Internal Audit in the New Business Environment
Introduction
United States (US) public companies are navigating new reporting and monitoring demands arising from new regulation and societal trends. The Sarbanes-Oxley Act (SOX) and the apparent conversion of US Generally Accepted Accounting Principles (GAAP) to the International Financial Reporting Standards (IFRS) have created reporting issues for US companies. In addition, an increasingly environmentally conscious investor group has raised the demand for sustainability metrics, and the recent financial crisis has led many companies to develop more elaborate enterprise risk management (ERM) practices.
Structured interviews with Chief Audit Executives (CAEs) of 11 large publicly traded companies (average revenues of $4.92 billion) with offices in Northeast Ohio were conducted to provide insight into these changes. The CAEs are well-seasoned professionals with an average of 19.2 years’ internal audit experience. The internal audit staffs ranged from three to 80 individuals, with an average of 15.5. These individuals are leading professionals in internal auditing. Their opinions and insight are consolidated and summarized in this article to be useful to management as they consider the direction and scope of their company’s internal audit function, to internal auditors as they assess their role in the current business landscape, and to academics as they discern emerging business trends and challenges.
Audit Scope
In 2002, the US Congress reacted to a series of accounting scandals by enacting the Sarbanes-Oxley Act (SOX) with the costly and burdensome Section 404 (S404). Initially, internal auditors dedicated most, if not all, of their resources toward meeting S404 requirements causing the internal audit pendulum to swing from a consulting focus to an assurance/compliance focus (Deloitte, 2006; Gray, 2004; PwC, 2005). While most internal auditors agreed that they should direct the internal control compliance effort, they found the work to be tedious and mundane (Nagy and Cenker, 2007). As such, many internal auditors sought ways to lessen their S404 compliance role and return to areas requiring more of their expertise and professional judgment.
Ten of the 11 CAEs reported that their S404 workload has significantly decreased since the early compliance years [1]. Time and resources dedicated to S404 compliance work for these ten internal audit departments declined from 90 to 100 percent in the initial compliance years to 20 to 50 percent in 2009. The CAEs noted more efficient testing and documenting procedures and the issuance of much needed guidance by the Public Company Accounting Oversight Board (PCAOB) as the primary reasons for the reduced S404 workload. In particular, Auditing Standard No. 5 issued by the PCAOB in 2007 persuaded external auditors and management to focus on key internal organizational control. One CAE stated that their company went from documenting and testing 3,900 controls in the early compliance years to a more reasonable 250 key controls in the current year. The remaining CAEs noted similar reductions in the number of controls tested and documented for the S404 requirement. This renewed focus on the key controls along with improved testing and documenting efficiencies has significantly reduced internal audit’s workload for S404 compliance.
Despite the reduction in S404 work, the sampled companies’ internal audit departments still dedicate significant time and resources (20 to 50 percent) toward S404 compliance, although the current roles of internal audit differ. Six of the sampled CAEs reported they have effectively shifted internal control documentation and testing responsibilities from internal audit to process owners. For these companies, internal audit simply coordinates and monitors compliance work performed by process owners. The remaining five internal audit departments still assume full compliance responsibility and perform all documentation and internal control testing annually. The CAEs do not expect their department’s S404 responsibilities to change in the near future.
Ten of the eleven sampled CAEs believe that the annual S404 compliance requirement is still beneficial. They suggest the annual S404 exercise maintains a high level of awareness of internal control importance. Several CAEs also suggested that S404 work tightened their company’s internal control structure, particularly in information technology. Despite these benefits, the CAEs were quick to express many concerns about the ongoing compliance requirements. Six of the CAEs fear that S404 work is “losing its luster” and employees are beginning to view it as a “rubber-stamp” exercise. Other CAEs questioned whether the compliance benefits exceed the costs. Nonetheless, they do not anticipate a reprieve from S404 requirements for their companies in the near future.
One CAE did not find any benefit in the annual S404 compliance work, suggesting the initial compliance efforts effectively identified and rectified material control weaknesses, and subsequent annual compliance efforts merely document and test already sound internal control structures. Furthermore, this CAE believes that the external auditors miss the spirit of the regulation by focusing on check marks or initials indicating control performance rather than business process effectiveness.
International Financial Reporting Standards (IFRS)
In February 2010, the SEC unanimously voted to reaffirm its strong support for a single set of global standards and expressed continued support for the convergence of U.S. GAAP and IFRS [2]. The Commission directed the staff of the Office of the Chief Accountant to develop and execute a work plan addressing several areas of concern that were highlighted in the many comment letters pertaining to the convergence project. The SEC will wait until the execution of this work plan, along with the completion of other convergence projects by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB), before making a determination in regards to incorporating IFRS into the U.S. financial reporting system (SEC, 2010a). This determination is expected to occur in the summer of 2011.
Understandably, companies are hesitant to commit significant resources to an IFRS convergence project before hearing a definitive statement and timeline from the SEC. Nine of the eleven sampled companies have performed minimal to no work toward IFRS convergence. Two companies had their external auditors perform initial assessments of an IFRS convergence impact on their organizations, but have not yet acted on these assessments. Most of the CAEs (seven) expect internal audit to play a part in the IFRS convergence project, but are not sure of the nature of that role. The remaining four CAEs do not foresee their departments being overly involved in the IFRS project. They expect such a project will be outsourced or handled by a separate project team. All of the CAEs are monitoring the situation and waiting on the SEC to provide a definitive timeline before implementing any substantial convergence project.
Although the specifics of an IFRS conversion are still unclear, the CAEs believe the U.S. will eventually adopt the globally accepted standards. This presents an opportunity for internal audit to take the lead in their company’s anticipated IFRS convergence project. The vast majority of CAEs (ten of eleven) find merit in establishing a single set of global accounting standards [3]. However, they believe that converting to a more principle-based set of standards will create many issues in the U.S. financial reporting environment. For example, three CAEs speculate that much implementation guidance will arise with a principle-based set of accounting standards, and the resulting standards will be similar to current U.S. GAAP. In addition, the CAEs fear that subjective principle-based standards will provide management opportunity to employ overly aggressive accounting practices. In sum, they believe a convergence to IFRS will happen, but they are less certain what type of standards will result or when.
Corporate Social Responsibility
In response to the increasingly popular “green” movement, organizations worldwide are taking action regarding corporate social responsibility (CSR) (IIA, 2010). In its recently published practice guide on CSR, the Institute of Internal Auditors (IIA) defines CSR as the way “firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society” (IIA, 2010). CAEs were asked about various aspects of their company’s CSR program, including the role of internal audit in such programs.
All of the sampled companies have some type of CSR program. Seven CSR programs are in early stages of development and primarily focus on legal compliance and contractual obligations. The remaining four CSR programs are more developed, recognizing CSR risks and strategies to meet company-wide objectives. Two of these companies issue separate sustainability reports, and two describe their CSR activities in their annual report disclosures. None of the sampled internal audit departments are meaningfully involved in the CSR programs for lack of developed CSR performance measures. The CAEs do not expect their companies’ CSR programs to reach full maturity in the foreseeable future.
Prior research suggests companies perform CSR activities for economic and/or ethical reasons (Borkowski et al., 2010). Regarding economic reasons, several interviewed CAEs sense their companies are performing just enough CSR activities to avoid negative attention from customers, employees, and shareholders. The CAEs believe investors expect the company to abide by applicable laws and regulations, and that they do not value any CSR actions above and beyond these requirements. Regarding ethical reasons, the sampled companies’ CSR activities seem to improve employee morale and help attract and retain high-quality personnel. A few CAEs noted that some business customers have begun inquiring about their company’s CSR activities, and one CAE suggested that they perform CSR activities because it is “the right thing to do.” The CAEs generally believe that until the market begins valuing CSR activities, companies will not invest significant resources to develop comprehensive CSR programs.
Enterprise Risk Management
Many companies responded to the accounting scandals of the early 2000s and the ensuing recession by taking measures to improve their entity risk management process. In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an enterprise risk management (ERM) framework to provide guidance in this area.
Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004).
In a 2008 survey led by Crowe Horwath LLC, more than 65 percent of CFOs and 70 percent of audit committee members cite managing enterprise risk as their organization’s biggest challenge over the next year. Standard and Poor’s has recently begun evaluating a firm’s ERM procedures as a component of their credit evaluation (Dreyer and Ingram, 2008), and a new SEC proxy statement disclosure requirement has companies providing insight into their board’s involvement in risk assessment (SEC, 2010b).
Nine of the eleven sampled companies have begun developing ERM processes in the past few years. Early ERM process development activities involved identifying and ranking the company’s enterprise risks, and constructing formal methods to continuously monitor and manage identified risks. Internal audit is or will be involved in the ERM process by ensuring the developed risk management activities are performed by the appropriate individuals. The two remaining sampled companies are not currently developing an ERM process. One of these companies tried ERM but found the process to be an inflexible “check list” exercise, and the other company manages risks informally. Several CAEs noted the economic downturn has strained resources, slowing ERM process development.
Conclusion
Internal audit orientation has recently shifted from S404 compliance to focus on operations and consulting. Although still significant, internal audit has a more manageable S404 workload primarily due to renewed focus on key controls and improved testing and documentation efficiencies gained over time. Reduced S404 compliance workload allows internal audit to focus on value-added activities including operational audits and risk assessment.
The CAEs noted that their companies are waiting on the SEC to provide a definitive timeline before investing substantial resources toward an IFRS convergence project. The CAEs generally find merit in a global set of accounting standards and believe that US convergence to IFRS is likely to happen. However, they are less certain regarding what type of standards will result from a convergence or when. Similarly, most of the CAEs are uncertain what role internal audit will play in an IFRS convergence project, but most anticipate involvement in some capacity.
The CAEs recognize that emerging environmental conservation societal trends have influenced many companies to develop CSR programs. All of the sampled companies are performing CSR activities; however, none of the companies have a CSR program containing auditable metrics. The CAEs suggest the market punishes socially irresponsible corporate behavior, but does not particularly reward socially responsible behavior. Thus, several CAEs sense their companies are performing just enough CSR activity to avoid negative attention from customers, employees, and investors. Internal audit has a limited role in these CSR programs primarily because they lack specific objectives and auditable performance metrics.
Increased scrutiny from investors and regulators resulting from accounting scandals in the early 2000s and the more recent recession has caused companies to formalize risk management practices. Most of the sampled companies have begun developing an ERM program in the past several years. For several companies, internal audit is directly involved in developing the ERM program by constructing risk metrics and monitoring procedures.
The opinions and insights provided in this article are presented to stimulate further discussion and research in areas surrounding internal audit orientation, IFRS convergence, CSR activities, and ERM programs. Although the number of CAEs interviewed is relatively small (11), raising concerns about generalization of the responses, the responses presented are both insightful and thought-provoking. The limited sample size made structured interviews possible, resulting in more detailed responses to specific questions. The high variation of the scope and activity of internal audit departments in the sample made face-to-face interviews the appropriate technique to obtain reasonable and meaningful responses. In summary, the detailed responses presented help bring awareness to the issues surrounding the selected business topics, so that management, regulators, investors, and the internal audit profession will be better equipped to position the internal audit function and their companies in the business community.
Authors:
Albert L. Nagy, PhD, CPA
Professor
Department of Accountancy
John Carroll University
20700 North Park Blvd.
University Heights, Ohio, U.S.A. 44118
(216)-397-4454
Mariah Webinger, PhD
Assistant Professor
Department of Accountancy
John Carroll University
20700 North Park Blvd.
University Heights, Ohio, U.S.A. 44118
(216)-397-4225
Notes
[1] The remaining CAE’s company established a financial compliance group for the initial S404 work. Soon after, the company had to restate their financial statements and disclosed several internal control material weaknesses. This led to significant changes in the company’s corporate governance structure, including hiring the CAE to redefine the internal audit function and the internal audit department assuming the S404 compliance work. Thus, the S404 compliance workload for this internal audit department has significantly increased due to these recent events.
[2] The roadmap to convergence was largely put on hold when the global economic crisis hit. The SEC was dealing with major issues at that time: a change in the White House, the financial crisis, massive frauds, and an increase in congressional scrutiny for all regulatory bodies.
[3] The one CAE that did not see a need to change from U.S. GAAP to IFRS indicated that investors understand U.S. GAAP and are fully capable of determining the impact of any differences between U.S. GAAP and IFRS.