Is Sarbanes-Oxley Compromising Internal Audit? (In the News) Oct. 2, 2005
by Eric Krell
Internal auditors at many companies have been so consumed by the legislation that traditional priorities are falling by the wayside. But some organizations are finding ways to balance the function's ongoing compliance responsibilities with a renewed focus on strategic and operational risks.
It's a brave new world for internal audit, one that presents new opportunities and new risks. The function has risen to the challenges that the new regulatory environment poses. Now finance and internal audit executives must find ways to balance internal audit's independence with its ongoing compliance contributions while keeping it sufficiently staffed. And they must define and execute the function's future role, which will likely encompass a strong and broad risk management component.
At Korn/Ferry International, a Los Angeles-based executive search, outsourced recruiting and leadership development provider, internal audit has conducted internal controls testing in 10 European and Asian countries, worked alongside co-sourced internal auditors from KPMG, and spent considerable time deciphering and disseminating the latest Sarbanes-Oxley compliance guidance filtering out of the SEC and the Public Company Accounting Oversight Board (PCAOB). Now, says vice president of finance and corporate controller Alan Hill, the function will hand off some of its compliance responsibilities to business process owners so that it can spend more time on traditional internal audit activities -- which he admits may not be so traditional anymore.
Long before Sarbanes-Oxley was signed into law, "we had a very good internal audit function, one that reported directly to the chair of our audit committee," notes Hill, who credits the function with stepping up to help the company meet the challenges of the new regulatory environment. "We've relied on internal audit to be our internal experts on the latest guidance. They have really helped us manage the compliance burden."
Balancing Compliance and Independence
The compliance contribution of companies' internal audit function seems to be a top-of-mind concern for the regulators, external auditors and corporate executives who have been most influential in determining how Sarbanes-Oxley will be implemented, audited and enforced. In May, the PCAOB issued guidance on audits of internal controls that included this message to external auditors: "Take advantage of the significant flexibility that the standard allows to use the work of others." In other words, trust and use the internal controls testing that internal auditors have conducted.
The public hearings that preceded that guidance were contentious; the sessions were packed with leaders from the largest public accounting firms, the SEC, the PCAOB, and public companies still shell-shocked by the amount of time and money compliance had consumed. Yet all attendees seemed to agree on the value of an independent internal audit function.
In many cases, however, that independence has been compromised by companies' Sarbanes-Oxley compliance efforts. The amount of legwork that Section 404 demands caught many finance departments and compliance project teams by surprise. Internal auditors were pulled away from their normal duties and assigned to compliance tasks. Many organizations allocated 50 percent or more of their internal audit group to initial Section 404 work, says Anne Marchetti, practice director of Sarbanes-Oxley services for Parson Consulting in Chicago.
Given the amount of space devoted to internal audit's independence in the white papers on sustainable compliance now being published by Big Four firms, it seems that many organizations were unable to manage that reassignment of resources without sacrificing the function's objectivity. For example, if internal auditors contribute to the testing of internal controls, they should not be expected to evaluate their own work, emphasizes a Deloitte & Touche white paper. "If internal audit is placed into the position of concluding on the effectiveness of the controls on behalf of management, then the function may not be considered objective enough to be relied upon by the independent auditors as they determine the extent of testing necessary to support their internal control audit procedures."
Internal auditors' compliance work often encompassed documentation and remediation as well as controls testing. Many management teams -- which sometimes included internal auditors -- also conducted documentation, testing and remediation. But in neither of these cases can companies expect to reduce their external audit expenses. "External auditors cannot rely on the results of management testing," Marchetti points out. They may be able to rely on the testing work done by internal auditors -- but only if the internal audit function is not involved in documentation and remediation activities.
"The internal audit group should not make remediation recommendations, perform remediation and then test," adds Marchetti. "They would be testing their own work, and this would be a segregation-of-duties issue."
Concerns about independence and objectivity may be limiting the candor of the dialogue between internal audit executives and their organization's audit committee. Marv Tseu, CEO and co-founder of IT compliance solutions provider Active Reasoning Inc. in Palo Alto, Calif., serves on the audit committee of the board of directors for Plantronics, a publicly traded communications headset manufacturer. He says the audit committee meets more often than it did before Sarbanes-Oxley's passage, but meetings with the chief audit executive are much more confined to specific audit discussion points. Plantronics' internal auditors are taking a less consultative approach "due to a constant fear of being held accountable to specific opinions or advice," says Tseu, who points out that the same dynamic holds true with external auditors. "This puts an increased burden on the audit committee to ensure that the auditors are truly digging deeply into the financial data."
Surveying the Wider Risk Landscape
At many companies, internal audit's compliance involvement has distracted its attention from operational audits, systems audits and other project work. "Internal audit organizations have been so consumed by Sarbanes-Oxley that other priorities are falling by the wayside," warns a PricewaterhouseCoopers white paper. "Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That's because a failure to address key strategic and operational risks as well as compliance risk in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future."
While the prose is overheated, the point is sound. In a letter to the SEC this spring, Institute of Internal Auditors (IIA) president Dave A. Richards emphasized that the "redirection of internal audit coverage" to compliance efforts raises issues that companies must address. "The IIA believes the annual internal audit plan needs to be balanced and reflect all the risks facing the organization -- not just the financial-reporting-related risks," Richards concludes.
Hill agrees. At Korn/Ferry, "some time normally spent on traditional internal audit activities has been sacrificed," he acknowledges. "As soon as we meet our 404 deadline, our internal auditors will spend more time doing what they've always done -- examining the revenue recognition process in a specific country or how the expense-payment process is handled in another office."
The business assessment and audit group for Oracle, the Redwood Shores, Calif.-based enterprise software provider, has helped the company comply with Sarbanes-Oxley on two fronts. First, it provided risk management oversight by sending an internal auditor to participate in all of the meetings held by the finance team responsible for Sarbanes-Oxley compliance. Second, the group contributed, selectively, to internal controls testing. "We've focused on the judgmental areas," notes Scott Rae, vice president of business assessment and audit, who reports functionally to audit committee chairman Donald Lucas and administratively to president and CFO Gregory B. Maffei. Those areas include processes that involve reserves or accruals, consolidation, and treasury.
That work has not distracted the internal audit group from its day job, however. "We executed a risk assessment for the company this year," Rae reports. "It helps us comply with Sarbanes-Oxley, but it also helps the internal audit function determine how we're going to allocate our resources. We're using more of a risk-based approach to how we focus our effort."
Iron Mountain, a records management and data protection company based in Boston, is another business that's determined to keep its audit plan well-balanced. "Legal compliance, operational compliance -- which translates to optimization and effectiveness -- and financial reporting compliance have come to the forefront, thanks to Sarbanes-Oxley," says chief accounting officer Jean Bua. "A lot of people are looking at internal audit to serve as a bridge that connects these three areas."
The company's internal audit department is currently designing an enterprise risk initiative. "We're looking to further strengthen our [internal audit] staff's skills so that we can do an enterprise risk assessment and also step back to make sure that we are appropriately addressing all of our business risk, customer risk, foreign currency risk -- all of our risks," says Bua. "We're looking at internal audit as playing an even greater role in mitigating our risks and watching out for where we may have gaps in our compliance areas."
Iron Mountain is not alone in seeking a holistic view of its enterprise risks. More and more internal audit departments are looking to adopt broad-based risk management approaches, according to Ted Frank, president of Cleveland-based Axentis Inc., a provider of enterprise governance, risk and compliance management software. Frank also leads the technology council of the Open Compliance and Ethics Group, a not-for-profit organization that helps companies align their governance, compliance and risk management activities. "I get more questions from the internal audit folks than I ever have before about broad, enterprisewide risk management," he says. "They are thinking about how that offers strategic value to the organization."
When Korn/Ferry hired two new internal auditors last year, the midsize company doubled its internal audit function's head count. It also hired internal auditors from KPMG (the company's external auditing firm is Ernst & Young) on a contract basis to assist with internal controls documentation for its IT function and to help with a project in its Colombia office. Without that co-sourcing arrangement, Hill estimates, his company would have needed to hire two or three more full-time internal auditors.
Although Korn/Ferry is not yet giving GE a run for its revenue, it's a complex, global organization with operations in 35 countries. Finding qualified internal auditors is challenging, as it is for many U.S. public companies looking to staff their operations abroad.
"We've historically looked for internal auditors with a public accounting background who also have internal audit experience," says Hill. "That hasn't changed. But today, Sarbanes-Oxley familiarity and experience is very valuable."
And it's in short supply. "Even if funding is available and permission has been granted to hire, organizations are struggling to find qualified resources," says Parson Consulting's Marchetti.
That's particularly true for small to midsize companies, which should consider lifting a page from Oracle's audit playbook. The company's internal audit team invites one to four colleagues from other parts of the business -- finance or IT, for example -- to participate in each of its projects. Rae looks for candidates whose background is a good match for the project, although they typically have scant, if any, internal auditing experience. "Our guest auditor program helps us from a resource perspective, and it helps stimulate two-way knowledge transfer," he reports.
Internal auditors' growing responsibilities present an opportunity to expand their influence. "Internal audit should strike while the iron is hot," says Iron Mountain's Bua. But the function "should not be treated as a bureaucratic command-and-control center," she adds. "It should really be embedded in the organization and add value. I think if internal audit steps up to that challenge, it will be seen as a very good business partner, and internal auditors will advance their profession markedly in the next few years."
A Call for Autonomy
Accounting professor C. William Thomas has seen internal audit come full circle in the past 35 years. "In the early days, internal audit was more focused on controls and compliance," says the former KPMG and BDO Seidman auditor and current J.E. Bush Professor and Master Teacher at Baylor University in Waco, Texas. "During the 1990s, the function focused more on operational auditing issues that dealt with profitability and the pinpointing of risk." After the Enron debacle and the Sarbanes-Oxley Act, internal audit's attention turned to internal controls once again. But Thomas notes that in addition to scrutinizing internal controls surrounding financial reporting, leading internal audit functions are examining a more holistic collection of risks across the enterprise.
To do so effectively, internal audit departments must be as autonomous as possible, Thomas says. For starters, that means that internal audit directors should report to the audit committee of the board. "They don't always report through that structure," Thomas observes. "If companies realign their internal audit function to have the internal audit director report directly to the chair of the audit committee, who is independent, that would lend a great deal of independence to the internal audit function."
The IIA endorses that reporting relationship. In a 2005 survey of IIA members from Fortune 1000 companies, three-quarters of the nearly 300 respondents said that their organization's internal audit function reports functionally to the audit committee.
Most survey respondents work for companies with more than $1 billion in annual revenue. Only 10 percent work for companies with fewer than 2,500 employees.