Internal Auditors – Ignore At Your Risk
I had a great conversation with the public relations manager at the Institute of Internal Auditors (IIA) the other day. As much as I have been involved in the past with this organization and as much as I have reached out in the past and offered to speak, write, teach, consult…
“…Mr. St. Denis said he resigned on Oct. 1, 2007, and that later that month, AIG’s chief auditor, Michael Roemer, asked him why and said he would report those reasons to AIG’s audit committee. Mr. St. Denis wrote that he told Mr. Roemer about Mr. Cassano’s comment. That would indicate that a key AIG executive last fall was aware of Mr. St. Denis’s concerns….”
From my very first post on the scandal in January 2008:
The Société Générale 2006 Annual Report devotes quite a few pages to the subjects of risk management and controls.
First, they discuss the elaborate internal control organizational structure and its interaction with the Audit Committee. Pages 89-95 describe the internal control organization and how the internal audit function carries out inspections.
On page 99, we see the report on internal controls prepared and signed by the dual auditors under French law who review Société Générale’s books and records and have provided a clean opinion, agreeing with management’s assessment of internal controls. There were no exceptions cited. Société Générale has the benefit of both Ernst and Young and Deloitte to assist them in making sure everything is in order and functioning to produce financial information that is valid, true and complete.
There’s an entire chapter, pages 127-150, of the annual report devoted to Risk Management. This section covers all the risks they face and the myriad of policies, procedures, organizations and systems they, theoretically, have in place to manage them.
So what happened?
Audits, internal, external, whatever are usually fig leaves. They are usually public relations stunts. When we see Big 87654 partners going to prison on a regular basis, you’ll see some “backbone” in their audits. Until then, fuggedaboudit.
I don’t buy any of this “rogue trader” stuff at SoGen either, any more than I bought the GE-Kidder story about Joe Jett.
Francine:
YS has a post on a NYT article on AIG which will be of interest to you.
The first thing the engineers behind the Savings & Loan "crisis" of the 1980's did is get rid of the internal audit department. Ditto for the MCI/Worldcom merger.
“Audits, internal, external, whatever are usually fig leaves. They are usually public relations stunts.” – independent accountnat
Your comment is far too extreme. Audits are good. Could they be better? Yes.
I also want to partially agree with Francine. If IA is outsourced and management hires or fires the IA function, why would the outsourced function blow a whistle? There needs to be a law saying public companies need an IA function and the audit committee hires, fires, and determines comp. for the function. The IA function needs independence and we can’t rest on Man’s better angels.
@ChicagoAccountant
NYSE rules require IA function for all listed, public companies but do not require it to be inside company or for an outsourced IA to report to an internal executive who repreys to Audit Committee. I do not agree with an outsourced vendor reporting to Audit Committee. Should be executive inside who takes responsibility. Also no rule on explaining to Shareholder when IA is outsourced or when CAE or function is fired or eliminated or cut or not reporting to Audit Committee.
Francine,
I’m not an accountant so forgive if this is a naive question. What is your view of a regulation that would require mandatory rotation of audit firms as a bulwark against lax oversight by the audit firms. I imagine everyone involved would howl but it would be good for shareholders to know that the firm they’ve invested in really is as stable as the audit says.
NewGuy
@NewGuy
Sarbanes-Oxley does now require mandatory rotation of the audit partner but not audit firms. I am in favor of partner rotation, not necessarily firm rotation, since I believe it takes time to build a relationship, a team, and knowledge of the client. However, the point is really moot, since the upheaval in the markets and prior issues with firms saying, “the buck stops here” after Sarbanes-Oxley was passed make auditor changes pretty common and much more frequent than in the past. However, in the end, without a meaningful, useful, viable product, changing firms has just been “moving the deck chairs around on the Titanic.”
Francine,
Who cares if you outsource or not? Perhaps you could have a symbolic IA head internally, but what’s the point. As long as the function is independent of management, I don’t care if it is insourced or outsourced. Reporting to the audit committee, and not to management, creates independence.
@ChicagoAccountant
Full outsourcing of IA for s large public company is, I believe, a full abdication of responsibility and accountability for an important control to a vendor.I would be suspicious of a company that didn’t value internal audit as a company control that deserved company employees. Supplementing an internal team with specialized resources or seasonal staff is usually ok, if managed well. Internal Audit should report to the Audit Committee directly. In reality, that happens in a minority of circumstances. In many cases, even now, a CFO or other C level executive is responsible for budgets and performance review of CAE. In the case of full outsourcing, there should still still be an internal CAE who manages vendor, works with management to accomplish audits, and REPORTS DIRECTLY to Audit Committee. A vendor should not be reporting on behalf of the company directly to the Audit Committee.
Agreed Francine…I work in the fraud space and more times than not when doing an investigation we notice the reporting structure for internal audit is…GASP…to the CFO and not the AC which is piss poor.
Other times the org chart says IA reports to AC but documentation and communication is through CFO…again no good. And since we are there you realize that the structure doesn’t work and the IA function is a paper tiger.
“Full outsourcing of IA for s large public company is, I believe, a full abdication of responsibility and accountability for an important control to a vendor.”
How many large public companies fully outsource the IA function? I don’t imagine many. Full outsourcing is justified at smaller organizations. Why employ a team of people that will only work half the year? It is cheaper for large public companies to insource and supplement with specialists. In-house staff have a lower hourly rate and you can use staff 40+ hours a week, 52 weeks a year. Outsourcing or insourcing an IA function is about cost. You aren’t abdicating responsibility by hiring an accounting firm to do the exact same thing an internal team would do. I still don’t see the point.
@Independent Accountant – I remember getting in a huge fight with a girl in university because we had a group presentation on the GE-Kidder/Jett thing and I read Jett’s book at the prof’s suggestion, and the girl exclaimed, I paraphrase, “no no no – we can’t contradict the way this is described in the case study!” It got ugly.
Good times
I’ve participated in a number of outsourced (and also co-sourced) IA teams, often for multi-billion dollar global entities. So based on my experience, Chicago Accountant, I believe that quite a few large companies fully outsource the IA function.
Let’s be clear: “outsourced internal audit” is a classic oxymoron. It’s a complete contradiction in terms. Either the IA function is “internal” or it’s not an IA function.
Does it matter? You betcha. (wink)
Let me give you one example from personal experience (from a few years ago). I was at [insert name of Big 4 firm here]. Our fully outsourced IA team was assigned to review revrec at a smaller subsidiary of a multi-billion dollar global manufacturer of goods. (Percentage of completion, cost-to-cost under SOP 81-1 if that matters.) We judgmentally pulled the smaller contracts, reasoning that prior audits had focused on the bigger ones. Results: Nearly 30 percent of all contracts tested failed to properly recognize revenue in some fashion. Nearly one-third of the sample had a failure.
At the company’s request all results were color-coded into the usual green, yellow, red. Guess what? We gave the subsidiary a red in revrec. A red meant the report went to the Audit Committee. Did we get a prize for our astute findings? Nope.
Next thing I knew the local Controller called the VP of IA at Corporate, who called my Partner, to complain about our over-agressive and incorrect findings. Mind you, we outbriefed very day and the local Controller had agreed with every one of our findings as we went along. But now that was forgotten. Seemed our big mistake was not to acknowledge how much work the local team had put into improving revrec (it was a special corporate initiative) and there was NO WAY they could be getting a red. A red would mean telling the Audit Committee that the special initiative had not resulted in the improvements that they had been told to expect.
Our findings had to be wrong, and my team was obviously not working with the local folks in the appropriate way. So I was yanked off the account (the partner never called me to get my side of the story, she just called my local managing partner and about two hours later I was told I was to brief my replacement and would be off the account within 48 hours). The findings were changed to yellow and Big 4 firm got to keep its multi-million IA engagement for another year. That was when I got pretty cynical about the “outsourced IA” business.
In a “for profit business,” when your profits depend on the goodwill of your client but you are supposed to deliver bad news (when it’s required), there is an obvious conflict of interest. As I learned (and saw repeated later at a different Big 4 firm) findings can get changed quickly when the client is upset.
More frequently — in fact, almost always — negotiation of the IA fees leads to scoping and quality compromises. The client doesn’t want to pay? Fine, then let’s assign junior staff and tailor the work plan to minimize the hours. That happens all the time. I’ve seen one instance, maybe two, where we walked rather than take the work at a budget we knew we couldn’t both manage to AND do a quality job.
{In fairness, we frequently take these jobs with the intention of doing good work and then somehow passing on the additional “fee growth” to the client. Doesn’t always happen as planned….)
Does this sort of conflict extend to audits of financial statements? Sure it does. The overall audit fees ultimately determine scope, and scope largely determines the quality of the audit.
If you want quality audits (whether IA or other) whose findings are based on integrity with GAAP and GAAS, then you need to remove the profit motive from these “for profit” accounting businesses. At least, that’s what I’ve learned in my 9+ years with the Big 5/4.
(Which, by the way, will end in November as I’ve accepted a position in the corporate world.)
Krupo:
If you’re interested in the Joseph Jett fiasco, go to my blog. I have a number of posts on it. Gwadlys Savery of France prepared a video on Jett in August. My blog has a link to it. What did your case study say about the Jett fiasco?
Anonymous of 10:56 PM:
I agree with you as to the economics which drive audits. That’s why I have said repeal the 1995 Litigation Reform Act and let the plaintiffs’ bar sue away. You’ll see how quickly the fear of multibillion judgments will change the way audits are done. Removing the profit motive can’t be done in my opinion. The best we can do is use it to reduce the incidence of bad audits.
@Anon 10:56
What if the engagement was 100% insourced and the CAE said, “this can’t be, move it to yellow or you’re fired”? Would you have changed your results? Again, insource, outsource, it doesn’t matter. All that matters is you have a strong CAE and a resolute audit committee.
You have profit seeking accounting firms and you have profit seeking companies with insourced internal audit functions. It’s all a wash.
If you want change, you need to take a strong look at the regulatory structure and legal repercussions.
Hey indie-acc, I’ll have to scan through those posts.
The textbook basically delivered the GE-line, “very complicated transactions,” “no one could really understand,” all done by a whiz-kid without anyone else’s knowledge sort of thing.
I might still have it sitting around somewhere, I’ll have to see if I have it (or if I sold the book). 🙂
As the criminal CFO of Crazy Eddie, I never feared any auditors, whether they were internal auditors or external auditors. I did not fear Audit Committees, too.
I feared government agencies, like the FBI and SEC. However, the FBI and SEC of today are overwhelmed and under-resourced.
Therefore, if was still a criminal, I would no longer fear the FBI and SEC today.
A perfect storm is forming.
Get ready!
Ref. Chicago Accountant Oct. 31, 11:39: “Why employ a team of people that will only work half the year?…You aren’t abdicating responsibility by hiring an accounting firm to do the exact same thing an internal team would do.”
Veering a bit away from the purely regulatory issue, may I suggest that ‘internal’ auditors these days are not only supposed to ‘deliver’ audits/ICFR reviews via a checklist-based approach, but are expected to do much more. A transition from purely compliance/transaction-based audits to successively more robust risk-based audits is quietly underway at many organizations – in fact, this is one of the euphemistic ‘best practices’. While IAs have been factoring in business risk into their audit scoping process since quite some time now, they are now also expected to vigorously contribute to (and, in many cases, spearhead) the enterprise risk management initiative, being perhaps best placed to do so given their wide-angle view across organizational hierarchies and boundaries. And this is a much more sustained campaign, beyond individual audit assignments, dependent to a large extent on building lasting relationships with the process owners across business functions, not only Finance.
As such, may I submit that an outsourced accounting firm cannot really be expected to “do the exact same thing an internal team would do” and, as such, the apprehensions to “employ a team of people that will only work half the year” are totally unfounded.
Line of reporting is one thing. Who pays the piper is another.
I work in IA these days. My boss reports to AC *and* MD. But the MD decides the size of his salary & bonus, not the board’s remuneration committee (and they *do* have one…)