A Response to Reuters on Internal Audit and Banks
Reuters has a story out today entitled, “Regulators tighten up bank in-house checks.”
Unfortunately it does nothing to illuminate, in fact it distorts, the role of internal audit, external audit and the Audit Committee of the Board of Directors in a bank. Just another example of the lack of understanding by most major media journalists of these functions and their roles in the capital markets and regulatory infrastructure.
I’ve written many times about why this happens. It’s not for lack of trying or desire for doing the right thing by the individual journalists. They have no time or encouragement to learn. The editors often know even less and make journalists simplify and dilute exact terms that accurately describe roles and responsibilities in the law in the interest of “readability” and mass market appeal. Some of them have no desire to understand these activities.
Here’s my response since I could not, for some reason, post a comment at Reuters.
Dear Reuters: This story is a hot mess and unfortunately does nothing to raise awareness of the role or responsibilities of internal auditors. For example, why the use of “so-called” in the second paragraph? It implies a pejorative.
Ummm, that’s what the function is called. Internal Audit.
And was the function “discredited in the financial crisis where there were clear lapses in managing risks” or is it that the internal audit profession, “largely escaped fallout from the financial crisis which mostly hit regulators, credit rating agencies and external auditors.”
I think the fallout on external auditors was very late and still sorely lacking as they have scooped up all the work for government addressing the problems that occurred. They also got away with not issuing any “going concern” warnings to qualify the financial statements of all the banks that failed, were bailed out, were forcefully acquired due to insolvency or went bankrupt in the US or UK as a result of the crisis. Taxpayers paid but were not warned in advance.
Did the “U.S. reform of Wall Street, known as Dodd-Frank” put responsibility for implementing the reform on a bank’s internal audit committee.” ?? I don’t recall anything like that. There was no mention of the Audit Committee of the Board of Directors but there was mention in Dodd-Frank of requirements for risk committees for banks. Those standards have been written by the Fed. Dodd-Frank didn’t mention external auditors or internal auditors once. Instead, Sarbanes-Oxley was the law that, at least for the US, drew the line between services external auditors could provide to their clients – internal audit co-sourcing or outsourcing is now prohibited – but the UK has unfortunately not adopted that restriction. In fact, the UK has allowed the conflict to proliferate in the name of cost savings.
“There is no direct supervision of internal auditors…” except by management and the audit committee of the board of directors to whom the Chief Internal Auditor is encouraged to have a direct line of reporting by Sarbanes-Oxley.
Listing standards for the NYSE require an internal audit function. NASDAQ where most new tech IPOs like Facebook are listed, does not. Back in 2003, the Institute of Internal Auditors (IIA) made recommendations post- Sarbanes-Oxley that were adopted for the most part by NYSE, but not completely by NASDAQ. And both the NYSE and NASD left a few key recommendations hanging.
In addition, the IIA has never mandated, under its own standards for the internal audit profession, a direct reporting of the internal audit function to the independent Audit Committee. The SEC did not adopt this requirement in their final rules, either.
If you have any questions on how to make these corrections, you can find me at https://francinemckenna.com
You may want to read my column in American Banker about risk committees in banks.
What is it with you and Reuters? Everytime they report something related to accounting you go ballistic. Sounds personal to me.
There are some very good reporters at Reuters, in particularly the investigative group currently covering Chesapeake (they won the Loeb award for their Shell Games series last week) and on the legal and FS investigative side like Alison Frankel and Matt Goldstein’s team. They call me on the accounting aspects of their stories. But the accounting reporting, especially in the UK, is inconsistent and often ill-informed. Here in the US Dena Aubin covers often, is getting better, but often has to do “file a story” reporting and uses the same sources over and over. (Soyoung Ho, at Thompson Reuters, on the other hand, does a great job when she gets the chance. She also calls and writes me often.) Reuters has no one who can do opinion or analysis coverage of the accounting industry. There’s a desire to dilute the details to make it easier to read. The editors obviously think that’s better than getting it right. There are very few dedicated accountancy reporters in the US that have been at it long enough, are genuinely interested, and generally get it right. Michael Rappoport at WSJ, Jonathan Weil at Bloomberg and…. Well that’s about it in my book. (NYT’s Norris and Nocera are dilettantes when it comes to reporting on the accounting firms.. Only when it’s sexy and only for sport.)
Summary: I like writers who collaborate with me, and dislike those who don’t, because the one who collaborate with me get it right and the ones who don’t, don’t.
Sort of true. I respect writers who either know what they are talking about or who are not too proud to ask the right folks for help. Michael Rappoport and Jonathan Weil do not collaborate with me although I have talked to them both extensively. But they know their stuff and know who to call when they need help.
An abbreviated response (I won’t go so far as to call it a “hot mess”. Let the readers decide for themselves):
1) “For example, why the use of “so-called” in the second paragraph? It implies a pejorative.
Ummm, that’s what the function is called. Internal Audit.”
– So-called has 2 definitions: 1) commonly named : popularly so termed 2) falsely or improperly so named . Only one, the second, implies a pejorative. The first simply states that term is so termed, based on previous information. In the Reuters example, the immediately preceding, lead paragraph mentions “in-house checks”. In-house…internal. The connection seems clear.
2) ” ‘There is no direct supervision of internal auditors…’ except by management and the audit committee of the board of directors to whom the Chief Internal Auditor is encouraged to have a direct line of reporting by Sarbanes-Oxley.”
– You conveniently omit the rest of the sentence. The context is important. It continues “…though the sector is trying to become more professional in pushing for higher standards and profile” Again, the implication seems to be clear, the author is contrasting external auditors’ formal oversight structure (the PCAOB) with internal auditors’ lack of a similar body. The following sentence goes on to mention a specific body that could serve that function.
I’ll concede that the two quotes in your 2nd paragraph do seem to be contradictory. #1 is forgivable as most people’s knee-jerk reaction to the “so-called” phrase is the same as yours. #2 seems like a willful omission, I’m interested in your reaction.
Maybe I should have said “implies to me a pejorative.” Since it’s my opinion I believe I am entitled to choose the definition. “Internal Audit” is more than a common or popular term for the function. That’s what it is called – by its professional association, by the laws on both sides of the Atlantic and in accounting and auditing standards. Not sure why the editor would allow the insertion of “so-called” and run the risk of a negative connotation.
“Trying to become more professional” ?? That’s an insult to the IIA, a large, international organization that provides globally recognized professional certifications and respected research and has been around since 1941. The IIA is an organization that serves a similar function as the AICPA did before PCAOB. The PCAOB now exists and takes over for standard setting and independent rather than a peer-based regulatory role for public company external auditors because of legislation enacted as a result of a direct failure of external auditors to fulfill their duty in the face of scandals such as Enron, WorldCom, HealthSouth, Tyco, etc. Although internal auditors have failed too, they are not an independent part of the capital markets and regulatory system with a public duty to shareholders versus management but an internal function within the company hierarchy. That internal auditors have accomplished professional recognition similar to lawyers, engineers and others who work within companies for which no regulatory body like the PCAOB exists either is much to the profession”s credit.
Richard Chambers, CEO of the IIA, agrees with my criticism of the Reuters piece based on his retweet of my blog post and private remarks to me.
PS It’s nice to see you engaged again. I remember our spirited conversations years ago under your previous nom de plume.
Same here. I respect you for being willing to defend your positions, even though I may disagree with them.
Thanks. Disagree away… Makes me sharper and forces me to make sure.
I am interested in your current perspectives on the emerging trend that IA is ‘internal consultant to management’?