This quote, from a recent article, baffles me.
“Auditors should be familiar with control criteria involving the legal department under the COSO framework. For example, to test the implementation and effectiveness of the control environment, auditors can compile a list of significant instances of misconduct that occurred in recent years, and then review board or committee minutes and reports to determine whether directors and executive management were apprised of such misconduct in a timely manner. Auditors can also review the minutes to see whether the board or committee followed up on allegations of a breach in internal controls, such as ordering special investigations, hiring outside advisers, requesting follow-up reports, and so forth.”
The article is in Compliance Week (July 7, 2010) by José Tabuena, senior vice president of governance and compliance with PhyServe Physician Services. Tabuena seems to think that all or most “misconduct” falls in the lap of the legal department and that one of its roles is not only to let the Board know right away but also to make sure the Board acts appropriately.