Less than 25 percent of corporations are giving their internal audit functions the rigorous external reviews recommended by the Institute for Internal Auditors as a standard of strong corporate governance in the post-Sarbanes-Oxley world, according to a new study.
Conducted by PricewaterhouseCoopers, the survey, titled “2005 State of the Internal Audit Profession,” found that only 24 percent of respondents had undertaken quality assurance reviews of their internal audit departments in the last five years. The IIA now requires such reviews as one of its best practices.
Internal audit departments and quality assurance reviews came into vogue in the wake of accounting scandals at such companies as Enron Corp. and WorldCom. The IIA had long recommended such “QARs,” but finally revised its standards of best practices in 2002 to require them. Sarbanes-Oxley has only heightened senior executives’ awareness of internal audit’s purpose and its utility in testing internal controls over financial reporting, the PwC study says.
Crow
“I know a number of CEOs who frankly have put a big emphasis on the internal audit principally because of the increased scrutiny that companies have fallen under, and the problems of implementation around SOX generally,” said Charles Crow, a partner at the law firm Crow & Associates, which counsels clients in securities law. “The status of that job in the companies has risen over the last 18 months.”
Polycom, a $580 million provider of voice, video and data conferencing, was partly inspired by Enron and WorldCom to create its internal audit department in the first quarter of 2002. The scandals “drove home the value of internal audit functions,” says Donald Floyd, Polycom’s vice president of corporate governance and internal auditing. “The CFO and I pushed to make it happen. We always saw it as a necessity, but it certainly got moved higher on the priority list when you saw the damage being done at other companies.”
Floyd, the only full-time internal audit employee at Polycom, outsources many functions to a team at KPMG. The audit firm has a quality assessment program already in place that Floyd can use and monitor, he says.
Floyd also reports directly to Polycom’s audit committee, not a controller or chief financial officer, to avoid potential conflicts of interest. “Internal auditors have to be free of influence,” he says. “If there is impropriety, it can often come from those sources.”
Getting On The Radar
Even with those pressures to create and monitor internal audit functions, just 23 percent of respondents to the PwC survey had a formal quality assurance and improvement program in place that included periodic internal and external assessments.
Anderson
“We were surprised that [the percentage] was low,” says Dick Anderson, a partner in PwC’s internal audit services practice. “In the world we live in today, where clearly over the last few years coming out of Enron and Sarbanes there is more focus on internal auditing, one would expect that quality would be a bigger issue than it apparently is.”
One explanation may be that the demands of complying with sections 302 and 404 of Sarbanes-Oxley have overwhelmed companies’ internal audit functions, Anderson says.
“Internal audit departments have been spending significant amounts of their time on Sarbanes-Oxley,” he says. “Quality assurance, continuous improvement, as well as some other areas may have been pushed a little bit to the back burner because the internal audit functions are so focused on getting ready for Sarbanes-Oxley.”
In addition, compliance with the IIA standards is not mandated by any statute or regulation, and the IIA itself doesn’t have a regulatory arm or any authority. Some audit committees may not even realize that the external quality assurance review requirement kicks in this year, Anderson speculates.
“Internal auditors don’t have somebody like the [Public Company Accounting Oversight Board] looking at what they do,” Anderson explains. “If someone chooses not to comply, or hasn’t focused as much on quality improvements, it may not come up on somebody’s radar.”
EXPANDED ROLE?
According to PricewaterhouseCoopers’ "State Of The Internal Audit Profession Study: Internal Audit Post-Sarbanes-Oxley," 74 of respondents were "performing engagements at the request of either the audit committee or the full board of directors." Here are some of the activities:
Activity
Percent
Assess organizational risks
57%
Review and/or audit senior management travel and/or compensation expenses
52%
Provide briefings or training to the audit committee or board on internal controls, risk management or corporate governance
50%
Establish or maintain a “complaint handling” process or hotline on behalf of the audit committee or the board
47%
Assess compliance with an organization’s code of ethics or ethical climate
47%
Assist with the hiring or performance evaluation of the external auditors
28%
Review and/or audit board member travel and/or compensation expenses
22%
"State Of The Internal Audit Profession Study: Internal Audit Post-Sarbanes-Oxley (PricewaterhouseCoopers)
A Baseline For Standards
The PwC study was conducted in the third quarter of 2005 and includes responses from 271 audit managers. Of those managers, 82 percent were either chief audit executives or internal audit managers, 73 percent were from companies with at least $1 billion of revenue, and 70 percent were from internal audit departments that had four or more staff members, according to the study.
Trish Harris, an IIA spokeswoman, says internal audit departments that see the IIA standards as mandatory are motivated, in part, by a desire to help maintain public confidence in the operations of their companies. Many listed and highly regulated corporations go beyond the IIA standards, and obtain an external quality assessment every three years, she says.
“The standards are a baseline for internal audit professionalism, quality and practice on a global basis,” Harris says.
A well-designed external assessment not only validates compliance with the IIA standards and existing internal audit processes, it can provide benchmarks and measurements that can be used to improve audit performance, according to the PwC study.
For internal auditors to be effective, the internal audit department, senior management and the audit committee must first establish expectations and measure whether they are meeting their goals, says Anderson at PwC. Second, the auditors must establish best practices, such as using technology to execute their role. Third, the internal auditors should be assessed for meeting professional standards, such as those outlined by the IIA.
To be sure, some companies don’t have the resources to obtain a full external quality assessment. In that instance, Harris says, one option is to obtain independent validation of an internal quality assessment. That qualifies the assessment as an external one, in compliance with the IIA’s standards.
“Quality is a hallmark of professionalism, and organizations need to take assessing and improving their internal audit professionalism very seriously,” Harris says.
No comments yet