The Auditors’ Chinese Wall – Is SOx Still A Keystone?
When the Sarbanes-Oxley Act was passed in the summer of 2002, largely as a rushed reaction to Enron, it did get a few key things right. Notwithstanding the long debate we’ve had about cost/benefit or why it didn’t prevent the subprime crisis or large frauds such as Satyam and Madoff, both of which are derivative discussions for later, there were a few important changes that still make a difference.
We can’t allow time, or fuzzy academics, to let us forget the good reasons for having made them.
• Section 101-109: Establishment of PCAOB, the auditing, quality control, and independence standards and rules and funding provisions.
• Section 201-209: Restrictions on the kinds of services auditors could provide to their clients including financial information systems design and implementation, appraisal or valuation services, fairness opinions, or contribution-in-kind reports, internal audit outsourcing services and other ancillary services such as legal, HR and investment banking and actuarial services.
• Section 301: A requirement to implement systems or procedures that let whistle-blowers communicate confidentially with your company’s audit committee.
• Section 302: Legal requirements for CEO and CFO to sign statements verifying the completeness and accuracy of financial reports. This is the “GO Directly to JAIL; Do not Pass GO” card.
• Section 404: Additional attestations by CEOs, CFOs and outside auditors to the effectiveness of internal controls for financial reporting.
• Section 409: Requirements for material changes in their financial conditions to be disclosed “on a rapid and current basis” or “real-time disclosure.”
Now a new study, funded by the Institute of Internal Auditors Research Foundation, claims that allowing external auditors to also perform internal auditing functions actually reduces companies’ accounting risk.
According to preliminary findings by professors at Brigham Young and Texas A&M universities, the knowledge of a company that an external auditor gains from internal auditing lowered the chances of publishing misleading or fraudulent financial results. The study questions the efficacy and efficiency of the Sarbanes-Oxley prohibition against external auditors also serving as internal audit co-sourcers.
Audit Integrity granted the professors access to its accounting risk data. The Institute of Internal Auditors Research Foundation (IIARF) provided financial support and access to public company data on conditions of anonymity and confidentiality. The authors were careful, however, to remind us that, although financially supported by the IIARF, the views expressed in the paper were those of the authors and do not necessarily represent positions or opinions of the IIARF or The Institute of Internal Auditors (IIA).
Good thing too, since the new President of the IIA as of January 2008, Richard Chambers, gave an interview with CFO.com and warned against taking what he considers to be the narrow scope of the study too literally or as an endorsement of elimination of this prohibition.
“Their conclusion doesn’t sit well with IIA president Richard Chambers, who cautions that the researchers’ scope was very narrow and doesn’t delve into the many responsibilities of internal auditors. “They’re also looking at operational risks, compliance risks, business and strategic risks,” Chambers says.
While external auditors are independent of a company and primarily focused on reviewing financial statements and attesting to internal controls, internal auditors are — in the views of the IIA — ideally working in-house, as part of the business, and their work in helping management test and document internal controls is just one of their many tasks. Internal auditors have the best understanding of any function in a company to know where a company’s risks lie, Chambers contends.
Chambers doubts any of the large accounting firms would want to revisit this aspect of auditor independence rules, and the researchers themselves aren’t advocating that lawmakers reconsider this part of Sarbanes-Oxley. What they do hope is that their research — which is still subject to a peer review process that could take months or longer — will begin a debate about the thought process behind the law, which by all accounts was rushed through Congress. “There was a tsunami that came from the scandals and it didn’t matter what the evidence showed,” says Prawitt. “We had to shore up public perception and investor confidence in the markets.”
Back in January of 2007, right after the adoption of Auditing Standard 5 by the PCAOB, I made this prediction regarding this new standard and two others proposed at the time, Proposed Auditing Standard – Considering and Using the Work of Others and Proposed Rule 3525 – Audit Committee Pre-approval of Services Related to Internal Control:
What does this mean for the Big 4 firms? Well, first it means more latitude in how they serve their audit clients. Many companies have set a strict, non-elastic budget for their external audit under AS No.2 and haven’t been budging from this cap, even when they asked the audit firm to do something more. The amount was approved by the Audit Committee, published in minutes and cast in stone. They avoided any effort and exposure associated with going back to their Audit Committee for something more. So if a firm was allowed to do an additional piece of “non-audit internal control related” consulting, such as a Quality Assurance Review of the company’s internal audit function, then that amount was deducted from the audit fee so the total stayed the same. The Big 4 basically backed off of selling anything else (or servicing their audit clients in any broader relationship development way) since the fees available were capped.
Second, it means that the firms that pulled their Internal Audit Services practices out of External Audit, under the assumption that they needed to keep these business development and service delivery teams separate under AS No.2, will probably roll them back into the External Audit practices. Why have a separate practice, separate overhead and duplicate staff especially in areas such as IT audit and security (tough people to find anyway, let alone for two different sides of the house) when you can reemphasize full, broader service to existing annuity, external audit clients?
The Big 4 will let the independent firms such as Jefferson Wells, Protiviti and the regional boutique staffing firms have the crumbs, the staffing-type engagements. And in many cases both the companies and the firms will have to concede that they still have to allow other non-Big 4 vendors to do some of the work in order to get all the work done. But I expect that if AS No.5 is approved with a roll back of this “independence” requirement, the Big 4 will close ranks and go after as much of the work as possible in their existing audit clients and these companies will let them do it.
Roll Internal Audit Services, an advisory, consulting activity back into Assurance? What? Why? Internal Audit is strategic. We’ve written a lot of white papers saying so.
Unfortunately, as a result of firms’ lack of ability to have “wishing make it so,” (majority of the internal audit services work I saw at PwC 2005-2006 was staff augmentation,) and the fact that they need something to pump up Assurance numbers, you’re going to see firms quietly put internal audit practices back in with external audit.
Wait! I hear PwC has already done so. It was only mid-2005 when they made the “bold” decision to pull it out to try to make the internal audit team, (where partners were for the most part all ex-external auditors,) feel special. Should make their Assurance numbers look a little better next year. After all, the thin disclosures the firms give us don’t allow us to figure how many times or in how many ways they have rearranged the deck chairs on this Titanic in the past to make it look like all is still well. This is in spite of thousands of reductions and cuts still occurring as we speak.
Thank you Francine for a great entry. It seems evident that allowing an external audit firm to perform internal audit functions would REDUCE overall risk. Not to be too simplistic, but more time, more money, more hours invested… more ability to spot errors. Additionally, external auditors are generally held to a higher standard than internal auditors, particularly in the area of regulatory oversight. Seems to me that the Section 201-209 requirements highlight the difference between “independent in fact” -which an external auditor performing IA services can be- and “independent in appearance” – some interpret the dual roles as incompatible with each other.
One of the great things about SOX is that it really put pressure on the major accounting firms to look at their clients in terms of business risk. Firms began to look at their clients and wonder whether this company’s relaxed control environment was going to turn them into the next Andersen. What did we see following the Sarbanes Oxley Act? The Big 4 began to drop some clients because of issues that included independence and poor control environments. This opened the door for some of these mid-level accounting firms like BDO and McGladrey to grow their market share and pick up some of these clients. It is important that these other firms are in the mix. The competition will act as its own control against poor audit integrity and quality because companies will begin to look at some of these other firms when they feel the auditors are not doing their job.
I’m not stalking you, I swear. But I can’t let your comment go unchallenged. (And I note that I’m not making any new points here; Fran has posted on this before.)
You state that SOX forced “the major accounting firms to look at their clients in terms of business risk” and, based on the risk that a particular client might “turn them into the next Andersen”, to drop the riskier clients from their portfolio. Those high-risk clients were picked up by some of the mid-tier firms.
Are you suggesting that the mid-tier firms are better positioned to manage the risks of those “independence and poor control environment” clients? No offense to any mid-tier or smaller firms, but what makes you think they will do any better job of mitigating those risks than a Big 4 firm would have? Haven’t we already seen some of the same audit quality issues/failures at the mid-tiers? And what’s worse, those mid-tiers don’t have the same financial or personnel resources to weather the storm as would one of the Big 4 (again, no offense meant).
So what I’m saying is if any firm was too risky for, say, Deloitte, what makes you think that a BDO Seidman or Grant Thornton would or could handle that risk?
Competition may be a good thing and it may be true that any Big 4 firm who does a poor job may lose the account to one of the mid-tier firms, but isn’t it also true that some companies, because of their sheer size and global dispersion, cannot be audited by any firm other than a Big 4 firm? You wouldn’t expect a local, regional firm to be auditing a multi-national corporation, would you? If that’s the true situation, then just how much force does the threat of competition have on the “audit integrity and quality”? I would argue, “not very much.”
From my experience, auditors get changed because of (a) price, (b) chemistry between the audit partner and somebody with influence at the company, and (c) disagreement on accounting treatment. (Those were ranked in descending order from most to least common, by the way.) I have yet to see audit integrity and quality play a significant role in the choice of auditor. But maybe that’s just me?
— Tenacious T.
I think you made a bit of a leap by assuming that “higher risk” meant “bigger, multinational” companies. “Risk” at a public accounting firm considers both risk of misstatement, and fees. The level of risk a firm might accept for a $15 million client might not be accepted for a $500K client. I think some of what happened is that the Big 4 looked at their $500K clients and said, “we’re not being paid enough to take on this risk, so we’ll pull back on those jobs and focus on the $15M clients”. So the other Big 4 and 2nd-tier firms picked up the smaller jobs that were dropped.
And of course, sometimes the $15M client is dropped, and those (at least to my knowledge, anecdotally) have mostly just been swapped among the Big 4. I don’t know of many huge multi-nationals jumping ship to BDO or GT.
I don’t think I assumed anything that Wyman didn’t explicitly write. Wyman defined risk and I went with it. He didn’t discuss the trade-off between fees and risk — which, by the way, was definitely what kept Andersen at Enron, year after year, even though it knew Enron was pushing the GAAP envelope. They bet the firm for $100 million a year in Enron fees.
I agree with your point that the smaller clients were dropped from the portfolio(s) because the fees didn’t justify the risks, in the minds of the partnership’s lawyers. We could probably write a book on all the risk mitigation missteps the firms take these days, from rubber stamped “risk reviews” (that nobody reads until after the client goes south when the search for the guilty parties is in full swing) to a relentless focus on reducing small risks to zero exposure while ignoring the huge “elephant-in-the-room” risks such as partner and staff qualifications (or lack thereof) for particular industries, clients and/or engagements.
With respect to your other points, I think if you go back and re-read Wyman’s post, you’ll see I was responding to his thoughts. For instance, I did not suggest–indeed, I refuted–the idea that the large multi-nationals would “jump ship” to a mid-tier firm. No offense to the mid-tiers, of course.
Have a great weekend!
— Tenacious T.