The U.S. government, through the U.S. Securities and Exchange Commission (SEC), and the New York Stock Exchange (NYSE) now formally recognizes the benefits to shareholders and the general public of an internal audit function for listed companies. The NYSE listing requirements state: “Every listed company must have an internal audit function.” Today there are close to 2,800 companies listed on the NYSE, many of them the largest companies in the world.
However, obstacles exist to meeting this goal. During the last several years, more mercenary and self-serving influences on corporate management resulted in the de-emphasis of the permanent internal audit function, often due to cost-containment pressures. Internal auditors had to justify their existence and prove a return on investment from their activities. During the late 1980’s and 1990s, internal audit departments revised approaches, restructured and reduced staff in order to respond to these pressures. Right now many multinational organizations have a small or almost non-existent centralized internal audit function, even though the demand for their participation and expertise worldwide is at an all-time high.
Many organizations outsourced their internal audit function in its entirety or, at least, significantly co-sourced major portions, sometimes eliminating the Chief Audit Executive role completely. If the remaining overseer of the function reports to the CFO or Controller, this is now viewed by regulators and the investor public as contrary to independence of the function and the requirement for unimpeded access to the Audit Committee of the Board of Directors.
Prior to Sarbanes-Oxley, the service provider for outsourced internal audit was often the same firm who provided the external audit services, one of the Big 6. Add to this the often frequent use of this same service provider as chief technology, system integration and strategic consultant and it’s no wonder there was a strong reaction to the implosion of Enron, where one ill-fated services firm provided all three types of professional services to the energy company. Sarbanes-Oxley, enacted in July 2002, was a direct response to Enron and similar accounting scandals. The public and politicians were pushed to the wall and forced to mandate dramatic action to address the apparent lack of scrutiny, oversight and independent objective review of the financial results reported by publicly traded companies.
The internal audit profession is not presently regulated by the SEC, the Public Company Accounting Oversight Board (PCAOB) or any U.S. government agency. But internal auditing has evolved into a well-recognized, value-added, global profession, with more than 90,000 worldwide members of its primary professional organization, The Institute of Internal Auditors (The IIA). The IIA Standards include a code of ethics. Sarbanes-Oxley has created a direct and measurable impact on internal audit departments of every size and in companies across industries. For companies seeking to build their internal audit function with talented, experienced audit professionals who can implement complex risk management and corporate governance strategies, attracting the most qualified internal auditors is now an immediate business necessity.
On March 9, 2004, The PCOAB delivered the final standard for the integrated audits of internal controls over financial reporting and financial statements. The final standard allows for use of judgment by external auditors regarding the competence and objectivity of the internal auditors when determining the extent to which they can relay on their work and therefore reduce their testing and their fees. During the hearings, the Board openly stated its desire that companies strengthen their internal audit function. Companies must review their competence and objectivity, as well as how their effectiveness and viability will be viewed.
• Does the company have an adequate allocation of resources in their internal audit function?
• Does it benchmark favorably against comparable companies in its industry, against the IIA Standards and against applicable laws and regulations?
• Are they establishing performance and quality standards for the internal audit function and measuring against those standards?
• Does it have an appropriate relationship between the internal audit function, external auditors, regulatory and compliance functions and the Audit Committee of the Board of Directors?
How many listed companies, in the US and internationally, can answer these questions is such a way that gives comfort to all stakeholders – their customers, employees, the communities in which the companies operate, their vendors and, last but not least, their shareholders?