When the Sarbanes-Oxley Act was passed in the summer of 2002, largely as a rushed reaction to Enron, it did get a few key things right. Notwithstanding the long debate we’ve had about cost/benefit or why it didn’t prevent the subprime crisis or large frauds such as Satyam and Madoff, both of which are derivative discussions for later, there were a few important changes that still make a difference.
We can’t allow time, or fuzzy academics, to let us forget the good reasons for having made them.
•Section 101-109: Establishment of PCAOB, the auditing, quality control, and independence standards and rules and funding provisions.
•Section 201-209: Restrictions on the kinds of services auditors could provide to their clients including financial information systems design and implementation, appraisal or valuation services, fairness opinions, or contribution-in-kind reports, internal audit outsourcing services and other ancillary services such as legal, HR and investment banking and actuarial services.
•Section 301: A requirement to implement systems or procedures that let whistle-blowers communicate confidentially with your company’s audit committee.
•Section 302: Legal requirements for CEO and CFO to sign statements verifying the completeness and accuracy of financial reports. This is the “GO Directly to JAIL; Do not Pass GO” card.
•Section 404: Additional attestations by CEOs, CFOs and outside auditors to the effectiveness of internal controls for financial reporting.
•Section 409: Requirements for material changes in their financial conditions to be disclosed “on a rapid and current basis” or “real-time disclosure.”
Now a new study, funded by the Institute of Internal Auditors Research Foundation claims that allowing external auditors to also perform internal auditing functions actually reduces companies’ accounting risk.
According to preliminary findings by professors at Brigham Young and Texas A&M universities, the knowledge of a company that an external auditor gains from internal auditing lowered the chances of publishing misleading or fraudulent financial results. The study questions the efficacy and efficiency of the Sarbanes-Oxley prohibition against external auditors also serving as internal audit co-sourcers.
Audit Integrity granted the professors access to its accounting risk data. The Institute of Internal Auditors Research Foundation (IIARF) provided financial support and access to public company data on conditions of anonymity and confidentiality. The authors were careful, however to remind us that, although financially supported by the IIARF, the views expressed in the paper were those of the authors and do not necessarily represent positions or opinions of the IIARF or The Institute of Internal Auditors (IIA).
Good thing too, since the new President of the IIA as of January 2008, Richard Chambers, gave an interview with CFO.com and warned against taking what he considers to be the narrow scope of the study too literally or as an endorsement of elimination of this prohibition.
“Their conclusion doesn’t sit well with IIA president Richard Chambers, who cautions that the researchers’ scope was very narrow and doesn’t delve into the many responsibilities of internal auditors. “They’re also looking at operational risks, compliance risks, business and strategic risks,” Chambers says.
While external auditors are independent of a company and primarily focused on reviewing financial statements and attesting to internal controls, internal auditors are — in the views of the IIA — ideally working in-house, as part of the business, and their work in helping management test and document internal controls is just one of their many tasks. Internal auditors have the best understanding of any function in a company to know where a company’s risks lie, Chambers contends.
Chambers doubts any of the large accounting firms would want to revisit this aspect of auditor independence rules, and the researchers themselves aren’t advocating that lawmakers reconsider this part of Sarbanes-Oxley. What they do hope is that their research — which is still subject to a peer review process that could take months or longer — will begin a debate about the thought process behind the law, which by all accounts was rushed through Congress. “There was a tsunami that came from the scandals and it didn’t matter what the evidence showed,” says Prawitt. “We had to shore up public perception and investor confidence in the markets.”
Back in January of 2007, right after the adoption of Auditing Standard 5 by the PCAOB, I made this prediction regarding this new standard and two others proposed at the time, Proposed Auditing Standard – Considering and Using the Work of Others and Proposed Rule 3525 – Audit Committee Pre-approval of Services Related to Internal Control:
What does this mean for the Big 4 firms? Well, first it means more latitude in how they serve their audit clients. Many companies have set a strict, non-elastic budget for their external audit under AS No.2 and haven’t been budging from this cap, even when they asked the audit firm to do something more. The amount was approved by the Audit Committee, published in minutes and cast in stone. They avoided any effort and exposure associated with going back to their Audit Committee for something more. So if a firm was allowed to do an additional piece of “non-audit internal control related” consulting, such as a Quality Assurance Review of the company’s internal audit function, then that amount was deducted from the audit fee so the total stayed the same. The Big 4 basically backed off of selling anything else (or servicing their audit clients in any broader relationship development way) since the fees available were capped.
Second, it means that the firms that pulled their Internal Audit Services practices out of External Audit, under the assumption that they needed to keep these business development and service delivery teams separate under AS No.2, will probably roll them back into the External Audit practices. Why have a separate practice, separate overhead and duplicate staff especially in areas such as IT audit and security (tough people to find anyway, let alone for two different sides of the house) when you can reemphasize full, broader service to existing annuity, external audit clients?
The Big 4 will let the independent firms such as Jefferson Wells, Protiviti and the regional boutique staffing firms have the crumbs, the staffing-type engagements. And in many cases both the companies and the firms will have to concede that they still have to allow other non-Big 4 vendors to do some of the work in order to get all the work done. But I expect that if AS No.5 is approved with a roll back of this “independence” requirement, the Big 4 will close ranks and go after as much of the work as possible in their existing audit clients and these companies will let them do it.
Roll Internal Audit Services, an advisory, consulting activity back into Assurance? What ? Why? Internal Audit is strategic. We’ve written a lot of white papers saying so.
Unfortunately, as a result of firms’ lack of ability to have “wishing make it so,” (majority of the internal audit services work I saw at PwC 2005-2006 was staff augmentation,) and the fact that that they need something to pump up Assurance numbers, you’re going to see firms quietly put internal audit practices back in with external audit.
Wait! I hear PwC has already done so. It was only mid-2005 when they made the “bold” decision to pull it out to try to make the internal audit team, (where partners were for the most part all ex-external auditors,) feel special. Should make their Assurance numbers look a little better next year. After all, the thin disclosures the firms give us don’t allow us to figure how many times or in how many ways they have rearranged the deck chairs on this Titanic in the past to make it look like all is still well. This is in spite of thousands of reductions and cuts still occurring as we speak.
Photo Source: The Great Wall From Space