t required to assess the reasonableness of the compensation. Steve, however, doesn’t see much difference between the two proposals and, based on the comparison he includes in his blog, I don’t see much difference either. To be honest, they both seem fairly inscrutable to me.
Are You Going to Get to Know Your Auditor Even Better?
While there’s the potential for any type of compensation to incent executives to make the company’s financial condition look better than it is, this is particularly a concern with stock compensation, where the value delivered to the exec is driven by the stock price, which, in turn, is driven by the company’s financial performance. Thus, this is potentially something new that auditors will be focusing on when they review your stock compensation programs. The PCAOB proposal calls for auditors to read the related compensation contracts (this would be the grant agreements and any other related documentation for stock awards) and also to read the disclosures in the company’s proxy statement and other public filings.
My first thought is “aren’t the auditors already reading those things?” Probably they are (aren’t they?), but maybe not with a focus on whether the arrangements create risk that execs will be incented to misstate the company’s financials.
But given what many stock plan administrators have told me about their auditors–i.e., their auditors are often fresh from the CPA exam with little to no understanding of stock compensation–I also have to wonder whether the auditors are really capable of making this assessment. It seems unlikely that someone who doesn’t understand what the exercise price of an option is will understand the nuances in financial risk inherent in, say, an option vs. restricted stock, and how clawback provisions and holding requirements might be used to mitigate that risk. Steve is concerned that auditors “may develop bright-line rules on what compensation programs are risky or not,” which seems like a reasonable concern to me.
Light Reading
If you are looking for some light summer beach reading, well, this PCAOB proposal sure isn’t it (however, I do recommend “Let’s Pretend This Never Happened” by Jenny Lawson–perfect summer reading and nothing to do with stock compensation). The whole thing (the PCAOB proposal, not the Jenny Lawson book) clocks in at 203 pages and includes sentences like “In the fourth bullet, delete the period (.) and add a semicolon (;) at the end of the bullet.” Seriously?
On the other hand, if you can wade through the proposal, (1) you are a better person than me, and (2) you have until July 8 to submit your comments to the PCAOB.
– Barbara
Tags: audit, internal control, internal controls, PCAOB, risk, risk management
Stock plan management teams are responsible for handling a significant amount of confidential data. Access control procedures are essential to maintaining an appropriate level of security to ensure that confidential information remains confidential. In creating an access control policy, both inadvertent and intentional access must be considered. There are data privacy laws both in the U.S. and internationally that dictate how data is transmitted. Confirming with your legal team that your company’s practices adhere to privacy laws is crucial. However, there are daily practices and considerations that are easy to overlook and could compromise the integrity of your practices by weakening the controls in place to limit data access. Here are my top three “hidden” areas to focus on when considering your department’s access control practices.
Workspace
Because the stock plan management team will be working with and talking about confidential information, the actual location of the team is crucial to access control. For example, desks should be located in a space where both printed material and computer monitors cannot be easily viewed by other employees and confidential conversations won’t be overheard.
It’s also important to know that access to the stock plan management work area can be prohibited when none of the members of the team are present. In many companies, the stock plan management team shares office space with another department. If this is necessary, it is best that the other employees sharing that space have access to equally sensitive information so that they are familiar with the company’s data privacy practices.
Archives
Administering stock plans can generate a bulk of both hard-copy and electronic documents that need to be retained on site or in archives. Just like the general workspace, the location of these document files is an essential consideration for access control. Both hard copy and electronic documents can be safeguarded not only by locks (or passwords) but also by their location. Access control for hard copy documents stored on location can be maintained simply by placing locked filing cabinets in a room that also can be locked. However, if the volume of hard copy documents requires off-site storage archiving, make sure that there are controls in place for who in the company can request access to the archives.
Electronic documents, especially in the form of spreadsheets, often contain a higher volume of confidential information than do paper documents. In addition, data stored electronically is far more likely to be a part of daily procedures. Access control for archived electronic documents is just as straightforward as it is for paper documents: they should be password protected and housed in folders and/or servers where access can be limited. With current documents that are needed for daily processes, on the other hand, it is much easier to let access control slip. It’s important to maintain password protection, even on active documents, and avoid saving documents in unprotected locations–especially on a laptop that may be removed from the workspace.
Distributed Materials
Distributed materials present the biggest challenge to maintaining access control. The stock plan management team can’t avoid sharing certain confidential information with external partners or other departments. The key is to establish how to ensure that the shared data doesn’t ultimately become available to parties that should not have access to it. If regular data sharing is required, establish an automated process that transmits data between systems or a protocol for file exchange. It’s best if confidential information never be sent via email, even internally and even if it is password protected.
Your company’s IT and legal teams can help you establish the best protocol for data privacy, but insufficient access controls can undermine those practices. As with all processes, document your access control procedures and make sure that everyone who does have access to confidential information understands the importance of those procedures. For more on internal controls, visit our Internal Controls Portal.
-Rachel
Tags: access, confidential, data privacy, internal control, password