The following true story may sound familiar.

The internal auditor for a $2 billion transportation company feels handcuffed. He’s just completed another round of internal control reporting, and he doesn’t sense the chore was any different under new Sarbanes-Oxley compliance rules than it was under the old rules.

The executive had high hopes that the Securities and Exchange Commission’s guidance for management on assessing and reporting on internal controls, coupled with the Public Company Accounting Oversight Board’s new standard on the auditing of internal controls, Auditing Standard No. 5, would lead to a different outcome.

Those new rules direct management and auditors to focus on areas that pose the highest risk to financial statement accuracy. But, the internal auditor says, an audit of internal controls integrated with an audit of financial statements means the company’s external auditors still need to do considerable testing around low-risk areas.

The executive asked not to be identified because of the sensitivity of his relationship with his auditor. His company, however, operates in a brutally competitive and cost-conscious sector, with business units scattered around the United States and overseas. His external auditors, acting on the requirements of AS5, can’t rely on testing conducted by the business units directly because those employees are not adequately independent of the processes.

Once upon a time, the internal auditor had dreams that AS5 would finally let his department push testing onto the business units and let his team work on other projects. Now he acknowledges the inevitable: management won’t accept the higher cost of letting the external auditor do its own testing, the auditors won’t accept the testing done by business units—and his team is still stuck doing lots of testing.

“Do you want audit fee savings, or do you want the internal audit department to pursue other initiatives?” he asks. “To get an integrated audit approach that combines the Sarbanes-Oxley audit with the financial statement audit, to get the most bang for my buck, I still have to test the processes that have lower risk. If I do that, I can’t get to a risk-based model.”


What to do? Tom Connors, an audit partner for Deloitte & Touche, says the problem sounds like the internal auditor needs to get back to the risk assessment.

“The leading practice for internal audit today is to say from a risk standpoint, ‘Where are my risks? Where am I most vulnerable?’” he says. “Many companies are finding today that after five years of Sarbanes-Oxley, the most vulnerability is no longer in financial reporting compliance. It’s in areas like operational risk, supply chain risk, third-party risk, strategic initiatives, mergers and acquisitions, and new markets. Maybe they need to go back to the risk assessment.”

Connors says internal auditors feeling caught in such crosswinds should put the onus back on management and the board of directors to better define risk and allocation of resources. “It’s wrong-headed thinking to say the primary role of internal audit is to manage and reduce external audit costs,” he argues. “Internal audit needs to ask: Where are we accepting risk that we’re not aware of? They need to be clear on what they’re covering and what they’re not with management and the board. That can help in resource discussions.”


Chris Doxey, vice president of recovery audit firm APEX Analytix, has some sympathy for the Catch-22. She believes the new regulations should have more room to allow process owners, such as the business units, to begin the risk assessment and testing process. “In the concept of control self assessment, it’s a starting point,” she says. “It would be putting the responsibility of control effort back in the hands of the process owners.”

SMALL STEPS

Below are the main areas of concern the PCAOB sees for applying AS5 to small companies.

Use of entity-level controls to achieve control objectives. In smaller, less complex companies, senior management often is involved in many day-to-day business activities and performs duties that are important to effective internal control. Consequently, the auditor’s evaluation of entity-level controls can provide a substantial amount of evidence about the effectiveness of internal control. Chapter 2 discusses methods of evaluating entity-level controls and explains how that evaluation can affect the testing of other controls.

Risk of management override. The extensive involvement of senior management in day-to-day activities and fewer levels of management can provide additional opportunities for management to override controls or intentionally misstate the financial statements in smaller, less complex companies. In an integrated audit, the auditor should consider the risk of management override and company actions to address that risk in connection with assessing the risk of material misstatement due to fraud and evaluating entity-level controls. Chapter 3 discusses these considerations in more detail.

Implementation of segregation of duties and alternative controls. By their nature, smaller, less complex companies have fewer employees, which limits the opportunity to segregate incompatible duties. Smaller, less complex companies might use alternative approaches to achieve the objectives of segregation of duties, and the auditor should evaluate whether those alternative controls achieve the control objectives. This is discussed in Chapter 4.

Use of information technology (IT). A smaller, less complex company with less complex business processes and centralized accounting operations might have less complex information systems that make greater use of off-the-shelf packaged software without modification. In the areas in which off-the-shelf software is used, the auditor’s testing of information technology controls might focus on the application controls built into the prepackaged software that management relies on to achieve its control objectives, and the testing of IT general controls might focus on those controls that are important to the effective operation of the selected application controls. Chapter 5 discusses IT controls in more detail.

Maintenance of financial reporting competencies. Smaller, less complex companies might address their needs for financial reporting competencies through means other than internal staffing, such as engaging outside professionals. The auditor may take into consideration the use of those third parties when assessing competencies of the company. Chapter 6 discusses the evaluation of financial reporting competencies in more detail.

Nature and extent of documentation. A smaller, less complex company typically needs less formal documentation to run the business, including maintaining effective internal control. The auditor may take that into account when selecting controls to test and planning tests of controls. Chapter 7 discusses this in more detail.

Source: PCAOB (Oct. 17, 2007).

Doxey acknowledges that such an approach has a decidedly pre-SOX feel to it, which fell out of vogue in the wake of major corporate accounting collapses earlier this decade. “Internal audit can make sure the business objectives are met by the process owner,” she says. “It doesn’t mean everything is done by the process owner.”


The risk assessment is crucial to moving away from the initial, over-the-top approach common in the first few years of compliance with SOX and internal control reporting, according to Brian Ballou and Dan Heitger, co-directors of the Governance, Risk Management, and Reporting Center at Miami of Ohio University. “The secret ingredient is having a good process of understanding where the vulnerability lies for misstatements, errors, and fraud, and what the key mechanisms are for preventing and detecting those misstatements before they make it to the end financials,” Ballou says.

Heitger echoes Connors’ view that internal audit departments can combat the narrow, short-term view on immediate costs and benefits by taking a wider view of corporate risks. “A lot of companies are hard pressed to find bang for their buck,” he says. “But as companies are talking about financial reporting risk now, it’s opened their eyes that these are just financial reporting risks. It cues us up to look at other business-oriented risks. It’s taking us down a wider path of enterprise risk.”

As companies get more experienced with internal control reporting and risk assessments, Ballou says, the top-down, risk-based approach called for in new regulation will mature. “That’s the discipline that comes out of this approach,” he says.


Frank Lordi, a principal at the AC Lordi consulting firm, says companies will get better at risk assessment when they focus more on the future than the past. “A lot of the people who are frustrated spent a lot of time and money getting historical financials right,” he explains. “But a lot more companies go out of business than have financial statement restatements. If we spent time on risks that impact business, the money would be better served for shareholders.”


Even good risk assessments on the part of management, however, will have to stand up to auditor tendencies to call for more rather than less auditing. That’s the view of Thomas Hartman, a partner with law firm Foley & Lardner.

“If you look at the incentives in the system in which audit firms operate—not just Sarbanes-Oxley, but the overall environment—almost all of those incentives are to do longer, larger, more complex audits that decrease the risk of problems that might lead to liability,” Hartman says. “There isn’t a screaming headline for a firm that does a super efficient audit and saves 10 percent, but you see screaming headlines where there’s an accounting fraud at fill-in-the-blank.”