Effective Auditing for Corporates: Key Developments in Practice and Procedures 9781472920447, 9781849300445

In the wake of the recent financial crisis, increasing the effectiveness of auditing has weighed heavily on the minds of

198 109 5MB

English Pages [223] Year 2012

Report DMCA / Copyright

DOWNLOAD PDF FILE

Recommend Papers

Effective Auditing for Corporates: Key Developments in Practice and Procedures
 9781472920447, 9781849300445

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

Introduction This multi-author volume brings together a diverse selection of authors with a wide variety of experience and expertise. The first third of the book focuses primarily on external auditing matters, including the rise of the integrated audit. Integrated audits are noteworthy because they require a distinct auditor opinion on internal controls, in addition to the traditional opinion on financial statement accounts and balances. Barely 10 years old, this integrated audit is a direct requirement of the United States’ Sarbanes–Oxley legislation and has raised the importance of how financial statements are constructed. The section begins with a thoughtful essay on financial fraud and creative accounting, together with an explanation of why investors should appreciate external auditing. Other essays consider cultural changes, independence, Sarbanes–Oxley after 10 years, and the overall market for external auditing services. The second section of the book focuses on internal auditing, starting with why corporations should choose to establish such a department. While also mandated by various legislative and regulatory bodies, including the New York Stock Exchange, the anticipated value of increased assurance and business recommendations causes many private firms to establish these departments as well. Whether a department consists of 1 or 1,000 internal auditors, the objectives and even professional standards are the same. These professional standards are set globally by the Institute of Internal Auditors (IIA). Interestingly, even internal auditors are audited through a quality assurance review (QAR) process defined by the IIA. Central to these standards is a risk-based approach to internal auditing, as described in the Sanchez and Roybark chapters. This section concludes with the first of my two chapters (on data-driven risk assessments) and helps serve as a transition into the third and final section, focusing on new horizons for auditing. In my experience, it’s not enough just to comply with the IIA’s quality standards to be seen as an effective internal audit department. Real success is about exceeding these minimum standards, and adding value back to the corporation through both assurance and advisory recommendations that improve the ability to achieve organizational objectives within an acceptable level of risk. Common characteristics of high-performing internal audit departments include demonstrating a thorough understanding of the business and industry. Similary important is a continuous improvement culture that allows the audit team to keep pace with other changes within the enterprise. The rapidly increasing pace of change in business, the rise of new technologies, and associated issues with quality and reliability of electronic audit evidence all demand that auditors in the future refine existing skills and add certain new skills in order to remain most effective. Examples of new horizons that both internal and external auditors are beginning to explore include corporate social responsibility and environmental sustainability. This section is not intended to be all-inclusive—your firm

vii

FINAL INTRO PRELIMS VERSION 1.indd 7

13/02/2012 12:28

likely has other, company- or industry-specific emerging issues that merit attention. Our intent is that reading these and previous sections will help you identify what these issues are for you and your firm. “Audit” has its roots in Latin, meaning “to hear,” and in this book we have attempted to capture the latest developments in auditing by listening to the perspectives from a variety of audit and risk professionals. We trust these essays will start conversations that will help your team be more prepared for the future. Joe Oringel Managing Director, Visual Risk IQ

viii

FINAL INTRO PRELIMS VERSION 1.indd 8

13/02/2012 12:28

Contributors Monika Causholli is an assistant professor at the University of Kentucky. She obtained her PhD from the University of Florida in 2009, a master’s degree in accountancy from the University of Texas at Arlington in 2004, and a bachelor of science degree from Oregon State University in 2000. Her research interests include audit production and knowledge acquisition, auditor specialization, audit quality, and the effects of regulation in the audit markets. She currently serves as an editorial board member of Auditing: A Journal of Practice and Theory.

Controls Auditor (CICA) certificates. Since starting his career as an information systems auditor, Davis has provided data security consulting and information systems auditing services to the US Securities and Exchange Commission, Raytheon Company, Dow Jones, and other organizations. He has authored articles addressing IT issues for the IIA, IT Governance, and ISACA, as well as writing Internet content for Techtarget. com, Toolbox.com, and Suite101.com.

Denise Cicchella is a recognized expert in construction audit, protecting owners from the overpayment of construction costs due to fraud, error, or negligence by contractors. She is a Certified Internal Auditor, Certified Fraud Examiner, Certified Construction Auditor, and Project Management Professional, and a fellow of the Life Management Institute. She holds an MBA in international business from Fairleigh Dickinson University and a BBA in accounting from Loyola University. She is president of the New York/New Jersey Chapter of the National Association of Construction Auditors. Cicchella is author of the Institute of Internal Auditor’s handbook Construction Audit Guide: Overview, Monitoring, and Auditing.

Michael De Martinis is a senior lecturer in the department of accounting and finance at Monash University, Australia, where he is currently director of the master of business (accounting) course. He teaches classes in auditing and fraud examination, and focuses his research on audit production and efficiency. He has published articles on public sector auditing, audit planning, and the market for audit services in a number of journals including the Australian Journal of Public Administration, European Business Review, Managerial Auditing Journal, and the Journal of Accounting Literature. De Martinis received his bachelor’s degree from La Trobe University, his MBA from Monash University, and his doctorate on audit planning and production from the Australian National University. He is a member of the CPA (Australia).

Robert E. Davis obtained a bachelor of business administration degree in accounting and business law and an MBA in management information systems from Temple and West Chester Universities, respectively. During his 20 years of involvement in education, he acquired postgraduate and professional technical licenses in computer science and computer systems technology. He also holds Certified Information Systems Auditor (CISA) and Certified Internal

Henning Drager currently works as chief sustainability officer for BDO LLC Ukraine, where he is developing sustainability services and leading on enhancing BDO’s environmental, social, and corporate governance (ESG) practices. Prior to BDO, Henning gained 13 years’ experience managing international sustainability and corporate social responsibility teams at ACCA Global, Friends of the Earth, the World Wildlife Fund, and Goldman Sachs.

ix

FINAL INTRO PRELIMS VERSION 1.indd 9

13/02/2012 12:28

Robert G. Eccles is a professor of management practice at the Harvard Business School, where he teaches courses on innovating for sustainability in the MBA and executive education programs and on the role of the corporation in society in the doctoral program. He is the author of numerous cases, articles, and books, including three books on corporate reporting. The most recent book, coauthored with Mike Krzus, is One Report: Integrated Reporting for a Sustainable Society. Eccles graduated with SB degrees in mathematics and humanities and social science from the Massachusetts Institute of Technology in 1973, and received his AM (1975) and PhD (1979) in sociology from Harvard University. Stuart Gardner has more than 20 years of audit and corporate experience in a variety of sectors and industries, including government, publishing, and financial services. His experience combines audit of numerous largescale construction projects, internal controls and audit reviews, information security, relocation planning, and project risk management. He was director of risk assessment for the McGrawHill companies. Gardner is a Chartered Public Finance Accountant (UK government and healthcare), Certified Construction Auditor, Certified Information Systems Auditor, and Certified Information Systems Security Professional. He holds a bachelor’s degree in computer science from the University of Swansea. David Hay is professor of auditing and head of the department of accounting and finance at the University of Auckland Business School. David had 12 years of experience in auditing with Big Eight audit firms in London and New Zealand before completing further study and

commencing his academic career. He has taken an active role in the admissions requirements for chartered accountants in New Zealand, including a period as chief examiner, and recently served as president (New Zealand) of the Accounting and Finance Association of Australia and New Zealand. He has published more than 20 articles on auditing and accounting research in refereed academic journals and is an editor of the International Journal of Auditing and a member of nine editorial boards. W. Robert Knechel is the Frederick E. Fisher eminent scholar in accounting at the University of Florida. He is currently director of the International Center for Research in Accounting and Auditing (ICRAA) at the Fisher School of Accounting. He is also a professor of accounting research at the University of Auckland and professor of auditing and chairman of the executive master of auditing programs at Maastricht University. His research has been published in the Accounting Review, the Journal of Accounting Research, Contemporary Research in Accounting, Accounting Organizations and Society, Auditing: A Journal of Practice and Theory, and Accounting Horizons. Currently he is senior editor of Auditing: A Journal of Practice and Theory. Michael P. Krzus is an independent integrated reporting advisor and president of Mike Krzus Consulting, Inc. With Robert G. Eccles, professor of management practice at the Harvard Business School, he is coauthor of the first book on integrated reporting, One Report: Integrated Reporting for a Sustainable Strategy. He is a member of the Sustainability Accounting Standards Board Advisory Council. Trust Across America named Krzus one of the top 100 thought leaders of 2010. He was a 2010

x

FINAL INTRO PRELIMS VERSION 1.indd 10

13/02/2012 12:28

Cecil and Ida Green honors professor at the Neeley School of Business, Texas Christian University, and a member of Sustainable Asset Management’s (SAM) Group 2010 Sustainable Asset Management Faculty. Gilad Livne has been a senior lecturer at City University’s Cass Business School since May 2005. Prior to that he was an assistant professor of accounting at the London Business School. He received his MSc in 1994 and PhD in 1996, both in accounting, from the University of California at Berkeley. He is a CPA (Israel) and worked for several years as a senior auditor in Israel after completing his BA in accounting and economics at Tel Aviv University. Livne’s research focuses on understanding how capital markets react to accounting information and the role of auditors. Jyothi Manohar serves as a director for a CPA and consulting firm in the United States that has international affiliations. She is an accounting, audit, and consulting professional focusing on the community banking industry. Her experience covers US banking regulations, risk management, internal controls, accounting, financial, and regulatory reporting, and audit committee responsibilities. She also has experience writing articles and presenting relevant topics for community bankers at industry conferences and on webcasts. She has assisted in creating staff training material and providing training for staff and senior auditors serving the banking industry. Yusarina Mat-Isa is a lecturer in the faculty of accountancy, MARA University of Technology, Malaysia. She graduated from Lancaster University with a master of science in accountancy and financial management and holds a bachelor

of accounting (hons) degree from Tenaga National University. Currently she is teaching subjects in various fields, including auditing and financial accounting. Her main research interests are auditing, risk management, and financial accounting. Zuraidah Mohd-Sanusi is a deputy director of the Accounting Research Institute and an associate professor in the Faculty of Accountancy, MARA University of Technology. She holds a doctorate in business administration (accounting) from the National University of Malaysia and master of science and bachelor of science degrees in accounting from Syracuse University. Her main research interests are forensic accounting, auditing, corporate reporting, corporate governance, management accounting, and management. She has published in a number of national and international journals. In addition to teaching, she supervises and advises masters and doctoral students. Joe Oringel is a CPA and CIA with 20 years’ experience in internal auditing, fraud detection, and forensics, which includes more than 10 years of external audit, internal audit, and risk advisory work with Big Four companies. His corporate experience includes information security and internal auditing for large, global companies in highly regulated industries. In 2006 Oringel and his business partner Kim Jones started Visual Risk IQ, which helps large, complex organizations to take advantage of new technologies for continuous auditing and monitoring, visual reporting, and risk-focused data analysis. Oringel studied at Louisiana State University’s acclaimed Center for Internal Auditing, earning a BS in accounting, and he holds a MBA from the Wharton School at the University of Pennsylvania.

xi

FINAL INTRO PRELIMS VERSION 1.indd 11

13/02/2012 12:28

Bonita K. Peterson Kramer is a professor of accounting in the College of Business at Montana State University. She earned her PhD from Washington State University, and her auditing experience includes work with KPMG in Texas and in the Montana Office of the Legislative Auditor. She currently teaches a graduate advanced auditing course and undergraduate courses in intermediate accounting. Kramer has received several teaching awards, including the Montana Society of CPAs’ Outstanding Educator Award and the Montana State University Cox Family Faculty Excellence Award. She has published articles in numerous accounting academic and practitioner journals, twice receiving the Lybrand bronze medal from the Institute of Management Accountants. She has also coauthored a true-life computerized fraud examination/auditing case simulation and a book, Financial Statements Demystified. Hugh Pforsich is an associate professor of accounting at Sacramento State University. He teaches managerial accounting, cost accounting, and taxation at the undergraduate, graduate, and executive MBA levels. He is also a consultant in the healthcare industry. His professional affiliations since 1995 include the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA). He has published articles in Advances in Taxation, Global Perspectives on Accounting Education, Strategic Finance, New Perspectives on Healthcare Auditing, the Journal of the International Academy for Case Studies, the Journal of Accounting and Finance Research, Advances in Quantitative Analysis of Finance and Accounting, and Advances in Investment Analysis and Portfolio Management.

Helen M. Roybark is an associate professor of accounting at Radford University, where she teaches accounting information systems and auditing. Her teaching philosophy is to actively engage students so that the classroom experience is connected to the professional world. Prior to joining the faculty at Radford, she worked in the accounting profession for 27 years, during which she owned and operated an accounting firm in Newport News, Virginia, for 12 years. Roybark earned her PhD from Virginia Commonwealth University in 2003. She is a certified public accountant licensed by the Commonwealth of Virginia and a certified fraud examiner with the Association of Certified Fraud Examiners. Paul J. Sanchez conducts a CPA practice in Port Washington, New York. He is the owner of Professional Service Associates (PSA), a consulting and professional training and development business servicing financial services companies, CPA firms, and professional associations. Prior to starting PSA he was vice president, professional development, for the audit division of a regional bank, served on the technical staff of the auditing standards and examinations divisions of the AICPA, and practiced public accounting in the New York office of Deloitte. Sanchez is a frequent lecturer and seminar leader for accounting, auditing, banking, and other professional presentations. He also is the author of a textbook, Accounting Basics for Community Financial Institutions, and the monthly “Ideas and analysis letter: The Sanchez take.” Curtis C. Verschoor is the emeritus Ledger and Quill research professor at the School of Accountancy and Management Information Systems and honorary senior Wicklander research fellow in the Institute for Business and Professional Ethics, both at DePaul University. He is also CEO and

xii

FINAL INTRO PRELIMS VERSION 1.indd 12

13/02/2012 12:28

chair of C. C. Verschoor & Associates. His career in industry included service as the corporate controller of Colgate-Palmolive Company and of Baxter Laboratories, as vice president of finance and certified financial planner of a diversified public corporation, and as the chief internal auditor and assistant controller of the Singer Company. Professor Verschoor has written articles in many prominent journals. His most recent books are Internal Auditing: Fundamental Principles and Best Practices, Audit Committee Essentials, and Ethics and Compliance: Challenges for Internal Auditing. Liv A. Watson is the chief product officer and founder of XBRL International, Inc., a global consortium that is working to build a standard for exchanging business information. She is also an accomplished writer and commentator, having been a coauthor and contributing author on several books—among them, XBRL for Dummies, The Governance, Risk, and Compliance Handbook, and Trust Meltdown. Her articles and commentary have been published in leading business journals, including the Harvard Business Review and Strategic Finance. One of her articles received the IMA Lybrand silver medal and was selected for inclusion in the International Federation of Accountants’ (IFAC) 2007 Articles of Merit.

xiii

FINAL INTRO PRELIMS VERSION 1.indd 13

13/02/2012 12:28

FINAL INTRO PRELIMS VERSION 1.indd 14

13/02/2012 12:28

Creative Accounting: Auditors’ Roles in the Detection of Financial Fraud by Zuraidah Mohd-Sanusi and Yusarina Mat-Isa Universiti Teknologi MARA, Malaysia

This Chapter Covers 8 An introduction to creative accounting concepts and methods. 8  Areas of possible manipulation of company accounts. 8 The use of a checklist to help in the detection of creative accounting practices and accounting fraud. 8  Case studies of two companies in Malaysia that have used creative accounting practices. 8  What is expected of auditors in detecting creative accounting practices.

Introduction: Understanding the Concepts of Creative Accounting

“Creative accounting practices” is a term used to describe any means that may be employed to manipulate financial data, and it includes the aggressive choice and application of accounting principles as well as fraudulent reporting (Mulford and Comiskey, 2002). These practices may fall within or beyond the boundaries of Generally Accepted Accounting Principles (GAAP). Creative accounting practices cover a wide range of areas, especially premature recognition of and over- or underestimation of revenue, aggressive capitalization and extended amortization policies, misreporting of assets and liabilities, and getting creative with the income statement and cash flow reporting. If an organization wishes to practice creative accounting, there is plenty of scope for the manipulation of accounting information. Such manipulation may well leave external or other interested parties confused as to what is real or unreal, or true or false, in a published set of financial statements. Accounting techniques are normally chosen to produce more meaningful financial numbers, and any changes in these techniques will usually be clearly indicated in the notes to the accounts. In contrast, creative accounting is more often applied as way of hiding a particularly bad performance. The management may opt for accounting techniques that will give the impression of an exceptionally good year, or one that presages a sound financial performance in the future. Reported results may be smoothed out to give an impression of stability or sustained improvement, or to boost assets to avoid takeover (Mulford and Comiskey, 2002). Another benefit that management may derive from this practice is to influence the confidence of shareholders by being able to report stable earnings or positive changes in anticipated income. It is difficult to draw a line in regard to creative accounting practices because of the complexity of business transactions, which may make it difficult to detect misstatements or omissions. GAAP offers various accounting methods for companies to choose from, and which method a company adopts will depend on the nature of its business. The availability of these different methods provides options for companies to choose the one that best projects their financial performance. Although GAAP requires consistency in the adoption of an accounting method, some companies may exploit the

3

NEW INSIDE PAGES FINAL copy.indd 3

13/02/2012 12:58

Effective Auditing for Corporates opportunity to use more than one over the years. Even with the restrictions imposed by rules, regulations, and standards, there are many ways in which accounting methods can be manipulated that give scope for a wide range of creative accounting practices. For example, the ambiguity that arises in the area of provision expenses and valuation of assets could lead to the adoption of methods that favor the company but not the stakeholders. The loopholes in certain accounting areas, or unclear definitions in financial reporting standards, may also provide opportunities for the financial players to manipulate the numbers—sometimes very aggressively. In many instances creative accounting practices are associated with fraud. There is a high possibility that misstatements are the result of the managers misrepresenting the company’s true financial condition. A misstatement may be attributed to changes in the regulatory requirements or accounting rules, or it may be part of a management strategy on earnings (Coffee, 2004). Management has a strong incentive to manage earnings in order to maximize its own compensation, particularly when compensation is based on measures of earnings (Kothari, Leone, and Wasley, 2005). Maximizing compensation is not the only incentive for managers to engage in creative accounting practices, as shown in Figure 1. Figure 1. Expected rewards of creative accounting practices Maximized compensation Lower income taxes

Increased share price

Improved debt ratings Boost profitsharing bonus Lower interest cost of debt

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recognized that frauds went to the very top of many organizations in which a significant portion of the company was owned by founders and board members. COSO’s 1999 study “Fraudulent Financial Reporting: 1987-1997” has found that in 72% of cases the CEOs appeared to be associated with the financial manipulation. It showed that managers had incentives to manipulate earnings around the specific, predictable events of the periodic earnings reporting as they expected the returns to be rewarding. “In many instances, creative accounting practices are associated with fraud. There is a high possibility that misstatements are the result of the managers misrepresenting the company’s true financial condition.”

4

NEW INSIDE PAGES FINAL copy.indd 4

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud Whether creative accounting practices result in fraudulent financial reporting depends on the intentions of the managers. Fraud and error, although both show up as misstatements, differ in substance depending on whether intention is present or not. Fraud occurs when a misstatement is made with knowledge of its falsity and there is an intention to deceive, whereas error is not deliberate and there is no intention to deceive other parties. Although not all creative accounting practices amount to fraud, it is sometimes hard to distinguish between fraud and creative window-dressing in financial statements. The International Standard on Auditing 200 (ISA 200) requires that an audit be designed to provide reasonable assurance that both errors and frauds in the financial statements are detected, and the audit must be planned and performed with an attitude of professional scepticism and due professional care. Hence, auditors need to be vigilant for the indicators of creative accounting practices. They are required to detect the “red flags” of creative accounting practices that may signal fraudulent financial reporting. These flags may not necessarily indicate fraud, but auditors need to be on the alert for them. A failure to conduct an audit with proper care may expose the auditor to potential legal liabilities.

Areas of Possible Manipulation and the Red Flags Signaling Fraud

There are various ways companies can maneuver their financial reporting through the wide range of accounting treatments allowed in GAAP as well as beyond what is set out in accounting standards. Some of the methods may be considered legal, while other techniques are totally unacceptable and illegal. The practices of creative accounting can be summarized under five main categories, as shown in Table 1. Table 1. Categories of creative accounting practices, with examples Use of different accounting methods

Subjective or estimated quantities

Artificial transactions

Structuring of corporate transactions

Timing

• For instance, the choice of inventory method: a company may choose between a first in, first out or last in, first out method for inventories. • The choice of accounting depreciation: straight line and accelerated depreciation methods. • The company can choose the accounting policy that conveys a preferred image.

• Certain entries in the accounts involve an unavoidable degree of estimation, judgment, and/ or prediction. • Estimation of numerous future economic events such as expected lives and salvage values of longterm assets, obligations for pension benefits and other postemployment benefits, deferred taxes, and losses from bad debts or asset impairments.

• Artificial transactions can be entered both to manipulate balance sheet amounts and to move profits between accounting periods. This is achieved by entering two or more related transactions with an obliging third party, normally a bank.

• For example, business combinations can be structured to qualify for pooling or purchase accounting. • Lease contracts can be structured so that lease obligations are on- or offbalance sheet • Equity investments can be structured to avoid or require consolidation.

• Genuine transactions can also be timed so as to give the desired impression in the accounts. • The timing of inventory shipments or purchases, or of receivable policies, which will affect cost allocations and net revenues. • Selection to make or defer expenditures, such as R&D, advertising, or maintenance

Adapted from Amat, Perramon, and Gowthorpe (2007) and Healy and Wahlen (1999).

5

NEW INSIDE PAGES FINAL copy.indd 5

13/02/2012 12:58

Effective Auditing for Corporates Dishonest management has lucrative options in its choice of accounting methods for the recording of inventory amounts and asset depreciation. This flexibility, legitimate use of which is allowed by GAAP, offers opportunities to exaggerate or minimize company profits. Managers may also attempt to manipulate earnings where judgment or estimation of certain accounts is needed in the financial reporting. Determining the amount of certain expenses—for example, provision for doubtful debt and impairment of securities—can involve high levels of ambiguity. Companies may artificially recognize profits before they are realized, or they may try to book leased assets into the balance sheet. Another method is through the structuring of transactions to alter financial reports to either mislead stakeholders about the underlying economic performance of the company, or to influence the outcomes of contracts that depend on reported accounting numbers. This is especially true when some off-balance sheet items, such as commitments and contingencies, are exploited to project a better financial position. Timing is another area that managers can manipulate to show a better than actual financial position, an example being the deferment of recognition of R&D costs. Some companies may apply several techniques in making their accounting figures appear to be in good shape. Parmalat, one of Italy’s largest industrial empires, concealed billions of euros of debt through fictitious sales by its shell companies, as highlighted in Figure 2.

PARMALAT CASE

Figure 2. Example of creative accounting practices at Parmalat Multiple fraud schemes being applied by Parmalat

In one scheme, numerous shell companies were set up to generate bogus profits to cover up the €14.3 billion of debts

The shell companies were also used as a tool to hide the company‘s debt through intercompany transfers and a double-billing system that was used to formulate fictitious sales

There are countless ways in which companies can manipulate their financial statements, and in most cases the red flags or fraud indicators which suggest that fraud might be happening are just too obvious to ignore. For instance, when a company relies heavily on external debt, it tends to manipulate its revenue to demonstrate that it has the ability to pay off the debt. Management is under pressure not only from the high level of debt itself but also from the large interest payments incurred, which affect profits and reduce cash flow. Large debts increase the tendency for managers to engage in creative earnings management practices (see, for example, Beatty and Weber, 2003). Auditors should therefore be on the lookout for “red flags” if their client is highly leveraged as past experience indicates a linkage of creative accounting practices with such leverage. Late submission of financial statements can also be a warning signal. Failure to submit a company report on time may happen for many reasons: the company may be in financial difficulty, there may be disagreement among management, or regulatory requirements may not have been complied with. Any one of these could be the factor

6

NEW INSIDE PAGES FINAL copy.indd 6

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud that pushes management into adopting creative accounting practices, so that in cases of late submission auditors should be especially alert for indicators of fraud. The prevalence of cases of alleged manipulation of financial statements suggests that the currently available tools for financial analysis and other methods that have been used to detect such practices have failed to detect the manipulation activities. It shows that additional tools are urgently required to detect the red flags of creative accounting practices that, if taken too far, may lead to fraudulent financial reporting. One of the tools that can be exploited for this purpose is the creative accounting checklist.

A Checklist to Detect Creative Accounting Practices

A tool for detecting the red flags of fraud has been discussed thoroughly by Mulford and Comiskey in their book, The Financial Numbers Game: Detecting Creative Accounting Practices (2002). Although the authors suggested many types of criteria, not all the information required would be directly available in the company’s financial reports. Hence, in developing the creative accounting checklist presented here, we have modified the method introduced by Mulford and Comiskey to only include revenue, assets, and amortization criteria, as shown in Table 2. Table 2. Creative accounting checklist (modified after Mulford and Comiskey, 2002) No.

Item Revenue checklist

1.

Does the company have a right of return policy?

2.

Has there been any change in revenue recognition policy?

3.

Was the revenue of the company recognized before the product/service was available?

4.

Does the company have the physical capacity to generate the reported revenue? Assets checklist

5.

Has the company changed its credit policy?

6.

Have payment terms been extended?

7.

Has the company changed its inventory method?

8.

 as the company reclassified its properties, plants, and H equipment (PPE)? Amortization policies checklist

9.

 as the company extended the amortization and H depreciation period for capitalized costs?

10.

Is there an example of a prior-year write-down of assets that became value-impaired?

11.

Is there any reason to believe that normal operating expenses are converted to reserves?

7

NEW INSIDE PAGES FINAL copy.indd 7

13/02/2012 12:58

Effective Auditing for Corporates Revenue is the most common item to be manipulated by management as there are too many alternative ways to recognize it, whether through legal or illegal techniques (Albrecht et al., 2009). The two most common practices are premature recognition of revenue and overstatement of revenue. The former involves recognizing revenue from legitimate sales in a prior period, while the latter entails the recording of more revenue than is actually realized. These two practices—which in some cases may be hard to distinguish—can be used to show a greater earnings capacity than is actually the case. Similarly, assets are often overvalued in an attempt to bolster the company’s financial position and net worth. Besides such overvaluation of assets, which is usually perpetrated by management, misappropriation of assets is one of the most common frauds committed against a company, and this is usually done by internal staff. As assets have a close link with revenue, there can be a strong motivation to creatively alter asset figures in the balance sheet. Amortization is the deduction of capital expenses over a specific period of time, usually the life of the asset. This means that amortization is related in one way or another to the assets and revenue of a company. One of the most common techniques used by companies to improve the financial figures is to extend the amortization period. When the amortization period is extended, expense recognition is postponed to a later period, which results in a boost to the current earnings.

Application of the Creative Accounting Checklist—A Preliminary Study

The modified creative accounting checklist shown in Table 2 was applied in a preliminary study conducted on the top 100 companies listed on the Bursa Malaysia Berhad (financial institutions were excluded) using financial reports for the year 2008. Each annual report was analyzed using a content analysis method. The 11 indicators in the checklist were measured using a score of 0 or 1; 0 was given for each item in the checklist with a “no” answer, and a score of 1 was given to each item with a “yes” answer. Thus, for the three categories in the checklist— revenue, assets, and amortization—the maximum possible scores are 4, 4, and 3, respectively. The maximum overall score on the checklist as a whole would, of course, be 11. The companies we studied scored in the range 0 to 5. Figure 3 shows the results for the top-scoring 23 companies—those with a total score in the range 3–5. Two firms scored the highest (5), two scored 4, and the remaining 19 firms scored 3. These scores were attributable to high scores in the revenue category, which could indicate that revenue is one of the main areas for manipulation. The majority of the top 23 companies scored 1 to 2 in the assets category, whereas about half of the 23 companies scored 1 in the amortization category, with none scoring 2 or 3. This indicates that there is no apparent pattern of possible manipulation in the assets and amortization categories.

8

NEW INSIDE PAGES FINAL copy.indd 8

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud Figure 3. Frequency analysis of 23 companies with highest checklist scores

9% 9%

Score 5 Score 4

82%

Score 3

Figure 4 gives a detailed breakdown for the four top-scoring firms (those with total checklist scores of 5 and 4). Firm D, an oil and gas company, scored the highest mark, of 3, for an individual category, revenue, but scored 0 in the amortization category. Firm C, a property development company, obtained the highest score (3) in the assets category, but scored 0 in the revenue category. The highest overall score of 5 was turned in by Firm A and Firm B, both of which are sizable companies with crossborder, diversified businesses. Figure 4. Checklist score breakdown for the top-scoring four companies

Checklist score

6 5 4 3 2 1 0

Firm A

Firm B Revenue

Firm C Assets

Firm D Amortization

The score breakdowns presented in Figure 4 may reflect the actual financial predicaments of some of these companies. For example, in 2010 Firm B sought legal counsel following a major loss of Malaysian ringgit (MYR) 2.1 billion, although it had had very good years prior to that. The loss incurred was related to cost overruns on four projects over the last few years, including the building of oil and gas installations in Qatar, the Bakun hydroelectric project in Sarawak, and a marine project involving the construction of vessels for use in the Qatari project. Hence, it is not surprising that the company should have a high creative accounting score for its 2008 annual report.

9

NEW INSIDE PAGES FINAL copy.indd 9

13/02/2012 12:58

Effective Auditing for Corporates With Firm A, on the other hand, no obvious issue has surfaced in recent years, but the company has been under close scrutiny because of its volatile return on assets, which swung from 66% in 2009 to 44.5% in 2010, and a gradual loss of market share to a close competitor. This company has been in stiff competition with its rival and acquired a large tranche of new assets in 2009 to beef up its operations. Thus, with a score of 2 in the assets category, a careful analysis of the company’s reported figures relating to assets might be worthwhile. Case Study

Two Companies in Malaysia Using Creative Accounting

In recent years several companies in Malaysia have been involved in misstatements of financial information in their annual reports that led to investigations by the Securities Commission Malaysia (SCM) and the Bursa Malaysia Berhad (BMB), the securities market regulators. Here we will will look at two anonymous cases, both of which involve public listed companies in Malaysia, and consider the question of how auditors could have helped in detecting the creative accounting practices.

Company T Company T, founded in 1996, is a leading custom air cargo carrier offering a full range of services for express shipping with an average annual turnover of MYR 700 million. In May 2007 the company’s shares saw a massive sell-down following the announcement of findings from a special audit conducted pursuant to the alleged unreliability, discovered by the company’s newly appointed auditor, of its consolidated results for the financial year ending December 31, 2006. The special audit found that the company’s revenue for 2005 and 2006 had been overstated by more than MYR 500 million through recognition of revenue that had yet to crystallize. The overstatement of revenue for the financial year ending December 31, 2005, involved the recording of invoices issued for purported services to 19 companies totalling MYR 197 million. In the financial year ending December 31, 2006, the same modus operandi had been applied, resulting in the false recording of 20 invoices totalling MYR 333 million. This misreporting represented overstatements of 36% and 30%, respectively, of the company’s consolidated revenues for the years ending 2005 and 2006 and changed what would otherwise have been pretax losses into pretax profits. A further audit extended back to the financial year ending December 31, 2004, showed a similar modus operandi that resulted in an overstatement of revenue by approximately MYR 95 million. However, the findings for that financial year could not be fully substantiated as the documentation needed for further testing had not been completed. This saga led the SCM to charge three executives of Company T, including its founder, with misreporting of financial information. This case shows that creative accounting practices can extend back many years before they are detected. Many questions have arisen as to why the previous auditor failed to bring the issue to light during the normal course of auditing the financial statements for the years ending 2005 and 2006. Provided that the audits were conducted with due care and consideration and all relevant audit procedures were undertaken, the auditor should have discovered frauds of that magnitude. Nevertheless, this did not happen and stakeholders had to wait for the newly appointed auditor to spot that something was wrong with the company’s financial statements.

10

NEW INSIDE PAGES FINAL copy.indd 10

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud Some creative accounting practices may represent a fine line between manipulative finessing and fraud that would be difficult to distinguish. As the case of Company T illustrates, premature recognition of income from purported sales that involve significant amounts is too obvious an indicator to go unnoticed for several years. It is very perplexing to ponder on the possibility that the auditor was not able to spot even a trace of such indications of malpractice. Sometimes more palpable creative accounting practices are employed, but still auditors fail to detect them, as is shown by the next case.

Company M Company M used to be the largest manufacturer of optical data storage media in South East Asia. Founded in 1994, the company’s ability to cater to its clients’ specific needs and its reputation as a reliable manufacturer garnered it a prominent base of global clients. Nevertheless, in 2007 things took a different turn for the company. About a year before that, in June 2006, the company had talked about a “sterling fourth quarter” for its financial year ending April 2006. However, in April 2007 the company announced that two of its major subsidiaries had defaulted on maturing trade facilities. A preliminary investigation report highlighted “substantial irregularities” in the subsidiaries’ financial statements, including fictitious trade creditors and debtors, undisclosed related party transactions, and a deposit payment of MYR 211 million for production lines that appeared to be fictitious. The investigation also uncovered misstatements of inventories arising from closing stock balances being inflated by as much as MYR 100 million. The other major fraud was the amount of trade receivables as a result of fictitious trade debtors, which had been booked as MYR 334 million. Based on the investigation’s findings, it was concluded that the misstatements in the company’s financial statements had been going on and had accumulated over a number of years. Misstatements of the revenues and cost of sales dated back to at least the financial year ending April 2005. Misstatements in the balance sheet that included inventories, trade receivables, and prepayments also went back as far as the financial year ending April 2005. Soon after the investigation report was released in December 2007, the SCM charged the company’s former financial controller and the executive chairman with making false statements. The SCM also obtained an arrest warrant against the company’s executive director. The company was unable to sort out its financial woes, which was not surprising considering that a large chunk of its past revenues had been falsified. It failed to submit a regularization plan to the authorities and was delisted in April 2008. It has since been declared bankrupt. As with Company T, this case was another shock to the Malaysian corporate community. The public too is awed at how far companies can manipulate financial figures to make their performance look good. Some of the creative accounting practices employed are so obvious but yet so deceptive, and the companies we have looked at may have gone the extra mile to meticulously cover up their tracks. Putting the issue of auditor independence aside, companies appear to know the tricks of fooling auditors, and some have done so successfully as our two case studies show. It is daunting that frauds of this scale went undetected for several years despite the fact that auditors went through the financial statements. Performed with reasonable care, the audits should have flagged that things might not be all they were claimed to be in such financial statements. This makes us wonder how companies that have creatively manipulated their financial statements to this extent could have deceived the auditors. Another question of equal importance is whether the auditors are doing their work properly.

11

NEW INSIDE PAGES FINAL copy.indd 11

13/02/2012 12:58

Effective Auditing for Corporates Detecting Creative Accounting Practices—What Can Be Expected of Auditors?

An audit conducted in accordance with International Standards on Auditing (ISAs) is designed to provide reasonable assurance that the financial statements taken as a whole are free from material misstatements. Although the ultimate responsibility for the prevention and detection of fraud and error rests with those charged with governance, auditors can still be held liable in the event that financial statements are misstated. However, when we take into account that auditors have to work within limitations, it would be extremely costly, and probably impossible, for them to find all the misstatements in a financial report. The limitations faced by auditors—the inherent limitations of internal controls, the fact that only sample testing can be done, time and cost factors, and the limitations of human resources—however, do not release them from the responsibility of uncovering material misstatements that would adversely affect the interests or decisions of the users of a financial statement. If we view creative accounting as a practice that may lead to actual misrepresentation and falsification in the financial statements, it is clear that auditors should equip themselves with the appropriate principles, techniques, and tools to detect such practices, as shown in Figure 5. Figure 5. Auditors and the detection of creative accounting practices

Auditor and red flags

Principles

Dete accouction of c nting reativ pract e ices

Techniques and tools

The principles of professional scepticism and due professional care are the two most important conventions that auditors should uphold. ISA 200 requires that an audit be designed to provide reasonable assurance of detecting both material errors and fraud in financial statements, and this obviously has relevance to creative accounting practices. In accomplishing this objective, the audit must be planned and performed with an attitude of professional scepticism. Professional scepticism is an attitude that includes a questioning mind and critical assessment of the audit evidence. The auditor should not accept every management assertion at face value; in saying that, he or she should not assume that management is dishonest, but the possibility of dishonesty must be considered. The due professional care principle requires the auditor to apply the care and skills expected of reasonably prudent and competent auditors. It concerns what the auditors do and how well do they do it. Auditors must possess the level of skills commonly possessed by other auditors and they must exercise these skills

12

NEW INSIDE PAGES FINAL copy.indd 12

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud with reasonable care and diligence. If after conducting the audit with professional scepticism and due professional care an auditor still cannot detect unwarranted creative accounting practices, then the auditor has satisfied him or herself that they have done everything within their means to assert the accuracy of the financial report. The auditor’s approach should be: trust—but verify! “Although the ultimate responsibility for the prevention and detection of fraud and error rests with those charged with governance, auditors can still be held liable in the event that financial statements are misstated.” Auditors are expected to have knowledge of suitable techniques and tools that enable the effective detection of creative accounting practices. The creative accounting checklist we have presented here is one tool that can be used by auditors to enhance their ability to detect these practices. Nevertheless, auditors should bear in mind that the checklist will not be able to provide a conclusive finding. It is just a tool to enable them to reach a more informed conclusion on whether or not financial statements may have been creatively altered. Apart from the creative accounting checklist, auditors can explore many computer-assisted tools that offer a wide variety of applications. These tools, such as fraud detector (Cerullo and Cerullo, 2006), can examine data faster and more accurately and generate reports on exceptional or unusual items in the financial statements. Auditors are also expected to have an understanding of the most common forms, indicators, and warning signs—better known as red flags—of creative accounting practices that could indicate fraud. The red flags may not be indicators in themselves, but taken together collectively they may indicate an increased motivation to commit fraud. Audit risk represents the risk that auditors will opine that financial statements are fairly stated and an unqualified opinion can be issued when in fact they contain material misstatements. Audit risk will be high in the event that auditors fail to exercise due professional care in detecting creative accounting practices that eventually prove to be fraudulent. Faced with high audit risk, auditors are exposed to legal consequences that could be instigated by clients, shareholders, or third parties such as creditors (Figure 6). Figure 6. Auditors’ legal relationships Pay audit fees

Client

Auditor Provide audit services

Conduct of audit and auditor‘s report

Third parties (creditors, employees, regulators)

Shareholders

13

NEW INSIDE PAGES FINAL copy.indd 13

13/02/2012 12:58

Effective Auditing for Corporates As shown in Figure 6, auditors are expected not only to serve the client but also to meet their responsibilities and duty of care to shareholders and third parties. Hence, in the event that there is a breach of duty of care, these shareholders and stakeholders may sue the auditors for negligence. Thus, in minimizing the legal risk, auditors should exercise due professional care and embrace professional scepticism in their work. “Financial manipulation at many times could be rewarding favourably to the companies which include improved share price, debt ratings, interest costs, restrictions from debt covenants, and profits.”

Summary There are many methods that management can use to cover up poor financial performance or to boost the company’s earnings. These practices may be both within and beyond the boundaries of Generally Accepted Accounting Principles (GAAP). The methods include switching between different accounting methods; exploiting subjective estimations of certain financial numbers; the creation of artificial transactions; the complexity of business transactions and corporate structure; and the manipulation of income recognition across different time periods. Such practices may be difficult to detect, and sometimes it is hard to distinguish between legal and illegal practices. Companies have many reasons to turn a blind eye to manipulation by management with regards to financial reporting. Financial manipulation can create improvements in share price, debt ratings, interest costs, restrictions from debt covenants, and profits. The rewards for those people involved in preparing the financial numbers can be lucrative as well, especially if management compensation packages are based on financial performance. Hence, auditors should be careful to examine management compensation packages that are based on financial performance to ensure that the latter is reported truly and accurately. In conducting an audit, auditors should bear in mind the following points. 8 Creative accounting practices may often be tantamount to misleading the users of financial statements, and auditors should always be alert to the possibility that they amount to actual fraud. 8 Creative accounting practices that may indicate the presence of fraud are more worrying than accounting errors. 8 Auditors need to increase their vigilance in conducting audits, especially if the indicators of creativity raise suspicions that the purpose may be to fraudulently manipulate the accounts. 8 Detecting creative accounting practices is not an easy task, but auditors should not pass on their responsibilities to others. 8 If the task of detecting creative accounting using normal audit procedures is too difficult, auditors should consider seeking other methods to detect such practices. 8 Understanding the issue of creative accounting will help auditors to ensure a high quality of financial reporting and to maximize returns to stakeholders.

14

NEW INSIDE PAGES FINAL copy.indd 14

13/02/2012 12:58

Auditors’ Roles in the Detection of Financial Fraud More Info Books: Albrecht, W. Steve, Conan C. Albrecht, Chad O. Albrecht, and Mark Zimbelman. Fraud Examination. 3rd ed. Mason, OH: South-Western Cengage Learning, 2009. Coffee, John C., Jr. Gatekeeper Failure and Reform: The Challenge of Fashioning Relevant Reforms. Oxford: Oxford University Press, 2006. Mulford, Charles W., and Eugene E. Comiskey. The Financial Numbers Game: Detecting Creative Accounting Practices. Hoboken: NJ: Wiley, 2002. Articles: Amat, Oriol, Jordi Perramon, and Catherine Gowthorpe. “Manipulation of earnings reports in Spain: Some evidence.” Journal of Applied Accounting Research 8:3 (2007): 93–115. Online at: dx.doi.org/10.1108/96754260880001055 Beatty, Anne, and Joseph Weber. “The effects of debt contracting on voluntary accounting method changes.” Accounting Review 78:1 (January 2003): 119–142. Online at: dx.doi.org/10.2308/accr.2003.78.1.119 Cerullo, Michel J., and M Virginia Cerullo. “Using neural network software as a forensic accounting tool.” Information Systems Control Journal 2 (2006). Online at: tinyurl.com/8xkvufc Healy, Paul. M., and James. M. Wahlen. “A review of earnings management literature and its implications for standard setting.” Accounting Horizons 13:4 (December 1999): 365–383. Online at: dx.doi.org/10.2308/acch.1999.13.4.365 Kothari, S. P., Andrew J. Leone, and Charles. E. Wasley. “Performance matched discretionary accrual measures.” Journal of Accounting and Economics 39:1 (February 2005): 163–197. Online at: dx.doi.org/10.1016/j.jacceco.2004.11.002 Reports: Beasley, Mark S., Joseph V. Carcello, Dana R. Hermanson, and Terry L. Neal. “Fraudulent financial reporting: 1987–1997: An analysis of US public companies.” Committee of Sponsoring Organizations of the Treadway Commission (COSO),1999. Online at: tinyurl.com/7l4ogtf International Federation of Accountants (IFAC). “International Standard on Auditing 200 (ISA 200): Overall objectives of the independent auditor and the conduct of an audit in accordance with international standards on auditing.” IFAC. Online at: tinyurl.com/6pz48a9 Websites: Bursa Malaysia Berhad: www.bursamalaysia.com/website/bm International Federation of Accountants (IFAC): www.ifac.org

15

NEW INSIDE PAGES FINAL copy.indd 15

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 16

13/02/2012 12:58

Cultural Changes in External Auditing by Jyothi Manohar Accounting, Audit, and Consulting Professional, Philadelphia, Pennsylvania, USA

This Chapter Covers 8  How external auditing has evolved over the years, and factors that have impacted cultural changes in external auditing over the last century. 8  The users of financial statements are now a much wider group. They now include any individual or entity that has a vested interest in a business’s financial condition, such as lenders, regulators, or government departments. 8  Companies have changed from being focused on one line of business to become more complex organizations with many lines of business through multiple ownership structures and across international borders. 8  The globalization of business and information technologies that are advancing by leaps and bounds have dramatically changed the manner in which business is conducted—from paper-based to electronic-based to Internet-based, and now via mobile devices. 8  Accounting rules used to be simple. With all the changes in the business world and the development of a single, global marketplace, accounting standards have proliferated into complex requirements that are both rule- and principle-based. 8  The clamor for better corporate results, global competition, and a greed for the rewards of corporate success have led to major accounting fraud and company failures. This has resulted in vast changes in the rules of corporate governance and in the role and accountability of both the audit committee and the external auditor. 8  Since business was largely male-dominated, auditing used also to be a primarily male-dominated profession. It has evolved into a profession that has competing numbers of male and female professionals and changing perspectives.

Introduction

This chapter focuses on external audits of financial statements. The objective of an external audit is to conclude that financial statements are, or are not, fairly presented in accordance with appropriate accounting standards. Consequently, a knowledge of accounting is a prerequisite for auditing. An auditor of financial statements must, therefore, have a thorough understanding of the accounting rules and other regulations that impact the financial statements that are being audited. This understanding, in turn, must be preceded by a thorough understanding of the business and industry in which the company presenting the financial statements operates. Cultural changes in auditing have evolved with the multifaceted nature of business, a global marketplace, advancing technologies, a clamor for comparable, timely, and transparent information on which to base business decisions, corporate accounting fraud and corporate failures, and all the consequences that flow therefrom.

17

NEW INSIDE PAGES FINAL copy.indd 17

13/02/2012 12:58

Effective Auditing for Corporates The Users of Financial Statements

Although audits of exchequers, royal vaults, trusts, bequests, and accounts have a long history in many countries in the world, the modern concept of “independently validating and providing reasonable assurance (positive or negative) as to the accuracy, fairness, reasonableness or compliance with regulations,” i.e. the independent audit of a business entity’s financial numbers began with the industrial revolution and the founding of formal stock exchanges across the world during the 1800s. The regulatory requirement for external audits of companies whose stock traded on these exchanges generally became prevalent in different countries during the 1930s. This happened when the securities and exchange commissions (or similar regulating authorities) in different countries required that companies listed on public stock exchanges and whose stock traded on those exchanges should, among a myriad of other regulatory requirements, have the “fair presentation” of their financial statements attested by a third party that was fully independent of the management and operations of the company. In other words, an external auditor should have no stake in the ownership of, or receive any other type of benefit or remuneration from, the company he or she was auditing. The intent was that the “users” of the financial statements—in this case, the investors in the respective companies—should have reliable financial information on which to base their investment decisions. Further, independent or “external” auditors were viewed as being qualified in their knowledge of the accounting rules applicable to the company being audited and unbiased in their approach to validating the books, records, and transactions of the company which were translated into financial statements in a manner that was “generally accepted” and understood by the investing public. Over the years, the “users” of financial statements have mushroomed. Depending on the nature of the business and the industry in which it operates, the individuals, regulatory authorities, governments, financial institutions, funders, and other entities that use and rely on an entity’s financial information have changed. For instance: 8 A  not-for-profit or charitable organization does not have ownership through stock holdings and is not listed on a stock exchange. However, it may receive funding, charitable donations, grants, or bequests from other business entities, individuals, or government agencies. All of these sources of funding (the users) would have an interest in the financial statements of the not-forprofit organization to ensure that the monies they have provided are being used for the purpose intended. 8 Companies in regulated industries such as financial institutions, insurance companies, pharmaceutical companies, utility companies, airlines, etc., may or may not be publicly traded on a stock exchange but must follow the regulatory requirements of their respective regulators. In these instances, the regulators, in addition to other stakeholders, are “users” of the company’s financial statements. The regulators have an interest in ensuring that reliable financial information is being produced to help them to monitor the stability of the company and to ensure that the company complies with applicable regulations. 8 Federal, state, and local governments, municipalities and school districts are all recipients of revenues from individuals and business organizations in the

18

NEW INSIDE PAGES FINAL copy.indd 18

13/02/2012 12:58

Cultural Changes in External Auditing form of levies and taxes. Their expenditures are intended to be for the public good in the form of infrastructure (roads, bridges, waterways, libraries), social programs, education, support for low-income families, healthcare, etc. Members of the general public are “users” of government agencies’ financial information in that we are interested in making sure that our tax payments are being put to appropriate use. 8 Small businesses, owned by individuals or families, are the unseen and unheard mainstay of national economies all over the world. These small business entities turn to financial institutions and other funding sources for loans that will fund different aspects of their business. Increasingly, their banks or credit unions have become “users” of financial information and are requiring external auditors to provide reasonable assurance as to the financial condition and income-producing capabilities of the businesses for which they provide financial support. As the users of financial statements and the corresponding utility of financial information have become more diverse, the method of presentation of financial information has evolved from merely accumulating numbers to also include disclosures relating to the numbers and, in many cases, compliance with relevant laws and regulations that govern the presentation of financial information. It follows, therefore, that accounting standards vary widely from industry to industry and often from country to country. The financial presentation for each is unique. The external auditor has to develop the knowledge and expertise to adapt to the requirements of each type of financial statement presentation in order to provide “reasonable assurance” as to fairness.

Accounting Standards and the Globalization of Business

In order for the external auditor to effectively conduct an audit and conclude on the fair presentation of financial statements, it is critical that he or she understand the applicable accounting standards. As accounting has changed over the decades, so has the culture of external audit.

Accounting Methods

Accounting has evolved from Luca Pacioli’s double-entry system in the late 1400s to modern day approaches. While debits and credits still form the keystones of all accounting standards, the British (and some of the countries that were previously British colonies, like India) use the traditional approach in which accounts are classified by their nature as real, personal, or nominal, while countries like the United States and Canada use the accounting equation approach in which the balance sheet must reconcile, i.e. Assets = Liabilities + Equity. Accounts are classified as assets, liabilities, equity, income, and expense. Irrespective of the approach, the concept is the same: the difference between income (or revenue) and expenses represents net income (or loss), which in turn is absorbed into equity (or capital). The balance sheet represents the financial condition of an entity as of a point in time, while the income statement (or statement of operations) represents the activity for a fiscal year. What initially started as the cost method of accounting, where all account balances and transactions were stated at cost and recorded on a cash basis—i.e. when cash

19

NEW INSIDE PAGES FINAL copy.indd 19

13/02/2012 12:58

Effective Auditing for Corporates was actually exchanged—evolved into accrual-basis accounting, i.e. when revenue was earned and expense incurred as opposed to when cash was transacted. With the advent of selling goods and services on credit, accrual-basis accounting became the norm, although cash-basis accounting is still widely prevalent, particularly for tax purposes. Over the years, the carrying (or reportable) value of different assets and liabilities, depending on the nature of each, has also diverged from historical cost to current cost and fair values.

Complexity of Business Organizations

Business organizations are not limited to single entities that conduct one line of business. The purpose and structure of business entities are as diverse as the world itself. Business transactions are not limited to the buying and selling of goods and services. Revenues can be generated from something as trivial as selling paperclips to items such as an office building, a shopping center, artwork, or a group of companies, from selling seats for travel by air, land or water, from renting space, cars, or equipment—in fact from any of a multitude of transactions. Services can be one-time, ongoing, contingent, or for a fixed fee. Assets no longer consist only of tangibles that can be physically perceived, but also of intangibles such as goodwill, trademarks, patents, royalties, intellectual property, and rights to future income streams. Business transactions that at first were generally conducted face to face were later done over the telephone, first nationally, then internationally, then remotely via fax and computers, and now, globally via the World Wide Web and mobile applications. As the complexity of business organizations, industries, and transactions has increased, and the sources and manner of revenue generation, asset, liability, and income creation have increased, so have generally accepted accounting rules and standards. While there are commonalities in accounting rules among industries and companies, there are additional unique accounting standards by industry— for example, airlines, insurance, financial institutions, broker-dealers, investment companies, and utilities.

Diversity in Accounting Standards

Most of the major developed and developing countries in the world have an accounting standard-setting body. For instance, the Accounting Standards Board (ASB) in the United Kingdom, the Financial Accounting Standards Board (FASB) in the United States, the Accounting Standards Committee of Germany (DRSC), and the Accounting Standards Board of Canada (AcSB). As a means of standardizing diverse accounting practices in a global marketplace and for global users of financial information, IFRS, or International Financial Reporting Standards were born, as promulgated by the International Accounting Standards Board (IASB), which replaced the International Accounting Standards Committee in 2001. The IASB was formed in cooperation among various countries in Europe, North and South America, and the Far East, with more and more countries today seeking to adopt IFRS. IFRS are “principles-based” standards as opposed to “rules-based” in that they require financial reporting based on the nature and substance of a transaction rather than following a specific rule related to that transaction. In addition to these standard-setters are governments and government agencies that also set unique government accounting standards.

20

NEW INSIDE PAGES FINAL copy.indd 20

13/02/2012 12:58

Cultural Changes in External Auditing Estimation in Accounting

It is common knowledge that accounting rules incorporate the use of judgment and estimates in many cases. This is especially true as it relates to the valuation of assets and, in many instances, liabilities. Loss contingencies, reserves for uncollectible receivables (whether accounts receivable or loans receivable), reserves for all types of asset impairment, the estimated useful life of an asset, and inventory valuation are all typical examples of accounting estimates. The introduction of fair value or “markto-market” accounting in the 1990s and its burgeoning influence on international accounting and reporting standards has significantly increased the underlying complexity of how certain asset or liability balances are derived. Earlier we made reference to the use of historical cost, current cost, or fair value to report financial statement balances. Relatively speaking, historical cost and current costs may be more readily determinable than fair value. Generally, the FASB has defined fair value as “the exchange price in an orderly transaction between market participants to sell the asset or transfer the liability in the market in which the reporting entity would transact for the asset or liability, that is, the principal or most advantageous market for the asset or liability…the definition focuses on the price that would be received to sell the asset or paid to transfer the liability (an exit price) not the price that would be paid to acquire the asset or received to assume the liability (an entry price).” Depending on where in the global marketplace a transaction is being conducted and who is conducting it, the fair value of an item (an investment security, a piece of real estate, a commodity, a loan, a car, a piece of equipment…you name it) could vary widely. It is easy to see why the fair value of an asset or liability, unless traded on a public exchange such as the stock market, as a basis for reporting would be complex, involving significant judgment and assumptions that must be elaborately explained in financial statement disclosures. The preceding paragraphs set the tone for what external auditors must know, understand, and indeed specialize in to effectively conduct an audit and issue an opinion on the financial statements prepared by a business.

Auditing Standards

The primary objective of the standard-setters is to ensure that the user of financial information is properly informed through transparency in financial reporting and that the public interest is served. The goal of the external auditor is to adhere to auditing standards, understand the business, rules, and reporting requirements of the auditee, maintain an unbiased viewpoint (through appropriate professional skepticism), obtain and document all the necessary evidence, and opine on the fairness of the financial information being presented. This not only includes the numbers that make up the account balances being reported, but also the narrative disclosures that accompany the numbers in the form of the “Notes to the financial statements.” As with accounting standards, generally accepted auditing standards (GAAS) in all major countries are issued and monitored by an appropriate standards board. For instance, in the United States the American Institute of Certified Public Accountants (AICPA) issues the standards by which auditors of nonpublic companies must abide.

21

NEW INSIDE PAGES FINAL copy.indd 21

13/02/2012 12:58

Effective Auditing for Corporates Public company auditors are governed by the auditing standards (AS) issued by the Public Company Accounting Oversight Board (PCAOB). In Japan, the auditing standards codified by the Business Accounting Council (BAC) and implemented by the Japanese Institute of Certified Public Accountants (JICPA) constitute GAAS. In Canada, the Auditing and Assurance Standards Board (AASB) has adopted International Standards on Auditing (ISA) as GAAS for the audits of financial statements. The International Federation of Accountants (IFAC) issues the International Standards on Auditing with the objective of providing guidance that will ensure high-quality audits. The auditing standards boards of many countries in the world are members of the IFAC.

What the External Auditor Must Know

In order for an external auditor to independently validate a financial statement balance, he or she must first understand the transaction that resulted in the balance. There are many questions to consider. 8 I n every case, have all the financial transactions impacting the company been captured, and if so, how did the account balance come about? 8 If an asset, does it exist, is it complete, is it valued properly, and does the company actually own the asset? 8 If a liability, is it valued correctly and is it complete? 8 If a capital account balance, does it properly represent the holdings of real shareholders? 8 If a revenue or income balance, is it real, is it complete, and was it earned in the reporting period? (And when or how is revenue recognized in a world of eBay, Groupon, Facebook, and Amazon?) 8 If an expense account balance, is it complete, and is it being reported in the correct amount and in the proper period. 8 Have there been any significant violations of laws or regulations that will have an impact on the financial statements? 8 How is the business doing in its industry and in its economic environment? Will it be viable to continue to do business in the near term? 8 Do all of the disclosures accompanying the basic financial statements (the balance sheet, the income statement, the statement of equity, the cash flow statement) properly reflect the business of the company, the nature of its transactions, and its business relationships and commitments? The answers to these questions will vary widely, depending on the type of company or organization under audit, the industry in which it operates, the state of the national or global economy impacting the industry, the complexity of its business transactions, its affiliated entities, whether it is standalone or part of a consolidated group, the number of its locations, its corporate governance, the quality of its management, internal operations and information systems, its technology infrastructure and whether its footprint is national, international, or global. The starting point for the auditor, therefore, is an understanding of each of these aspects of the company which he or she will audit. Needless to say, like the various branches of medicine and affiliated specializations, auditing has become a field where specialized training and expertise are required for an external auditor to meet professional standards and conduct an effective audit.

22

NEW INSIDE PAGES FINAL copy.indd 22

13/02/2012 12:58

Cultural Changes in External Auditing Cultural Evolution in Auditing

This is a rather dramatic cultural evolution! The very first external auditors likely went to the single location occupied by a company, looked at a few documents to support transactions, examined the assets that were on hand, made inquiries of company management and some external suppliers, asked a few questions and traced amounts of transactions to a handwritten ledger before they were satisfied that the numbers were proper. Auditing standards used to incorporate general standards, fieldwork standards, and reporting standards that have since mushroomed to cover fair-value audit guidance, special circumstances, and rules concerning independence and ethics disseminated by varying governing bodies. Auditing standards now variously address all of the following. 8 E  xpertise and exercising due professional care. All external auditors are expected to have the training and expertise necessary to carry out their responsibilities in compliance with GAAS. This standard includes a requirement to execute the audit in an unbiased fashion with appropriate professional skepticism. 8 Arrangement with the auditee to explain the roles and responsibilities of the external auditor and of company management. Specifically, this elaborates that company management is responsible for the quality of the financial statements and the internal controls that affect the financial statements. The latter requirements evolved with the corporate governance rules of the early 2000s. 8 Independence and accountability. Typically, the external auditor is evaluated and engaged by and reports to the audit committee of the board of directors or similar governing body that is charged with corporate governance and overseeing the financial reporting of the company. This accountability to a committee that is independent of the management of the company preserves the independence of the external auditor and prevents any influence by management over the audit process. As a result of the audit process, therefore, the external auditor is obligated by auditing standards to report specific matters, including deficiencies and exceptions noted, to the audit committee. 8 Quality control. This concerns the required levels of review within the external audit firm of work performed by an audit team to ensure that auditing standards have been met with respect to the nature of the company under audit. 8 Audit documentation and audit work-paper standards. What previously used to consist of handwritten sheets of paper supported by paper-based audit evidence has evolved into word-processed documents, spreadsheets, templates, portable document format (PDF) files, and various other electronic documents housed in electronic work-paper databases that can be more readily protected from modification and destruction (see the section “Corporate accounting fraud and corporate failures” below). Audit workpapers are housed on an external audit firm’s server in a remote location and are accessible by the firm’s authorized audit professionals from anywhere in the world through a personal computer or other portable device. (Gone are the days of files full of paper and audit trunks that were lugged around from one location to the next!)

23

NEW INSIDE PAGES FINAL copy.indd 23

13/02/2012 12:58

Effective Auditing for Corporates 8 Responsibilities relating to fraud in the financial statements. This standard has been in existence since the late 1990s and requires external auditors to consider the possibility of material fraud impacting the financial statements, but it has since been modified (in response to some of the major corporate fraud incidents of the early 2000s) to provide more specific guidance relating to the plan and design of external audit procedures to respond to the risk of fraud. Auditors are now required to address the potential for internal or external fraud that could have a material effect on the financial statements. Based on the auditor’s understanding of the company being audited, and of the internal and external changes that affect the company, fraud risk must be made part of an audit risk assessment at the entity level, account balance level, and transaction level. Planned audit procedures must include specific procedures to address any potential fraud risks identified in the risk assessment process. 8 Planning and assessing the risk of material misstatement in financial statements. This standard addresses the requirement for the auditor, as noted previously in this chapter, to gain a thorough understanding of the company under audit, identifying and evaluating all the internal and external factors that impact the company’s financial results and the risk that the financial statements may be significantly (or in audit parlance, “materially”) misstated. Evaluation of these factors and risks, particularly the design and operating effectiveness of the company’s internal controls (system of checks and balances) are expected to dictate the audit procedures that will be performed. This is a far cry from merely examining supporting documentation and vouching for receipts and disbursements. 8 Materiality in planning and performing an audit. Understanding that an audit of financial statements does not purport to examine all of the company’s transactions and does not attest to the financial statements being completely accurate, the concept of “fair presentation” involves testing, through sampling or other means, reasonable auditor assumptions and judgments and a degree of tolerance for potential errors. The level of tolerance is also dictated by the external auditor’s perception of how a user’s judgment will be affected by reading the financial statements. Materiality thresholds therefore guide auditors’ conclusions on whether an account balance is fairly stated (in other words, not materially misstated) and how exceptions and errors in account balances will be resolved. 8 Audit evidence, with specific considerations for certain items such as inventory, claims and litigation against the company under audit, segment information, etc. The legitimacy and validity of audit evidence has always been a high priority for external auditors. The move from paper-based evidence to electronic and cyber-based audit evidence, and the magnitude thereof, adds complexity to audit procedures. External auditor culture has evolved to adopt electronic audit tools and data-mining technologies and techniques to comply with the requisite auditing standards in a changing business world.

24

NEW INSIDE PAGES FINAL copy.indd 24

13/02/2012 12:58

Cultural Changes in External Auditing 8 Required auditing procedures, including: • external (or independent) third-party confirmation of account balances and transactions; • contractual commitments; • analytical procedures to examine the interrelationships among different aspects of financial information (e.g. capital ratios, ratios of reserves for loan losses to total loans, gross profit margin, current ratio, working capital ratios, efficiency ratios) as a means of identifying trends and, hence, misstatements in account balances; • audit sampling techniques to extract the most representative samples to test the fairness of account balances. 8 Auditing accounting estimates, including fair-value accounting estimates and related disclosures. The increasing number of estimates in financial reporting and the increasing trend toward fair-value accounting, as noted earlier, has resulted in changes in audit standards that became effective as recently as 2009, providing guidance to auditors on how to audit these estimates and related disclosures. In many instances, external auditors have had to use the expertise of valuation specialists as part of the audit team in order to meet auditing standards requirements to properly evaluate and conclude on the fair value of account balances. 8 Other special considerations, including special reports and circumstances, using the work of other auditors and experts, evaluating third-party service organizations used by the company under audit, consideration of laws and regulations in an audit of financial statements, additional audit procedures on initial audit engagements, subsequent events, related party transactions, going concern (whether the financial condition and near-term prospects of the company are conducive to the company continuing to be a viable business entity) 8 Content of the representation letter. Written representations from management have been a standard audit requirement for a long time. The content of the representation letter, however, has evolved with the times. Not only does management now attest to having answered all of the auditors’ inquiries and to having provided all the requested information, but, among other things, it also takes responsibility for the preparation of the financial statements and related internal controls, compliance with all applicable laws, regulations, and accounting and financial reporting standards, the evaluation of all appropriate estimates, and the accuracy and completeness of all balance-sheet accounts. 8 Reporting on the audit. The external auditor’s opinion has evolved consistent with the delineation of responsibilities between the auditor and management. The opinion letter clearly addresses the scope of the audit, the relevant accounting and reporting standards, qualifications (or caveats) to the opinion, and a positive or negative assurance as to the fairness of presentation of the financial statement.

25

NEW INSIDE PAGES FINAL copy.indd 25

13/02/2012 12:58

Effective Auditing for Corporates Take a look, for example, at the audited financial statements of Médecins Sans Frontières USA (see More Info). This is a not-for-profit organization, with its financial statements presented in accordance with US Generally Accepted Accounting Principles (US GAAP). The auditor’s opinion addresses the relevant accounting rules and how the auditor conducted the audit. Contrast these with the annual report of Royal Bank of Scotland (RBS) (see More Info). This is a multicompany parent holding company that is primarily in the financial services business. The financial statements have been prepared in accordance with International Financial Reporting Standards (IFRS). The auditor’s opinion addresses the scope of the financial statement audit as well as compliance with applicable regulations. The manner of presentation of the financial information varies with the nature and type of RBS’s industry, as does the auditor’s report.

Corporate Accounting Fraud and Corporate Failures

The most sweeping reform in external audit culture has been a response to large-scale corporate accounting fraud and corporate failures that resulted either from the fallout from fraud or from the economic and financial crises that have recently been gripping the globe. Accounting irregularities and scandals began in the 1990s and gained momentum to climax with catastrophic results in the early 2000s. The well-publicized incidents involving Enron, Parmalat, WorldCom, Tyco International, and AIG, to name but a few, revealed instances of company management, external auditors, and boards of directors falling down in their respective fiduciary, professional, and oversight responsibilities. External auditors were cited for altering and/or destroying audit work-papers and audit evidence to cover up their blatant failure to adhere to auditing standards. The result: the demise of what had been a prestigious international audit firm and loss of public (investor) confidence in large corporations and their external audit firms. This was the impetus for widespread changes that include, but are not limited to: 8 t he creation of additional regulatory bodies such as the PCAOB to create new rules for and to monitor the quality of work performed by external auditors of public reporting companies in the United States; 8 the prohibition of external auditors from providing non-attest services to the company under audit; 8 strict definitions for auditor independence and ethics; 8 corporate responsibility, requiring the chief executive officer and chief financial officer to take responsibility for the accuracy and completeness of financial statements and the effectiveness of internal controls over financial reporting; 8 additional rules governing conflicts of interest; 8 expanded financial reporting disclosures; 8 expanded penalties for criminal fraud and white-collar crime; 8 expanded disclosures relating to executive compensation. Although these changes were intended for publicly traded companies and their external auditors, other auditing standards boards that promulgate standards for nonpublic companies and government agencies have increasingly adopted similar standards, particularly in relation to the ethics, independence, and accountability of external auditors and how they report.

26

NEW INSIDE PAGES FINAL copy.indd 26

13/02/2012 12:58

Cultural Changes in External Auditing The global interdependence of business, coupled with widespread economic and financial crises, on the other hand, have thrown a spotlight on the ability of business entities, large and small, to survive. In assessing external factors that affect financial statements, auditors have had more occasions in the past few years to “qualify” their audit opinions to alert users of financial statements as to “the company’s ability to continue as a going concern.” Irrespective of the circumstances, the external auditor has to respond to what is critical for the users of a financial statement.

Summary External audit firms, whether global, regional or local, have expanded, restructured, affiliated, and positioned themselves to meet the new challenges and demands of a changed external audit environment. The image of a traditional external auditor—a man in a dark suit with a pocket protector—has evolved into competing numbers of men and women in the audit profession, agile with technology, ready to travel the world at a moment’s notice and adapting to a myriad of additional requirements and specializations within what was a staid profession. It is not uncommon for external auditors to have served in corporations or in industry, or in other professions such as law or teaching, prior to becoming auditors. The variety and depth of knowledge and expertise required to be an external auditor today necessitates that training for external auditors be ongoing, intense, specialized, and covering a wide variety of relevant subjects that extend beyond traditional accounting and auditing. The ongoing training keeps the auditor able to grapple with the dynamics of a rapidly changing work environment. Increasingly included on external audit teams are asset valuation specialists, actuarial specialists, regulatory compliance experts, and technology specialists. Changes in business culture will, of necessity, continue to spawn cultural changes in external auditing.

More Info Book: Girgenti, Richard H., and Timothy P. Hedley. Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated, and Digital Environment. New York: McGraw-Hill, 2011. Articles, Standards, and Reports: International Auditing and Assurance Standards Board (IAASB). “The clarified standards.” The final set of International Standards on Auditing (ISAs) and the International Standard on Quality Control. Online at: tinyurl.com/6pz48a9 Médecins Sans Frontières USA. “Financial statements and report of independent certified public accountants: December 31, 2010 and 2009.” Online at: tinyurl.com/6olgprp Royal Bank of Scotland. “Annual report and accounts 2010.” Online at: tinyurl.com/6p35yhn Wikipedia. “Luca Pacioli.” Online at: en.wikipedia.org/wiki/Luca_Pacioli

27

NEW INSIDE PAGES FINAL copy.indd 27

13/02/2012 12:58

Effective Auditing for Corporates Websites: Accounting Standards Board (AcSB; Canada): www.acsbcanada.org Accounting Standards Board (ASB; UK): www.frc.org.uk/asb/ Accounting Standards Committee of Germany (DRSC): www.drsc.de American Institute of Certified Public Accountants (AICPA): www.aicpa.org Auditing and Assurance Standards Board (AASB; Canada): www.aasbcanada.ca Financial Accounting Standards Board (FASB; US): www.fasb.org International Accounting Standards Board (IASB) and International Financial Reporting Standards (IFRS): www.ifrs.org International Auditing and Assurance Standards Board (IAASB): www.ifac.org/auditing-assurance Public Company Accounting Oversight Board (PCAOB; US): www.pcaobus.org

28

NEW INSIDE PAGES FINAL copy.indd 28

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years by Curtis C. Verschoor DePaul University, Chicago, Illinois, USA

This Chapter Covers 8 The Enron and WorldCom frauds led to the US Congress to enact the Sarbanes–Oxley Act of 2002 (SOX), which covers public corporations and their independent auditors. 8  Before SOX, regulation of the auditing industry was largely carried out by the industry and by auditors themselves. 8  This chapter discusses the costs and benefits of the provisions set out in the 11 titles, or sections, of the Act. 8  On the whole, the legislation is viewed as having been successful. The most negative comments relate to the costs of compliance with Section 404(b), which requires the independent auditor to express an opinion on the client’s internal controls over financial reporting.

Introduction

Two massive financial statement frauds were uncovered within months of each other in 2001–02: Enron and WorldCom. They capped a string of similar earlier fraud cases and became the trigger for the US Congress to overwhelmingly pass in July 2002 the most far-reaching legislation affecting public corporations and their independent auditors since the 1930s. Reflecting the diversity of subject matter covered, the Sarbanes–Oxley Act of 2002 (SOX) was known as the Public Company Accounting Reform and Investor Protection Act in the US Senate and the Corporate and Auditing Accountability and Responsibility Act in the US House of Representatives. Some of the various titles of the Act also had additional descriptive names. The many provisions of SOX apply to all companies that are publicly traded in markets in the United States regardless of their legal domicile or country of origin. Implementing various aspects of the legislation that affect companies headquartered in other countries has been slower than the progress in the United States. This has been particularly true in countries that have a less robust regulatory environment than that existing in the United States. The main thrusts of SOX (as well as of this chapter) involve three areas: 8 a total revision of the regulatory framework for the public accounting and auditing profession; 8 assignment of new responsibilities to senior management of public companies and to their boards of directors, particularly the audit committee; 8 other miscellaneous provisions.

29

NEW INSIDE PAGES FINAL copy.indd 29

13/02/2012 12:58

Effective Auditing for Corporates Perhaps independent auditors are the group that has been affected most significantly by SOX. Since auditing became a distinct occupation many hundreds of years ago, auditors have functioned largely as self-regulating professionals. Previous to SOX, important decisions—including setting the bar for entry into practice, promulgating the auditing standards auditors should use, determining the quality of performance in using those standards, and disciplining those who failed to practice properly in accordance with the standards—were tasks largely or exclusively performed by the auditing industry and auditors themselves. Although sentiment for a total repeal or significant overhaul of at least some of the provisions of SOX has lingered for years, most unbiased observers believe that, on the whole, the legislation has been successful in most areas. The most negative commentary about SOX has arisen because of the costs of compliance with the provisions of Section 404(b), which requires a company’s independent auditor to express an opinion on the adequacy of their client’s internal controls over financial reporting. Another SOX provision that was designed to protect employee whistleblowers from retaliation in cases of financial fraud has not resulted in success. The Act contains 11 titles, or sections, that set out specific mandates and requirements for financial reporting. The costs and benefits of the various provisions of SOX are discussed title by title more fully below.

Discussion of the Provisions of the Sarbanes–Oxley Act by Title Title I: The Public Company Accounting Oversight Board

Title I establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms that provide audit services. The functions of the PCAOB include registering auditors on a global basis to audit corporations publicly traded in the United States, setting auditing standards that registered firms must use, , inspecting firms’ audit performance and the effectiveness of their quality controls, and disciplining those whose performance is substandard. These provisions totally changed the governance of the independent public accounting and auditing industry. Whereas previous to SOX the audit occupation was largely self-regulating, SOX created the PCAOB to provide guidance and to oversee the performance of audits of companies that are publicly traded in the United States. The PCAOB is an independent agency under the general oversight of the US Securities and Exchange Commission (SEC). Since the responsibilities of the PCAOB involve only audits of publicly held companies, the setting of standards for and peer review of the performance of audits of private and nonprofit organizations remain with the American Institute of Certified Public Accountants (AICPA). In terms of auditing standard-setting, the PCAOB in 2003 adopted the existing AICPA audit standards and concentrated its efforts on a standard for the newly required audit of effectiveness of internal control over financial reporting. Auditing Standard No. 2, “An audit of internal control over financial reporting performed in conjunction with an audit of financial statements,” was issued by the PCAOB and approved by the SEC in

30

NEW INSIDE PAGES FINAL copy.indd 30

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years June 2004. It was applicable to only the largest corporations. Although there had been public hearings and much public commentary, it was shortly assailed by corporations as requiring too much effort and resulting in high cost on the part of both clients and auditors. Because of the volume of the outcry, the PCAOB held more public hearings, requested more public commentary, and totally changed its approach to the subject. The new Auditing Standard No. 5, “An audit of internal control over financial reporting that is integrated with an audit of financial statements,” was approved by the SEC in July 2007 and has remained in place thereafter with only limited complaints. The cost of an independent opinion on internal control over financial reporting for smaller companies remained an issue until the SEC in 2010 permanently exempted smaller public companies from the internal control audit requirement. This subject is also discussed below under Title IV of the Act. Through the end of 2011, the PCAOB has issued, and the SEC has approved, 10 additional auditing standards, eight of them in 2010. These cover a multitude of subjects, including such important topics as audit quality, evidence, planning, materiality, and various aspects of risk. The PCAOB has also issued eight “staff audit practice alerts” covering emerging and topical issues. During this same period from 2003 to the end of 2011, the AICPA has issued 24 auditing standards applicable to audits of nonpublic and not-for-profit entities. There appears to be no plan to converge the differences between the two groups of standards. Both the PCAOB and AICPA continue to issue guidance on ethics and independence. In terms of inspection of audit firm quality, the PCAOB’s own evaluation of its success is less satisfactory. The PCAOB issued a report on June 30, 2011 titled: “Updated information on PCAOB international inspections” (PCAOB, 2011). It attached a list of more than 300 companies traded in the United States that are audited by non-US firms (mostly affiliates of the Big Four US firms) where the PCAOB had been denied access to conduct inspections. The companies are based in certain European countries and in China, including Hong Kong. The most recent overall PCAOB report concerning the quality of audit firm performance found in firm inspections was published in September 2010 (Goelzer, 2010). Covering aspects of PCAOB inspections conducted during the 2007 through 2009 inspection cycle, acting chair Daniel L. Goelzer noted that the inspection findings “underscore the need for auditors to be diligent in assessing and responding to emerging areas of risk when economic and business conditions change.” In other words, the PCAOB report indicated that improvement was required. Specific inspection observations in the report were instances where auditors appeared not to have complied with PCAOB auditing standards in areas such as fair-value measurements, impairment of goodwill, indefinite-life intangible assets, and other long-lived assets, allowance for loan losses, off-balance sheet structures, revenue recognition, inventory, and income taxes. The report also noted that the “deficiencies identified by inspectors in their reviews of issuer audits suggest that firms should continue to focus on making improvements to their quality control systems.”

31

NEW INSIDE PAGES FINAL copy.indd 31

13/02/2012 12:58

Effective Auditing for Corporates It should be noted that, although some portions of the inspection reports issued on individual firm audit performance are made public, specifics of noted deficiencies are required to be kept confidential. This protects the firm when litigation is under way or threatened. In a speech on June 2, 2011, “Rethinking the relevance, credibility, and transparency of audits”, PCAOB Chairman James R. Doty gave another evaluation of the effectiveness of the PCAOB inspection process: “The PCAOB has now conducted annual inspections of the largest audit firms for eight years. Our inspectors have reviewed more than 2,800 engagements of such firms and discovered and analyzed hundreds of cases involving what they determined to be audit failures. We have conducted more than 1,500 inspections of smaller domestic firms and of non-US firms. These include multiple inspections of hundreds of those firms. And our inspectors have identified hundreds more cases involving what they determined to be audit failures.” (Doty, 2011). In other words, there appears to be a great number of instances where auditing firms need to improve their performance in audits of public companies. This title of the Act also directs the SEC to study the adoption of a more principles-based approach to accounting standard-setting in the United States. The report resulting from this requirement concluded that principles-based standards, if properly implemented, would result in more transparent information being provided to investors while continuing to hold management and auditors responsible for publishing financial information that conforms to the objectives of the accounting standards.The subject of whether the SEC will allow or even mandate that companies traded publicly in the United States adopt international accounting standards (IFRS) rather than US generally accepted accounting principles (GAAP) is still under development in late 2011. Efforts to converge the content of US GAAP and IFRS have been under way for several years. In November 2011 the SEC issued a staff paper, “Work plan for the consideration of incorporating international financial reporting standards into the financial reporting system for US issuers: An analysis of IFRS in practice” (SEC, 2011c). Another staff paper (SEC, 2011b) described potential alternatives as to the future involvement of the Financial Accounting Standards Board (FASB) in determining US accounting standards. The PCAOB has also been involved with the SEC, the US General Accountability Office (GAO), and other groups formed to study various other issues involving public companies and auditors that were mandated by SOX. These topics are covered later in this chapter.

Title II: Auditor Independence

This title of SOX limits the types of non-audit services that an auditor of a public company’s financial statements can provide. Audit firms had found that providing consulting services to their clients was more profitable than performing audits, which were viewed as a commodity. In 1999, the AICPA published a practice aid titled: Making Audits Pay: Leveraging the Audit into Consulting Services (Ramos and Delahanty, 1999).

32

NEW INSIDE PAGES FINAL copy.indd 32

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years This was an indication that the major firms thought of themselves as multiservice firms rather than just accountants and auditors. This attitude led observers to question the independence of the audit process. There was at least the appearance of a conflict of interest when an audit firm gave a clean opinion on financial statements that were based in part at least on advice provided by the same firm as a consultant. Further, one of the driving forces leading to the enactment of SOX was Arthur Andersen’s apparent loss of independence for audit purposes because it provided almost all of the internal auditing for Enron Corporation on basically an outsourcing basis. Andersen also provided significant amounts of very profitable consulting services on accounting matters to Enron. Aspects of the range of services provided by the auditor of financial statements and their advantages and disadvantages are discussed in “Pros and cons of using external auditors for internal auditing and other services” (pp. 121–131). Additional requirements in this title of SOX include mandatory advance approval by the audit committee of all non-audit services performed by the firm auditing the financial statements. Also required are structured reports to the audit committee by the auditor about key aspects of the audit. These include a comparison of alternatives to critical accounting policies that a client has chosen. SOX also codified into law certain practices previously introduced by the SEC Practice Section of the AICPA (superseded in January 2004) including the rotation of audit partners after five years of continuous service to a client and requiring a period of time to elapse before a senior-level auditor can be employed by a client. The results of implementing SOX provisions in this area are generally believed to continue to be beneficial.

Title III: Corporate Responsibility

The provisions of SOX on corporate responsibility strengthen the understanding of all concerned as to who bears primary responsibility for the content of periodic financial reports. Both the chief executive and chief financial officers of public companies must take individual responsibility and certify the accuracy and completeness of their company’s financial reports on a quarterly basis. SOX also requires these individuals to certify as to the completeness and effectiveness of internal controls over disclosures of material financial and other information. The disclosure assertions are separate and distinct from the assertions on the effectiveness of internal controls. The disclosure control requirements have resulted in the formation of formal compliance activities— usually in the form of a standing staff committee that is specifically focused on periodic public disclosures. These requirements are generally believed to continue to be beneficial, although some critics believe that the benefits do not exceed the costs of compliance. A significant SOX provision also requires audit committees and not management to be directly in charge of important relationships concerning specific matters regarding the audit engagement. Specifically, SOX requires the audit committee, in its capacity as a committee of the board of directors, to be directly responsible for the appointment, compensation, and oversight of the work of any public accounting firm that is employed by the company. An increased engagement by audit committees has been widely viewed as an important improvement in the quality of corporate governance.

33

NEW INSIDE PAGES FINAL copy.indd 33

13/02/2012 12:58

Effective Auditing for Corporates Provisions in this title also require officers receiving bonuses or other compensation to repay those funds if the payments were based on information that turned out later to be false. SOX also prohibits insider trading during pension fund blackout periods. An SEC (2003a) report required by SOX analyzed enforcement actions over the past five years by the SEC that have included proceedings to obtain civil penalties or disgorgements. The objective of the study was to develop methods to more efficiently, effectively, and fairly provide restitution to injured investors and to improve the collection rates for civil penalties and disgorgement.

Title IV: Enhanced Financial Disclosures

This area of SOX requires public companies to make more specific disclosures of the details of off-balance sheet transactions as well as loans and other matters involving directors and officers. A member of the audit committee must qualify as a financial expert and be so designated. This title also includes the now infamous Section 404, which requires both a management assessment of and the independent auditor’s opinion on the effectiveness of internal controls over financial reporting. As noted, this requirement is in addition to the disclosure control declaration discussed previously. As described earlier in this chapter, the requirements of Section 404 have been the focus of the loudest and most persistent critics of SOX. Particularly distasteful to many was the realization that the immediate effect of SOX was to give audit firms the opportunity to greatly increase the amount of services provided and the corresponding fees they were able to charge to large, publicly held clients. Observers also criticized SOX’s emphasis only on internal controls over financial reporting, rather than on internal controls in general. Observers believe that this limitation was at the behest of the independent auditors. The most important outcome of legislation passed after the savings and loan crisis was the need for concern about all aspects of control, not just financial reporting to the public. At least five factors have muted, but not eliminated, the pressures for modification or total repeal of these SOX requirements, which are considered the most onerous in the entire law. They are: 8 the savings since 2007 resulting from the less onerous provisions of PCAOB Auditing Standard No. 5 as compared with those of Auditing Standard No. 2; 8 cost reductions made possible by management guidance issued in June 2007 by the SEC; 8 elimination of the need for an independent auditor’s opinion on management’s assessment process for internal control over financial reporting; 8 the exclusion of smaller public companies from obtaining an independent auditor’s opinion on internal controls over financial reporting; 8 the effects of other cost-reduction efforts by both clients and auditors. Auditing Standard No. 5 also defines a “material weakness” in internal control. Provisions in this title of SOX also require public companies to disclose whether or not they have adopted a code of ethics applicable to their senior financial officers.

34

NEW INSIDE PAGES FINAL copy.indd 34

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years As all companies have done so, this area has been welcomed as a favorable outcome of the enactment of SOX that has increased investor trust. Another provision in this title requires public companies to disclose on a “rapid and current basis” any material changes in their financial condition or operations. This general disclosure requirement may have received little notice or emphasis on implementation because of the preoccupation of the SEC with other matters. It is also implicit in other SEC requirements.

Title V: Analyst Conflicts of Interest

Provisions in this title of SOX do not affect auditors, but rather deal primarily with the conduct of securities analysts who previously had recommended to members of the public that they purchase securities, when actually those recommendations were based on the fact that the analyst’s employer was being compensated for marketing to the public those same securities products, which sets up an obvious conflict of interest. This title also contains requirements for public disclosure of any knowable conflicts of interest. These provisions have been well accepted and are believed to have contributed to increased confidence of investors in the structure of the financial marketplace.

Title VI: Commission Resources and Authority

This section also deals with financial industry professionals, not auditors. It sets forth authority for the SEC to bar individuals from positions in the industry. Its purpose is to build public confidence in securities analysts and others. The title also lists the sources of funding for the SEC, which prior to the enactment of SOX had been a contributing factor to the scandals that occurred.

Title VII: Studies and Reports

This title directs the Comptroller General of the United States, who heads the US Government Accountability Office (GAO), and the SEC to perform various studies and report the results to Congress and the public. Topics studied include the effects of consolidating public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted companies, as was alleged with Enron to manipulate their financial reports. Studies analyzed the extent of off-balance sheet information and whether rotation of audit firms should be mandatory. The SEC (2003b) report on the study of credit rating agencies outlined the proper role of such agencies in the securities markets. The Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 (US Government, 2010)mandated further study of the specific issue of reliance on credit ratings, since the regulation of the credit rating industry by the SEC had not been completely implemented. The resulting July 2011 report outlined needed amendments to several rules and regulations in order to eliminate existing legislative mandates for reliance on credit ratings (SEC, 2011c). In September 2011, the SEC issued its first annual “Summary report of commission staff’s examination of each nationally recognized statistical rating organization” (SEC, 2011d). The report concluded that the SEC staff examiners had many findings and observations and made corresponding recommendations for improvements.

35

NEW INSIDE PAGES FINAL copy.indd 35

13/02/2012 12:58

Effective Auditing for Corporates The Dodd–Frank Act enhanced the SEC’s oversight responsibilities of the activities of nationally recognized credit rating agencies. Another 2003 SEC report required by SOX Section 703 studied the number of securities professionals practicing before the SEC who: have aided and abetted a violation of the Federal securities laws but who have not been sanctioned, disciplined, or otherwise penalized as a primary violator in any administrative action or civil proceeding; and have been primary violators of the Federal securities laws between 1998 and 2001. An additional 2003 report in SOX Section 704 analyzed enforcement actions over the previous five years by the SEC involving violations of reporting requirements imposed under the securities laws, and restatements of financial statements. The objective of the study was to identify areas of reporting that are most susceptible to fraud, inappropriate manipulation, or inappropriate earnings management. A SOX study of the pros and cons of audit firm rotation was required to be completed by the GAO by mid-2003, yet the subject was still under active discussion eight years later. In the same June 2, 2011, speech by PCAOB chairman Doty referred to earlier in this chapter, he stated that the 2003 report: “…noted that the SEC and the Board would need several years to evaluate whether the Sarbanes–Oxley reforms—including audit partner rotation—were sufficient, or whether further independence measures are necessary to protect investors.” (Doty, 2011.) Doty went on, in 2011, to commit the PCAOB to further examine the issue of auditor long-term tenure with “rigorous analysis and the weight of evidence in support and against.”

Title VIII: Corporate and Criminal Fraud Accountability

This title is also referred to as the “Corporate and criminal fraud accountability Act of 2002.” It sets forth the criminal penalties of fines and imprisonment that shall be assessed against violators of the securities laws as well as those who interfere with investigations. Its provisions increase the time for bringing legal claims of securities fraud. This title was also designed to provide employment protection against retaliation for employee whistleblowers who come forward to report fraud information about their employer. The whistleblowing aspects of SOX have been singularly unable to provide employment security as employers have been largely successful in challenging almost all of the claims made under these provisions. Claimants must meet a very high burden of proof in order to plead their case. Administration of this aspect of SOX is with the Department of Labor, not the SEC. To remedy these inadequacies, the Dodd–Frank Act contains provisions that broaden the protections for whistleblowers provided under SOX. The Dodd–Frank Act contains provisions that allow the SEC to pay substantial cash bounties to whistleblowers who provide information about securities frauds. The new authority granted by the Act is broad and comprehensive and is believed to be widely used, although no overall reports have yet been made. Awards to whistleblowers can range from 10% to 30% of the amount of monetary sanctions in cases over

36

NEW INSIDE PAGES FINAL copy.indd 36

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years US$1 million, including penalties and interest as well as disgorgement of ill-gotten gains. Information provided to the SEC must be “original” and derived from the whistleblower’s independent knowledge or analysis and not be known to the SEC from any other source. Final rules governing details of the operating methods of the SEC Office of the Whistleblower became effective in August 2011.

Title IX. White Collar Crime Penalty Enhancement

These provisions increased the criminal penalties that should be assessed for securities law and other violations under the US Federal Sentencing Guidelines. For example, imprisonment for wire fraud (fraud committed via wire, radio, or television) is increased from five years to 20 years. Conspiracy is to be treated the same as the act. A special provision adds penalties dealing with corporate reports. A false certification that a periodic report did comply with SEC rules when in fact it did not is punishable by a fine of up to US$1,000,000, imprisonment for 10 years, or both.

Title X. Corporate Tax Returns

This title merely requires the CEO to sign a public company’s tax returns.

Title XI. Corporate Fraud Accountability

Provisions under this title state that securities fraud and tampering with records necessary in an investigation are criminal offenses and identify appropriate penalties. They also give the SEC the ability to “freeze” or temporarily stop the execution of transactions deemed to be large or unusual. This title also gives the SEC the power to ban any individual from future service as an officer or director of a public corporation. Summary The Sarbanes–Oxley Act of 2002 has achieved most of the objectives set for it in providing both improved confidence in the financial marketplace and stronger investor rights. Most observers of governance would conclude that public company audit committees have accepted their increased burdens well and generally performed appropriately. As noted in this chapter, there is concern that the performance of independent auditors still needs improvement, and this is one area of SOX that is being worked on. SOX has been criticized, perhaps unjustly, because it did not prevent the global financial crisis of 2007–09. However, that catastrophe is believed to have been caused primarily by failures in the banking system and its regulation, with only minor blame apportionable to audit failures or failures of disclosure. Some blame for the crisis has been placed at the door of the SEC for inadequate regulation of securities rating agencies, but this task was not given to the Commission until well after the financial crisis had begun. Some observers in the United States have also criticized SOX for motivating some new public offerings of securities from New York to stock exchanges elsewhere in the world, but as noted above, this may be only hearsay. One country’s loss is another’s gain. Several studies of the cost of compliance with SOX were completed in the first few years of its existence. Particular focus has been directed to the high costs incurred by companies and the larger audit fees resulting from the audit of internal control over financial

37

NEW INSIDE PAGES FINAL copy.indd 37

13/02/2012 12:58

Effective Auditing for Corporates reporting. An SEC (2011a) staff study required by the Dodd–Frank Act analyzed this subject in companies with securities traded in the public markets with a market float between US$75 and $250 million. It found that:

8  the costs of Section 404(b) have declined since the SEC first implemented the requirements of Section 404, particularly in response to the 2007 reforms;

8  investors generally view the auditor’s attestation on internal controls over financial reporting as beneficial;

8  financial reporting is more reliable when the auditor is involved with internal control over financial reporting assessments;

8  there is no conclusive evidence linking the requirements of Section 404(b) to listing decisions of the studied range of issuers. Various other research studies have also examined and documented some of the benefits that have flowed from SOX. A study by Nowland and Simon (2010) showed that foreign firms cross-listed in the United States and thus subject to SOX became significantly more transparent in their dealings with share-owners than a sample of comparable firms not subject to SOX. The researchers defined transparency in terms of the dispersion and accuracy of securities analysts’ forecasts of earnings. Several other studies found that internal controls have improved in companies subsequent to SOX implementation procedures. One researcher believes that these stronger controls have resulted in lower costs of capital to issuers.

More Info Book: Ramos, Michael J., and Linda C. Delahanty. Making Audits Pay: Leveraging the Audit into Consulting Services. American Institute of Certified Public Accountants (AICPA) Practice Aid Series. New York: AICPA, 1999. Articles: Goelzer, Daniel L. “PCAOB board issues report on inspection observations of auditing during the economic crisis.” Press release. September 29, 2010. Online at: tinyurl.com/8ywlqmm Doty, James R. “Rethinking the relevance, credibility, and transparency of audits.” Speech at SEC and Financial Reporting Institute 30th Annual Conference, Pasadena, CA, June 2, 2011. Online at: tinyurl.com/3dns5eo Nowland, John, and Andreas Simon. “The effect of a change in analyst composition on analyst forecast accuracy: Evidence from U.S. cross-listings.” Journal of International Accounting Research 9:1 (Spring 2010): 23–38. Online at: dx.doi.org/10.2308/jiar.2010.9.1.23 Reports: Public Company Accounting Oversight Board (PCAOB). “Updated information on PCAOB international inspections.” June 30, 2011. Online at: tinyurl.com/7t9hqok Securities and Exchange Commission (SEC). “Report pursuant to Section 308(c) of the Sarbanes Oxley Act of 2002.” January 2003a. Online at: www.sec.gov/news/studies/sox308creport.pdf

38

NEW INSIDE PAGES FINAL copy.indd 38

13/02/2012 12:58

Sarbanes–Oxley After Nearly 10 Years Securities and Exchange Commission (SEC). “Report on the role and function of credit rating agencies in the operation of the securities markets.” January 2003b. Online at: www.sec.gov/news/studies/credratingreport0103.pdf Securities and Exchange Commission (SEC). “Study and recommendations on Section 404(b) of the Sarbanes-Oxley Act of 2002 for issuers with public float between $75 and $250 million.” April 2011a. Online at: www.sec.gov/news/studies/2011/404bfloat-study.pdf Securities and Exchange Commission (SEC). “Work plan for the consideration of incorporating international financial reporting standards into the financial reporting system for U.S. issuers: Exploring a possible method of incorporation.” May 26, 2011b. Online at: tinyurl.com/3wkej8m [PDF]. Securities and Exchange Commission (SEC). “Report on review of reliance on credit ratings.” July 2011c. Online at: www.sec.gov/news/studies/2011/939astudy.pdf Securities and Exchange Commission (SEC). “2011 summary report of Commission staff’s examinations of each nationally recognized statistical rating organization.” September 2011d. Online at: tinyurl.com/7e3f2y2 [PDF]. Securities and Exchange Commission (SEC). “Work plan for the consideration of incorporating international financial reporting standards into the financial reporting system for US issuers: An analysis of IFRS in practice.” November 16, 2011c. Online at: tinyurl.com/7s3k477 [PDF]. US Government. “H. R. 4173: Dodd-Frank Wall Street reform and consumer protection act.” 2010. Online at: tinyurl.com/7nhkvgq [PDF]. Websites: Addison-Hewitt Associates guide to the Sarbanes–Oxley Act: www.soxlaw.com Commodity Futures Trading Commission (CFTC; US): www.cftc.gov CFTC information on implementing the Dodd–Frank Act: www.cftc.gov/LawRegulation/DoddFrankAct/index.htm CFTC information on whistleblowing: www.cftc.gov/ConsumerProtection/WhistleblowerInformation/index.htm General Accountability Office (GAO; US): www. gao.gov Public Company Accounting Oversight Board (PCAOB; US): www.pcaobus.org PCAOB auditing standards: pcaobus.org/Standards/Auditing/Pages/default.aspx PCAOB guidance, including staff audit practice alerts: pcaobus.org/Standards/Pages/Guidance.aspx Securities and Exchange Commission (SEC; US): www.sec.gov SEC information on implementing the Dodd–Frank Act: www.sec.gov/spotlight/dodd-frank.shtml SEC Office of the Whistleblower: www.sec.gov/whistleblower

39

NEW INSIDE PAGES FINAL copy.indd 39

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 40

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies by Gilad Livne Cass Business School, City University, London, UK

This Chapter Covers 8 A description of the nature of the client–auditor relationship, together with a brief historical perspective. 8  How impaired auditor independence can cause significant losses to various parties, such as shareholders and lenders. 8 The potential benefits when auditor independence is strong. 8  A discussion of some of the main threats to independence, followed by the possible remedies and their limitations.

Introduction

The external auditor is nominated to carry out audit work on behalf of the audited company’s shareholders. Being a proxy for the shareholders fundamentally requires the external auditor to be independent of the audited firm’s managers. Auditing standards require independence both in mind and in appearance. Independence implies the ability and willingness of the auditor to identify a range of deficiencies during the audit process and then to challenge the audited firm on these findings. Such deficiencies include matters regarding internal control, the accounting policies adopted, and absent or misleading reporting. In practice, the external auditor’s various interactions with the audited firm are conducted through and with the client’s top management. Inevitably, this gives rise to a “special” relationship between managers of the audited firm and the auditor. This special relationship typically starts with the nomination process—often the client’s management suggests that a particular audit firm should be nominated1—and continues along several dimensions: fees are paid to the auditor by the audited firm, not directly by shareholders. During the audit process, management is responsible for providing answers to the auditor concerning matters about which it knows more, and so auditor must rely on (often self-serving) managers. In preparing the annual report, accounting and reporting issues are effectively jointly decided by management and the auditor, even though, strictly speaking, the preparation of the accounts is the responsibility of the managers. It is therefore quite sensible to ask if auditor independence, both in mind and appearance, can be maintained given this nature of the relationship. In other words, it is important to identify the threats to auditor independence in light of this special relationship. This is not an abstract exercise. The recent financial crisis has brought the question of auditor independence to the fore. It has put auditors under a public magnifying glass, with some commentators questioning the integrity of external auditors and

41

NEW INSIDE PAGES FINAL copy.indd 41

13/02/2012 12:58

Effective Auditing for Corporates their complicity in producing what may be misleading reports (for example, in the case of Lehman Brothers’ reporting of transactions in certain loans, known as Repo 105). Before this crisis, the accounting scandals of the early 2000s, including Enron, WorldCom, and Parmalat, led to a comprehensive rethink of matters relating to auditor independence in the United States and indeed around the world. Legislation followed— most prominently in the United States, with the Sarbanes–Oxley Act (henceforth SOX) of 2002 imposing various restrictions on the external auditors. It is worth remembering that blaming compromised auditor independence for accounting scandals is not a recent phenomenon.2 An early example, from 1938, is the case of McKesson & Robbins, where the firm Price, Waterhouse & Co. failed to verify the existence of inventory. The bankruptcy of Westec in 1965 raised concerns, many years before Enron, that the provision of nonaudit services compromised auditor independence. Not surprisingly, some commentators have suggested that auditors do not serve as the protectors of shareholders’ and lenders’ interests (e.g. Carey, 1967). These and other failures have prompted a wave of litigation against auditors, with large sums awarded to plaintiffs and paid by auditors. These auditing failures and the large losses inflicted on shareholders, lenders, and employees demonstrate that impaired auditor independence can lead to grave consequences. However, it is not sufficient to focus on the adverse effects of compromised independence. It is also important to highlight the possible advantages of maintaining a high degree of auditor independence. This is the subject of the next section.

Independence of Mind vs Independence in Appearance It is common to speak of these two types of auditor independence, but what is the difference? A clear distinction may be hard to make, as the two overlap and interact. Nevertheless, independence of mind is a desirable psychological–behavioral trait in an auditor. He or she should be objective and free from bias. He/she should be willing to challenge clients and maintain a good degree of skepticism coupled with an inquisitive mind-set. Being knowledgeable also increases the auditor’s ability to challenge managers on their reporting decisions. This highlights the important role education and training can play. Independence in appearance is about avoiding relationships or circumstances that can threaten, or may be seen to threaten, the willingness or ability to scrutinize and criticize managers. For example, having a managerial or advisory role in the client firm can impair the auditor’s objectivity and hence his or her ability to carry out an effective audit on behalf of shareholders. Having connections through family ties is another example. It should be made clear, however, that appearing to be independent is not sufficient. What truly is required is the independence of mind.

42

NEW INSIDE PAGES FINAL copy.indd 42

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies The Benefits of Employing Independent Auditors

In many countries an external audit of the annual accounts is required by law. For example, in the European Union, the Fourth (1978) and Seventh Council Directives (1983) require that the annual accounts or consolidated accounts be audited by one or more persons entitled to carry out such audits of companies traded on a stock exchange within the EU.3 This is a costly requirement for audit clients and their shareholders, and, more broadly, to society, as resources currently devoted to the audit task (inclusive of the cost of external and internal auditors, as well as the cost of regulation and enforcement) could be employed, perhaps more productively, elsewhere in the economy. It therefore begs the question what benefits can be ascribed to external audits performed by independent auditors. A somewhat deeper, and more difficult, question is whether these benefits exceed their cost. To place these questions in context, it is important first to recognize the need to supply reliable and relevant information to investors. Financial information can be regarded as the oil that runs modern capital markets—securities markets in particular. Information of high quality enables investors to make efficient investment decisions, as investment money can be directed where it is most productive. While investors often act for profitmaking purposes, society at large can benefit when money is invested where it is needed most (and hence where the returns are the highest). However, if the provisions for financial information remain unchecked, there is a good chance that the providers of such information will use it opportunistically and/or in a misleading manner to generate private gains. For example, managers could create a false impression of a good financial performance to reward themselves with higher bonuses. The result will be a waste of scarce resources, missed growth opportunities, and ultimately the collapse of capital markets when trust in financial disclosure is lost. Independent external auditors help to produce investment-relevant and reliable information that enables investors to make sound economic decisions. This is because they verify the information provided in the financial statements (for example, the existence of inventory and cash balances). They also pass judgment on the accounting policies adopted by client firms. Their expertise and knowledge assist clients in selecting and implementing adequate measurement and reporting procedures demanded by third parties. This is called the information role of independent auditors, and it is linked to the trust with which investors and creditors can treat the audited financial statements.

This role and its benefits are widely recognized by investors and regulators. In the United States, SOX has as one of its main objectives to improve auditor independence because it should lead to a reduced cost of capital. Academic research has provided some evidence that is consistent with this argument.4 And although some argue that SOX has been costly to implement but has had only limited impact, Amir, Guan, and Livne (2010) show that that auditor independence has increased following SOX and that auditor independence does reduce the cost of borrowing. Independent auditors also help in monitoring the financial affairs of client firms. Through their tests and examinations of internal procedures, the external auditors learn how the client firm is carrying out its various transactions.

43

NEW INSIDE PAGES FINAL copy.indd 43

13/02/2012 12:58

Effective Auditing for Corporates At a very basic level they can thus identify causes of inefficiency, waste, and leakage. Reporting these to the audit committee and top managers provides an opportunity to improve financial performance. Moreover, the independent external auditor’s scrutiny enhances the likelihood that fraud and embezzlement will be detected. This is called the monitoring role of independent auditors. Shareholders and lenders alike therefore benefit from strong monitoring by independent auditors because it safeguards the client’s assets.5 In summary, the collective presence of independent auditors in the economy is capable of increasing the trust of investors in capital markets. This is because they can rely on the financial information provided by audited firms, as well as rest assured that the firms’ financial affairs are conducted efficiently and honestly. In turn, such an economy can perform better because its securities markets attract capital and efficiently direct valuable resources to the most beneficial uses.

The Various Threats to Auditor Independence

There are a number of threats to auditor independence. In my discussion of these threats I make reference not only to several professional and regulatory pronouncements, but also more broadly to points raised by various commentators and academics. It should also be noted that different professional and regulatory organizations have a somewhat different view of the potency of such threats. This is the case because different countries have different legal and commercial systems that are embedded in broader cultural and societal contexts. As a matter of convenience, however, I will refer mainly to the ethical framework adopted recently by the United Kingdom’s Auditing Practices Board (APB).6 The threats listed below and discussed in the following sections may, thus, not be exhaustive. 8 The appointment and termination processes. 8 Self-interest. 8 Familiarity and complacency. 8 Social bonding. 8 Economic bonds. 8 Management and employment. 8 Litigation.

The Appointment and Termination Processes

Although the external auditor is employed for the benefit of shareholders, the appointment and dismissal processes are quite removed from shareholders. Management is responsible for suggesting the external auditor and rarely offers a choice to shareholders. As a rotation of audit firms is relatively infrequent—a periodic rotation is currently not required by law in most countries—the typical scenario is that the renewal of the incumbent auditor’s term is brought to the annual general meeting (AGM) for approval by shareholders. In practice there is little that shareholders can do except vote against a nomination or renewal. In other words, the nomination and appointment mechanism does not allow for competing proposals to be brought directly before shareholders. The result is that the incumbent auditor is at the mercy of the client’s managers as to the renewal process. Moreover, there are no direct channels between auditors and shareholders through which competing auditors can make a case

44

NEW INSIDE PAGES FINAL copy.indd 44

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies for appointment. Thus, the special auditor–client relationship is off to a problematic start: the nominated auditor “owes it” to the client’s managers and is under threat of dismissal by managers. Occasionally auditors are rotated, on a voluntary basis. Academic evidence suggests that many voluntary rotations take place because the incumbent auditor is too independent for managers’ taste (see, for example, DeFond and Subramanyam, 1998; and Lennox, 2000). The new auditor is likely selected by the client’s management in an opportunistic fashion in that the new auditor is more likely to accommodate clients’ wishes than the incumbent auditor. Since managers have almost exclusive control of this process, shareholders seem unable to influence the decision in a way that would ensure auditor independence. The result can be the nomination of a new and less-independent auditor.

Self-Interest

The presence of financial interest of the auditor in the audited firm can impair objectiveness, and hence independence. Consider an auditor who is also a shareholder. The (independent) auditor’s duty is to ensure that financial performance is accurately reported, even if this implies reporting poor performance. However, as a shareholder, the auditor may prefer that bad news is withheld, at least until the auditor-shareholder can sell his/her position. Similar arguments hold for an auditor-lender (for example, through the holding of corporate bonds).7 As a second example of a self-interest threat to independence, consider the case where the external auditor carries out some nonaudit work for the client. This is quite a common situation. The auditor therefore may need to scrutinize and evaluate the nonaudit work carried out by colleagues in the audit firm. Many auditors may be quite reluctant to confront their colleagues and would have the self-interest to minimize any exposure that could risk his audit firm’s reputation.

Familiarity and Complacency

Familiarity can blunt the skepticism that is expected of the auditor. This may be because the auditor develops a degree of overconfidence in his or her knowledge of the client firm. It may be that the repetitive nature of a long-term engagement between the auditor and his/her client leads to complacency and, consequently, to the underweighting of warning signs. Some commentators speak of the need for “fresh” eyes and mind that lead to a better scrutiny of the client. Yet familiarity also has a positive aspect as it implies a better understanding of the client and helps the auditor to perform better. Research on auditor tenure suggests that, as the audit–client relationship lengthens, audit quality improves.

Social Bonding

Long-term audit engagements bring the external auditor and members of the client firm’s management team closely together. It is not unusual for friendships to form in the workplace. Moreover, to the extent that a client’s managers nominate auditors from their own circle of friends, the likelihood of objectivity on the part of the auditor decreases. This “self-serving” bias is grounded in psychology theory and arises when, as a consequence of close relationships, one cannot separate one’s own interests from those of others.

45

NEW INSIDE PAGES FINAL copy.indd 45

13/02/2012 12:58

Effective Auditing for Corporates It is not entirely clear, however, how powerful this threat is. Auditors need to follow certain professional and ethical norms, and they are bound by social norms. Moreover, concerns about reputation may be quite powerful and sufficient to rein in such a threat, even if only at the subconscious level.

The Economic Bond

Auditors’ livelihoods depend on the fees they generate from audit and nonaudit services. Auditors thus have an inherent incentive to keep the client—that is, the audited firm’s managers—“happy.” Failure to do so can cost them the client and the loss of a long stream of future income. This economic bond is regarded by many as perhaps the greatest threat to auditor independence. Nonaudit services have attracted the harshest criticism. These include consulting services such as corporate finance advisory, investment advisory or management, valuation services, and IT consulting and implementation services. Typically, fees for nonaudit services represent a very lucrative source of income. Some commentators have raised concern that in order to be awarded nonaudit service contracts, auditors may compromise their audit work. Even in the absence of nonaudit services, the fundamental problem remains. While in the past audit work was relatively limited in scope, following SOX external auditors now need to audit internal control systems. As a result, there has been a sharp increase in audit fees. At the same time, SOX and similar regulations in many other countries have restricted the ability of external auditors to provide nonaudit services.8 These facts are also reflected in the data. Table 1 shows that average total fees (audit and nonaudit) have increased steadily since 2003, when many of the SOX requirements came into effect. Moreover, while nonaudit fees have declined sharply, audit fees have significantly increased. Importantly, these trends appear for both large and small auditors. Hence, an economic bond can still arise in the post-SOX era, though more so with respect to audit fees.

Management and Employment

The auditor and the audited firm must be different entities, as an effective and objective audit clearly requires such a separation. For this reason, US regulation explicitly prohibits the provision of nonaudit services that involve activities which otherwise should be performed by the client’s management and personnel (i.e. management roles). Matters become somewhat more complex when a previous auditor is hired by the client firm to perform a management role. One concern is that the members of the audit team will be reluctant to criticize a former colleague, perhaps because of social bonding. A second concern is that the ex-auditor, having acquired knowledge of the audit process and its weaknesses, may be able to take advantage and “game” the new auditor to the benefit of the client (and now the new employer). In the United States, therefore, there is a requirement of a one-year cooling-off period. In the United Kingdom, APB Ethical Standard 2 requires a two-year cooling-off period.

46

NEW INSIDE PAGES FINAL copy.indd 46

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 47

915,416

Nonaudit fees

75,716

47,447

1,206

Audit fees

Nonaudit fees

Number of observations 1,840

44,780

70,734

115,513

6,044

1,075,320

507,378

1,582,697

7,784

834,808

405,472

1,240,280

2001

4,035

25,167

58,540

83,706

9,308

637,044

608,674

1,245,717

13,343

452,009

442,310

894,348

2002

5,144

20,373

61,099

81,471

10,140

488,418

740,242

1,228,660

15,284

330,892

511,669

842,561

2003

5,195

24,219

92,955

117,174

8,985

502,674

1,293,586

1,796,259

14,180

327,387

853,722

1,181,108

2004

5,665

28,342

131,154

159,497

8,349

446,225

1,504,478

1,950,704

14,014

277,301

949,328

1,226,629

2005

6,091

25,782

153,565

179,347

7,801

452,631

1,738,797

2,191,428

13,892

265,477

1,043,746

1,309,223

2006

* I thank Angela Pettinicchio for helping me to compile this table. † Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers (PwC), and, prior to 2002, Arthur Andersen.

123,162

4,442

Total fees

Non-Big Four auditors

Number of observations

1,151,070

506,958

Audit fees

Nonaudit fees

1,658,027

Total fees

Big Four auditors†

5,648

414,876

Audit fees

Number of observations

1,330,292

Total fees

Overall

2000

6,261

24,530

159,525

184,056

7,287

501,381

1,808,029

2,309,410

13,548

281,012

1,046,198

1,327,210

2007

5,930

24,253

161,290

185,543

6,874

489,497

1,918,416

2,407,913

12,804

274,026

1,104,626

1,378,652

2008

5,312

24,014

157,671

181,685

6,503

470,427

1,837,057

2,307,484

11,815

269,721

1,082,009

1,351,729

2009

Table 1. Average audit and nonaudit fees (US dollars) earned by Big Four and non-Big Four auditors in the United States during 2000–09.* (Source: Audit Analytics)

Threats to Auditor Independence and Possible Remedies

47

13/02/2012 12:58

Effective Auditing for Corporates Litigation

Sometimes disputes between client and auditor end up in legal action or, short of that, a threat to take matters to the courts. In such a case auditor independence is perceived to be impaired. The ability of the auditor to judge matters on an objective basis irrespective of allegations of deficiencies in the audit procedures and conclusions comes under threat in these circumstances. By the same token, when the auditor sues the client, the natural presumption is that objectivity is lost. The US ethical rules require the audit firm to assess whether independence is impaired. In the United Kingdom ethical standards are stricter and require the auditor to resign. Litigation by shareholders, for example through “class action,” typically targets not only the client and its management, but all too often the external auditor. The threat to the client–auditor relationship is less clear here. It is possible that the auditor would take a more “aggressive” approach to the audit to reduce potential damages that might be awarded by a court. To the extent that this creates bias in judgment, independence is impaired. It is also interesting to note differences in legal systems. In the United States, civil litigation as well as criminal litigation is possible and there is no cap on the amount of damages that can be awarded. In the United Kingdom the legal environment changed with the new Companies Act 2006. Criminal charges can be brought against auditors, although in these cases the penalties do not include prison sentences. Perhaps more importantly, auditors and clients can for the first time enter into a “liability-limitation agreement” that caps the amount an auditor would need to pay in compensation. On one hand, this should encourage auditors to avoid a box-ticking mentality and rely more on their professional judgment as the fear of financial losses recedes. On the other hand, with the lowered threat of litigation, auditors may feel that the penalty for “collaboration” with clients is less costly. If the latter holds, auditor independence is likely to suffer. Occasionally, the audit firm helps a client to defend itself against a legal dispute or with respect to regulatory inquiry or investigation. ASB Ethical Standard 1 (revised) calls this an “advocacy threat” because the auditor needs to defend the client. The standard states that, as a result, the audit firm effectively assumes a role very similar to a management role. This, in turn, threatens the auditor’s objectivity and independence.

Case Study

Waste Management Inc.—A Study in Compromised Auditor Independence

Following the collapse of Enron, many have blamed nonaudit fees for distorting auditors’ incentives toward collusion with managers and sacrifice of independence in favor of keeping lucrative nonaudit fees. But a few years prior to Enron another scandal was

48

NEW INSIDE PAGES FINAL copy.indd 48

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies exposed—the scandal of Waste Management (WM). Studying this scandal from SEC filing9 reveals a number of problems related to compromised auditor independence that were a result of several threats discussed in this chapter. Perhaps a faster regulatory reaction to the WM scandal could have circumvented the fall of Enron. In February 1998, WM announced that it was restating its financial statements for the fiveyear period 1992 through 1996 and the first three quarters of 1997. This restatement was the largest in the SEC’s history at that time. In the restatement, WM admitted that through 1996 it had materially overstated its reported pretax earnings by US$1.43 billion and that it had understated certain elements of its tax expense by US$178 million. In most instances the company had improperly deferred recognition of current operating expenses to future periods in order to inflate its current period income. The company admitted that it had misstated its expenses relating to, among other things, depreciation of vehicles, equipment, and containers, capitalized interest, asset impairments, and purchase accounting related to environmental remediation reserves. In analyzing what the contributing factors might have been, the SEC pointed out some telling shortcomings of the client’s relationship with the auditor, Arthur Andersen. Among these were:

8  Capping audit fees for a number of years. Between 1991 and 1997 total audit fees were US$7.5 million.

8  At the same time, the auditor billed WM US$11.8 million in nonaudit fees. In addition, Andersen Consulting billed the company US$6 million in other fees.

8  Andersen served as WM’s auditor since before WM became a public company in 1971. 8  Andersen regarded WM as a “crown jewel” client. 8  Until 1997, every chief financial officer and chief accounting officer in WM’s history as a public company had previously worked as an auditor at Andersen.

8  During the 1990s, approximately 14 former Andersen employees worked for WM, most often in key financial and accounting positions.

Measures to Thwart the Threats to Auditor Independence

It is doubtful that the threats to auditor independence can be thwarted entirely. Arguably, some can be contained, but ultimately it is a matter of the incentives that auditors have to maintain objectivity and of their willingness to stand up to clients. Regulators all over the world have for many years tried to find solutions through legislation. In addition, some other remedies may be available from other sources. The discussion in this section is not meant to be exhaustive of the full range of possible solutions and their effectiveness but, rather, to highlight what may be considered the most notable ones. These include: 8 modifying the selection process; 8 limiting nonaudit services; 8 rules making rotation mandatory; 8 better disclosure; 8 reliance on market forces; 8 adoption of good corporate governance mechanisms. These will be briefly discussed in turn.

49

NEW INSIDE PAGES FINAL copy.indd 49

13/02/2012 12:58

Effective Auditing for Corporates Modifying the Selection Process

In most developed countries auditors are selected by the management of the client firm (and are nominally approved by shareholders), which makes auditors more answerable to management than to shareholders, whom they purport to represent. Shifting the balance of power to shareholders is possible by allowing them to directly nominate and appoint, or renew the appointment of, the external auditor. Some experimental evidence suggests that this will lead to greater auditor independence (Mayhew and Pike, 2004). It may be that having a regulatory oversight for the nomination process could also help, although this may fall short of requiring shareholders to take control over the process. In Korea auditors are nominated by the authorities in cases where there is a suspicion of earnings manipulations. Evidence presented by Kim and Yi (2009) suggests that these “designated” auditors are more independent than auditors selected by client firms. SOX has taken an intermediate approach whereby audit committees, not managers, are now responsible for the nomination process. This can be effective only to the extent that the audit committees themselves are sufficiently independent.

Limitation of Nonaudit Services

With the enactment of SOX in 2002, the United States took a strong opposing stand to nonaudit fees, regarding these as among the most serious threats to independence. At the same time, and as Table 1 shows, auditors are now required under this Act to audit the internal control systems and procedures of a client firm. The decline in nonaudit fees has been compensated for by an increase in audit fees, a category that now includes fees paid for the audit of the internal control systems. Table 1 even suggests that auditors now generate greater fees than before SOX.

Nonaudit Services Prohibited under SOX10 Section 201(a) of SOX makes it unlawful for the external auditors to provide for the client, contemporaneously with the audit, any nonaudit services, including those in the following nine categories: 8 bookkeeping or other services related to the client’s accounting records or financial statements; 8 design and implementation of financial information systems; 8 appraisal or valuation services, fairness opinions, or contribution-in-kind reports; 8 actuarial services; 8 internal audit outsourcing services; 8 management functions or human resources; 8 broker or dealer, investment adviser, or investment banking services; 8 legal services and expert services unrelated to the audit; 8 any other service that the Public Companies Accounting Oversight Board determines, by regulation, is impermissible. The principles governing these rules of independence with respect to services provided by auditors are largely predicated on three basic principles, violations of which would impair the auditor’s independence: an auditor

50

NEW INSIDE PAGES FINAL copy.indd 50

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies cannot function in the role of management; an auditor cannot audit his or her own work; and an auditor cannot serve in an advocacy role for his or her client. Nonetheless, the provision of tax services is allowed to the extent that the service has been preapproved by the client’s audit committee, bearing in mind the risk of impaired independence. In light of these facts, it is therefore reasonable to ask whether the Act has been successful in lessening the economic dependence of auditors on clients’ fees. While the nature of the fees has changed in the United States, the fundamental problem of auditors receiving their pay from the very entity which they should scrutinize is still the same. It is interesting to note that not all countries have adopted the same approach, which suggests that some legislators do not believe in the effectiveness of this solution. Nevertheless, the requirement for an audit of the internal control systems may carry the side benefit of enabling, perhaps even forcing, the auditor to better understand the audited firm. Thus, any client-specific knowledge lost as a result of the restrictions imposed on nonaudit services may have been replenished through a more encompassing audit task. Academic research into the effects of the economic bond has not yielded clear-cut findings, although there are a few studies that fail to implicate the economic bond as a cause of poor reporting (e.g. Ashbaugh, LaFond, and Mayhew, 2003; Chung and Kallapur, 2003; Larcker and Richardson, 2004; and Ruddock, Taylor, and Taylor, 2006). One solution may be to make all fees paid to auditors, at least in part, contingent on future performance. For example, fees would become fully payable if subsequent to the release of audited accounts there is no restatement or regulatory investigation.

Mandatory Rotation Rules

In many countries it is now required that the leading audit partner is replaced periodically. For example, in the United States and United Kingdom the requirement is that the leading partner cannot serve in this role for more than five years. The underlying assumption is that a new partner would bring in a “fresh look,” being free from familiarity and complacency threats. However, the fundamental problem of the economic bond is largely unaffected by this requirement (the fee is unlikely to change with a new partner). It may also be argued that such a change involves some settingup costs and the loss of client-specific knowledge, which can weaken independence. Some countries require, or are considering the requirement for, a mandatory rotation rule for the entire audit firm. It is not clear if this is a good solution, as the loss of client-specific knowledge would be larger with audit firm rotations than with partner rotation. Furthermore, ruling out long-term relationships implies a shorter fee stream for auditors which, in turn, may reduce their incentive to acquire client-specific knowledge and make them more vulnerable to independence problems.

51

NEW INSIDE PAGES FINAL copy.indd 51

13/02/2012 12:58

Effective Auditing for Corporates Unfortunately, there is little empirical evidence on these issues. Academic research (e.g. Myers, Myers, and Omer, 2003) has found some evidence that audit quality improves with auditor tenure, indicating the benefits of client-specific knowledge that is acquired over the years. Such benefits may outweigh the risks of familiarity and complacency threats.

Better Disclosure

The famous maxim that sunlight is the best disinfector may apply here as well. Specifically, in many countries publicly listed firms are now required to provide disclosures of fees paid to the external auditor. Moreover, such disclosures should distinguish between audit and nonaudit fees. This information enables shareholders and potential investors to assess the degree to which economic dependence is a threat. Academic research also seems to indicate that investors use this information: where the disclosed economic bond is low, the cost of capital is low.11 Nevertheless, this disclosure does not go far enough in many countries. In particular, there is no widespread requirement for or practice of disclosing the names of the leading partners who sign the audit opinion. This leads to reduced accountability because shareholders and investors cannot easily assess a partner’s quality.

Market Forces

In a market populated by several auditors, reputation concerns may be a powerful force. Loss of reputation can easily lead to the demise of an audit firm, as was witnessed with Arthur Andersen in the Enron debacle. Free-market enthusiasts therefore may argue that there is only limited scope for regulation. This is doubtful, because in the absence of regulation the market can engage in a “race to the bottom” through tacit collusion and no fear of penalties. The other market force that can enhance auditor independence is litigation by shareholders of the external auditor. Fear of the cost of litigation may discipline auditors and force them to adhere to high audit standards to avoid such litigation in the first place, or to reduce its impact once litigation is under way. Yet it is not clear how powerful this force is. Auditors can pass on to clients the cost of damages they have to pay, as long as these are not colossal and as long as the client is still financially viable. More importantly, economic theory tells us that auditors will weigh the likely benefits of pleasing clients against the probable cost of litigation. It is not clear, therefore, that the balance will always be on the side of litigation.

Corporate Governance Mechanisms

The adoption of good corporate governance mechanisms by a client firm can help to increase auditor independence by reducing the scope for conflict between auditors and managers. For example, employing proper compensation schemes that reduce incentives to manage earnings will reduce the incentive to compromise auditor independence. SOX has taken an important step in this direction by threatening to impose criminal charges against managers who provide misleading information to auditors.

52

NEW INSIDE PAGES FINAL copy.indd 52

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies In addition, setting in place a strong and independent audit committee overseeing the auditor nomination process can help to reduce independence problems. Following the nomination, ensuring that the external auditor can meet and communicate with the members of the audit committee directly, without manager intervention or oversight, can further lift obstacles to independence. However, many firms are effectively controlled by powerful CEOs who select members of the board that are loyal to him or her. In such an environment, the threat to auditor independence may be quite significant.

Monitoring the Auditors Auditors scrutinize their clients, but who monitors the auditors, and is it effective? Both in the United Kingdom and United States regulation now requires that auditors’ work is examined by professional and independent bodies. This is done as part of an overall effort to increase independence through the threat of enforcement action. In the United Kingdom this is carried out by the Audit Inspection Unit (AIU), which is part of the Professional Oversight Board (POB; an arm of the Financial Reporting Council). In the United States the task is delegated to the Public Companies Accounting Oversight Board (PCAOB). One of the declared aims of the AIU is to provide “monitoring of the quality of the auditing function in relation to economically significant entities.”12 The AIU tends to focus on large auditors and specific areas of concern. For example, the work plan for 2010/11 states that “The AIU will monitor and report on the quality of audits, based on the reviews of some 100 audits, of which the majority will relate to the largest audit firms, focusing on areas relating to segmental reporting, revenue recognition and fraud, and will continue to focus on going concern, fair value accounting estimates, asset impairments and compliance with ethical standards.”13 In the United States the PCAOB replaces a peer-review function that was performed by members of the American Institute of Certified Public Accountants (AICPA). The PCAOB’s mission is “to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports” (emphasis added).14 The AICPA reviews were conducted by practicing auditors. The PCAOB’s reviews are conducted by independent professionals. DeFond (2010) argues that this represents a tradeoff between industry expertise (under the AICPA) and independence of the review process (under the PCAOB). It is not clear therefore that the PCAOB is more effective in increasing independence and, in turn, audit quality. There is not much evidence on this issue, but a recent paper by Lennox and Pittman (2010) fails to establish that the new review process is informative with respect to audit quality.

53

NEW INSIDE PAGES FINAL copy.indd 53

13/02/2012 12:58

Effective Auditing for Corporates Summary Maintaining auditor independence has benefits, while violating auditor independence carries some costs. In this chapter I described these benefits and costs. I then highlighted several main threats to auditor independence. I also reviewed possible solutions and critically assessed them. The main conclusion is that, notwithstanding the adoption of some of these solutions by new regulations, many of the threats to auditor independence are still very potent. Based on the above analysis, I would recommend the following measures that I believe can most effectively enhance auditor independence. 8  Shift the auditor nomination process to a panel of members of audit committees and major shareholders. An independent audit committee should have the expertise and inside knowledge required to find a good match with the external auditor. A panel that also includes shareholders is more likely to make informed decisions that are in the interest of shareholders. In a company with a dispersed shareholding, it will make sense to ask major shareholders to participate, as their motivation is stronger. 8  Increase the financial and criminal penalties for managers who sign misleading reports. SOX has already done this, but it is not a universally accepted approach. The threat of individual persecution will increase managers’ incentives to cooperate with external auditors. This, in turn, would reduce conflicts and threats of dismissal. 8  Require disclosure of audit and nonaudit fees as well as the identities of signing partners. Currently, this is not required everywhere. Disclosure enhances investors’ ability to judge whether independence is at risk. Furthermore, disclosure should be required of the number of hours worked, and billed, by the external auditor to further help third parties to assess audit quality. 8  Make fees partially contingent on whether or not published accounts are subsequently corrected. This will provide a more direct link between audit quality and pay and will reduce litigation cost at the same time. Like managerial compensation, which is often linked to performance, auditors will have stronger incentives to exert the right amount of effort and not succumb to pressure by clients.

More Info Book: Carey, J. L. “The new pressures on the CPA.” In Symposium for Educators. Washington, DC: Ernst & Ernst, 1967; pp. 11–22. Articles: Amir, Eli, Yanling Guan, and Gilad Livne. “Auditor independence and the cost of capital before and after Sarbanes–Oxley: The case of newly issued public debt.” European Accounting Review 19:4 (2010): 633–664. Online at: dx.doi.org/10.1080/09638180903503986 Ashbaugh, Hollis, Ryan LaFond, and Brian W. Mayhew. “Do non-audit services compromise auditor independence? Further evidence.” Accounting Review 78:3 (July 2003): 611–639. Online at: dx.doi.org/10.2308/accr.2003.78.3.611

54

NEW INSIDE PAGES FINAL copy.indd 54

13/02/2012 12:58

Threats to Auditor Independence and Possible Remedies Brandon, Duane M., Aaron D. Crabtree, and John J. Maher. “Non-audit fees, auditor independence, and bond ratings.” Auditing: A Journal of Practice and Theory 23:2 (September 2004): 89–103. Online at: dx.doi.org/10.2308/aud.2004.23.2.89 Chung, Hyeesoo, and Sanjay Kallapur. “Client importance, non-audit services and abnormal accruals.” Accounting Review 78:4 (October 2003): 931–955. Online at: dx.doi.org/10.2308/accr.2003.78.4.931 DeFond, Mark L. “How should the auditors be audited? Comparing the PCAOB Inspections with the AICPA Peer Reviews.” Journal of Accounting and Economics 49:1–2 (February 2010): 104–108. Online at: dx.doi.org/10.1016/j.jacceco.2009.04.003 DeFond, Mark L., and K. R. Subramanyam. “Auditor changes and discretionary accruals.” Journal of Accounting and Economics 25:1 (February 26,1998): 35–67. Online at: dx.doi.org/10.1016/S0165-4101(98)00018-4 Dhaliwal, Dan S., Cristi A. Gleason, Shane Heitzman, and Kevin D. Melendrez. “Auditor fees and cost of debt.” Journal of Accounting, Auditing and Finance 23:1 (January 2008): 1–22. Online at: dx.doi.org/10.1177/0148558X0802300103 Europa. “Fourth Directive: Annual accounts of companies with limited liability.” Fourth Council Directive 78/660/EEC. July 25, 1978. Online at: tinyurl.com/896ky8x Europa. “Seventh Directive: Consolidated accounts of companies with limited liability.” Seventh Council Directive 83/349/EEC. June 13, 1983. Online at: tinyurl.com/7a2twu6 Khurana, Inder K., and K. K. Raman. “Do investors care about the auditor’s economic dependence on the client?” Contemporary Accounting Research 23:4 (Winter 2006): 977–1016. Online at: dx.doi.org/10.1506/D171-8534-4458-K037 Kim, Jeon-Bon, and Cheong H. Yi. “Does auditor designation by the regulatory authority improve audit quality? Evidence from Korea.” Journal of Accounting and Public Policy 28:3 (May–June 2009): 207–230. Online at: dx.doi.org/10.1016/j.jaccpubpol.2009.04.006 Larcker, David F., and Scott A. Richardson. “Fees paid to audit firms, accrual choices, and corporate governance.” Journal of Accounting Research 42:3 (June 2004): 625–658. Online at: dx.doi.org/10.1111/j.1475-679X.2004.t01-1-00143.x Lennox, Clive. “Do companies successfully engage in opinion shopping? Evidence from the UK.” Journal of Accounting and Economics 29:3 (June 2000): 321–337. Online at: dx.doi.org/10.1016/S0165-4101(00)00025-2 Lennox, Clive, and Jeffrey Pittman. “Auditing the auditors: Evidence on the recent reforms to the external monitoring of audit firms.” Journal of Accounting and Economics 49:1–2 (February 2010): 84–103. Online at: dx.doi.org/10.1016/j.jacceco.2009.04.002 Mayhew, Brian W., and Joel E. Pike. “Does investor selection of auditors enhance auditor independence?” Accounting Review 79:3 (July 2004): 797–822. Online at: dx.doi.org/10.2308/accr.2004.79.3.797 Myers, James N., Linda A. Myers, and Thomas C. Omer. “Exploring the term of the auditor– client relationship and the quality of earnings: A case for mandatory auditor rotation?” Accounting Review 78:3 (July 2003): 779–800. Online at: dx.doi.org/10.2308/accr.2003.78.3.779 Ruddock, Caitlin, Sarah J. Taylor, and Stephen L. Taylor. “Non-audit services and earnings conservatism: Is auditor independence impaired?” Contemporary Accounting Research 23:3 (Fall 2006): 701–746. Online at: dx.doi.org/10.1506/6AE8-75YW-8NVW-V8GK Zeff, Stephen A. “How the U.S. accounting profession got where it is today: Part I.” Accounting Horizons 17:3 (September 2003): 189–205. Online at: dx.doi.org/10.2308/acch.2003.17.3.189

55

NEW INSIDE PAGES FINAL copy.indd 55

13/02/2012 12:58

Effective Auditing for Corporates Reports: Auditing Practices Board. “Ethical standards.” Online at: www.frc.org.uk/apb/publications/ethical.cfm Websites: Auditing Practices Board (APB; UK): www.frc.org.uk/apb Audit Inspection Unit (AIU; UK): www.frc.org.uk/pob/audit Professional Oversight Board (POB; UK): www.frc.org.uk/pob Public Company Accounting Oversight Board (PCAOB; US): pcaobus.org

Notes 1. In the United States the audit committee and board of directors are now responsible for selecting the external auditor. Nevertheless, powerful CEOs can influence the selection process, especially when the directors are not independent. 2. In the following brief historical review of scandals in the United States I draw on Zeff (2003). 3. In the United States this requirement was first introduced by the New York Stock Exchange in 1933. Requiring that certified public accountants (CPAs) carry out the audit became statutory in the Securities Exchange Acts of 1933 and 1934, following the financial crisis in 1929–33. Interestingly, many of the firms listed on the Exchange audited their statements voluntarily (Zeff, 2003) prior to these requirements. 4. See, for example, Brandon, Crabtree, and Maher (2004); Khurana and Raman (2006); Dhaliwal et al. (2008). 5. This, in turn, can further reduce the cost of capital (Amir, Guan, and Livne, 2010). 6. In particular, APB Ethical Standard 1 (revised December 2010). 7. Such financial interest is disallowed in most countries. Nevertheless, from a theoretical point of view, allowing the auditor to be a shareholder in the audited firm may better align his interest with that of other shareholders. This may carry the benefit that the auditor-shareholder is incentivized to perform the audit task diligently. 8. Arguably, the restrictions in the United States are the harshest. In the United Kingdom nonaudit services are not prohibited. The UK Corporate Governance Code requires audit committees to develop the company’s policy on the engagement of the external auditor to supply nonaudit services. Ethical Standard 5 of the UK Auditing Practices Board requires the external auditor to assess the extent to which the provision of nonaudit services results in conflict of interest. 9. US Securities and Exchange Commission. “Litigation release no. 17039/June 19, 2001. Accounting and auditing enforcement release no. 1410/June 19, 2001.” Online at: www.sec.gov/litigation/litreleases/lr17039.htm 10. Modified from Securities and Exchange Commission. “17 CFR parts 210, 240, 249 and 274…Strengthening the Commission’s requirements regarding auditor independence.” Modified March 27, 2003. Online at: www.sec.gov/rules/final/33-8183.htm 11. See, for example, Brandon, Crabtree, and Maher (2004) and Amir, Guan, and Livne (2010) for the link between economic bond and the cost of debt. 12. Professional Oversight Board: www.frc.org.uk/pob 13. Financial Reporting Council. “Plan 2010/11.” June 2010. Online at: tinyurl.com/7x4do9r [PDF]. 14. PCAOB web page “Mission, structure and history”: pcaobus.org/About/History/Pages/default.aspx

56

NEW INSIDE PAGES FINAL copy.indd 56

13/02/2012 12:58

The Market for External Audit Services: The Demand for Audits, Audit Production, Audit Firm Strategy and the Market for Audit Inputs1 by David Hay,a Monika Causholli,b Michael De Martinis,c and W. Robert Knecheld University of Auckland Business School, New Zealand University of Kentucky, Lexington, USA c Monash University, Victoria, Australia d University of Florida, Gainesville, USA a

b

This Chapter Covers 8 The extensive body of research on audit markets, fees, and production. 8  We present a model of the components that determine audit fees and production. 8 Overall, knowledge is concentrated on certain aspects of the model and little is known about some important areas, including the labor market for the factors of audit production. However, there is extensive research on audit fees, although there are limitations to what is known. The research to date also omits certain elements of the audit market and audit production. 8  Some overall conclusions are presented concerning the current understanding of audit markets developed in existing research, and directions are suggested for future research.

Introduction

The market for audit services provides many opportunities for research that enhances our understanding of why and how audits are done. Aspects of this market, including audit fees and production, have received a great deal of attention from researchers, practitioners, and regulators since the 1970s. This chapter provides an overview for managers of the research that links the demand for auditing, audit production, audit firm strategies, and the market for auditing inputs. Even when there were eight dominant international audit firms (rather than the four that currently exist—i.e. the Big 4: Deloitte, KPMG, Ernst & Young, and PricewaterhouseCoopers), regulators were concerned about competition in the audit market. This interest in audit markets has spurred a large body of research that examines various aspects of audit contracting, audit pricing, and audit production, commencing with the influential studies on audit fees by Dan Simunic. The continual evolution of audit practices, restructuring of the big audit firms, and significant changes in the regulation of auditing have caused many researchers to explore these issues over the past three decades. Much of this research has addressed issues related to the factors that determine how high audit fees are, while a smaller body of research has examined audit production (effort). Together, researches on fees and production are important because of what they may be able to tell us about the quality of audits. We present an integrated model of the market for audit services to derive some overall conclusions concerning our current understanding of audit markets and to suggest some directions for future research.

57

NEW INSIDE PAGES FINAL copy.indd 57

13/02/2012 12:58

Effective Auditing for Corporates Overview of the Audit Market and its Components

Figure 1 presents an overview of the market for audit services. A number of important elements of this market are identified. The focal point, given the large body of previous research, is audit fees. Audit fees have been widely examined because they reflect a complex interdependence between the demand for audits and assurance (users), the structure of the audit market (market conditions), the nature of the audit firm (firm marketing and strategic positioning), and the actual cost of delivering an audit (process cost). The examination of audit fees has shed light on many issues, such as independence and governance, as well as on the competitive structure of the market for audit services. Further, the cost of conducting an audit depends on the factors of production needed to service a specific client. The primary factor of production in an audit is professional labor. Although audit methodologies are increasingly utilizing information technology in the audit process, IT leads to a change in the skill sets required rather than reducing the extent to which labor is important. The extent (and type) of labor resources needed for an engagement depend on the characteristics of the client, the audit firm’s methodology and technology, and the cost of the factors of production, which is partially determined in a separate marketplace. Figure 1. An integrated overview of audit markets and related participants. (Source: Causholli et al., 2010)

Firm technology

Factors of production

The firm

Process cost

Firm market strategy

Audit fees

Factor market

Market conditions

Client attributes

Audit service market

Market conditions

Report Users

Figure 1 shows how all these attributes of the client, the auditor, and the market impact the audit (and its size, which impacts the audit fee), and thus the audit opinion issued. We begin our discussion by focusing on the link between production cost and fees. This is a natural starting point because the earliest research on audit fees assumed that fees were a function of auditor effort (i.e. labor hours and, therefore, costs). An auditor’s cost function consists of two components: direct production costs, and an allowance for any losses that may accrue to the auditor if the client company fails. Researchers developed the classic audit fee model, which linked fees directly to the attributes of the client, effectively bypassing the factors of production shown in Figure 1. As a result, the audit fee model incorporates the implicit—but generally unstated—

58

NEW INSIDE PAGES FINAL copy.indd 58

13/02/2012 12:58

The Market for External Audit Services assumption that client attributes are effective proxies for the factors of production and process cost. That is, studies using the audit fee model assume that client size, risk, and complexity will measure what the audit fee is likely to be. An extremely large body of literature has been generated from the audit fee model. We know that there is a large range of drivers of audit fees. Researchers have included more than 180 different independent variables classified into three broad categories: 8 client attributes; 8 auditor attributes; 8 engagement attributes. Client attributes have the most substantial impact on fees, with size being the most significant in nearly all studies. Complexity measures (for example, number of subsidiaries and extent of foreign activities) and inherent risk (i.e. items that require special audit procedures such as inventory and receivables) are positively related to audit fees, while auditee profitability is negatively related. The auditor attributes that have been examined primarily include measures of auditor quality. The results strongly support the observation that audits done by the largest international firms are associated with higher audit fees. Auditor specialization has also been found to have a significant positive effect, but the evidence is mixed as to whether this effect is due to specialization in national or local offices, or a combination of both. Engagement attributes include the existence of audit problems—for example, issuing an audit opinion that was other than “clean.” Overall, results show that modified opinions have a positive effect on fees, but most of the evidence on this point dates from research done prior to 1990. Improved governance through more active directors or audit committees is positively related to audit fees, one person holding the combined offices of CEO and chairman is not significantly related to audit fees, and operating in a regulated industry is negatively related to audit fees (i.e. an audit fee discount prevails). Evidence has also shown that the Sarbanes–Oxley Act of 2002 (SOX) in the United States led to substantial increases in audit fees.

Audit Production

Production refers to the process by which inputs are transformed into outputs. In the case of an audit, an auditor’s effort—the type of labor and the time expended—is transformed into assurance about the financial statements, i.e. reduction in the residual risk of material misstatement. Audit production has received much less attention in the literature than audit fees, mainly because of a dearth of direct measures of audit inputs (auditor effort) and outputs (achieved level of assurance). Although audit fees are often available as public data, analysis of audit production requires internal data (e.g. labor hours) from accounting firms, and researchers have historically had limited access to data on labor hours. In spite of these limitations, the scarce studies on audit production have provided valuable insight into the audit process. As is the case for audit fees, client size (e.g. total assets, sales) is the most important factor that affects the total labor utilized in an engagement. However, the effect of

59

NEW INSIDE PAGES FINAL copy.indd 59

13/02/2012 12:58

Effective Auditing for Corporates size is not a direct correlation, but rather a functional relationship. Other attributes that influence auditor effort are client risk and complexity. In general, increased complexity is associated with an increase in total hours across most ranks. Some factors that relate to client complexity include: the operations of the company, the number of subsidiaries, geographic dispersion of clients’ operations, and the proportion of foreign assets. In terms of client risk, previous research has examined the effect of inherent risk, control risk, and fraud risk. The research indicates that, overall, higher risk requires more labor resources. However, it is important to distinguish between the risk metrics because of their differential effect on the various components of labor. Beyond risk and complexity, other client and engagement attributes have been shown to influence audit effort, including the client’s industry, client assistance in preparing documentation, auditor tenure, provision of nonaudit services, number of reports issued, busy season, type of audit opinion, and the extent of interim work. For example, client industry can influence audit effort—audits of financial service firms consume fewer labor resources, possibly because they have significantly better controls than firms in other industries, and possibly due to regulation. Considering auditor tenure, it is argued that an auditor incurs significant costs during the early years of an engagement to gain knowledge about the client’s business and financial reporting system, so repeat engagements should have lower production costs. This suggests a negative relationship between auditor tenure and audit labor. Despite the intuitive appeal of this argument, research has found either an insignificant or a positive relationship between auditor tenure and audit hours, suggesting a lack of learning since auditors do not become more efficient with more client-specific experience. A related stream of research examines whether audits are produced efficiently by comparing proxies for an audit’s inputs and outputs. Generally, an efficient audit would be one that uses the minimum number of inputs (resources) for a given level of output, or produces the maximum output for a given level of inputs, given the production technology available. Overall, results show that most audit engagements are performed relatively efficiently, with reported efficiency scores well above 80% (where 100% is the most efficient). Figure 1 also highlights that audit production depends on the technology used by the audit firm and the audit process. Very little research is available on how different audit technologies affect audit production. One problem with examining the relative effectiveness and efficiency of audit technologies is that researchers usually have access to data concerning a single firm using a standardized methodology for a single time period. However, one study examines how audit production changed as one firm moved from a traditional audit approach in the early 1990s to a risk-based approach in the early 2000s. Using a risk approach, auditors formulate a composite risk measure—auditor business risk—which incorporates client business risk, risk of material misstatement, and auditor litigation risk. Business risk audits use a greater proportion of high-level (partner, manager) labor than a traditional audit approach.

60

NEW INSIDE PAGES FINAL copy.indd 60

13/02/2012 12:58

The Market for External Audit Services To summarize, research that examines audit production shows that the factors driving audit hours are often the same as those driving audit fees, with client size, risk, and complexity being the most important factors that impact audit effort. However, collective evidence in this area suggests that the effects vary from client to client and are highly dependent on whether labor is analyzed in total or separately by rank. For example, given the mixed results for the effect of risk on audit labor, it is important to understand how an increase in client risk could affect auditor effort across ranks. In addition, this line of research has not been able to consistently document a learningby-doing effect that is common in many other industries and services. Additional research to understand why learning does not seem to occur in auditing is an important extension in this line of research.

Audit Firm Market Strategy and Audit Fees

Audit fees are likely to be influenced by an audit firm’s strategy for increasing its market share and obtaining new clients. Starting in 1979, when the US Federal Trade Commission forced the accounting profession to relax its prohibitions against advertising and solicitation, accounting firms have become much more aggressive about pursuing new clients. Audits can be viewed as a bundle of services over time (multiperiod engagements) and across activities (nonaudit services, or NAS). The nature of this bundling has a direct influence on how audits are marketed and priced. Empirical evidence supports the existence of three main marketing/strategic approaches used by audit firms to attract and capture new clients: 8 lowballing (when the audit fee charged to a new client is well below that charged by the client’s previous auditor); 8 value-adding through the provision or bundling of additional NAS; 8 industry specialization to differentiate audit quality. Lowballing is a commonly used technique and often involves offering an audit fee to a potential new client that is well below what the client was paying its previous auditor and may even be below the auditor’s actual cost. Lowballing has long been established in the literature as a strategy to attract and capture new clients. While there are a few exceptions, most empirical research has observed that audit fees are significantly lower immediately following a change of auditors. Possible drivers of such discounting include client attributes (size, risk, and profitability) and type of auditor (Big 4 audit firm or non-Big 4 audit firm). As expected, the initial audit fees of the Big 4 are higher than those of the non-Big 4, and the extent of the audit fee discounting is greater for non-Big 4 audit firms. Other research has shown that both auditor type and the type of auditor change impact audit fee discounting: less audit fee discounting is observed in the Big 4 market, where there is less competition (i.e. it is oligopolistic) and when the change of audit firm is a “market upgrade” (i.e. non-Big 4 to Big 4). A significant impact on the audit market was the recent passage of SOX in the United States. The additional workload required of auditors—for example, reporting on internal controls (combined with the demise of Arthur Andersen)—may have created a lack of capacity in the market for audit services post-SOX. Overall, results reveal that while small and large audit firms discounted initial audit fees in the pre-SOX period, only small audit firms are found to offer initial discounts in the post-SOX period.

61

NEW INSIDE PAGES FINAL copy.indd 61

13/02/2012 12:58

Effective Auditing for Corporates Another potential audit firm marketing strategy is to increase revenues by expanding the scope of services available to clients by packaging new services with the financial report audit. This so-called joint provision of audit and nonaudit services may lower audit fees as the auditor utilizes knowledge gathered from the provision of NAS to conduct a more efficient audit. On the other hand, it is argued that the provision of NAS may harm auditor independence, particularly when the proportion of NAS fees generated relative to audit fees is of such a magnitude that the fear or threat of losing the NAS fees outweighs the provision of a quality audit service. These two opposing arguments help to explain why research examining the relationship between the provision of NAS and audit production (efficiency) and audit quality (effectiveness) provides mixed and inconclusive results. Audit firms also can attract new clients or generate higher fees by differentiating their services through industry specialization. Differentiation in this context is often interpreted as adding value by supplying a higher-quality audit service that meets client and investor demand for improved financial reporting. An advantage of this strategy is that the audit firm is able to increase its bargaining power with current and potential clients, resulting in the charging of an audit fee premium relative to nonindustry specialist audit firms. This leads to an increase in reputation that serves as a “bond” for supplying such higher-quality audits. In theory, the reputation gained reinforces a positive feedback cycle whereby an industry specialist gains a competitive advantage and greater market power which, in turn, supports the charging of an audit fee premium. Consequently, industry specialization allows for price differentiation across otherwise similar clients. In summary, the research on audit firm market strategy and audit fees has examined three issues, namely, lowballing, “loss-leader” pricing through the joint provision of audit services and NAS, and industry specialization. Results show that whereas the first two strategies are associated with audit fee discounting, the third strategy is associated with audit fee premiums. However, across all three issues there are somewhat mixed results, warranting further research (for example, on the impact of new regulation such as SOX). Auditor specialization, in particular, remains an interesting area for further research given that its association with audit fee premiums appears to be conditional on the type of market examined and on the way specialization is measured.

Market Conditions and Audit Fees

The structure of audit markets is also highly relevant to audit pricing. Overall, market conditions such as concentration and regulation can influence audit fees. Numerous efforts have been undertaken to investigate the effect of market concentration on auditor competition. The market has generally been found to be competitive, though highly and increasingly concentrated. The market for audit services is highly concentrated in some markets (for example, that consisting of companies listed in the United States), and this has increased as the Big 8 have become the Big 4. Over time, this has raised concerns that clients have too few choices and audit firms may have too much pricing power over clients, potentially resulting in economic rents accruing to the benefit of the auditor. However, fewer competitors can lead to increased competition if individual suppliers are aggressive

62

NEW INSIDE PAGES FINAL copy.indd 62

13/02/2012 12:58

The Market for External Audit Services (i.e. a so-called Bertrand competition) or search costs are reduced, with a reduction in the number of options that need to be considered. This theory has often been supported by studies into the effects of accounting firm mergers, which have frequently found that although concentration has increased, competition also increases when there are fewer very large audit firms. An important issue related to market concentration is the potential for self-selection by audit clients. That is, because some companies have more complex audits, they are more likely to select larger, more experienced or better-capitalized auditors, typically one of the “Big” firms, which could influence the magnitude of audit fees. They may also be more likely to choose industry-specialist auditors. A few studies have examined the issue of self-selection, arguing that clients choosing Big 4 auditors may be systematically different from those that do not. Arguments have been presented that the “Big” firms are not necessarily higher quality, but simply are specialized in auditing certain types of clients, especially larger, more complex clients. Auditing standards can also have a significant effect on audit fees because they have become increasingly complex, often resulting in increased auditor effort and documentation. As a result, new standards that influence the audit process are expected to result in higher audit fees. This effect was most strongly observed with the issuing of new auditing standards in 1987 (in the United States) and with the introduction of SOX. Preliminary evidence suggests that the introduction of the International Financial Reporting Standards (IFRS) is also associated with increased audit fees. These results all suggest that increases in regulatory complexity are associated with higher fees. On the other hand, there has also been a trend toward deregulation in some aspects of the audit profession (for example, removing regulations that restricted advertising and solicitation). Such deregulation was expected to lead to greater competition among audit firms and lower audit fees. Regulation that increases competition, such as the introduction of compulsory tendering, has also been followed by lower audit fees. More specifically, deregulation to allow advertising leads to higher audit fees, but direct solicitation leads to lower audit fees. Variations in investor protection and regulatory oversight regimes, including the extent of liability, can also influence audit fees and production. Studies show that that the higher a country’s legal liability for auditors, the higher are the audit fees; that Big 4 firms charge higher fees in a given a liability setting; and that the Big 4 premium is smaller when liability is higher. The last result—that the “Big” firms are not able to charge such a high premium in settings with higher liability—is particularly pertinent because it suggests that the Big 4 already provide higher-quality audits and so have less need to increase the quality of their work in circumstances where they are exposed to greater litigation risk. Overall, regulation (and deregulation) make a difference to the overall level of audit fees. As regulation has become more complex and varied across different jurisdictions, there is considerable opportunity for research that examines the varying effects of different forms of regulation.

63

NEW INSIDE PAGES FINAL copy.indd 63

13/02/2012 12:58

Effective Auditing for Corporates Audit Fees and Audit Production

There are numerous implications for interpreting previous research and designing future research that are highlighted by adopting an integrated view of the literature. One question that comes to mind is whether audit fees actually provide a reasonable proxy for audit production. Audit fees are obviously the result of a very complex process and interactions among various components of the audit market. Of necessity, a singleequation estimation of audit fees ignores or simplifies many of the links in Figure 1. This approach has provided some useful and important insights into auditing, but it also has some serious limitations. For example, the production-based view embedded in audit fee models abstracts from demand and implicitly assumes that auditors are efficient and provide a homogeneous, yet unobservable, product. If auditors are systematically inefficient, or if demand is admitted to the analysis, then higher audit fees can be attributed to higher production costs or a higher demand for auditing, and the explanations cannot be readily disentangled in a single-equation model. Further, if audit demand can influence audit fees (which arguably is a reasonable economic assumption), then auditor pricing power also becomes an issue, adding a third potential explanation for higher audit fees—namely, rent-seeking behavior on the part of auditors. Summary This chapter provides an overview of empirical research related to audit markets, fees, and production. The overall perspective in Figure 1 highlights areas that have been subject to extensive research, and we have summarized what is known—or not known—in those areas. Without a doubt, the largest body of literature applies to the drivers of audit fees. However, as emphasized in this chapter, what we know about audit fees is conditioned on some stringent assumptions about audit markets and production that may not hold in today’s audit markets and may conflict with other aspects of audit research incorporated in Figure 1. We also have a relatively well developed understanding of audit production and efficiency in individual firms, and audit firm market strategies pertaining to lowballing, nonaudit services, and industry specialization. The remaining issues available to audit researchers are large and robust. They include the impact of recent major regulatory changes, and proposals being considered in jurisdictions around the world, more advanced approaches to the audit fee research, and deeper examination of audit production. However, future progress may depend on new theories, methods, and data, and an ability to integrate previous research with what will follow. Researchers themselves can address some of the issues related to new theory and methods. Economics, psychology, sociology, and anthropology all present theoretical developments which can fuel future research on auditing. Statistical methods are always being improved and provide increasingly powerful tests. Data have been, and will likely continue to be, a problem for many researchers, at least for large-scale empirical analyses. However, improvements in data gathering and measurement technology (e.g. text analysis) will provide new data in the future. Two other potential solutions are already presenting themselves with the increase in international audit research and a growing acceptance of field research. Finally, integration of research

64

NEW INSIDE PAGES FINAL copy.indd 64

13/02/2012 12:58

The Market for External Audit Services across the components and participants of the audit market should increasingly be a goal of audit research. In other professional disciplines, evidence-based practice has become increasingly important, and this has been found to be facilitated by systematic reviews of research literature (for example, that by the Cochrane Collaboration in medicine or the Campbell Collaboration in criminology). Future advances might utilize blended research methods where survey, field study, or experimental methods are combined with the empirical/archival methods that have been most prevalent in previous research, facilitating a broader view of audit research and increasing our understanding of audit markets, fees, and production.

More Info Book: Knechel, W. Robert, Steve Salterio, and Brian Ballou. Auditing: Assurance and Risk. South-Western, 2007. Articles: Causholli, Monika, Michael De Martinis, David Hay, and W. Robert Knechel. “Audit markets, fees and production: Towards an integrated view of empirical audit research.” Journal of Accounting Literature 29 (2010): 167–215. Online at: papers.ssrn.com/sol3/papers.cfm?abstract_id=1768199 Hay, David C., W. Robert Knechel, and Norman Wong. “Audit fees: a meta-analysis of the effect of supply and demand attributes.” Contemporary Accounting Research 23:1 (2006): 141–191. Online at: dx.doi.org/ 10.1506/4XR4-KT5V-E8CN-91GX Simunic, Dan A. “The pricing of audit services: Theory and evidence.” Journal of Accounting Research 18:1 (1980): 161–190. Simunic, Dan A. “Auditing, consulting, and auditor independence.” Journal of Accounting Research 22: 2 (1984): 679–702. Website: Center for Audit Quality: thecaq.org

Notes 1. This chapter is a shorter version of an article by the same authors in the Journal of Accounting Literature.

65

NEW INSIDE PAGES FINAL copy.indd 65

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 66

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department by Bonita K. Peterson Kramer a and Hugh D. Pforsichb a b

California State University, Sacramento, USA Montana State University, Bozeman, USA

This Chapter Covers 8 Reasons for establishing an internal audit department. 8 Finding an appropriate director. 8 Developing the charter and mission. 8 Staffing the internal audit department. 8 Determining the department’s overall strategy. 8 Using a risk-based assessment framework to determine the department’s scope. 8 Assessing the internal audit department’s effectiveness.

Further, this chapter discusses the process followed by The Schwan Food Company as it established its internal audit department.

Introduction

The internal audit department is a critical part of corporate governance. It helps top management and the audit committee meet their governance responsibilities in many ways, including by providing: systematic analyses of business processes and related controls; an unbiased evaluation of existing risk within the company; evaluations of the accomplishment of company goals; reviews of financial and operational performance; recommendations for internal control improvements and increased efficiency and effectiveness in resource use; 8 a preventive and detective presence regarding fraud. 8 8 8 8 8

The demand for internal auditing services has skyrocketed with two events in the past decade. First, Section 404 of the Sarbanes–Oxley Act (SOX) of 2002 mandated public companies to include with their annual report an internal control report that contains an assessment by management of the effectiveness of the company’s financial reporting internal control system. Internal auditors have the technical expertise and professional objectivity to assist in this assessment process. Second, the New York Stock Exchange required all listed companies to “maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control” by October 31, 2004. But the benefits of an internal audit department aren’t unique to public companies. They are also applicable to private companies, as well as governmental and nonprofit entities.

69

NEW INSIDE PAGES FINAL copy.indd 69

13/02/2012 12:58

Effective Auditing for Corporates Indication of the phenomenal growth in demand for internal audit services can be at least partially measured by the increase in members of the Institute of Internal Auditors (IIA), a global organization headquartered in Altamonte Springs, Florida, USA, as well as by the number of individuals achieving the professional certification in this field. The IIA reports that, as of April 2005, it welcomed its 100,000th member, and by October 2011 its membership had grown to more than 170,000. Further, in May 2005 the IIA awarded the Certified Internal Auditor (CIA) credential to 50,000 individuals, and doubled that number to 100,000 CIAs by March 2011. If you are wondering how to establish an effective internal audit department, The Schwan Food Company did just that with the help of G. Randolph Just when he was the chief audit executive (CAE) at the company. Randy was a coauthor on our original article on this topic, which appeared in Strategic Finance in April 2006 (Pforsich, Peterson Kramer, and Randolph Just, 2006). Sadly, Randy passed away unexpectedly in January 2006. He added a tremendous amount to the body of knowledge on establishing an effective internal audit department and his contributions to the profession are sorely missed.

History of The Schwan Food Company The Schwan Food Company began in 1952 with one man and one truck. Marvin Schwan, the founder, was the son of German immigrants who came to the United States in 1920. He and his parents ran a creamery in Marshall, Minnesota, but were having trouble making ends meet. Marvin discovered that, because of government pricing structures, he could sell ice cream for a few cents more in Yellow Medicine County, immediately north of Marshall. On March 18, 1952, he borrowed some dry-ice bags and, with a used 1946 Dodge panel van, he headed north with 14 gallons of ice cream. He knocked on farmhouse doors and sold all the ice cream. The next day he did the same thing again. Now, 59 years later, Schwan has gone from one man and one truck to 6,000 drivers in the home delivery part of the business, which constitutes approximately 40% of the company’s total revenues. In addition to home delivery, Schwan’s primary business units have grown to include its global consumer brands and its food services group. The global consumer brands manufactures, markets, and delivers frozen foods to grocery, warehouse, club, and convenience stores across the country. The food services group manufactures, markets, and distributes value-added frozen food products to public and private schools, universities, healthcare facilities, convenience stores, and chain restaurants. Today the company’s workforce consists of approximately 17,000 people.

Why Establish an Internal Audit Department?

The motto of the internal audit department (IAD) at Schwan is “advancing the business.” There are numerous ways in which internal auditors can help to accomplish that objective. First, an effective IAD can help a company to reach its goals by helping management to improve controls, business processes, and business risk management. Second, internal auditors serve a critical role as part of the corporate governance structure by ensuring that the company achieves its objectives in an ethical, legal, and well-governed manner.

70

NEW INSIDE PAGES FINAL copy.indd 70

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department Third, internal auditors help in the battle against fraud. In 2010, the Association of Certified Fraud Examiners (ACFE) obtained data on 1,843 recent fraud cases totaling more than US$18 billion in losses. In the resulting 2010 “Report to the nations on occupational fraud and abuse” the ACFE stated that approximately 66% of the victim organizations in its study had an internal audit function and that those organizations suffered a median fraud loss of US$145,000 compared to median losses of US$209,000 for companies without internal audit departments. This result is similar to the ACFE’s four earlier studies conducted every two years since 2002 (Figure 1). Figure 1. ACFE “Report to the nations” estimates

50,000

0

$209,000

$218,000

2002 (n = 663) 58%

2004 (n = 508) 57%

$145,000

$118,000

$120,000

$80,000

100,000

$130,000

$153,000

150,000

$87,500

Median fraud loss ($US)

200,000

$250,000

250,000

Internal audit dept present No internal audit dept

Key to x-axis: Year is year of ACFE report to the nations n = number of cases studied % = percentage of victim organizations with internal audit department

2006 (n = 1,134) 59%

2008 (n = 959) 56%

2010 (n = 1,843) 66%

The Association of Certified Fraud Examiners The Association of Certified Fraud Examiners (ACFE) was established in 1988 in Austin, Texas. It is the world’s largest anti-fraud organization, currently with approximately 55,000 members worldwide, and is considered by many to be the premier provider of training and education on fraud-related matters. The ACFE regularly provides a variety of professional education courses and seminars on different fraud topics throughout the world, and also produces a number of selfstudy materials, available for purchase from its website (www.acfe.com). The ACFE is also the sponsoring organization of the Certified Fraud Examiner (CFE) credential, which covers four major areas in its common body of knowledge: fraud prevention and deterrence; financial transactions; fraud investigation; and legal elements of fraud. Many of the ACFE’s training materials are beneficial for auditors—external and internal—in gaining a better understanding of various aspects of fraud. The IAD is a critical part of corporate governance, along with senior management, the audit committee, and the external auditors. Internal auditors can be considered to be the eyes and ears of management as well as the corporate conscience. Given its importance, how should a company begin to establish an effective IAD?

71

NEW INSIDE PAGES FINAL copy.indd 71

13/02/2012 12:58

Effective Auditing for Corporates Start with the Leader

Finding a qualified department head is a crucial first task. Not only should the chief audit executive possess the necessary internal audit technical skills, but he or she should also be able to gain respect from both management and the audit committee. Good communication skills, objectivity, and a strong moral character are also desirable characteristics. The creation of Schwan’s IAD was driven by personnel changes in top management. The Schwan Food Company’s founder, Marvin Schwan, passed away suddenly in 1992 and his brother, Alfred, then served as president and chairman of the board. In 1998, Marvin and Alfred’s families essentially agreed to hire top executives from outside the family to run the business. Until that time, while the company was a private family business with everything controlled very much out of Marshall, Minnesota, they did not see the need for an internal audit function. The first nonfamily member CEO, who had a long and distinguished career in the food business, came on board in 1999. At about the same time a new audit committee chair began his service. In 2002 a new CFO was hired who had extensive public accounting experience. This new leadership helped the company to slowly make changes. It improved the governance structure by establishing an internal audit department while retaining the positive aspects of the company’s corporate culture, including its high standards of ethics, values, and hard work. Thus, the creation of the IAD was part of a companywide effort to improve control and governance structures for a privately held but global company that had the goal of doubling in size between 2002 and 2007. After conducting a regional and national search through a recruiting firm, the management team chose Randolph Just to be their CAE. He brought with him extensive public accounting and internal auditing experience. Specifically, at around the age of 30, Randy earned an MBA and became a CPA, working for Peat, Marwick, Mitchell & Co. (now KPMG) in their Dallas, Texas, office for several years. He then joined the internal auditing profession at St Paul Medical Center in Dallas, which was part of the largest not-for-profit hospital system in the United States. He spent several years in the hospital/healthcare/internal auditing industry in Texas, then Pennsylvania, and then Missouri. During this time he served two terms as national president of the Association of Healthcare Internal Auditors and also as executive director of the Healthcare Audit Network, and essentially ran a national healthcare auditing conference for five years. In 1998, Randy and his wife decided to move to a rural community in Idaho to raise their children, and he consulted internationally for about a year until he was rehired by KPMG in their internal auditing practice, living in Idaho, but working for their Los Angeles, California, office in internal auditing. Randy often joked that he met the Schwans because of Enron. Schwans had been audited by Arthur Andersen for more than 30 years, and after Andersen’s demise following the Enron situation, Schwan Sales Enterprises (the name of the company at that time) put the contract out for bid. KPMG won the contract in May 2002. After learning this, Randy emailed the KPMG partner in Minneapolis, Minnesota, to congratulate her, and he mentioned that he had grown up in the area. She saw from his email signature that he worked for Management Assurance Services (KPMG’s internal audit practice) out of Los Angeles. She emailed back that Schwan wanted to start an internal audit department and asked if Randy was interested in moving back to Minnesota. He applied for the job

72

NEW INSIDE PAGES FINAL copy.indd 72

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department because he considered it to be a “wonderful opportunity.” Shortly thereafter, he was selected by a search committee, which included the chair of the audit committee, and he accepted the offer. Per Randy, it was “the job of a lifetime.”

The Charter and Mission

Once the CAE is hired, he/she should lead the development of the written audit charter (see Appendix 1 for The Schwan Food Company’s charter), which sets forth the purpose, authority, and responsibilities of the IAD. Such a charter, which should be approved by the audit committee on behalf of the board of directors, is crucial for sending the message throughout the organization that internal auditing is viewed as a priority and has the endorsement of both executive management and the audit committee. The charter should also clearly establish the independence of the IAD because it is critical that internal auditors be organizationally independent of management in order to enhance their effectiveness. This independence allows the auditors to perform their work objectively and without bias or concern that they will be unduly influenced by management. Schwan decided that its IAD should report directly to the CFO for administrative purposes. For purposes of governance, it established an advisory relationship between the IAD and the board’s audit committee (Figure 2). Figure 2. Reporting relationships for The Schwan Food Company’s internal audit department

Chief financial officer (Tracy Burr)

Internal audit department

Audit committee

(CAE: G. Randolph Just)

(Chair: David Kidwell)

Direct reporting relationship

Advisory reporting relationship

But these relationships, whether direct reporting or advisory, were flexible, depending on the styles of individual managers. Schwan’s audit committee chair was very “hands on” and viewed his relationship with the IAD to be as direct as the CFO–IAD relationship. The audit charter protected the IAD’s independence by ensuring full access by the CAE to the audit committee and protecting the CAE from removal without the approval of the audit committee. In addition, Schwan’s audit committee charter established that the IAD was accountable to the board of directors through the audit committee.

73

NEW INSIDE PAGES FINAL copy.indd 73

13/02/2012 12:58

Effective Auditing for Corporates The IAD mission statement should be specified in the charter. The mission of Schwan’s IAD was “to provide independent, objective assurance services designed to add value and improve the Schwan Company’s operations. The IAD helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the overall control environment and the network of enterprise business risk management control and governance processes.” This mission statement is almost verbatim with the Institute of Internal Auditors’ approved definition of the purpose of internal auditing. In other words, the department’s mission corresponds with Schwan’s overall mission in that the IAD exists to help the company to reach its goals and achieve its business objectives in an ethical, legal, well-governed manner. This mission is accomplished by helping to improve controls, business processes, and business risk management. To promote good relations and introduce the IAD’s mission at Schwan, Randy Just initially met with all the members of executive management and then the senior management to gain an understanding of their expectations. Through these meetings he was able to introduce internal auditing as a service function charged with helping management to achieve company objectives rather than as something to fear or view as a threat.

Staffing the Department

Based on the analysis of Schwan’s external auditor, the audit committee and senior management decided to initially staff the IAD with 10 internal auditors supported by an annual budget of approximately US$1.63 million. The size of the function was expected to increase as the company grew. Ideally, Just wanted people at the senior and manager level to have public accounting experience as well as internal auditing work in industry. He recognized that it wasn’t possible to find people at the staff level with that combination of experience. He staffed the IAD so that it possessed a fairly broad-based assortment of expertise in financial, operational, compliance, and information systems auditing. Initially, the greatest challenge was convincing qualified people to relocate to Schwan’s corporate headquarters in Marshall, Minnesota, a community that is three hours from Minneapolis with a population of approximately 12,000. While this is an attractive community for individuals with a family-based lifestyle, it was a hurdle to overcome in seeking to fully staff a new IAD. The company used industry contacts to recruit staff in addition to receiving assistance from outside recruiting organizations. After a few months, Schwan was able to fill all the positions.

Overall Strategy

Once the staffing was completed, Just worked with two of his managers to develop a risk-based assessment methodology tied to the COSO (the Committee of Sponsoring Organizations of the Treadway Commission) internal control framework and a consumer products business process model. The IAD used this risk-based approach to determine the scope of its services.

74

NEW INSIDE PAGES FINAL copy.indd 74

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, a private-sector initiative to study the factors that might lead to such reporting. The sponsoring organizations represented the major professional accounting organizations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA). Representatives from private industry, public accounting, the New York Stock Exchange, and investment firms comprised the membership of COSO and were independent of each of the sponsoring organizations. COSO is sometimes referred to as the “Treadway Commission” because the original chair of the National Commission was James C. Treadway, Jr., executive vice president and general counsel of Paine Webber, Inc. COSO’s goal is to provide thought leadership in three interrelated areas: internal control, enterprise risk management, and fraud deterrence. COSO’s thought papers are available for free download on its website. The consumer products business model describes how a company translates strategic objectives into business goals, processes, and tactics to achieve those objectives. The model presented in Figure 3 outlines the following factors. 8 First, external business drivers and stakeholders, which are the outside factors and pressures that can prevent an entity from attaining its objectives. These may include the political and legal environment, actions of competitors, customers, trade regulations, and others. 8 The second factor is the set of various markets that are relevant to the company’s business. 8 Finally, the business processes define how work is done in the company and how outputs of one process become the inputs of the next. Business processes are broken down into three sections: 1. the strategic management process, which defines the company’s mission and objectives, as well as the risks that threaten the objectives, and establishes processes to monitor and manage those risks and achieve the objectives; 2. core business processes, which develop, produce, sell, and distribute the company’s products; 3. resource management processes, which support the other processes. These include functions such as human resources, information technology, accounting, and others. Included in the overall consumer products business model are lists of the company’s alliances, core services/products, and potential customers.

75

NEW INSIDE PAGES FINAL copy.indd 75

13/02/2012 12:58

Effective Auditing for Corporates Figure 3. Consumer products business process model External business drivers and stakeholders Existing competitors, foreign competitors, new entrants, private label, substitutes, shareholders, regulators, alliance groups, consumers, customers, suppliers Wholesalers Retailers Vertical manufacturers

Strategic management process Core business processes Manage product portfolio

Sell products

Procure materials

Governments Foreign markets

Manufacture products

Distribute products

Serve customers

Resource management processes Information management

Property management

Financial/Treasury management Regulatory management

Markets

Suppliers Customers

Company products and services by business unit

Foreign entrants

Mass merchandise

Private label/brand

Club stores

Other consumer products

Department stores Specialty retail consumers

Companies Wholesaler

Niche market customers

Distributor

Alliances

Human resource management

Business processes

Wholesalers Wholesalers Grocery retailers Food service

Government Alliances

Core services and products

Customers

As part of this risk assessment process, Just reviewed the strategic plans of the company and its business units. The IAD’s efforts focused on the key areas and objectives on which the company and the business units focused. This was accomplished by having auditors meet with executives at the various business units and walk through a questionnaire they developed as part of the risk-based assessment approach (see Appendix 2). The IAD then weighted and prioritized potential projects across all the business units, giving consideration to the volume of their activities and their importance to the company’s overall strategic plan (Figure 4). Figure 4. Risk assessment overview Identify business risks and controls (operational, financial reporting, and compliance)

Objectives

Measure and prioritize the identified risks Obtain management consensus

Focused interviews

Process

Analysis of financial and operational reports and other company information Industry knowledge sources

Risk profile—ranked

Deliverables

Recommended management action (initial actions identified during the risk assessment) Recommended internal audit action: • internal audit plan • resources and skill sets required to execute plan

76

NEW INSIDE PAGES FINAL copy.indd 76

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department Risk-Based Assessment

The risk assessment framework closely incorporated the concepts of risk and control. Schwan established business objectives at all levels of the company from corporate down through each business unit. To achieve these objectives, it put in place core business processes that were groupings of related business activities (e.g. procure materials, manufacture products, distribute products, sell products, serve customers). The core business practices were supported by processes that provided resources and services to them. Risks threaten the achievement of business objectives at all levels, while controls are the activities that are put into place to manage or mitigate the risks (Figure 5). Controls are often built into the core business processes and support processes. Figure 5. Risk assessment framework RISKS

RISKS Business objectives

Core business processes

Support processes

RISKS

Support processes

RISKS

Within each process, the IAD assessed: 8 gross risks—threats or impediments to the accomplishment of corporate or process objectives; 8 the strength of relevant controls and management’s response to the identified risks; 8 residual risks—a reevaluation of risk in light of controls and management’s response. At the end of this process, residual risks are compared to gross risks for reasonableness. See Figure 6 for a graphical representation of this risk assessment. Figure 6. Residual risk assessment Almost certain

P r o b a b i l i t y

Gross risk B Gross risk A

Residual risk A Residual risk B Remote/insignificant

Catastrophic

Impact

77

NEW INSIDE PAGES FINAL copy.indd 77

13/02/2012 12:58

Effective Auditing for Corporates The IAD rated the risks based on the magnitude of the impact of the risk as well as its probability. They conducted residual risk assessments through interviews with multiple levels of management, a review of business plans, analysis of financial and operational reports, and a review of miscellaneous information (e.g. industry information, process documentation, etc.). For validation, they discussed the assessment results with the appropriate levels of management. At Schwan, food quality and safety is one area of continual vigilance. Every single batch of raw materials or product that comes into Schwan’s factories is tested for contamination, and the IAD assesses a gross risk of contamination of raw materials at a certain level. As a result of Schwan’s very stringent controls, the residual risk has been assessed as extremely low. For more examples, see Table 1.

Assessing Effectiveness

On average, Just reviewed the status of the internal auditing plan with the auditing committee five times a year. The main criterion against which the success of the IAD was measured was whether the internal auditors were adding value. For example, were the major projects being performed? Was the IAD receiving requests from the business units for other projects? Just budgeted approximately 80% of the internal audit staff time for projects that were identified through the risk assessment process, leaving 20% of their time open for emerging priorities. In its first year the department received a large number of requests for other projects, and that was clearly viewed as a substantial measure of success. During the meetings with the audit committee, Just also reported what percentage of the audit plan was complete, although that wasn’t the primary measure of success since the IAD was created to address risk as it arises. Consequently, the annual internal audit plan could be revisited throughout the year and changed as need dictated. Another major measure of success was the open acceptance by the business units and their willingness to work with the internal auditors. On the audits that came up in the risk assessment process, company personnel were willing to offer ideas on areas where they felt they could use audits, and they called the internal auditors for projects. For additional monitoring of the effectiveness of the IAD, Just implemented a ninequestion Internet-based client survey that was used to gather input and feedback from the audit customers about each of their projects (see Appendix 3). As time passed and the IAD became more established, other metrics of success would be developed, such as the percentage of audit recommendations implemented by the various business units.

78

NEW INSIDE PAGES FINAL copy.indd 78

13/02/2012 12:58

Likely

Moderate

Likely

Treasury and finance

Procure materials

Manufacture products

Uncertainty of exchange rates and volatility of oil price makes profit assurance difficult

Risk relating to the inaccurate forecast of volume requirements of ABC company

Poor visibility of inventory distribution chain can result in product stockouts and oversupply

NEW INSIDE PAGES FINAL copy.indd 79

4

3

4

P

Minor

Major

Moderate

Impact (I)

Gross Risk Ratings

Probability (P)

Process

Description of risk

Gross risk ratings

2

4

3

I

8

12

12

PxI

Moderate

Strong

Weak

Control effectiveness rating (C)

2

3

1

C

Moving from weekly to daily order processes and a more automated replenishment process

Specialize in the farm-to-fryer concept. Employs geographic diversification to help mitigate risk

No preventive controls are available. Management monitors profitability levels. Any hedging is not performed by subsidiaries but by the US HQ

Description of control/response 4

3

3

Likely

Moderate

Moderate

Minor

Moderate

Moderate

Revised impact (I2)

Risidual Risk Ratings

P2

Revised probability (P2)

Residual risk ratings

2

3

3

I2

6

9

12

P2 x I2

Table 1. Examples of residual risk ratings. Risks and controls are compiled by process, and the average ratings per process are used to construct bar charts

Advancing Your Business with an Effective Internal Audit Department

79

13/02/2012 12:58

Effective Auditing for Corporates Summary

8  Establishing an effective internal audit department is a critical part of corporate governance and a good way to advance your business; it adds value by helping the organization to achieve its objectives, improving risk management, strengthening internal controls, and enhancing overall corporate governance. 8  It is critical to find a qualified director for the internal audit department; qualifications include not only education, certification, and experience, but also skills in oral and written communication, a high level of personal and professional ethics, and the ability to work well with people. 8  Crucial to the establishment of the department is to define the department’s mission and develop its written charter, which should state the purpose, authority, and responsibility of the internal audit activity. 8  The internal audit director needs to develop an overall strategy for the scope of the department’s activities, which will include risk-based assessments. 8  A method of determining the effectiveness of the department’s work should be developed. 8  The Sarbanes–Oxley Act of 2002 is legislation that pertains only to public companies, yet The Schwan Food Company, a private company, was motivated to install an internal audit function in view of the benefits that an internal audit department can provide to an organization. 8  Although this chapter has focused on the process followed by The Schwan Food Company in establishing its internal audit department, the key issues are applicable to organizations in other industries as well.

More Info Books: American Institute of Certified Public Accountants (AICPA). The AICPA Audit Committee Toolkit: Not-for-Profit Organizations. 2nd ed. New York: AICPA, 2010. Among other items, the tools relate to internal control and internal audit, as well as external auditors and related resources. Online at: tinyurl.com/3b5wpd5 Morrow, John F. (ed.). The AICPA Audit Committee Toolkit: Public Companies. 2nd ed. New York: American Institute of Certified Public Accountants (AICPA), 2008. Articles: Applegate, Dennis, and Ted Wills. “Struggling to incorporate the COSO recommendations into your audit process? Here’s one audit shop’s winning strategy.” Internal Auditor (December 1999): 198–204. Online at: www.coso.org/audit_shop.htm. Article summarizes COSO’s internal control model, emphasizing how adopting the model can help a company in its auditing procedures. It also explains how the Boeing Company adopted the COSO model and how effective it was. Cenker, William J., and Albert L. Nagy. “Do audit charters need a reality check?” Strategic Finance (January 2004): 49–53. Describes how recent changes by the Institute of Internal Auditors and the US Securities and Exchange Commission have created a conflict of duties for the internal auditor, and the impact these changes will have on an internal audit department’s charter.

80

NEW INSIDE PAGES FINAL copy.indd 80

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department

Institute of Internal Auditors (IIA). “Does your control system pass the COSO test?” Tone at the Top (March 1998). Online at: tinyurl.com/7t9uv7j Marks, Norman. “How much is enough?” Internal Auditor 57:1 (2000): 28–34. Describes how a corporation identified the most significant elements affecting internal audit staff size and devised a formula that works for it. Pforsich, Hugh D., Bonita K. Peterson Kramer, and G. Randolph Just. “Establishing an effective internal audit department.” Strategic Finance (April 2006): 22–29. Online at: www.imanet.org/PDFs/Public/SF/2006_04/04_06_pforsich.pdf Salierno, David. “The right measures.” Internal Auditor 57:1 (2000): 41–44. Shares the thoughts of eight chief audit executives on the utility of top-ranked performance measures as identified in Ziegenfuss (2000). Tarr, Richard. “Built to last.” Internal Auditor 59:6 (2002): 29–33. Describes five steps useful in developing an internal audit department from scratch; however, no specific company or example is used in the article. Ziegenfuss, Douglas E. “Measuring performance.” Internal Auditor 57:1 (2000): 36–40. Reports findings from a study to determine the performance indicators that chief audit executives considered the most important measures of success for internal audit departments. Reports: Association of Certified Fraud Examiners (ACFE). “Report to the nations on occupational fraud and abuse.” 2010. Online at: www.acfe.com/rttn.aspx [earlier versions of the report are also available on the website]. Committee of Sponsoring Organizations of the Treadway Commission (COSO). “Internal control—Integrated framework.” American Institute of Certified Public Accountants (AICPA), July 1994. Online at: tinyurl.com/6re5jwt [PDF]. Websites: Association of Certified Fraud Examiners (ACFE): www.acfe.com Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org Institute of Internal Auditors (IIA): www.theiia.org The Schwan Food Company: www.schwans.com

Appendix 1: Schwan Internal Audit Services Charter Purpose

The purpose of the Schwan Audit Services department is to provide independent, objective assurance services designed to add value and improve the organization’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the overall control environment and the network of enterprise business risk management, control, and governance processes.

Scope of Work

The scope of work of the Schwan Audit Services department is to determine whether the organization’s network of enterprise business risk management, control (including

81

NEW INSIDE PAGES FINAL copy.indd 81

13/02/2012 12:58

Effective Auditing for Corporates reporting and disclosure controls), and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure that: 8 risks are appropriately identified and managed; 8 interaction with the various governance groups occurs as needed; 8 significant financial, managerial, and operating information is complete, accurate, reliable, and timely; 8 employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations; 8 resources are acquired economically, used efficiently, and adequately protected; 8 programs, plans, and objectives are achieved; 8 quality and continuous improvement are fostered in the organization’s control processes; 8 significant legislative or regulatory issues impacting the organization are recognized and addressed appropriately. Opportunities for improving management control, profitability, and the organization’s image may be identified during audits. They will be communicated to the appropriate level of management.

Independence

To provide independence, the reporting relationships, authority and responsibility of the Schwan Audit Services department are established by the Audit Committee on behalf of the Board of Directors. The chief audit executive reports to the chief financial officer for administrative purposes and also has full and independent access to the chief executive officer and the Audit Committee. Personnel in the Schwan Audit Services department report to the chief audit executive. The approval of the Audit Committee is required for the removal or replacement of the chief audit executive. It is the policy of the Audit Committee to devote a portion of each meeting to an executive session at which only the chief audit executive is present. In at least two meetings per year, outside director members of the Audit Committee shall consult privately with the external auditors and with the chief audit executive and report the results of the private consultations to the Board of Directors. In addition, the senior internal audit executive will have opportunity to meet with independent directors on the Audit Committee at each committee meeting.

Accountability

The chief audit executive, in the discharge of his duties, shall be accountable to management and the audit committee to: 8 provide annually an assessment on the adequacy and effectiveness of the organization’s processes for controlling its activities and managing its risks in the areas set forth under the purpose and scope of work; 8 report significant issues related to the processes for controlling the activities of the organization and its affiliates, including potential improvements to those processes, and provide information concerning such issues through resolution; 8 periodically provide information on the status and results of the annual internal audit plan and the sufficiency of department resources;

82

NEW INSIDE PAGES FINAL copy.indd 82

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department 8 coordinate with and provide oversight of other control and monitoring committees and functions (for example, enterprise risk management, controllership, treasury, governance, finance, disclosure, ethics and quality committees; risk management, quality assurance, regulatory compliance, security, legal, environmental, and external audit functions).

Responsibility

The chief audit executive and staff of the Schwan Audit Services department have responsibility to: 8 develop a flexible annual internal audit plan using an appropriate riskbased methodology, including any risks or control concerns identified by management, and submit that plan to the audit committee for review and approval as well as periodic updates; 8 implement the annual internal audit plan, as approved, including as appropriate any special tasks or projects requested by management and the audit committee; 8 maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Charter; 8 evaluate and assess significant merging/consolidating functions and new or changing services, processes, operations, and control processes coincident with their development, implementation, and/or expansion; 8 issue periodic reports to the audit committee and management summarizing results of audit activities, including significant audit issues and management action plans; 8 keep the audit committee informed of emerging trends and successful practices in internal auditing; 8 provide a list of significant measurement goals and results to the audit committee. 8 assist in the investigation of significant suspected fraudulent activities within the organization and notify management, the external auditors, and the audit committee of the results; 8 consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.

Authority

The chief audit executive and staff of the Schwan Audit Services department are authorized to: 8 have unrestricted access to all functions, records, property, and personnel; 8 have full and free access to the audit committee; 8 allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives; 8 obtain the necessary assistance of personnel in units of the organization where they perform audits, as well as other specialized services from within or outside the organization.

83

NEW INSIDE PAGES FINAL copy.indd 83

13/02/2012 12:58

Effective Auditing for Corporates The chief audit executive and staff of the Schwan Audit Services department are not authorized to: 8 perform any operational duties for the organization or its affiliates. 8 initiate or approve accounting transactions external to the Schwan Audit Services department. 8 direct the activities of any organization employee not employed by the Schwan Audit Services department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors.

Standards of Audit Practice

The Schwan Audit Services department will meet or exceed the Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors. _________________________________ Chief Audit Executive _________________________________ Chief Executive Officer _________________________________ Audit Committee Chairman Approved by the Schwan Audit Committee October 29, 2002

Appendix 2: Business Risk Assessment Interview Topics

The following questions and topics are intended as an overview of the type of discussion we would like to foster through our risk assessment interview process. Please use this information as a guide for our discussion. It does not have to be filled out in advance.

Overview

1. Discuss business strategies for your area of responsibility. 2. Discuss key business processes performed within your area of responsibility. 3. Discuss key business initiatives: current, upcoming, and/or ongoing.

Risks

1. What business risks do you see within your area? (See attached list of potential business risk factors.) 2. Can you estimate the likelihood of these risks occurring? (Example: high—very likely this will happen; medium; low) 3. Can you estimate the impact of these risks? (Example: high impact; medium; low) 4. Do you have a process for measuring and identifying these risks?

84

NEW INSIDE PAGES FINAL copy.indd 84

13/02/2012 12:58

Advancing Your Business with an Effective Internal Audit Department Controls

1. Briefly describe what controls are in place to protect against these risks.

Other Items

1. Do you have other areas of concern outside your immediate responsibilities?

Business Risk Categories and Risk Factors (for discussion) Risk Category Risk Factors External environment • competition • industry • financial markets • owner relations • political • business interruption • regulatory Control environment

• support • measurements

• legal • strategic

Infrastructure

• leadership • human resources

• information management

Marketing & selling

• • • •

• • • •

Supply chain

• purchasing • cost

• raw material management • vendor management

Liquidity

• cash flow • assets • cost of capital

• exchange rates • taxation • funding requirements

Operations

• processes • production cycle • capacity

• finished product management • contingency planning • incentives

product branding satisfaction services competition

product development products marketing distribution channels

85

NEW INSIDE PAGES FINAL copy.indd 85

13/02/2012 12:58

Effective Auditing for Corporates Appendix 3: Schwan Audit Services Client Satisfaction Survey Strongly agree Agree 1.

Neither agree nor disagree Disagree

Strongly disagree

No basis to respond

I was pleased with Audit Services’: a. Knowledge b. Professionalism c. Communication Please provide comments:

2. Audit Services respected my existing workload: Please provide comments: 3. The objectives, purpose, and scope were clearly communicated to me: Please provide comments: 4. Communication of results and status was timely and adequate: Please provide comments: 5.

My business concerns and perspective were adequately considered: Please provide comments:

6. The action items made business sense: Please provide comments: 7. Overall, this audit or project provided value to me: Please provide comments: 8. I consider Schwan Audit Services to be a valuable business partner: Please provide comments: 9. Please provide recommendations that would improve the process:

86

NEW INSIDE PAGES FINAL copy.indd 86

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When by Paul J. Sanchez Professional Service Associates, Port Washington, New York, USA

This Chapter Covers 8 The need for internal auditing professionals to make a serious professional risk assessment about how limited audit resources should be allocated to various corporate activities. 8  A risk-based approach and a risk model for prioritizing auditable activities by risk scores. 8 The perennial internal audit problem of how to effectively use limited audit resources. It emphasizes that high risk areas require top priority. 8  This chapter highlights a model that easily can be used to rank auditable activities.

Introduction

Each year the senior audit manager in a corporate internal audit department is faced with the difficult task of presenting the audit committee with a schedule of audit coverage for the coming year. The senior audit manager must decide what to audit and when. This crucial assignment for the internal audit function sets in place the audit schedule for the year. The schedule should focus on the areas of risk that, if not controlled, will most likely interfere with corporate objectives. If audit work does not cover such risk areas, the audit function may find itself in the embarrassing position of being in the wrong place at the wrong time. Since the internal audit function is part of the enterprise risk management (ERM) process, the auditor is expected to know the sensitive operations of the entity and to use audit resources to provide efficient audit risk coverage. A proper ERM process will embrace an audit plan that will satisfy the audit committee and will answer the question of what to audit.

Internal Auditors Cannot Audit Everything!

This chapter focuses on each corporation’s need for a careful, consistent, professional approach to determining what to audit. The generally limited resources in the corporate internal auditing environment must be used in selected areas on the basis of a risk prioritization exercise. Without a risk-based auditing approach, professional auditors may fall into the trap of trying to audit all activities. It is an automatic reaction. Auditors try to do a little audit work in every auditable area. It is usually difficult or inconvenient for management and audit committee members to accept the truth—that there simply are not enough audit resources to audit “everything.” Auditors never want to be in a position where they would have to say that there will be no audit coverage in particular areas. It is difficult for auditors to list what will not be audited. Accordingly, internal auditors tend to do “a little bit of everything.” That is the same as doing “a lot of nothing”—and it is not a helpful approach to applying overall effective audit coverage for the corporation. The modern audit committee wants to know that the limited audit resources are being allocated to the high-risk areas at the expense of the low-risk areas.

87

NEW INSIDE PAGES FINAL copy.indd 87

13/02/2012 12:58

Effective Auditing for Corporates Without a risk-based auditing approach, professional auditors may fall into the trap of trying to audit all activities. It is an automatic reaction. Auditors try to do a little audit work in every auditable area. “A little bit of everything” is “a lot of nothing!”

Internal Auditors Must Rank Auditable Activities

Although internal auditor resources are scarce, corporate management seems to expect auditors to provide audit coverage for “everything that moves.” That simply cannot be done! The auditor must be in the right place at the right time. A risk-ranking approach, where high-risk activities are more subject to audit coverage than low-risk areas, is essential. In fact, some low-risk areas will not be covered at all by the internal auditors. Those activities are just not significant, or, as practicing accountants say, they are “not material.” A risk assessment approach to creating an audit plan is the logical startingpoint for the audit manger who wants to focus audit coverage on high-risk areas.

Professional Standards

The auditing standards (measures of the quality of performances) of the internal audit profession recognize the importance of an audit plan. That fact is clearly stated in the international professional auditing standards promulgated by the Institute of Internal Auditors (IIA). IIA Standard “2010—Planning” states the following: “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.” Paragraph A1 of Standard 2010 suggests that the risk assessment: 8 be based on a documented risk assessment; 8 be undertaken at least annually; 8 should consider the input of senior management and the board. Further, the Standard 2010 suggests the internal audit activity have, at a minimum, a carefully prepared annual audit plan based on risk assessment. Audit committees expect such a plan; the professional standards require such a plan; and common sense dictates such a plan.

The Audit Plan

Designing a Plan

Designing a workable audit plan requires knowledge of all the activities and the related risks and controls throughout the corporation. The audit plan is dependent on the size and capabilities of the audit staff. It must be prepared by the senior audit manager (i.e. the general auditor or director of internal auditing). The plan should be based on: 8 the strategic objectives of the corporation;

88

NEW INSIDE PAGES FINAL copy.indd 88

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When 8 the risk (chance, possibility, or likelihood) of control failures that would impede the achievement of the objectives; 8 what activities must be audited based on laws or regulations; 8 potential monetary losses; 8 the estimated time required to provide audit coverage, taking into account the proposed nature, timing, and extent of the internal auditor’s work, and the work that might be done by external auditors or others; 8 any changes or proposed changes to controls, automated systems, operations, etc.; 8 any changes in the composition of the audit staff; 8 the dates and results of previous audits. Although the audit plan will guide the audit work to be performed, it must be flexible. It must allow the audit staff to react to unforeseen events. Sometimes an unanticipated risk event is encountered that requires the auditor to reconsider the initial risk-based plan and to reallocate audit resources. When this happens, the auditor must adjust the original plan and “give-ups”(the deferral or elimination of what was originally scheduled) must be presented to management. The reallocation of resources will alter the original schedule, but the rescheduling of audit coverage would still be guided by risk concerns.

Use a Systematic Approach

To devise an audit plan, it is best to: 8 start analyzing the business functions, goals, risks, and controls of the corporation, which the auditor, as part of the ERM team, is familiar with; 8 develop a standardized approach to a systems-based audit. If the auditor uses a standardized approach to the audit of systems of internal control, the audit plan should develop as follows: 1. Identify the business functions of the entity. 2. Identify auditable activities within the functions. 3. Identify what could go wrong—“Where can the entity get burned?” These are the risks. 4. Identify key controls—“What would prevent the burning?” 5. Use a model that has a scoring scheme for ranking auditable activities from high-risk to low-risk. 6. Decide what to audit, and how and when to audit it. The important notion to remember is that the starting-point is a list of auditable activities within the business functions of the corporation—one that is not based on accounts, departments or physical locations. Examples of business functions with related, auditable activities might include those set out in Appendix 1 for a retail establishment or a not-for-profit hospital. It is difficult to sit down and list what should be audited without some formal approach. The tendency is simply to look at last year’s audits and expand or contract the coverage. This might have been sufficient in the past. Today, however, businesses

89

NEW INSIDE PAGES FINAL copy.indd 89

13/02/2012 12:58

Effective Auditing for Corporates and their attendant business risks change frequently. Any audit risk assessment must consider the current business risks in each of the corporation’s business functions. A business function approach to determining what should be audited is recommended. In past years, audits were generally financial in nature. They concentrated on verifying or substantiating the numbers in the accounting records. That approach has changed. Today, audit departments are embracing the IIA standards and are conducting audits that are designed to report on the adequacy, efficiency, and effectiveness of the systems of internal control. These systems-based, operational-type audits are more comprehensive than the “old” substantive test audits. The approach is now standardized and makes audit planning easier, since “how to audit” is not a serious concern. The basic concerns of the systems-based audit are as follows. 8 Are there controls in place that, if they work, will prevent or detect material problems and will help to achieve corporate objectives? I.e. are the controls adequate? 8 Do the identified controls work? I.e. are the controls effective? 8 Do the controls provide the best outcomes at the lowest possible cost?

The Risk Assessment Process for a Bank

In this section we will consider the example of a currently used risk assessment process for a depository institution (i.e. a bank).

Identify the Business Functions

Every depository institution is, for the most part, involved in the following external and internal business functions.

External

Every depository institution is, for the most part, involved in the following external and internal business functions. 8  Funding: Obtaining funds to do business. 8 Lending: Temporarily loaning funds to customers. 8  Investing: Buying and holding government and other securities with funds not loaned out. 8  Trading: Short-term buying and selling of government and other securities and other financial instruments (foreign exchange, Bankers Acceptances, certificates of deposit, etc.). 8  Fee-based customer servicing: Receiving fees for providing services to customers; other fee-based services.

Internal 8  Support functions for external business: Internal activities that support the above regular business functions of the bank. 8  Accounting and reporting: Internal bookkeeping, accounting, and financial reporting activities.

90

NEW INSIDE PAGES FINAL copy.indd 90

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When Identify Major Activities Within Each Business Function

After listing the business functions, each auditable activity within the business functions should be identified. Auditable activities will differ from bank to bank. The audit manager must know what his or her bank is doing and must carefully list the major activities within each business function. A generalization of major activities by function might include the following.

Funding 8 Deposit-gathering accounts (time, demand, CDs, money market, public, commercial, individual retirement arrangements, etc.). 8 Issuance of commercial paper. 8 Issuance of short-term debt. 8 Bank borrowings. 8 Federal funds borrowed. 8 Repurchase agreements. 8 Other.

Lending 8 Loans (commercial, personal, agricultural, foreign, real estate, consumer, letters of credit, acceptance financing, etc.). 8 Federal funds sold. 8 Reverse repurchase agreements. 8 Outstanding drafts “accepted” by the bank—bankers’ acceptances receivable. 8 Other.

Investing 8 Interest-bearing bank account deposits. 8 Security positions (treasuries, agencies, municipal securities, BAs, CDs, etc.). 8 Float—cash management. 8 Advances to (or investments in) affiliates. 8 Other.

Trading 8 Foreign exchange. 8 Securities (treasuries, agencies, municipal securities, BAs, CDs, etc.). 8 Interest rate futures, interest rate swaps, credit swaps, etc. 8 Other.

Fee-Based Customer Services 8 Check processing. 8 Trust service (corporate and personal). 8 Discount brokerage.

91

NEW INSIDE PAGES FINAL copy.indd 91

13/02/2012 12:58

Effective Auditing for Corporates 8 Home banking. 8 Lockbox services. 8 Safekeeping, safe deposit, custodial. 8 Mortgage servicing. 8 Money transfer/wire transfer. 8 Other.

Internal Business Functions 8 Interoffice settlement system (IOS). 8 Systems development life cycle (SDLC). 8 Asset–liability management. 8 Marketing. 8 Human resources (personnel). 8 General services (security, purchasing, maintenance, etc.). 8 Insurance. 8 Data center management. 8 Payroll. 8 Legal. 8 Audit. 8 Other.

Internal Accounting, Reporting, and Compliance 8 Loan loss provision and related reserve for loan losses. 8 Tax provision and related deferrals. 8 Accrued payables. 8 Dividend policy and payments. 8 Pension, profit-sharing, incentive compensation, etc. 8 Other assets, fixed assets, and goodwill. 8 Regulatory compliance/regulatory reporting. 8 Other liabilities. 8 Other. This categorization could be used by the audit manager to decide on the audit coverage for activities within each business function. Clearly, because of the limited resources not all of the activities can be audited. They must be sorted out. The list of auditable activities should be adjusted as needed based on changes in the business of the bank and changes to the bank’s risk exposure. The list of auditable activities is a necessity. Preparing such a list is a simple procedure, that, if properly thought out, can be a valuable part of the planning.

Identify Risks and the Procedures (Control) to Manage the Risks

For each auditable activity within the business functions, the audit manager should identify the major business risks (i.e. “What could go wrong?”). This should be based primarily on the auditor’s previous experience with the auditable activity. Input from line management can also be used to obtain an understanding of the activities and the related risks—as long as auditor objectivity is not compromised. A generalized

92

NEW INSIDE PAGES FINAL copy.indd 92

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When example of major risks and related controls for the bank’s auditable foreign exchange activity is shown in the risk/control sheet presented in Appendix 2. It should be noted that to create a risk calculation worksheet (see Appendix 3) for each auditable activity is a monumental task. But it is necessary if the priorities for the audit plan are to be properly established. Without one the auditor is in the dark. The risk calculation worksheets become a bank-wide inventory of risks and controls that can be updated periodically based on changing business risks and control conditions. The risk calculation worksheet is not unlike the documentation envisioned by the US Sarbanes–Oxley Act of 2002 (SOX). For well-controlled public companies, such documentation should be readily available.

Use a Model to Rank the Risks for the Activities Included in the Audit Plan

The audit manager can use the risk calculation worksheet for each activity to decide what audit coverage is appropriate. The audit manager can then devise a scoring mechanism for the activities, focusing on risks and related controls. The auditable activities can then be ranked from high-risk to low-risk. Various ranking schemes are in use by banks. As long as the scheme is consistently applied, a fair and reasonable ranking of auditable activities can be achieved. The auditor can then audit, review, or monitor some or all of the activities, or parts of the auditable activities. With currently updated risk calculation worksheets, the auditor is in an excellent position to allocate resources to those activities that are “riskier” than others. The ranking can be based on a simple 1 to 4 scoring scheme based on responses to a standardized questionnaire. A very simple, currently used model consists of two parts. 8 Part 1: Establish “importance weights” for the model’s four categories. 8 Part 2: Assign risk (scores “0” to “4” for each question indicated in Appendix 4 for each auditable activity; “0” would indicate no risk; “4” would indicate unacceptable risk). The following text can be read in conjunction with the risk calculation worksheet presented in Appendix 3.

Part 1: Importance Weights

The auditable activities must be examined in greater depth. It is necessary to consider the following four categories for each auditable activity: 8 monetary values; 8 nature of operations; 8 controls and security; 8 human resources. Importance weights can be assigned to these four categories. The importance weights should add up to 100% and can be assigned on the basis of the general auditor’s beliefs about which category is most important relative to the other categories.

93

NEW INSIDE PAGES FINAL copy.indd 93

13/02/2012 12:58

Effective Auditing for Corporates Typical weights might look like those shown in Table 1, although different companies may have different opinions about the “importance” of each category. Table 1. Typical importance weights for categories in each auditable activity Category

Overall importance weight

1.

Monetary values

20%

2.

Nature of operations

10%

5.

Controls and security

50%

4.

Human resources

20%

Total

100%

The importance weights are subjective. They are based on the professional judgment and the audit philosophy of the internal audit function. Different audit functions have different philosophies. The importance weights are a matter of opinion about how the four categories relate to each other (in terms of risk) on a scale of 0 to 100. What the categories stand for, of course, is essential. For each auditable activity the categories must be carefully studied. This requires a good working knowledge of the auditable activity. Exactly what the four major categories stand for in the simple model presented here is explained below. Monetary values: This category deals with monetary values and the importance of the transaction in terms of the currency (dollar, euro, pound, etc.) amount per transaction, the total daily value of the transaction, the average end-of-day monetary balances (end-of-day balance sheet amounts) and the liquidity of the transaction. Nature of operations: This category deals with the type of transaction, the time constraints on completing the transaction, the consequences of completing late, the number of transactions in an average day, the complexity of the transaction, and the sophistication of processing. Controls and security: This category deals with the traditional, long-standing operative objectives of internal accounting controls. It is concerned with the following. 8 Are transactions executed in accordance with management’s general or specific established lines, limits, etc.? 8 Are transactions recorded so that proper accountability for assets is maintained and financial statements that comply with Generally Accepted Accounting Principles (GAAP) or International Financial Reporting Standards (IFRS) are the result? 8 Is the recorded accountability for assets compared with existing assets at reasonable intervals, and is appropriate action taken with respect to differences? That is, are balance sheet amounts compared to actual assets or to customer input—cash, investments, loan statements, deposit statements, etc.?

94

NEW INSIDE PAGES FINAL copy.indd 94

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When Human resources: This fourth category deals with the quality of management, including experience, awareness, and problem-solving ability. It also deals with the staff—its size, abilities, experience, motivation, and training. In addition, it is concerned with delegation of duties and proper follow-up of findings, exceptions, and so on. The importance weights for each category must be allocated to subcategories. For example, based on the philosophy of the audit department and of the organization overall, the 20% for the “monetary values” category might be allocated as in Table 2. Table 2. Example of importance weights allocated to subcategories of “Monetary Values” category Subcategory

Importance weight

Value per transaction

5%

Total daily value of transactions

5%

End of day balance

5%

Liquidity

5%

Total

20%

Again, the allocation of importance weights to the four categories (monetary values, nature of operations, controls and security, and human resources) is subjective and differs between organizations. Careful consideration in light of the audit philosophy of the internal audit function is required to properly perform the risk assessment. Each subcategory for each auditable activity requires an intelligent assessment in terms of risk ratings (high, medium, or low) and known or perceived conditions. The ratings are made on a scale of 0 to 4, where 0 is no risk and 4 is high-risk. The 0 to 4 scale must to be established for each sub-category before the assessment begins. The established questions are based on the notion that “0” is no risk, “1” is a very low risk, “2” is moderate risk, “3” is above average risk and “4” is unacceptable risk. The established scale must be used consistently for all auditable activities. The rating multiplied by the importance weight gives an overall risk score for each of the four categories and related subcategories. The risk rating is based on evidence and professional judgment. The sum of the overall risk scores by category is the total risk score for each auditable activity. How each auditable activity relates to each other auditable activity is then compared and ranked by reviewing absolute total risk scores.

Part 2: The Detailed Risk Assessment Questionnaire

To develop the risk ratings, detailed questions are asked for each activity. A summary of the questions by category is given in Appendix 4. The risk calculation worksheet in Appendix 3 is used to score each auditable activity, which then can be listed from high-risk score to low-risk score based on total risk score for each auditable activity.

95

NEW INSIDE PAGES FINAL copy.indd 95

13/02/2012 12:58

Effective Auditing for Corporates Summary The entire assessment process is not time-consuming if the audit manager knows the risks and controls for each auditable activity. A serious attempt to implement this approach will probably result in a question as to why the internal auditors are or are not concentrating efforts in one area versus another. The answer is straightforward—the time and effort spent on any audit area should be based on a careful, consistently applied risk ranking. A conscientious annual audit risk assessment is a healthy experience for the audit department and for the bank. The approach set forth in this chapter is a simple one, and it costs little to do. The only ingredient needed is knowledge of the bank’s business functions, activities, and controls. The approach makes the difficult decision about differentiating between activities such as:

8 wire transfers; 8 commercial lending; 8 investment of depositor funds; 8 trust management (managing other people’s money); 8 foreign currency trading; 8 derivative activities (hedging or trading). The ranking of these auditable activities and others will differ from bank to bank. That is so because of the different bank audit philosophies that are in place (which will be reflected in the importance weights) and auditor assessments about the risks and control conditions within each auditable activity. Banks will differ on what activities need audit coverage, and what type of audit coverage is needed. That is appropriate since each internal audit function will be performing its audit coverage based on its own professional risk assessment. Decisions about allocating resources to the auditable activities are easier and more professional when a simple risk assessment approach is used. The perennial resource allocation headache is less of a problem when a risk-based auditing approach such as the one presented in this chapter is used. The professional internal auditor who is determining the annual audit plan should implement the following steps outlined in this chapter.

8 List the business functions and auditable activities. 8 For each auditable activity determine the business risks and related controls. 8 Establish importance weights. 8 Use the various questions to risk score by category for each auditable activity. 8 Calculate overall risk scores by auditable activity. 8 Rank the activities by risk score (high to low). 8 Based on available resources, determine what to audit and when.

96

NEW INSIDE PAGES FINAL copy.indd 96

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When More Info There are few notable books and/or articles about the specifics of internal auditor risk assessment. The sources given below, however, provide some useful further information. Standards: Institute of Internal Auditors (IIA). “International Professional Practices Framework (IPPF).” 2011 edition, updated for 2012. Online at: tinyurl.com/79nzmne Institute of Internal Auditors (IIA). “2010—Planning.” Online at: tinyurl.com/72nbjmx Websites: Institute of Internal Auditors (IIA): www.theiia.org Washington State University Office of Internal Audit on risk assessment: internalaudit.wsu.edu/riskassessment.html World Intellectual Property Organization (WIPO) on risk assessment methodology: tinyurl.com/83ut78n

97

NEW INSIDE PAGES FINAL copy.indd 97

13/02/2012 12:58

Effective Auditing for Corporates Appendix 1: Examples of Business Functions and Auditable Activities for a Retail Establishment and a Not-for-Profit Hospital Not-for-profit hospital

Retail establishment 1.

Obtaining working funds Stock issuance Debt issuance Vendor financing Other

2.

Product acquisition Buying goods R&D Market analysis Cash payments Quality control Product returns

3.

Sales Product location Customer credit approval Cash collections Customer satisfaction Customer tracking Shipping

4.

Inventory control Obsolescence review Storage levels

5.

Cash management Budgeting Cash flow “float” management Tax management

6.

Stockholder relations Dividend maintenance Public relations Brand management

7.

Personnel and payroll Hiring Training Development Payments to employees

8.

Security and safety Automated Nonautomated Insurance

1.

Gathering funds Grants Patient fees Donations

2.

Expenditures Plant replacement and maintenance R&D Supplies and materials Professional fees Employee costs (personnel and payroll)

3.

Fund balance control Budgeting Float management Satisfaction of donor intent

4.

Constituency relations Patients Community Brand management

5.

Security and safety Automated Nonautomated Insurance

98

NEW INSIDE PAGES FINAL copy.indd 98

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When Appendix 2: Example of Risk/Control Sheet—Major Risks and Related Key Controls for Foreign Exchange Activity Major risks

Key control

Deals could be made with unauthorized parties

Management establishes lists of authorized customers, including brokers

Deals could be made in excess of approved lines and limits

Trading limits are established for customers, currency traded, etc.

Approved customers may not be properly reviewed for overall creditworthiness

Nontrading personnel compare trading activity with authorizations; trading positions are valued daily by nontrading personnel and compared with authorizations

Market risk (daily price changes) for positions held may not be independently monitored

Excessive price changes and authorization violations are reported daily to senior management by nontrading personnel

Unauthorized bank employees could execute trades for the bank

Approved customers (including brokers and dealers) are given specific trading authorizations; authorized bank employee foreign currency dealers are told with whom (which specific person) they can transact business with at the counterparty’s company

99

NEW INSIDE PAGES FINAL copy.indd 99

13/02/2012 12:58

Effective Auditing for Corporates Appendix 3: Risk Calculation Worksheet Activity: Date: Factor

Importance x Risk rating = Risk score weight (1 to 4)

Subtotal

1. Monetary values Value per transaction Total value of transactions End-of-day balances Liquidity 2. Nature of operations Pressure Volume Complexity of transaction Process sophistication 3. Controls and security Authorization: General Specific Recording: Flow of documents and activities GAAP or IFRS Access: Direct Indirect Comparison: Periodicity Actions taken 4. Human resources Management: Experience Awareness Problem solving Staffing/motivation Training Delegation of duties Resolution of previous findings Staff: Experience Performance

100 points

Total risk score

100

NEW INSIDE PAGES FINAL copy.indd 100

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When Appendix 4: Determination of Risk Ratings for Each Activity— Summary of Questions by Category Category No. 1: Monetary Values:

This category requires the risk assessor to consider the characteristics of the activity and the valuables, if any, that are being handled. (Valuables are items that have monetary worth in their present form or when they are converted.) Value per transaction: For each activity, what is the risk level (i.e. the chance that there will be a monetary or nonmonetary loss) based on the importance of the average daily monetary amount of each transaction? Use a risk scale of one for low-risk to four for high-risk. Monetary amounts for all activities must be decided upon. Total daily value of transactions: What is the risk level based on the importance of the total daily value of all transactions? Volume numbers for the 1 to 4 ratings must be established. End-of-day balances: What is the risk based on the amount of valuables held overnight, i.e. end-of-day balances? Monetary amounts for the 1 to 4 ratings must be established. Liquidity: What is the risk level based on the ease with which valuables can be converted into cash? Consider the number of activities needed for conversion, the time needed to convert, the expertise required to convert, and the degree of negotiability of the instrument in question.

Category No. 2: Nature of Operations

This category requires the risk assessor to consider the characteristics of the day-today work performed by employees. It requires knowledge of the type of transaction involved, the time needed to finish the transaction, the consequences of completing the transaction late, the average daily number of transactions, the complexity of the transactions, and the sophistication of processing. Pressure: What is the risk level based on the time constraints on completing the transaction and the consequences if the work is not completed on time? Volume: What is the risk level associated with the absolute number of units received, processed, or delivered by the activity during the average day? Complexity of transactions: What is the risk level based on the number of people, the amount of time, the number of steps, and the degree of difficulty involved in completing the transactions? Processing sophistication: What is the risk level based on the reliability of the technology used for processing?

Category No. 3: Controls and Security

This category requires the risk assessor to consider the “health” of the procedures and activities that safeguard the assets and generate reasonably accurate financial information.

101

NEW INSIDE PAGES FINAL copy.indd 101

13/02/2012 12:58

Effective Auditing for Corporates Authorization—general: What is the risk level based on the importance of having written, understandable, properly distributed, and suitably monitored general authorizations (i.e. policies concerned with the definition or identification of general conditions under which transactions are authorized without regard to specific parties or transactions)? Authorization—specific: What is the risk level based on the importance of having written policies that specify the conditions under which transactions can be undertaken and with whom and at what prices, limits, volume, etc.? Recording—flow: What is the risk that the flow of documents, activities, procedures, and controls will not record all transactions properly and completely? Recording—GAAP or IFRS: What is the risk that transactions are recorded in a way that does not easily generate accurate financial statements that are in accordance with Generally Accepted Accounting Principles or International Financial Reporting Standards? Access—direct: What is the risk that direct access to assets will be achieved by unauthorized employees or others? Access—indirect: What is the risk that unauthorized personnel can prepare or process documents that will result in improper use of assets? Periodic comparisons: What s the risk that there is a significant difference between accountabilities for assets and the actual assets? Follow-up comparisons: What is the likelihood that the differences between accountabilities and actual assets are left long outstanding and not investigated at once?

Category No. 4: Human Resources

This category requires the risk assessor to consider the characteristics that constitute top quality management and staff. It deals with management quality, experience, awareness and problem solving ability. It also deals with motivation, training and the delegation of duties. Experience - Management: What is the risk that the appropriate knowledge and skills are lacking? Awareness: What is the risk that management is not aware of the current state of operations? Problem Solving: What is the risk that management is not able to meet operating problems promptly and effectively? Staffing & Motivation: What is the risk that management does not have an appropriate staff size to inspire staff employees to perform well?

102

NEW INSIDE PAGES FINAL copy.indd 102

13/02/2012 12:58

An Auditor’s Approach to Risk-Based Auditing: What to Audit and When Training: What is the risk that management has not provided appropriate training to appropriate employees? Delegation of Duties: What is the risk that management does not appropriately delegate duties? Resolution of Previous Findings: What is the risk that management is not satisfactorily taking action to respond to audit or other “findings?” Staff Experience: What is the risk that the staff does not have a high level of experience? Performance: What is the risk that the quality of work and the timeliness to which staff carry out their duties is less than standard?

103

NEW INSIDE PAGES FINAL copy.indd 103

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 104

13/02/2012 12:58

Compliance and Corporate Audit by Helen Roybark Radford University, Virginia, USA

This Chapter Covers 8  Some of the regulatory roles and responsibilities under the Sarbanes–Oxley Act, 2002, and Securities and Exchange Commission (SEC) regulations of the chief executive officer and chief financial officer, the audit committee, the internal audit department, and the organization’s external auditor. 8 The key provisions of Sarbanes–Oxley and the regulatory requirements of the SEC. 8 An assessment of the pre- and post- Sarbanes–Oxley environments. 8 A case study that considers PepsiCo’s handling of its regulatory requirements.

Introduction

Every public company must have an annual integrated audit completed by an external auditor that is registered with the Public Company Accounting Oversight Board (PCAOB), so how does an organization ensure regulatory compliance? The independent audit is the cornerstone of public confidence in the US capital market (Sutton, 2002). The significance of the public audit was identified in United States v. Arthur Young & Co. (1984), when the US Supreme Court described the independent audit as a “‘public watchdog’ function.” This has been the legal foundation of the auditing of public companies for the past 27 years. Following the sharp decline in technology stocks (2000) and the Enron (2001) and WorldCom (2002) failures, the utility of the public audit was called into question by society (Carmichael, 2004). Congress responded by passing the Sarbanes–Oxley Act of 2002, which was signed into law on July 30, 2002. Section 101 of the Act established the PCAOB to oversee the audit of public companies that are subject to the securities laws and related matters. The US Securities and Exchange Commission (SEC) has oversight and enforcement authority over the PCAOB as specified in Section 107 of the Act. The Sarbanes–Oxley Act has been called the most significant regulatory reform since the Great Depression. “The Act is extremely important in its implications for boards and managements of public companies, for the accounting profession, and for the capital markets system in the United States” (Messier, Glover, and Prawitt, 2010, p. 35). It applies to all US public companies. While the Act does not apply directly to privately held companies, it may have indirect effects should such companies wish to raise capital, be acquired by a public company or become a public company, or work with customers or other partners who may require Sarbanes–Oxley compliance from their suppliers and vendors. The Act includes a broad range of provisions dealing with corporate governance, so it affects how business is conducted. It created legal responsibilities associated with the chief executive officer (CEO), chief financial officer (CFO), the audit committee, the internal audit personnel, and the external auditor. Given the legal mandates and expanded regulatory requirements, the organization must ensure that these individuals and groups clearly understand their roles and responsibilities in the post-Sarbanes–Oxley world.

105

NEW INSIDE PAGES FINAL copy.indd 105

13/02/2012 12:58

Effective Auditing for Corporates Good governance demands that an organization’s board of directors ensures that the highest ethical behavior is maintained throughout the organization and that its public disclosures are reliable, timely, and satisfy all legal mandates. This sends a clear message to the public, stakeholders, and regulators about the board of directors’ and management’s role and responsibilities (IIA, AICPA, and ACFE, 2008). Stakeholders want to know how all actors—the CEO and CFO, the audit committee, internal auditors, and the external auditor—are responding to heightened regulations and their oversight and leadership roles and responsibilities. Management’s assessment of internal controls must be made using a recognized framework, referred to as “control criteria.” Most US companies use the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal control—integrated framework (COSO, 1994) and the Control objectives for information and related technology (COBIT) framework (ISACA, 2007) as a supplement to the COSO framework for IT controls.

Roles and Responsibilities under the Sarbanes–Oxley Act and Securities and Exchange Commission Regulations CEO and CFO

The Sarbanes–Oxley Act created three separate and distinct legal certification requirements where CEOs and CFOs are personally responsible—Section 302, Section 404, and Section 906 (Geiger and Taylor, 2003; SEC, 2002).

Section 302

Section 302 requires compliance in respect of the following: 8 that the CEO and CFO certify in each annual report or quarterly report filed with the SEC (Sections 13(a) or 15(d) of the Securities Exchange Act of 1934) that the signing officer has reviewed the report (subsection a1); 8 that, based on those officers’ knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading (subsection a2); 8 that, based on such officers’ knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the company as of, and for, the periods presented in the report (subsection a3); 8 that the signing officers are responsible for establishing and maintaining internal controls (subsection a4A) and that the internal controls have been designed to ensure that material information is made known to the officers within the company during the period in which the periodic reports are being prepared (subsection a4B); 8 that the officers have evaluated the effectiveness of the company’s internal controls as of the end of the fiscal year (subsection a4C) and that the signing officers have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date (subsection a4D);

106

NEW INSIDE PAGES FINAL copy.indd 106

13/02/2012 12:58

Compliance and Corporate Audit 8 that the signing officers must disclose to the issuer’s auditors and the audit committee of the board of directors all significant deficiencies in the design or operation of internal controls which could adversely affect the financial reporting and state that they have identified for the issuer’s auditors any material weaknesses in internal controls (subsection a5A) and any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls (subsection a5B); 8 that the signing officers must indicate in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses (subsection a6). Section 409 of the Act requires real-time disclosure of the annual (10-K) and quarterly (10-Q) report. Current SEC regulations require that each annual report be filed within 60 days after the end of the fiscal year except for nonaccelerated filers with less than $75 million of public float (within 90 days) and quarterly reports to be filed within 40 days after the end of each quarter except for nonaccelerated filers (within 45 days). Note that real-time disclosures apply to both Sections 302 and 404 requirements (SEC, 2005).

Section 404

Section 404 requires that each annual report contain an internal control report which states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting (subsection a1). In addition, the annual report must contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting (subsection a2). There are major differences between the annual Section 404 assessment and that required for the interim Section 302 assessments. For example, the external auditors do not opine on interim reports. While the same rigor does not have to be repeated each quarter for the 302 assessment, prudence suggests that management should utilize a documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications. For the purposes of Section 404, the majority of companies and audit firms use COSO’s (1994) definition of internal control “as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in four categories: the effectiveness and efficiency of operations; the reliability of financial reporting; compliance with applicable laws and regulations; and the safeguarding of assets. To comply with Section 404, the SEC regulations require that the company’s annual report include an internal control report by management that contains (SEC, 2003):

107

NEW INSIDE PAGES FINAL copy.indd 107

13/02/2012 12:58

Effective Auditing for Corporates 8 a  statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company; 8 management’s assessment of the effectiveness of the company’s internal control over financial reporting (ICFR) as of the end of the company’s most recent fiscal year, including a statement as to whether or not the company’s ICFR is effective; 8 a statement identifying the framework used by management to conduct its evaluation; 8 a statement that the registered public accounting firm that audited the financial statements in the annual report has issued an attestation report on the effectiveness of the ICFR; 8 the attestation report of the registered public accounting firm that audited the company’s financial statements. Note that SEC regulations relating to internal control over financial reporting do not encompass the elements of the COSO definition that relate to the effectiveness and efficiency of a company’s operations and compliance with applicable laws and regulations, with the exception of compliance with the applicable laws and regulations that are directly related to the preparation of financial statements (SEC, 2003). The SEC set a threshold for concluding whether a company’s ICFR is effective. That threshold is the presence of one or more material weaknesses. Management’s assessment of ICFR must identify whether or not the company’s ICFR is effective. Management’s assessment cannot be considered effective if one or more material weaknesses exist. A material weakness is defined as a deficiency, or a combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility (the likelihood of the event is either reasonably possible or probable) that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis (SEC, 2007).

Section 906

Section 906 requires that the periodic reports which contain financial statements filed by an issuer with the SEC shall be accompanied by a written statement by the CEO and CFO (or equivalent thereof) of the issuer (subsection a). Note that Sections 302 and 404 provide the civil basis for noncompliance, whereas Section 906 provides the criminal basis for noncompliance. The 906 statement that is required shall certify that the periodic report containing the financial statements fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934 and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer (subsection b). A rigorous process for the selection of audit committee nominees is critical. The selection process should not be based on personal ties to management or friendly or previous relationships.

108

NEW INSIDE PAGES FINAL copy.indd 108

13/02/2012 12:58

Compliance and Corporate Audit Criminal penalties for noncompliance include: 8 w  hoever certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned for not more than 10 years, or both (subsection c1); or 8 whoever willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned for not more than 20 years, or both (subsection c2).

Audit Committee

Section 205 of the Sarbanes–Oxley Act defines the term audit committee as a committee (or equivalent body) established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer (subsection A). Section 301 of the Act requires that the audit committee, in its capacity as a committee of the board of directors, be directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm retained by the company for the purpose of preparing or issuing an audit report. In short, the audit committee must be proactive with the external auditors (subsection 2). In addition, the following provisions relate to the audit committee: 8 each member of the audit committee must be a member of the board of directors and must otherwise be independent (subsection 3A); 8 other than in his or her capacity as a member of the audit committee, a member may not accept any consulting, advisory, or other compensatory fee from the organization or be an affiliated person of the company or subsidiary thereof (subsection 3B); 8 Section 301 requires the audit committee to establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters (subsection 4A); 8 the committee must establish and maintain the confidentiality and anonymity of submissions by employees of the issuer of concerns regarding questionable accounting or auditing matters (subsection 4B); 8 each audit committee shall have the authority to engage independent counsel and other advisers, as it determines necessary to carry out its duties (subsection 5); 8 each issuer shall provide for appropriate funding, as determined by the audit committee in its capacity as a committee of the board of directors, for payment of compensation to any advisers employed by the audit committee (subsection 6).

109

NEW INSIDE PAGES FINAL copy.indd 109

13/02/2012 12:58

Effective Auditing for Corporates Ideally, the audit committee should have its own charter which explicitly identifies the composition of the audit committee, members’ qualifications, the committee’s purpose, and its reporting, disclosure, and corporate oversight responsibilities. The audit committee should help to set and maintain the tone at the top (a part of the control environment). Given its technical roles and responsibilities, it may be helpful for the chair of the audit committee to be an accounting expert (Beasley et al., 2009). Beasley et al. (2009) recommend that the agendas for the audit committee be set in advance and that the chair of the committee set the agenda. The agenda should be consistent with the committee’s charter and the assessment of company risks. Guidelines on what information the audit committee will evaluate should be driven by the committee and not management. While management provides information to the audit committee, it should be received by all audit committee members sufficiently in advance to allow the audit committee to adequately evaluate the information before the next scheduled meeting of the committee. Audit committee activities may occur outside of formal meetings. Ongoing communications between committee members and with management, internal auditors, and external auditors between scheduled meetings may be needed to ensure substantive monitoring by the audit committee. The authors recommend that the audit committee should meet frequently with those in charge of the internal audit function. To achieve a high level of independence, the director of internal audit should report to the audit committee chair. Both groups can benefit from a strong and open relationship. The audit committee should assess both the reputation of the external audit firm and the quality of the audit personnel assigned to the engagement, as well as the collective strengths of the audit team (Beasley et al., 2009). As previously noted, Section 301 specifically directs the audit committee to directly oversee the external audit firm and/ or the external auditor(s). To that end, the audit committee should evaluate the public information available about external audit firms/auditors as disclosed by the PCAOB. The first thing that the audit committee of a public company should do is to verify that the external auditor is registered with the PCAOB. As of January 18, 2011, 2,388 audit firms were registered with the PCAOB. The second thing that the audit committee of a public company should do is to evaluate any inspection reports issued by the PCAOB to the external audit firm/auditor. As required by Section 104 of the Sarbanes–Oxley Act, the PCAOB issues inspection reports for the purpose of assessing compliance with certain laws, rules, and professional standards in connection with a firm’s audit work on public companies. Firms that audit more than 100 public companies during a calendar year are inspected on an annual basis. Triennial inspections include those firms that issue at least one audit report but no more than 100 reports during a calendar year. These firms are inspected on a year-to-year basis, given the mix of firms in terms of the size and nature of audit practice. As of June 9, 2011, the PCAOB has issued 1,141 inspection reports (Roybark, 2011b) since 2004. The audit committee can review the inspection reports to determine whether audit deficiencies associated with the external audit firm/auditor have been identified by the PCAOB. An effective quality control system provides the organizational underpinning for conducting effective audit engagements. Another important PCAOB disclosure available

110

NEW INSIDE PAGES FINAL copy.indd 110

13/02/2012 12:58

Compliance and Corporate Audit to the audit committee is that of audit firms which have failed to address quality control criticisms satisfactorily. Inspection reports may contain nonpublic content about potential defects in a firm’s system of quality control. Such quality control criticisms remain nonpublic if the firm addresses them to the PCAOB’s satisfaction within 12 months of the inspection report date. If a firm fails to address any of the quality control criticisms within the 12-month period allowed by law, the portion of the report discussing the particular criticism is made publicly available. As of June 9, 2011, 96 of the 1,141 inspection reports included public disclosure of defects in the firms’ quality control systems that had not been addressed to the PCAOB’s satisfaction, thereby resulting in public disclosure (Roybark, 2011b). Other public information available on the PCAOB’s website (for url, see More Info section) includes settled disciplinary orders where final decisions to impose sanctions have been made against an audit firm/auditor, adjudicated disciplinary orders, and termination of bars. The audit committee should review and monitor accounting policies and estimates, judgments, and assumptions involving the implementation of accounting policy. In short, the audit committee should be actively involved with accounting alternatives and estimates (Beasley et al., 2009). Another resource that may be useful to the audit committee is the PCAOB’s staff audit practice alerts (SAPs). “Staff Audit Practice Alerts highlight new, emerging, or otherwise noteworthy circumstances that may affect how auditors conduct audits under the existing requirements of the standards and rules of the PCAOB and relevant laws” (PCAOB, 2011, p. 1). As of December 7, 2011, the PCAOB has issued nine SAP alerts, which address the following topics: 8 m  atters related to timing and accounting for option grants (No. 1, July 28, 2006); 8 matters related to auditing fair-value measurements of financial instruments and the use of specialists (No. 2, December 10, 2007); 8 audit considerations in the current economic environment (No. 3, December 5, 2008); 8 auditor considerations regarding fair-value measurements, disclosures, and other-than-temporary impairments (No. 4, April 21, 2009); 8 auditor considerations regarding significant unusual transactions (No. 5, April 7, 2010); 8 auditor considerations regarding using the work of other auditors and engaging assistants from outside the firm (No. 6, July 12, 2010); 8 auditor considerations of litigation and other contingencies arising from mortgage and other loan activities (No. 7, December 20, 2010); 8 audit risks in certain emerging markets (No. 8, October 3, 2011); 8 assessing and responding to risk in the current economic environment (No. 9, December 6, 2011). The link for the PCAOB’s staff alert page is given in the More Info section at the end of this chapter—see PCAOB (2006–11).

111

NEW INSIDE PAGES FINAL copy.indd 111

13/02/2012 12:58

Effective Auditing for Corporates Internal Audit Department

Although the internal audit function is considered to be part of the organization’s internal control system, it is directly accountable to the audit committee in most public companies. The internal audit function provides assurance to both management and the audit committee regarding the effectiveness of all aspects of the organization’s system of internal control, risk management, and governance practices. Its activities are considered part of the monitoring layer of the system of internal control and, therefore, are included in both management’s and the external auditor’s assessment. In addition, the work of the internal audit department may be used by the external auditor (why reinvent the wheel?). The external auditor must gain an understanding of the internal audit function and the activities performed by the department. A major issue for the external auditor is assessing the competence and objectivity of the internal auditors and the effect of their work on the audit. The external auditor is more likely to rely on the work of internal auditors when the internal audit department and its personnel are more independent (i.e. the department reports to the audit committee). This may result in significant cost savings in terms of the external audit fee (Messier, Glover, and Prawitt, 2010).

External Auditor

To conduct an audit of a public company, the external auditor must be registered with the PCAOB. The external auditor must follow the general auditing standards and the standards as set out in the PCAOB’s Auditing Standard (AS) No. 5: “An audit of internal control over financial reporting that is integrated with an audit of financial statements” (PCAOB, 2007). The external auditor must conduct an integrated audit (AS No. 5, section 1 in the text that follows “section” refers to a section of AS No. 5). This means that the auditor is engaged to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting (the audit of ICFR) that is integrated with an audit of the financial statements (section 1). The objective in an audit of ICFR is to express an opinion on the effectiveness of the company’s ICFR. The objective of an audit of the financial statements is to opine on the statements.1 Although the objectives of the audits are not identical, the auditor must plan and perform the work to achieve the objectives of both audits simultaneously (section 6). To conduct the audit of the ICFR, the external auditor should use the same recognized control framework to perform the audit of ICFR as management uses for its annual evaluation of the effectiveness of the ICFR (section 5). The external auditor must opine on the effectiveness of the company’s internal control over financial reporting (section 3). As defined by the SEC and AS No. 5, effective ICFR means that if one or more material weaknesses exist, the company’s ICFR cannot be considered effective (section 2). If no material weaknesses exist, the external auditor will issue an unqualified opinion, while an adverse opinion will be issued if one or more material weaknesses exist. The audit must be appropriately planned (section 9) and risks must be assessed (sections 10–12). The size and complexity of the organization play an important role in the risk assessment process and the determination of the audit procedures, so the audit can be scaled to the size and complexity of the organization and its controls and risks of misstatement, including the risk of fraud (section 13). AS No. 5 calls for the auditor to use a top-down, riskbased approach to the audit of ICFR to select the controls to test (section 21).

112

NEW INSIDE PAGES FINAL copy.indd 112

13/02/2012 12:58

Compliance and Corporate Audit The auditor must test those entity-level controls that are important to the auditor’s conclusion about whether the company has effective ICFR. Entity-level controls vary in nature and precision and include controls related to the control environment, controls over management overrides, the company’s risk assessment process, centralized processing and controls including shared service environments, controls to monitor the results of operations, controls to monitor other controls (including activities of the internal audit function, the audit committee, and self-assessment programs), controls over the period-end financial reporting process, and policies that address significant business control and risk management practices (sections 22–56). For each control that is selected for testing, the evidence necessary to persuade the auditor that the control is effective depends on the risk associated with the control. The risk associated with a control consists of the risk that the control might not be effective, and, if not effective, the risk that a material weakness would result. As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases (section 46). In subsequent years’ audits, the auditor should incorporate knowledge obtained during past audits which he or she has performed of the company’s ICFR into the decision-making process for determining the nature, timing, and extent of the testing necessary (section 57). The auditor must evaluate the severity of each control deficiency that comes to his or her attention to determine whether the deficiencies, individually or in combination, are material weaknesses as of the date of management’s assessment. Note that the auditor is not required to search for deficiencies that, individually or in combination, are less severe than a material weakness (section 62). The severity of a deficiency depends on: whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure; and the magnitude of the potential misstatement resulting from the deficiency or deficiencies (section 63). Indicators of material weaknesses in ICFR include (section 69): 8 identification of fraud, whether or not material, on the part of senior management; 8 restatement of previously issued financial statements to reflect the correction of a material misstatement; 8 identification by the auditor of a material misstatement of financial statements in the current period in circumstances that indicate that the misstatement would not have been detected by the company’s ICFR; 8 ineffective oversight of the company’s external financial reporting and ICFR by the company’s audit committee. The external auditor must communicate, in writing, to management and the audit committee all material weaknesses identified during the audit. The written communication should be made prior to the issuance of the auditor’s report on ICFR (section 78). Note that if the auditor concludes that oversight of the company’s external financial reporting and ICFR by the company’s audit committee is ineffective, the auditor must communicate that conclusion in writing to the board of directors (section 79). The auditor also should communicate to management, in writing, all deficiencies in ICFR— those deficiencies in ICFR that are of a lesser magnitude than material weaknesses— which have been identified during the audit and inform the audit committee when such

113

NEW INSIDE PAGES FINAL copy.indd 113

13/02/2012 12:58

Effective Auditing for Corporates a communication has been made. When making this communication, it is not necessary for the auditor to repeat information about such deficiencies that have been included in previously issued written communications, whether those communications were made by the auditor, internal auditors, or others within the organization (section 81). In conclusion, management needs to understand AS No. 5 since it explains how the external auditor will review and evaluate management’s assessment process. Management should maximize reliance on its assessment and testing procedures in order to help to minimize audit fees. Management also needs to ensure that its process satisfies the principles of Section 404 of the Sarbanes–Oxley Act and that it provides a fair assessment of its internal controls as of the company’s year-end, reflecting whether the system provides reasonable assurance that material misstatements will be prevented or detected. One action that management can take during the current audit period is to address any deficiencies identified by the external auditor during the previous audit period. Another thing that management can do is to provide additional information in its report on ICFR. For example, management may include disclosures about new controls that were implemented or other corrective actions taken by the company during the current audit period which strengthen the overall system and how such controls will prevent misstatements. In addition, management may include disclosures about its plans to implement new controls or how the cost of correcting a material weakness would exceed the benefits derived from implementing a given control or how other controls may mitigate the risk associated with a deficiency and thereby prevent a misstatement.

Summary of Key Provisions and Regulatory Requirements

Table 1 provides a summary of the key provisions of the Sarbanes–Oxley Act and the regulatory requirements of the Securities and Exchange Commission discussed in this chapter. Table 1. Summary of key provisions of SOX and regulatory requirements of the SEC Feature Form of Certification

302 Separate certification by CEO and CFO

Reports covered

Annual and quarterly reports

Disclosure control Recommended committee by SEC Audit committee communications

Section of Sarbanes–Oxley Act 404 906 Separate certifications by CEO and CFO or may be single statement signed by both officers Annual and quarterly Annual and reports quarterly reports Recommended by SEC CEO and CFO must disclose material weaknesses

Recommended by SEC

Certifications delivered

Filed as separate exhibit with each periodic report

Filed as separate exhibit with each periodic report

Enforcement jurisdiction

SEC and PCAOB

SEC and PCAOB

Department of Justice

Penalties for false certifications

SEC civil action

SEC civil action

Department of Justice criminal prosecution

For details of the provisions of the sections of the Sarbanes–Oxley Act covered here, see the first section of this chapter: “Roles and Responsibilities Under the Sarbanes–Oxley Act and Securities and Exchange Commission Regulations.”

114

NEW INSIDE PAGES FINAL copy.indd 114

13/02/2012 12:58

Compliance and Corporate Audit Case Study

PepsiCo: “Be Young, Have Fun, Drink Pepsi”

“The most important governance mechanism for overseeing senior management is the corporation’s BOD, and the board’s various committees” (Carcello, 2009, p. 13). Between 1992 and 1993 the Pepsi slogan was “Be young, have fun, drink Pepsi” (PepsiCo, 2011b). Although this slogan conveys a lighthearted spirit, PepsiCo takes its regulatory responsibilities seriously. On the corporate governance page of its website, the company asserts that “PepsiCo has adopted strict corporate standards that govern our operations and ensures accountability for our actions” (PepsiCo, 2011a). PepsiCo’s business affairs are overseen by its board of directors. The board consists of one executive director and 11 independent outside directors. Only independent outside directors make up PepsiCo’s three standing board committees: the nominating and corporate governance committee, the audit committee, and the compensation committee. Each standing committee is governed by its own charter (PepsiCo 2011a). A review of PepsiCo’s audit committee charter (as amended, effective November 11, 2010) reveals that the company has addressed all the key provisions of the Sarbanes–Oxley Act. As specified in the charter, the audit committee meets at least four times each year, or more frequently as circumstances require. Topics addressed include the purpose and responsibilities of the committee and the qualifications of its members. In addition, reporting and disclosure requirements to the board of directors and the committee’s corporate oversight responsibilities are detailed. For example, the corporate oversight responsibilities include such issues as: compliance with respect to the company’s financial reporting and disclosure processes; accounting principles and the adequacy of internal controls; guidelines and policies with respect to risk assessment and the work and utility of the internal audit function; the establishment of procedures to handle complaints regarding the preparation of financial statements; internal accounting controls and auditing matters; and the establishment of procedures for the committee to receive, retain, and respond to confidential, anonymous submissions by corporation employees about concerns regarding questionable accounting or auditing matters. In short, PepsiCo’s audit committee charter is a comprehensive document that satisfies the key provisions of the Act. While not required by the Sarbanes–Oxley Act, the SEC recommended, but did not mandate, the creation of a disclosure committee “with responsibility for considering the materiality of information and determining disclosure obligations on a timely basis. As is implicit in Section 302(a)(4) of the Act, such a committee would report to senior management, including the principal executive and financial officers, who bear express responsibility for designing, establishing, maintaining, reviewing and evaluating the issuer’s disclosure controls and procedures” (SEC, 2002, p. 8). Shortly after Sarbanes–Oxley was enacted, PepsiCo established such an internal committee—its disclosure committee (charter originally adopted October 11, 2002, and amended July 25, 2003). The disclosure committee charter has been adopted by the CEO and CFO (the “senior officers”) of PepsiCo. The disclosure committee reviews and reassesses its charter annually and recommends any proposed changes to the senior officers for approval. The membership of the committee consists of the company’s controller, general counsel, general auditor, and head of investor relations. One member is appointed by the senior officers as chair. In discharging its duties, the committee has full access to all company books, records, facilities, and personnel, including the internal auditors. All responsibilities and tasks of the committee are subject to the supervision and oversight of the senior officers (PepsiCo, 2011a).

115

NEW INSIDE PAGES FINAL copy.indd 115

13/02/2012 12:58

Effective Auditing for Corporates Assessment of the Pre- and Post-Sarbanes Environments

Beasley et al. (2010) were commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to provide a comprehensive analysis of occurrences of fraudulent financial reporting investigated by the SEC between January 1998 and December 2007. Fraudulent financial reporting can be examined with reference to three risk factors or conditions: management or other employees have an incentive to, or are under pressure that provides a reason for them to, commit fraud; circumstances exist that provide an opportunity for a fraud to be carried out; and those involved are able to rationalize the committing of a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allows them to knowingly and intentionally commit a dishonest act (Messier, Glover, and Prawitt, 2010). These three conditions are depicted in Figure 1. Figure 1. The fraud triangle. (Reprinted with permission of the Association of Certified Fraud Examiners, Inc., Austin, Texas, 2011)

Perceived opportunity

THE FRAUD TRIANGLE

Perceived pressure

Rationalization

As used in the accompanying discussion, “the term ‘fraudulent financial reporting’ represents the intentional material misstatement of financial statements or financial disclosures (in notes to the financial statements or SEC filings) or the perpetration of an illegal act that has a material direct effect on the financial statements or financial disclosures” (Beasley et al., 2010, p. 7).

Pre-Sarbanes Environment

Beasley et al. (2010) analyzed 1,335 “Accounting and auditing enforcement releases” (hereafter AAER) issued by the Securities and Exchange Commission during the 10-year period 1998–2007. The research showed that the vast majority of public companies appeared to provide financial reports that are free from material misstatements due to fraud.

116

NEW INSIDE PAGES FINAL copy.indd 116

13/02/2012 12:58

Compliance and Corporate Audit The SEC alleged fraud involving 347 public companies over the period studied. In 72% and 65% of these cases the AAERs named the CEO and CFO, respectively, as being associated with the fraud. Collectively, the CEO and/or CFO were named in 89% of the 347 cases. These cases included major accounting scandals of the early 2000s, such as Enron and WorldCom. Because there is a significant time lag between the occurrence of fraudulent financial reporting and the issuance of an AAER related to that instance of fraud, most of the underlying instances of fraudulent financial reporting described in the 10-year period occurred before Sarbanes–Oxley was enacted. In only 61 (18%) of the 347 allegedly fraudulent cases examined in this study did the financial statements involve periods subsequent to 2002, and thus only a small number of the companies concerned were subject to the provisions of the Sarbanes–Oxley Act.

Post-Sarbanes Environment

Roybark (2011a) analyzed 91 AAERs issued by the SEC during 2011 (as of August 15, 2011) (see also SEC, 2011). Over the seven-month period, 31 (34%) of the 91 AAERs involved CEOs, CFOs, or both in some type of enforcement action. Four (4%) and 17 (19%) of the cases involved either the CEO or CFO, respectively, while 10 (11%) of the cases involved both. These data provide some limited evidence that financial reporting has improved in the post-Sarbanes–Oxley environment, but the existence of such enforcement actions that identify CEOs and CFOs as involved in fraudulent reporting creates concern. These results point to inadequate oversight and weak control environments (“tone at the top”). While the fraud triangle provides a conceptual framework, fraudulent financial reporting may be caused by other factors such as greed, revenge, or a “catch me if you can” rationale. Groupthink2 bias should be guarded against. Such a bias discounts opposing views when maintaining the cohesiveness and solidarity of a group is seen as more important than a realistic appraisal of the facts at hand. Groupthink coupled with a symbolic or ceremonial board, or one with a culture in which form has priority over substance, may be particularly problematic. When encountering fraud, it is a human tendency to fall back on preconceptions such as confirmation bias (where the auditor is seen as trustworthy) and selective perception (where people see only what they want to see) (Ramamoorti, 2008). Summary Every public company must have an annual integrated audit completed by an external auditor registered with the PCAOB, so how does an organization ensure regulatory compliance? To that end, some of the regulatory roles and responsibilities of the CEO and CFO, the audit committee, the internal audit department, and the organization’s external auditor have been discussed. The key regulatory provisions of the Sarbanes–Oxley Act and the SEC were considered, and a case study involving PepsiCo was presented, to illustrate the regulatory roles and responsibilities of a public company. The frequency of fraudulent financial reporting in the pre- and post-Sarbanes–Oxley environments was also discussed. The Sarbanes–Oxley Act includes a broad range of provisions that deal with corporate governance, so it affects how business is conducted. Given the legal mandates and

117

NEW INSIDE PAGES FINAL copy.indd 117

13/02/2012 12:58

Effective Auditing for Corporates expanded regulatory requirements, the organization must ensure that key individuals and groups clearly understand their roles and responsibilities in the post-Sarbanes–Oxley world. The Act has been called the most significant regulatory reform since the Great Depression for a good reason. Significant costs and human capital are required to comply with the provisions of the Act. However, noncompliance may be even more costly. Michael Sutton, former chief accountant of the SEC, argues that “without investor confidence, arguments about how financial reporting does or does not contribute to economic goals or market efficiency simply are moot—they are a waste of time. Failures in our financial reporting system are more than aberrations. They seriously undermine the confidence of investors and the public in the institutions that are supposed to protect them” (Sutton, 2002, p. 321). Although the evidence shows that the vast majority of public companies appear to provide financial reports that are free from material misstatement, the existence of enforcement actions that include alleged fraud and where CEOs and CFOs are identified creates concern. In summary, good governance demands that an organization’s board of directors ensure that the highest ethical behavior is maintained throughout the organization and that its public disclosures are reliable, timely, and satisfy all legal mandates. This sends a clear message to the public, stakeholders, and regulators about the board of directors’ and management’s role and responsibilities (IIA, AICPA, and ACFE, 2008). After all, stakeholders want to know how all actors—the CEO and CFO, the audit committee, internal auditors, and the external auditor—are responding to heightened regulations and to their roles and responsibilities with regard to oversight and leadership.

More Info Book: Messier, William F., Steven M. Glover, and Douglas F. Prawitt. Auditing and Assurance Services: A Systematic Approach. 7th ed. New York: McGraw-Hill/Irwin, 2010. Articles: Beasley, Mark S., Joseph V. Carcello, Dana R. Hermanson, and Terry L. Neal. “The audit committee oversight process.” Contemporary Accounting Research 26:1 (Spring 2009): 65–122. Online at: dx.doi.org/10.1506/car.26.1.3 Carcello, Joseph V. “Governance and the common good.” Journal of Business Ethics 89:S1 (May 2009): 11–18. Online at: dx.doi.org/10.1007/s10551-008-9904-z Carmichael, Douglas R. “The PCAOB and the social responsibility of the independent auditor.” Accounting Horizons 18:2 (June 2004): 127–133. Online at: dx.doi.org/10.2308/acch.2004.18.2.127 Geiger, Marshall A., and Porcher L. Taylor, III. “CEO and CFO certifications of financial information.” Accounting Horizons 17:4 (December 2003): 357–368. Online at: dx.doi.org/10.2308/acch.2003.17.4.357 Information Systems Audit and Control Association (ISACA). “COBIT framework for IT governance and control.” Version 4.1. May 2007. Online at: www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx [registration required].

118

NEW INSIDE PAGES FINAL copy.indd 118

13/02/2012 12:58

Compliance and Corporate Audit PepsiCo. “Corporate governance.” 2011a. Online at: www.pepsico.com/Company/Corporate-Governance.html PepsiCo. “1992 milestones.” 2011b. Online at: www.pepsico.com/Company/Our-History/1992.html Ramamoorti, Sridhar. “The psychology and sociology of fraud: Integrating the behavioral sciences component into fraud and forensic accounting curricula.” Issues In Accounting Education 23:4 (November 2008): 521–533. Online at: dx.doi.org/10.2308/iace.2008.23.4.521 Roybark, Helen M. “An analysis of the accounting and audit enforcement releases issued by the Securities and Exchange Commission in 2011.” Unpublished. 2011a. Roybark, Helen M. “Are audit firms with public disclosure of Section 104 quality control criticisms different from audit firms with no such public disclosure?” Unpublished. 2011b. Sutton, Michael H. “Financial reporting at a crossroads.” Accounting Horizons 16:4 (December 2002): 319–328. Online at: dx.doi.org/10.2308/acch.2002.16.4.319 United States v. Arthur Young & Co., 465 U.S. 805 (1984). Online at: supreme.justia.com/us/465/805 Reports: Beasley, Mark S., Joseph V. Carcello, Dana R. Hermanson, and Terry L. Neal. “Fraudulent financial reporting: 1998–2007. An analysis of U.S. public companies.” Committee of Sponsoring Organizations of the Treadway Commission (COSO), May 2010. Online at: www.coso.org/documents/COSOFRAUDSTUDY2010_001.pdf Committee of Sponsoring Organizations of the Treadway Commission (COSO). “Internal control—Integrated framework.” American Institute of Certified Public Accountants (AICPA), July 1994. Online at: tinyurl.com/6re5jwt [PDF]. Institute of Internal Auditors (IIA). “Sarbanes–Oxley Section 404: A guide for management by internal controls practitioners.” 2nd ed. January 2008. Online at: www.theiia.org/download.cfm?file=31866 Institute of Internal Auditors (IIA), American Institute of Certified Public Accountants (AICPA), and Association of Certified Fraud Examiners (ACFE). “Managing the business risk of fraud: A practical guide.” April 2008. Online at: tinyurl.com/2csuuz2 [PDF]. Public Company Accounting Oversight Board (PCAOB). “Guidance: Staff audit practice alerts.” Main website page for alerts, Q&A, and guidance issued by PCAOB staff on various dates, 2006–11. Online at: pcaobus.org/Standards/Pages/Guidance.aspx Public Company Accounting Oversight Board (PCAOB). “Standards.” Main PCAOB website page for auditing standards and related materials. Online at: pcaobus.org/STANDARDS/Pages/default.aspx Public Company Accounting Oversight Board (PCAOB). “An audit of internal control over financial reporting that is integrated with an audit of financial statements.” Auditing Standard No. 5. July 27, 2007. Online at: pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5.aspx Public Company Accounting Oversight Board (PCAOB). “Audit risks in certain emerging markets.” Staff Audit Practice Alert No. 8. October 3, 2011. Online at: pcaobus.org/Standards/QandA/2011-10-03_APA_8.pdf

119

NEW INSIDE PAGES FINAL copy.indd 119

13/02/2012 12:58

Effective Auditing for Corporates US House of Representatives, Committee on Financial Services (USHR). “Public law 107204.” (Short title: “Sarbanes–Oxley Act of 2002.”) July 30, 2002. Online at: www.sec.gov/about/laws/soa2002.pdf Securities and Exchange Commission (SEC). “Final rule: Certification of disclosure in companies’ quarterly and annual reports.” August 28, 2002, modified August 30, 2002. Online at: www.sec.gov/rules/final/33-8124.htm Securities and Exchange Commission (SEC). “Final rule: Management’s report on internal control over financial reporting and certification of disclosure in Exchange Act periodic reports.” June 5, 2003, modified August 28, 2008. Online at: www.sec.gov/rules/final/33-8238.htm Securities and Exchange Commission (SEC). “Revisions to accelerated filer definition and accelerated deadlines for filing periodic reports.” December 21, 2005. Online at: www.sec.gov/rules/final/33-8644.pdf Securities and Exchange Commission (SEC). “Amendments to rules regarding management’s report on internal control over financial reporting.” Corrected release. June 20, 2007. Online at: www.sec.gov/rules/final/2007/33-8809.pdf Securities and Exchange Commission (SEC). Accounting and auditing enforcement releases (AAER) nos. 3223–3313. January 6–August 15, 2011. Online at: www.sec.gov/divisions/enforce/friactions.shtml Websites: Association of Certified Fraud Examiners (ACFE): www.acfe.com Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org Institute of Internal Auditors (IIA): www.theiia.org Public Company Accounting Oversight Board (PCAOB; US): www.pcaobus.org Securities and Exchange Commission (SEC; US): www.sec.gov Wikipedia on “Groupthink”: en.wikipedia.org/wiki/Groupthink

Notes 1. N  ote that while the standards for the audit of the financial statements are beyond the scope of this chapter and thus are not outlined, all SEC regulations and PCAOB standards must be followed when auditing a public company. 2. “ Groupthink is a psychological phenomenon that occurs within groups of people. It is the mode of thinking that happens when the desire for harmony in a decision-making group overrides a realistic appraisal of alternatives. Group members try to minimize conflict and reach a consensus decision without critical evaluation of alternative ideas or viewpoints” (Wikipedia, 2011).

120

NEW INSIDE PAGES FINAL copy.indd 120

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing and Other Services by Curtis C. Verschoor DePaul University, Chicago, Illinois, USA

This Chapter Covers 8 The advantages of engaging an external audit firm for nonaudit services. 8  Regulatory bars to audit firms providing nonaudit services for their clients. 8 Threats to professionalism identified in the code of ethics of the International Federation of Accountants (IFAC). 8  A proposal to enhance the quality of external audit firms in Europe by limiting the services provided. 8  Use of the client’s external audit firm for internal auditing. 8  Advantages and disadvantages of alternative staffing models for internal auditing.

Introduction:

For many decades, independent auditing firms have employed the strategy of achieving growth in size and, more importantly, profitability, by expanding the scope and range of services they offered to new and existing clients. In addition to conducting audits of the effectiveness of internal controls over financial reporting as well as financial statements and expressing their opinion thereon, firms in the public accounting industry have offered tax consulting and compliance services and also consulting services that are largely related to information systems and other administrative matters not involving strategic decisions by management. Consulting services were limited to administrative and procedural areas of client operations rather than more strategic areas due to regulatory and professional ethics rules that barred a firm’s participation in the client’s decision-making. Thus, firms tended to provide consulting services that involved issues of technology systems, risk management, and security. Over the years, performance evaluations of the partners in many of the major firms have included an emphasis on the individual’s ability to garner greater fees from existing and new clients. Selling additional services has been viewed as more important to career success in a firm than having an exceptional knowledge of accounting. The boom in the use of computer systems that began in the 1950s gave rise to a substantial need for expertise in information technology that was required to design and install new systems and maintain existing ones. Public accounting firms participated greatly in providing these services and found the business highly lucrative. In a speech made in December 2003, Douglas R. Carmichael, chief auditor of the Public Company Accounting Oversight Board (PCAOB), commented on the reduced emphasis which auditing was receiving as a result and stated that some firms “sought to capitalize on this position of trust earned as auditors and transfer that stature to other services. At times it seemed the only criteria for these other services was whether they made money” (Carmichael, 2003).

121

NEW INSIDE PAGES FINAL copy.indd 121

13/02/2012 12:58

Effective Auditing for Corporates There has always been a huge difference between the growth prospects and profitability of these nonaudit services and those of traditional auditing. Traditional auditing has always been viewed by many as largely a commodity that was required for regulatory purposes, and so fees were subject to downward pressure by management. Consequently, the growth of nonaudit services triggered a number of high-level struggles for power and control of the management of several of the major public accounting firms. The entrenched hierarchy of audit partners who were traditionally in charge of running the firm clashed with the younger nonaudit partners who were newly responsible for bringing high profits to the firm. Most of the nonaudit partners had not completed the legal requirements to perform auditing. As a result, many of the large firms established separate entities based on the consulting division that existed within the firms. These entities were later either sold to existing firms or spun off as independent entities. Some of these businesses have been very successful. Most notable of the independent entities perhaps is Accenture plc, which began life as the business and technology consulting division of Arthur Andersen LLP. Accenture is listed on the New York Stock Exchange and had fiscal August 2011 revenues of US$25.5 billion. It calls itself a global management consulting, technology services, and outsourcing company, and currently employs more than 223,000 people serving clients in industries in more than 120 countries around the world. Traditional auditing has always been viewed by many as largely a commodity that was required for regulatory purposes.

Advantages of Engaging an External Audit Firm for Nonaudit Services

There are several benefits to utilizing an independent auditing firm for a number of nonaudit services. Such firms develop expertise in some business areas and industries that other types of consultants cannot match. Some firms are well known for their ability to advise on how to manage operations to minimize the burdens of taxation. Others develop tax protocols to accomplish delays or avoid the incidence of taxation. Another benefit is that public accounting firms are subject to rules of professional ethics, and a number of these are intended to protect the interests of clients. The argument has been advanced that the major firms in the public accounting industry are better able to attract the highest quality of personnel, at least at the lower entry levels. This conclusion has been disputed by some thought leaders, at least regarding industrial companies of comparably large size and prominence, which are believed to be able to compete effectively for talented employees and motivate their superior performance. Another factor to be considered is the relative amount of education and training provided to employees of public accounting firms and industrial companies. Auditors and management accountants who hold professional accreditations are required to continue their education on a regular basis. These requirements are undoubtedly enforced more stringently for independent auditors than for others. Larger corporate entities are finding that investment in continuing education for their accounting and financial employees does bring returns. Thus, some of the perceived benefits of using an external service provider because it might offer superior quality may be diminishing in importance.

122

NEW INSIDE PAGES FINAL copy.indd 122

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing To consider engaging the services of the same public accounting firm that a company utilizes for its audit of financial statements for internal auditing and other services adds complexity to the decision-making process. In this case, there are ethical and sometimes regulatory considerations in addition to the usual criteria for the selection of a vendor to provide services. The advantages to the client of using the same firm that does the audit include the fact that within the firm considerable knowledge already exists about the client, its systems and personnel, and the industry in which it operates. Thus, the firm does not need to spend time and bill the client for familiarization or “training” efforts. The service provider may also have developed considerable experience of dealing with challenges unique to the client’s industry and can bring industry best practices to benefit its client’s operations and systems. Conversely, some clients have avoided the use of accounting firms that have other clients in the same industry to avoid the possibility of losing valuable information to a competitor. There are important cost and other benefits to be gained from the use of a company’s audit firm for tax-compliance activities, such as the preparation of its annual income tax return. As part of every audit, the audit firm must be familiar with details of the company’s relationship with the tax authorities. Additionally, informal consulting on industry-specific tax issues may take place during either the review of the fairness of the presentation of the provision for taxes in the financial statements or in the preparation of tax returns itself. Representation by the client’s auditing firm in matters coming before the tax authorities, however, could well involve adopting an advocacy position that would compromise the independence of the audit firm. It is interesting to note that there is no specific bar to an independent audit firm providing tax services to an audit client in the provisions of the US Sarbanes–Oxley Act of 2002. Prohibited services are discussed in the next section.

Regulatory Bars to Audit Firms Performing Nonaudit Services for Clients

The Sarbanes–Oxley Act of 2002 (see pp. 29–39) for additional discussion of the provisions of this statute) lists a number of nonaudit services that auditors of public companies whose securities are traded in the United States are precluded from performing for their audit clients. These services include: 8  Bookkeeping or other services related to the accounting records or financial statements of the audit client. It is a conflict of interest for auditors to be responsible for both preparing financial statements and also providing an independent opinion on their fair presentation. This prohibition has been a long-standing rule of the US Securities and Exchange Commission and has been extended to audit firms in other jurisdictions if they audit a company that is traded in US markets. 8  Design and implementation of financial information systems. These services are deemed to represent management prerogatives and involve internal control systems, so an expression of an audit opinion on financial statements that utilize the results of such systems would appear to lack independence.

123

NEW INSIDE PAGES FINAL copy.indd 123

13/02/2012 12:58

Effective Auditing for Corporates 8  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports. These services have been deemed to be outside the scope of the practice of auditing. 8  Actuarial services. These services are used to determine information contained in the financial statements, so an expression of an audit opinion on financial statements that utilize the results of such services would appear to lack independence. 8 Internal audit outsourcing services. These services relate at least in part to evaluating the effectiveness of a client’s system of internal control. A conflict of interest would arise if the same audit firm both functioned as an element of management’s internal control system and also relied on that system in connection with its independent audit or expressed an opinion on the effectiveness of the system. Auditing one’s own work is obviously a conflict of interest. The use of external auditors to perform internal auditing is covered in greater depth later in this chapter. 8  Management functions or human resources. These services have been deemed outside the scope of the practice of auditing and inconsistent with the required principles of independence. 8  Broker or dealer, investment adviser, or investment banking services. These services involve advocacy and have been deemed outside the scope of the practice of auditing and inconsistent with the required principles of independence. 8 Legal services and expert services unrelated to the audit. These services have been deemed outside the scope of the practice of auditing and inconsistent with the required principles of independence.

Threats to Professionalism Identified in the IFAC Code of Ethics

Guidance governing the practices of all professional auditors, both internal and external, is provided on a global basis by the International Federation of Accountants (IFAC) (see IFAC, 2010). Through its independent standard-setting boards, IFAC develops and encourages the adoption by local professional bodies of international standards on ethics, auditing and assurance, education, and public sector accounting standards. These local bodies create and enforce specific standards governing the practice of various classes of professional accountants, including external and internal auditors. The IFAC code of ethics sets forth five fundamental principles of professionalism. They are integrity, objectivity, professional competence and due care, confidentiality, and professional behavior. The circumstances in which professional accountants, such as internal and external auditors, operate may create specific threats to compliance with these fundamental principles. The threats that most affect internal and external auditing include: 8  Self-interest threat. The threat that a financial or other interest will inappropriately influence the professional accountant’s judgment or behavior. 8  Self-review threat. The threat that a professional accountant will not appropriately evaluate the results of a previous judgment made or service performed by the professional accountant, or by another individual within

124

NEW INSIDE PAGES FINAL copy.indd 124

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing the professional accountant’s firm or employing organization, on which the accountant will rely when forming a judgment as part of providing a current service. 8  Advocacy threat. The threat that a professional accountant will promote a client’s or employer’s position to the point that the professional accountant’s objectivity is compromised. 8  Familiarity threat. The threat that due to a long or close relationship with a client or employer, a professional accountant will be too sympathetic to their interests or too accepting of their work. The Independence section of the IESBA Code of Conduct discusses specifics of the application of these concepts to the provision of internal auditing services to audit clients. The Code states that “a firm’s personnel shall not assume a management responsibility when providing internal audit services to an audit client.” Paragraph 290.197 of the Code contains examples of internal audit services that involve assuming management responsibilities. These include: (a) Setting internal audit policies or the strategic direction of internal audit activities; (b) Directing and taking responsibility for the actions of the entity’s internal audit employees; (c) Deciding which recommendations resulting from internal audit activities shall be implemented; (d) Reporting the results of the internal audit activities to those charged with governance on behalf of management; (e) Performing procedures that form part of the internal control, such as reviewing and approving changes to employee data access privileges; (f) Taking responsibility for designing, implementing and maintaining internal control; (g)  Performing outsourced internal audit services, comprising all or a substantial portion of the internal audit function, where the firm is responsible for determining the scope of the internal audit work and may have responsibility for one or more of the matters noted above. Paragraph 290.198 contains guidance to enable a firm to avoid assuming a management responsibility. The firm shall only provide internal audit services to an audit client if it is satisfied that: (a) The client designates an appropriate and competent resource, preferably within senior management, to be responsible at all times for internal audit activities and to acknowledge responsibility for designing, implementing, and maintaining internal control; (b) The client’s management or those charged with governance reviews, assesses and approves the scope, risk and frequency of the internal audit services; (c) The client’s management evaluates the adequacy of the internal audit services and the findings resulting from their performance; (d)  The client’s management evaluates and determines which recommendations resulting from internal audit services to implement and manages the implementation process; and (e) The client’s management reports to those charged with governance the significant findings and recommendations resulting from the internal audit services.

125

NEW INSIDE PAGES FINAL copy.indd 125

13/02/2012 12:58

Effective Auditing for Corporates Proposal to Enhance External Audit Firm Quality in Europe by Limiting Services Provided

On November 30, 2011, the European Commission (EC) issued a proposal to significantly alter the auditing industry as a result of the considerable shortcomings highlighted by the financial crisis of 2008. Among other provisions, its press release states that “Audit firms will be prohibited from providing non-audit services to their audit clients. In addition, large audit firms will be obliged to separate audit activities from non-audit activities in order to avoid all risks of conflict of interest” (EC, 2011). On the very same day, the Federation of European Accountants (Fédération des Experts Comptables Européens (FEE)), the organization representing 45 institutes of professional accountants and auditors from 33 European countries, issued a strongly critical rebuttal of the EC proposal. The FEE’s press release states: “The proposals relating to the creation of audit-only firms, as well as the overly restrictive rules on limiting nonaudit services, will severely limit the ability of the auditor to provide services that rely on the depth and breadth of expertise that stakeholders demand, especially in complex businesses” (FEE, 2011). Augmenting the EC proposal to strengthen independence by limiting the scope of services provided by external auditors, EC Internal Markets Commissioner Michel Barnier stated: “The crisis has tarnished this image (of auditors) by highlighting certain conflicts of interest. Today, independence must be visible, obvious. You can’t at the same time cumulate the functions of audit, internal audit and strategic consulting” (Institute of Chartered Accountants of England and Wales (ICAEW), 2011). The response by the ICAEW was: “We are always open to ideas to improve the independence of auditors but do not agree with the assumption that audit can only be performed objectively if there is no business or other relationship. It adds to the value of an audit and costs can be minimised if the auditor’s knowledge can be continually improved by enabling multidisciplinary skills to be applied by practice always, of course, with a consideration of the threats and safeguards of such engagements” (ICAEW, 2011).

Use of the Client’s External Audit Firm for Internal Auditing

An organization’s decision whether to outsource part or all of its internal auditing function to an external service provider has been a debated issue for many years. The subject of the sourcing of internal auditing is discussed later in this chapter. Use of the same firm for internal auditing that performs the external audit leads to additional issues, including a lack of independence. In the 1990s, Arthur Andersen was the primary advocate of the idea that independent audit firms should be able to provide “extended auditing services”—i.e. internal auditing—to their clients. One of Andersen’s clients that had totally outsourced its internal auditing to the Andersen firm was Enron Corporation. It is widely believed that one of the primary contributing factors to Andersen’s audit failure in the Enron case was the fact that it received such large fees for its consulting and internal auditing services and had apparently failed to concentrate sufficient attention on its responsibilities for the auditing of the financial statements. Basic to consideration of the benefits of utilizing the services of an external provider for internal auditing is the realization that internal auditing differs in several meaningful respects from an audit of financial statements provided by an independent firm. The

126

NEW INSIDE PAGES FINAL copy.indd 126

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing major focus and approach of external auditors involves the expression of an independent opinion on the client’s financial statements for the benefit of external parties. External auditors base their audit plans on prescribed auditing standards that are the same for all companies in all industries as well as not-for-profit organizations. Internal auditors have a broader mission that may have differing goals in each organization. In general, internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organization’s operations (IIA, 2011). Internal audit work is intended to benefit the organization itself rather than an external audience. The mandate for the existence of the internal auditing function is unique to the needs of each organization and is set forth in a written charter that should be approved by the organization’s board of directors or equivalent governing body. In addition to evaluating the quality of policies and procedures, internal auditors are expected to make recommendations for improvements to those policies and procedures, especially in the areas of risk management, controls, and governance. The practice of independent auditing is subject to regulatory oversight by governmental bodies in most jurisdictions of the world. Companies are required by law to obtain audits of their financial statements. In contrast, although internal auditors have a global professional organization, the Institute of Internal Auditors, that provides guidance, the use of its standards is voluntary (IIA, 2011). In fact there are few mandatory requirements for a company to have any internal auditing, although in the United States the New York Stock Exchange rules require listed companies to have an internal auditing function—albeit those requirements have little specificity. Another country, Israel, does have a legal mandate for internal auditing. Mirroring the fact that the objectives of internal and external auditing are not the same, the reports of each differ markedly. The report of an independent audit on financial statements is brief, standardized, limited to a pass or fail opinion, and intended for an audience external to the entity. Comments concerning the possibilities of enhanced reporting by independent auditors were requested in a PCAOB concept release issued in June 2011 (PCAOB, 2011). In September of that year the Center for Audit Quality (CAQ) published the results of a series of stakeholder roundtable discussions on changes to the auditor’s reporting model and the role of the auditor (CAQ, 2011). The International Auditing and Assurance Standards Board also issued a consultation paper in May 2011 titled “Enhancing the value of auditor reporting: Exploring options for change” (IFAC, 2010). In contrast to the standardized reports issued by independent auditors, internal audit reports are, or at least should be, tailor-made to fit the circumstances of each engagement. They should contain much more detail that is intended to inform a knowledgeable audience within the organization. Internal audit reports typically include a detailed description of findings, their impact, and perhaps most importantly a recommended solution. Some internal audit reports also include an opinion or rating of the process that was reviewed. In summary, a key consideration for evaluating the use of an independent audit firm to provide internal auditing services is whether that firm has a group that specializes in internal auditing. To ask external auditors whose training and experience deals with financial statements to change their perspective and then perform internal auditing runs the risk that the mindset of the external auditor might lead him or her to concentrate

127

NEW INSIDE PAGES FINAL copy.indd 127

13/02/2012 12:58

Effective Auditing for Corporates too heavily on evaluating the fairness of financial presentation rather than the broader mission of internal auditing. Internal auditors should have a wider outlook and be concerned with evaluating the efficiency and effectiveness of the systems and functions they review, not just the reliability of the financial information.

Pros and Cons of Alternative Staffing Models for Internal Auditing There are four ways of staffing an internal audit function:

8 by having a totally in-house team dedicated to internal auditing; 8 with an in-house internal auditing team supplemented by rotational staffing from elsewhere in the organization; 8 with an in-house internal auditing team augmented by cosourcing from an external service provider; 8 by total outsourcing to an external service provider.

Dedicated In-House Team

Advantages of using only a dedicated team of in-house auditors to perform internal auditing include the benefits of having a reservoir of knowledge about the company that an outsider would have difficulty obtaining or would be costly to have an outsider acquire. Nuances concerning the organization’s culture and strategies and how best to recommend changes in practices and achieve other results are more likely to reside with insiders than with externally contracted personnel. A major advantage of this staffing model is that (except when key staff leave the organization) all of the personal development and experience in dealing with the challenges of the organization stay within it, rather than going to an outside group. Perhaps the most beneficial aspect of staffing completely internally is that employees should build up a loyalty and vested interest in the success of the organization. Outsiders are less likely to look on their experience with the organization as providing a long-term career opportunity. Another benefit of total inhouse staffing is the avoidance of the cost of the external service provider’s overhead burden. The major disadvantage of the totally in-house staffing model is that the team may not always have all of the requisite competencies, skill sets, and expertise. Long-term career opportunities for specialized types of auditors are very difficult to provide. Another disadvantage arises if the internal audit function requires significant travel. As noted earlier, the argument that external service providers are more easily able to attract superior talent has been disputed.

In-House Team Augmented by Rotational Staffing

This method of staffing is reported to be quite popular, especially in large organizations. A cadre of experienced management-level internal auditors provides continuity and experience, and they can explain internal auditing to newcomers from other areas of the organization. Persons in other functions or business units have the opportunity to gain, in a short-term assignment, considerable valuable and broad-based knowledge of various operating aspects of the organization that deal with issues in which internal auditing has expertise. Experience in internal auditing may provide the high-level exposure that can prove to be very desirable to the organization as a development process for persons with high potential. The organization also benefits from having

128

NEW INSIDE PAGES FINAL copy.indd 128

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing employees scattered in various roles throughout the organization who have had hands-on experience dealing with internal auditing issues such as risk management, controls, and governance.

In-House Team Augmented by Cosourcing

Cosourcing involves the utilization of external service firms to provide internal auditing expertise and skills that may be too expensive to maintain in-house. Cosourcing may also be helpful in organizations with operations in widely dispersed locations or where knowledge of the local language, business environment, culture, and customs, or any other specialized technical skills, is required. Some specialized audit skills may be too costly to maintain in-house. Cosourcing may also result in the ability to choose the service provider who can bring the most benefit at the least cost. There is no single or best answer to the question when or whether an outside auditing or other financial services provider should be employed. Hearsay evidence indicates rather widespread satisfaction with the cosourcing alternative.

Total Outsourcing to an External Service Provider

Complete outsourcing to an external service provider, with only high-level management of the internal auditing function remaining as an internal responsibility, may prove beneficial for certain types of companies. These include smaller organizations, those with widely geographically dispersed entities in many countries, or organizations that require specific technical expertise which is not economically feasible to maintain inhouse. Outsourcing also results in the perception, at least, of greater independence from management. A downside to total outsourcing is the need for the client to assume the cost of the outside service provider’s overhead burden and profit. With respect to sourcing the internal auditing function, the global professional internal auditing organization, the IIA (2009, 2011), believes that: 8 the oversight and responsibility for establishing the scope and evaluating the performance of internal auditing cannot be outsourced; 8 the audit committee of the board of directors (or equivalent governing body) and senior management should have functional responsibility for internal auditing; 8 the internal auditing function should be managed within the organization by a chief audit executive who is accountable to the organization’s board of directors (or equivalent body) and its chief executive officer. An outsource advisory consulting firm has published a checklist of ten practical insights for organizations contemplating expanding an existing or creating a new outsourcing relationship (Business Finance 2012). They are: 1. Decide on “black box” vs. “white box” outsourcing. 2. Determine the evaluation approach upfront. 3. Control the agenda. 4. Get the provider’s “A” team.

129

NEW INSIDE PAGES FINAL copy.indd 129

13/02/2012 12:58

Effective Auditing for Corporates 5. Model real-world transition costs. 6. Encourage innovation that benefits the buyer. 7. Plan for a challenging transition. 8. Develop meaningful Service Level Agreements. 9. Prepare for negotiations. 10. Remember that the right answer might be to not outsource (see Borowski, 2012). Summary

There is no single or best answer to the question when or whether an outside auditing or other financial services provider should be employed. Hearsay evidence indicates rather widespread satisfaction with the cosourcing alternative for internal auditing. Users report that the ability to engage skills which it is not economically feasible to maintain internally is a big plus point. The selection of a professional firm to perform services requires greater scrutiny than is necessary for selection of other vendors, as indicated below.

8 Ascertain that each firm being considered for employment has the specialized staff with the knowledge and experience in your industry to effectively implement its proposal to service your needs. Not all firms perform every service equally well. 8 Carefully design the objectives of both limited-term projects and longer-term assignments. 8 Provide executive-level monitoring as well as general oversight during the engagement to assure accomplishment of the planned objectives within the predetermined cost parameters. 8 Evaluate the effectiveness of the engagement at its conclusion or renewal point. 8 Maintain awareness of possible regulatory changes that may affect the financial services industry, particularly external audit firms. 8 Consider all long-term as well as immediate aspects of employing an outside contractor rather than staffing a project or function internally.

More Info Books: Institute of Internal Auditors (IIA). International Professional Practices Framework (IPPF). 2011 edition. Altamonte Springs, FL: IIA Research Foundation, 2011. Online at: tinyurl.com/79nzmne International Federation of Accountants (IFAC). 2010 Handbook of the Code of Ethics for Professional Accountants. 2010 edition. New York: IFAC, 2010. Online at: tinyurl.com/83oh6fb Articles and Reports: Borowski, David. “2012 outsourcing checklist.” Business Finance (January 17, 2012). Online at: businessfinancemag.com/article/2012-outsourcing-checklist-0117

130

NEW INSIDE PAGES FINAL copy.indd 130

13/02/2012 12:58

Pros and Cons of Using External Auditors for Internal Auditing Carmichael, D. R. “Professionalism is primary.” Speech delivered to AICPA National Conference, December 12, 2003. Online at: tinyurl.com/7gw3bjs Center for Audit Quality (CAQ). “Observations on the evolving role of the auditor: A summary of stakeholder discussions.” Washington, DC: CAQ, 2011. Online at: tinyurl.com/8y8ujnr European Commission (EC). “Restoring confidence in financial statements: The European Commission aims at a higher quality, dynamic and open audit market.” Press release, November 30, 2011. Online at: tinyurl.com/6v7u87r Fédération des Experts Comptables Européens (FEE). “FEE initial views on European Commission proposals on audit policy.” Press release, November 30, 2011. Online at: www.fee.be/publications/default.asp?library_ref=4&content_ref=1456 Institute of Chartered Accountants of England and Wales (ICAEW). “Key themes being set by governments and regulators.” In “The future of audit,” London: ICAEW, 2011. Online at: tinyurl.com/bngpef8 Institute of Internal Auditors (IIA). “IIA position paper: The role of internal auditing in resourcing the internal audit activity.” Altamonte Springs, FL: IIA, January 2009. Online at: tinyurl.com/7mdgpu3 International Federation of Accountants (IFAC). “Enhancing the value of auditor reporting: Exploring options for change.” International Auditing and Assurance Standards Board (IAASB) Consultation paper, May 2011. Online at: tinyurl.com/7hy3u5l Public Company Accounting Oversight Board (PCAOB). “PCAOB issues concept release on auditor’s reporting model.” Press release, June 21, 2011. Online at: tinyurl.com/6dcm3zn Public Company Accounting Oversight Board (PCAOB). “Concept release on possible revisions to PCAOB standards related to reports on audited financial statements and related amendments to PCAOB standards.” PCAOB release no. 2011-003, June 21, 2011. Online at: pcaobus.org/Rules/Rulemaking/Docket034/Concept_Release.pdf Websites: American Institute of Certified Public Accountants (AICPA): www.aicpa.org Fédération des Experts Comptables Européens (FEE): www.fee.be Institute of Chartered Accountants of England and Wales (ICAEW): www.icaew.com Institute of Internal Auditors (IIA): www.theiia.org International Federation of Accountants (IFAC): www.ifac.org Public Company Accounting Oversight Board (PCAOB; US): www.pcaobus.org

131

NEW INSIDE PAGES FINAL copy.indd 131

13/02/2012 12:58

132

NEW INSIDE PAGES FINAL copy.indd 132

13/02/2012 12:58

Data-Driven Continuous Risk Assessment: How Internal Audit Keeps Pace With the Speed of Business by Joe Oringel Visual Risk IQ, Charlotte, North Carolina, USA

This Chapter Covers 8  We live in a connected world where the pace of change is accelerating. 8  New business initiatives, often supported by significant investments in new processes or new systems, are the norm. 8  Despite these changes, internal audit most often sets its audit plan only once each year, and input into the risk assessment is often based more on subjective interviews and/or survey data than objective, data-driven analysis. 8  Guidance is provided on how frequent risk assessment can be made the center of a modern, data-driven internal audit process.

Introduction: Professional Guidance on Risk Assessment

Professional standards issued by the Institute of Internal Auditors (IIA)1 require that a documented risk assessment be undertaken at least annually. In practice, this risk assessment results in the identification and prioritization of risks and a response (i.e. an internal audit plan) to measure and mitigate these risks. This process is documented in a written internal audit plan for the organization. Figure 1 shows the steps in the internal audit process.

IIA Standard 2010.A1 “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”2 Figure 1. Internal audit process diagram, part 1

The internal audit plan is then presented to senior management and the audit committee of an organization’s board of directors for approval, usually prior to or sometimes early in the (fiscal) year. Periodic status reports on any changes to the audit plan are provided to these key stakeholders, based on the results of audit projects and also on any changes to the risk assessment. An internal audit plan may be based on internal audit’s risk assessment or a broader enterprise risk assessment (see Appendix 1 for a comparison of enterprise risk management (ERM) and risk assessment by internal audit).

133

NEW INSIDE PAGES FINAL copy.indd 133

13/02/2012 12:58

Effective Auditing for Corporates Statement of Problem

The strengths of an annual audit plan can be its weakness. As recently as 2007, most (64%) internal audit departments did not have a systematic process to update their audit plan on more than an annual basis.3 Considering the dramatic pace of change in the world’s economy and the resulting impact on business and business strategies, this offers an opportunity for much improvement. A hockey metaphor seems appropriate: internal audit departments that do not systematically update their audit plan more frequently than annually are skating to where the puck used to be.

Components of a Risk Assessment: Units and Measures

The internal audit profession describes an audit universe, which is a master inventory of potential business processes, systems, activities and/or locations that could be audited in a given year or multiyear plan. Audit units within the audit universe are then ranked by relative risk to set the internal audit plan. Whether the audit units are business processes, systems, activities, or locations, the most common measures of risk for these audit units are likelihood (i.e. probability of occurrence) and impact (i.e. measure of loss, in terms of dollars, people, or reputational impact). Measures of likelihood are often expressed as a percentage, but they can also be expressed in subjective, qualitative terms such as probable, possible, and unlikely. In either case, a recommended practice is to express the likelihood within a specific period of time, such as the current fiscal quarter, fiscal year, or even the next five or 10 years. Measures of likelihood are more meaningful when associated with a specific time period.

Likelihood A common language for likelihood is important, because understanding when an adverse event may happen is important, whether for a risk assessment or when planning for other possible adverse events. Understanding that there is a 50% likelihood of rain tomorrow is interesting. But if a picnic is from 3:00 pm till 6:00 pm and the likelihood of thunderstorms is 80% in the morning until noon and for the remainder of the day there is a 20% likelihood of light showers, the risk of a ruined afternoon picnic calls for a different, lower level of contingency planning. Similarly, expressing the time horizon for an adverse risk event (for example, the likelihood of a supply chain interruption that impacts net sales by more than $20 million in the current financial quarter) may also call for a different level of planning. Important considerations in expressing the likelihood of this adverse event are the number of days of inventory that the organization keeps on hand, and the number and availability of product substitutes that may be quickly available. Examples of likelihood measures that combine qualitative and quantitative measures are remote, possible, and probable, where each term is associated with the specific percentage likelihood within a one-year period. Remote would mean that an event has less than a 10% chance of occurrence in the next 12 months. Events that are possible

134

NEW INSIDE PAGES FINAL copy.indd 134

13/02/2012 12:58

How Internal Audit Keeps Pace With the Speed of Business are those that have a likelihood between 10% and 50% within the next 12 months, and those that are probable would have greater than a 50% likelihood of occurrence. The most common measure of impact is financial loss. Some organizations specifically consider impact on reputation, or even potential loss of human life, as part of their assessment of impact. While subjective measures such as high, medium, and low are sometimes used, most organizations find that specific thresholds for increasing levels of impact help to facilitate more meaningful discussions of risk. Scales can vary from threelevel (e.g. high, medium, low) to five-level (e.g. 1 to 5) or more. Specifying a dollar amount of loss within a time frame (e.g. the current fiscal year) is a recommended technique. So, setting $250,000 or less as low impact, $250,000 to $2,500,000 as medium impact, and more than $2,500,000 as high impact will help to ensure more consistent language and measurement with respect to potential impact. Figure 2 is an example heat map that shows the relationship between likelihood and impact for risks and audit units using a five-point scale. The audit units represent different company locations by region. Figure 2. Example of a simple heat map

Advanced Techniques in Heat Maps: Visual Reporting

Below are a series of updated heat maps based on the same input data as presented in Figure 1. Normally these maps use a color gradient—from green (low risk) through yellow and orange (medium risk) to red (high risk)—to represent an increasing risk gradient from lower left on the diagram to upper right. Here it has been necessary to represent the color gradient by a corresponding grayscale gradient. Nevertheless, it can be seen how color quickly communicates the current risk rating (Figure 3) and also

135

NEW INSIDE PAGES FINAL copy.indd 135

13/02/2012 12:58

Effective Auditing for Corporates the relative revenues of the various regions or units (Figure 4). A high-impact, highlikelihood risk event for a small business segment or location is less significant than one for a larger business segment, and this is more easily communicated with the balloons, or bubbles, used in Figure 4. Figure 3. Heat map (gray-scale representation—see text for explanation of color gradient)

Figure 4. Heat map with relative size of units by revenue (bubbles). Explanation of gradient as for Figure 3

136

NEW INSIDE PAGES FINAL copy.indd 136

13/02/2012 12:58

How Internal Audit Keeps Pace With the Speed of Business Depending how important changes in likelihood or impact are, heat maps can be modified to reflect prior risk rankings as well. In Figure 5, Unit 1 and Unit 5 are units facing medium risks of similar impact. This fact is interesting, but understanding that Unit 1 is facing increasing risk while risk at Unit 5 is decreasing may influence the audit plan. Figure 5. Heat map showing change in risk over time

Depending on audience members and/or the number of audit units being expressed, either color or directional arrows may be the preferred method to show both current and prior risk ratings. In any case, note how these heat maps communicate quickly and simply the relative risk of many different audit units. After the risk assessment and accompanying heat map has been created, a risk-based internal audit plan can be effectively constructed.

Audit Projects: Components of the Audit Plan

Internal audit groups complete their audit plans by scheduling and completing individual audit projects, as depicted in the lower three boxes in the larger diagram of audit processes shown as Figure 6. Audit project planning drives the evaluation of risks and controls within each audit unit, and as each audit project is completed an audit report is written. Audit reports are then periodically summarized and reported to the board of directors, along with any updates to the audit plan and risk assessment.

137

NEW INSIDE PAGES FINAL copy.indd 137

13/02/2012 12:58

Effective Auditing for Corporates Figure 6. Internal audit process diagram, part 2

This flow of information is common. But a drawback of this approach is that there is not sufficient feedback from each individual audit project into the risk assessment and overall audit plan—basically, skating to where the puck has been, in our hockey metaphor. What is the best way to let auditors skate to where the puck will be going? Let’s review the inputs to a risk assessment and evaluate how to provide more frequent information on the state of the organization as input into more frequent risk assessment.

Data Sources: Interviews, Surveys, Internal and External Data

As described above, the annual internal audit plan is created based on the results of this risk assessment. As required by the IIA standards, the risk assessment should include input from senior management and the board—usually in the form of interviews. These interviews can include qualitative questions or quantitative data, such as surveys. Examples of qualitative questions are listed below. 8 W  hat are our primary business objectives or strategies? How do we measure their success? 8 What are the key components of our business objectives or strategies? 8 What internal or external factors could keep our organization from achieving its objectives? Which of these factors are most likely or most impactful? 8 What exposure do we have to third parties (e.g. customers, vendors, joint venture partners) that might affect us? 8 How are we being affected by financial markets or regulatory actions? 8 What are the three factors that are most likely to keep us from achieving the organization’s objectives? 8 Are there actions or activities being taken by legal or regulatory bodies that are affecting our ability to execute against our objectives or strategies? What are they? A challenge with qualitative data (e.g. high, medium, low) is that they are highly subjective. What is a high risk to some individuals may be considered a medium risk by others, and vice versa. Answers depend on the risk tolerance of the individuals being interviewed. The senior vice-president of sales may be conservative and place a high impact or likelihood on external risks, like the threat of competitor pricing actions. But a senior vice-president of human resources may be more concerned about internal risks, like employee turnover or succession planning, and therefore subjectively place

138

NEW INSIDE PAGES FINAL copy.indd 138

13/02/2012 12:58

How Internal Audit Keeps Pace With the Speed of Business a higher impact or likelihood on other risks. How should these judgments be factored into a risk assessment? One technique that audit teams use to normalize a risk assessment is to measure objective data. If competitor pricing actions or employee turnover are identified as risks, then these factors can and should be quantitatively measured. During interviews with the senior vice-president of sales, and, importantly, with other executives, it would be important to understand what level of competitor price action might impact net sales or net income, and by how much. If medium- and high-impact risks to net income are agreed to be, respectively, $250,000 and $2.5 million, ask what level of price drop would be likely to impact net income by these amounts. If only one executive suggests that a 5% drop in competitor prices will impact net income by $250,000, while most others believe that a 15% or greater drop would be required to create a medium-impact loss, then measuring competitor price actions throughout the year would be an important input into financial risks such as missing a sales or profit target. Similarly, if employee turnover, especially in accounting or finance positions, is considered an indicator of operational risk, then measuring employee turnover throughout the year across different audit units would identify locations where greater than normal risk exists. An agile and flexible audit plan could direct audit resources to locations with the highest levels of employee turnover. As such, measuring employee turnover on a quarterly or monthly basis would be a more effective indicator of risk than measuring this turnover only annually.

One Effective Technique: Use of a Rolling Internal Audit Plan

A rolling audit plan differs from an annual audit plan in that it identifies audit projects to be completed on a near-, intermediate-, or long-term basis. Instead of identifying all scheduled audits in an upcoming 12-month period, a list of audit projects for the next one or two quarters may be listed, with other possible candidate projects listed for more than six months out in the future. This rolling project list is then updated each quarter based on changing business events and priorities. Audit report results, as well as internal or external data points regarding risk, will influence a rolling audit plan via a timing shift for certain audits. Higher-risk business processes or locations may be audited sooner, and other changes may cause other units to be audited later than originally scheduled. Organizations that have transitioned from an annual audit plan to a rolling audit plan have generally seen improved customer satisfaction through increased relevance.

Improved Technique: Continuous Risk Assessment

Figure 7 basically takes the same six steps as introduced in Figure 6, but strategically moves risk assessment to the center of the process. Data analysis is also added as an internal audit activity, and that analysis provides input into both risk assessment and stakeholder reporting. Development of an audit plan begins with risk assessment, and at the conclusion of each individual audit project the risk assessment is also updated to provide input into the scoping of each sequential audit project. Periodic

139

NEW INSIDE PAGES FINAL copy.indd 139

13/02/2012 12:58

Effective Auditing for Corporates scheduled updates to the risk assessment through interviews and surveys with senior management and the board provide additional insights. Figure 7. Risk assessment as the center of the audit model

Data-Driven Risk Assessment: Continuous Use of Exception and Trending Queries

In Figure 7, the inputs into a quantitative risk assessment begin to include data analysis and a review of statistics, or key performance indicators (KPI), that represent the summary of many underlying transactions. These KPIs are often captured and computed by financial or operating reporting systems and should be interrogated as part of the risk assessment. Examples of KPI queries include actual vs budgeted financial performance (e.g. quarterly sales), actual vs budgeted operational performance (e.g. number of new customers), gross or net profit margins, and employee turnover, among many other measures. These KPIs are important to understand new and emerging risks and mid-year changes to an audit plan, so inspecting and explaining changes to KPIs should be part of an internal audit’s periodic updates to its risk assessment and audit plan. Trending queries or KPIs differ from exception queries—which are the kinds of data analysis reports that internal auditors often prepare to measure compliance with a key control. Examples of exception queries for manually prepared general ledger journal entries (manual JEs) might include counts of manual JEs that were approved by the person that entered them, or counts or dollar impact of manual JEs that were made during one month and reversed in the subsequent month. Using exception queries as inputs into a risk assessment for internal audit project selection or prioritization is an advanced technique of continuous risk assessment. Combining the results of exception queries and trending queries together for a risk assessment is even more beneficial.

140

NEW INSIDE PAGES FINAL copy.indd 140

13/02/2012 12:58

How Internal Audit Keeps Pace With the Speed of Business Over time, management’s control monitoring action or follow-up regarding exception queries should also serve as an input into the risk assessment process. After all, it’s more important to understand how finance has researched, evaluated, and resolved any unusual manual JEs than simply how many JEs were identified as unusual. These techniques of using audit output as an input into subsequent audits and also as input into an updated audit plan represent a significant change to internal audit methodology, especially when completed in a rigorous, repeatable manner. Whether alone or combined with a rolling audit plan, by updating the risk assessment and resulting audit plan based on recent audit results, internal audit can soon be skating like hockey hall-of-famer Wayne Gretzky—to where the puck is heading. Summary To increase their relevance and stature, internal audit departments should increase the frequency of their analysis and incorporate a data-driven approach in assessing and reporting on risk. This can be accomplished through the following steps. 8 Divide the audit universe into meaningful audit units. 8 Gain senior management and board-level input when conducting a risk assessment. 8  Communicate risk data using heat maps that incorporate color, movement, and size to indicate risk measures. 8  Identify KPIs and exception queries that can identify changes in risk levels throughout the year. Redeploy audit resources to areas of higher risk. 8 Incorporate audit output as input into subsequent audits.

More Info Reports: Committee of Sponsoring Organizations of the Treadway Commission (COSO). “Enterprise risk management—Integrated framework: Executive summary.” September 2004. Online at: www.coso.org/ERM-IntegratedFramework.htm Information Systems Audit and Control Association (ISACA). “COBIT framework for IT governance and control.” 2007. Online at: tinyurl.com/82tosls Institute of Internal Auditors (IIA). “International professional practices framework (IPPF).” 2011. Online at: www.theiia.org/guidance/standards-and-guidance International Organization for Standardization (ISO). “New ISO standard for effective management of risk.” Press release about “ISO 31000:2009, Risk management—Principles and guidelines.” November 18, 2009. Online at: www.iso.org/iso/pressrelease.htm?refid=Ref1266 PricewaterhouseCoopers (PwC). “PricewaterhouseCoopers 2007 state of the internal audit profession study: Pressures build for continual focus on risk.” 2007. Online at: tinyurl.com/6wppyf4 [PDF].

141

NEW INSIDE PAGES FINAL copy.indd 141

13/02/2012 12:58

Effective Auditing for Corporates Sobel, Paul. “Internal auditing’s role in risk management.” IIA Research Foundation, March 2011. Online at: tinyurl.com/6teskqh Websites: Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org Information Systems Audit and Control Association (ISACA): www.isaca.org Institute of Internal Auditors (IIA): www.theiia.org See Also: “Charting a company-specific path toward continuous auditing and monitoring” (pp.197–208) Establishing a schedule for repeated, managed data analytics (i.e. modern continuous auditing) is covered in greater detail in “Charting a company-specific path toward continuous auditing and monitoring” (pp. 197–208) which features the CA maturity model/capability maturity model.

Appendix 1: How Enterprise Risk Management (ERM) is Similar to and Different from Internal Audit’s Risk Assessment

In practice, an internal audit department’s risk assessment process is generally organization-wide and focuses on prioritizing the risks that are to be considered in the internal audit department’s (usually annual) plan. This risk assessment is distinctive from an enterprise risk management (ERM) risk assessment, which is broader in scope and is most often effected by an entity’s board of directors. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission defines ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004). Though the framework(s) used in an internal audit risk assessment and in an ERM risk assessment may be the same, the risks—and especially the risk responses—identified in an ERM risk assessment are nearly always broader in scope. ERM risk assessments usually result in the identification of strategic and other risks that are the primary responsibility of management to measure and mitigate. Because of internal audit’s role in providing independent, objective assurance to management and the board of directors, a list of an enterprise’s top risks will likely differ from the list of risks and controls that ought to be the scope of an internal audit department’s plan. An internal audit risk assessment is designed to identify which audit units ought to be reviewed as part of the annual audit plan. Assessing and providing assurance on controls that address financial, compliance, and operational risks make up a greater portion of an internal audit plan than those activities that help to address strategic risk. Internal audit executives, particularly because of their domain expertise in risk management, can lead and should contribute to the formation of an ERM risk assessment. For reasons of independence, their role should be to evaluate the risk responses prepared by management, not to plan or to execute those risk responses.

142

NEW INSIDE PAGES FINAL copy.indd 142

13/02/2012 12:58

How Internal Audit Keeps Pace With the Speed of Business For additional reading on this topic, see also the IIA Research Foundation publication (Sobel, 2011) titled “Internal auditing’s role in risk management.”

Appendix 2: Review of Risk Assessment Methodologies: COSO, ISO, and COBIT

The most widely accepted risk assessment framework was published by COSO in 2004, and is referred to as the COSO ERM Framework.4 This framework built on the original COSO framework, which was published in 1992. It has seen a significant rebirth in implementation due to the United States’ Sarbanes–Oxley Act of 2002, which mandates internal control requirements for public companies. The International Organization for Standardization (ISO) 31000 Framework5 was published in 2009 and is gaining support in practice. The Control Objectives for Information and related Technology (COBIT),6 published by the Information Systems Audit and Control Association (originally in 1996 and updated most recently in 2007), is a narrower control framework, focusing on IT risks and governance, but it may also be used. It is most prevalent when an IT risk assessment is performed that is distinct from a broader, company-wide risk assessment. Each of the above frameworks has features and merits that should be considered when completing a risk assessment, either for an internal audit department or for a broader enterprise risk assessment activity

Frameworks: The Strategic, Financial, Operational, and Compliance Risks of COSO

The COSO ERM framework begins by describing the kinds of objectives that an entity seeks to achieve: 8 8 8 8

Strategic: high-level goals, aligned with and supporting its mission. Operations: effective and efficient use of its resources. Reporting: reliability of reporting. Compliance: compliance with applicable laws and regulations.

Examples of objectives for each category are listed below. 8 S trategic. Our enterprise will be no. 1 or no. 2 in all market segments and product categories that we compete in, as measured by total sales and market share. Achieving this positioning yields a desired financial return and allows us to attract and retain the kinds of people we need to maintain and extend this advantage. 8 Operations. Our global shared services organization is fundamental to success because it results in standardized processes and a corresponding decrease in our general and administrative costs relative to peer organizations. We measure this success by sales per employee and general and administrative expense as a percentage of total company sales. 8 Reporting and compliance. Our financial statements and related regulatory, operational, tax, and other compliance reporting documents will be filed consistently, accurately, and on time. Errors and missed deadlines, as measured by amended documents or corrections identified by audits from external authorities, will be very infrequent.

143

NEW INSIDE PAGES FINAL copy.indd 143

13/02/2012 12:58

Effective Auditing for Corporates Risks are expressed as those events or activities that may prevent the above objectives from being achieved. Risk responses are those activities or actions selected by management to respond to these risks and may include avoiding, accepting, reducing, or sharing, either alone or in combination. Control activities are the policies and procedures in place to ensure that risk responses are carried out. Internal audit’s role in risk responses is generally to evaluate the effectiveness of these control activities and to report as to the adequacy of the responses. The COSO ERM framework, as summarized above, is an especially useful framework when establishing or updating an internal audit plan.

ISO 31000: Defining the Risk Management Process

The ISO 31000 standard is considered to be broader in scope than COSO, yet they can complement each other. Its strengths are in its principles—namely that risk management creates and protects value and that risk management should be an integral part of decision-making and all organizational processes. As a framework, its primary difference is that COSO is focused more on risk events than on the consequences of those risk events. Risk management under ISO 31000 becomes part of the fabric of the decision-making process and explicitly addresses uncertainty. It is especially compatible with the frequent, or continuous, risk assessment described and advocated in this chapter, because new or updated information often reduces uncertainty.

COBIT: A Framework For IT Governance

As described above, the COBIT framework is more narrowly focused on IT risks and IT governance, and is typically used for IT risk assessments rather than either audit risk assessments or enterprise risk assessments. Its primary strength is its ability to help to align organizational goals with IT goals and IT strategy through a prescribed approach for resource management, risk management, and performance management.

Notes 1. 2. 3. 4. 5. 6.

Institute of Internal Auditors (2011). Institute of Internal Auditors (2011). PricewaterhouseCoopers (2007). Committee of Sponsoring Organizations of the Treadway Commission (2004). International Organization for Standardization (2009). Information Systems Audit and Control Association (2007).

144

NEW INSIDE PAGES FINAL copy.indd 144

13/02/2012 12:58

Auditor Sensitivity to Source Reliability by Denise Cicchella and Stuart Gardner Auspicium, Fair Lawn, New Jersey, USA

This Chapter Covers 8 The importance of understanding the source of information and the reliability of that source. 8  The challenges and constraints auditors face in current environments. 8 The importance of kinesics-based techniques, neurolingusitics, and professional skepticism. 8  The role of management in ensuring that audit staff and other resources have the skills necessary to assess reliability of information. 8  The importance of techniques necessary to select and interview “experts.”

Introduction

The auditor is always playing catch-up. Both external and internal auditors have to review the work of people who do the same job day-in, day-out and who, if competent, are usually intimately familiar with the processes, systems, and information that are under their control. Looking at the transactions on a historical basis further hampers the certified public accountant, chartered accountant, or other audit professional. These difficulties have been overcome by structured professional training, on-the-job training, and thorough review of audit work. Auditors face numerous challenges in assessing the evidence behind the statements which they are auditing: 8 a constantly evolving landscape of technology that feeds service delivery, distribution, resource management, reporting, decision-making, and a host of other systems; 8 regulatory environments that change rapidly and are rarely consistent from jurisdiction to jurisdiction; 8 expanded reporting requirements (e.g. corporate social responsibility statements); 8 complex new financial products whose risks may not be completely understood; 8 assessing the work of nonfinancial staff, who often have an asymmetric advantage in their area of expertise. What do these challenges have in common? Much of the risk from these areas stems from change, lack of experience, and the unknown. What else do these challenges have in common? Most will result from companywide projects and programs. The project that addresses a new regulatory requirement, product, system, service, or building, places organizations at substantial risk. Key vendors supporting change often possess greater knowledge and experience than internal staff, further increasing the

147

NEW INSIDE PAGES FINAL copy.indd 147

13/02/2012 12:58

Effective Auditing for Corporates risk of fraud or substandard delivery. Many projects are delivered late, fail to meet expectations, and exceed budget. Such projects need to be included within the audit universe of internal audit. High-risk projects must be audited. External audit, equally, must consider any project that impacts their client as a “going concern.” Project audits provide an opportunity to ensure that appropriate governance is in place to report progress to senior management, ensure effective control of change, and provide quality assurance that, if absent, may well lead to adverse or even disastrous results. An audit of a project should also include an assessment of future audit trails for new products, services, and systems. This should be performed before completion of the project, when any changes or reengineering cost are likely to be far higher. It is at this stage that audit can most readily address the systemic reliability of evidence issues. A fundamental skill is the ability to quickly assess the reliability of both people and information while applying appropriate “professional skepticism.” This chapter will explore the use, evaluation, and assessment of information—how auditors should consider reliability, and the red flags to consider when evaluating information sources in the context of a project audit. The Institute of Internal Auditors (IIA) states: “Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives” (Standard 2310). The Institute further clarifies this to mean: “Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.” It is often the case that the information obtained or given to an auditor is subject to interpretation. This is particularly true of project audits, where information may be presented as optimistically as possible to present the best possible case rather than the most realistic. There is often external “noise” that may cloud project reporting as various stakeholders interpret results to meet their own agendas, which may or may not be aligned with the goals of the project. Auditors are faced with constraints that may tempt them to jump to conclusions or misinterpret information—or simply to “go with the flow.” Audit management should work toward eliminating or mitigating these constraints through a proper structured review of projects and supervision of assignments. Some of the constraints faced by auditors are: 8 the time assigned to perform project audits; 8 understanding of project processes as written and as practiced, which are often not the same; 8 full comprehension of the subject matter being audited—products, lines of business, business constraints, system functions, etc.; 8 acceptance of issues with client management, who sometimes force issues to be negotiated for “softer” wording;

148

NEW INSIDE PAGES FINAL copy.indd 148

13/02/2012 12:58

Auditor Sensitivity to Source Reliability 8 access or ability to get messages fully communicated to an audit committee or senior management with possibly limited time before a project becomes operational (the audit committee may read only the first few lines of an audit report and will not take the time to read all the evidence supporting an opinion).

Systems and Processes

As the range of activities that audit reports on is expanded (for example, to include social responsibility reporting) audit is examining many additional nonfinancial systems that historically would not have been subject to detailed audit review—if they were considered at all. Frequently such systems are not overly complex or difficult to understand in principle (e.g. facilities management, nonpayroll human resource systems, records management systems, sales databases, etc.) and should not present a major challenge for an experienced auditor. Areas to consider during review/audit of these systems should include the following. 8 The impact of additional resources. 8 Understanding and interpreting the source and reliability of the data. 8 Spreadsheets, end-user databases (e.g. Microsoft Access), internal Wikis, SharePoint, and other information repository/report software developed by end-users to solve project-specific needs may often be encountered. The auditor may have difficulties reconciling information back to reliable sources as these ad-hoc applications frequently lack audit trails or enforce strict accountability. The auditors should look for evidence to assess the sources of information, such as the formulae used for calculations programmed into the reports. If the auditor is not an expert in the field of the project, this involves additional challenges. When evaluating systems the auditor should test, or ask an expert to test, for questions such as the following. 8 Are “dummy” or test accounts active and, if so, can they be used to conduct “illicit” transactions? 8 Are safeguards in place to protect the confidentiality of data or to detect unauthorized access to information? I.e. are data and information held securely to prevent them being manipulated, copied, or stolen? Obviously, the more sensitive the data, the more important these questions become. 8 How sensitive are the data and information stored? A leak of customer data can be catastrophic, whereas a database of paint colors used to redecorate a building would be less sensitive. 8 Are data stored in such a way that they can be restored if they are hacked or penetrated? 8 Are the data backed by source documentation so that they can be authenticated and tested for reliability? 8 Does the system track changes and leave a sufficient trail to ensure accountability? 8 Are procedures for change sufficient to restore systems back to the original code if necessary?

149

NEW INSIDE PAGES FINAL copy.indd 149

13/02/2012 12:58

Effective Auditing for Corporates Auditors may also find it difficult to assess risk in an area unless they are comfortable with such systems. They will often need to rely on programmers, coders, or manuals to truly understand how the systems work.

The Human Aspect People

In many organizations the need to operate in a multicultural environment that may span continents, operate in different languages, encompass different cultural norms, work across multiple time zones, etc., creates a unique challenge to which auditors must adapt and work effectively, efficiently, and economically.

Your Team

It goes without saying that every audit leader must understand the strengths, weaknesses, intellect, skills, and motivation of each team member. Increasingly the staffing of audits is complicated by an increased reliance on temporary staff, cosourcing, outsourcing (possibly even offshore), and a rising rate of staff turnover. For audit leadership, the most critical aspect of information reliability is based on understanding the quality of the team it deploys. This understanding impacts every aspect of audit delivery: 8 the realism of budgets; 8 the identification, classification, and assessment of fundamental risks; 8 appropriate high-quality reporting; 8 practical and pragmatic solutions to the mitigation of risks; 8 the ability of auditors to influence management and staff at all levels; 8 the reliability of staff members in executing the work that is planned and to adapt to changing circumstances; 8 and, finally, the integrity, honesty, and ethical and professional standards toward which each staff member should work. Audit leaders must be able to quickly assess their team and ensure that there are the appropriate resources to audit a project effectively and provide adequate supervision. This may be achieved by: 8 hiring or contracting a resource with significant audit experience in the project area; 8 a selection process that identifies a team with the background, skills, and understanding to ensure the success of the project—possibly including the recruitment and training of professionals from non-audit backgrounds to meet project-specific needs that address critical skill gaps; 8 timely performance feedback that is both formal and informal; 8 mentoring and on-the-job training that helps non-auditors or junior auditors to adapt to the audit department; 8 an understanding of the relative merits of the myriad of professional qualifications and designations; 8 project-specific training—for example, application- or system-specific or in project management;

150

NEW INSIDE PAGES FINAL copy.indd 150

13/02/2012 12:58

Auditor Sensitivity to Source Reliability 8 structured training to ensure core audit, interpersonal (communications, leadership, time management), and technical skills.

Assessing Project Roles and Responsibilities

A fundamental skill that can give the auditor an edge—or at least partly compensate for any skill gap—is the ability to “read” people and a strong social intelligence. Effective interpersonal skills are critical to the success of project audits. With the pressure of project delivery, conducting work in a manner that will not adversely impact the progress of a project is essential. Each team member must be able to effectively interact with third-party vendors, employees from multiple disciplines, coworkers, and management to deliver effective audits. Although this sounds easy enough, along with multiple interaction levels the individual personality traits of these communication channels only adds to the challenge. The ability to establish credibility, understanding, trust, and rapport with project team members is key. This can be hampered by the overuse of conference calls, e-mails, text messages, and even video conferencing, which, while indispensable and cost-effective, are no substitute for meeting in person. For example, auditors are spending less and less time in the field—an area where valuable insights can often be gained. This can have the effect that clients feel more detached from the audit process and are less open or comfortable with auditors or audit management; and the client’s staff may be too relaxed if they do not “see” audit staff in person and the preventive effects of feeling that “the auditors are watching” is therefore diluted. See Appendix 1 for more information on the advantages and disadvantages of alternate means of information gathering. How might an auditor overcome these issues? Interpersonal skills do make a tacit appearance at the fringes of accountancy education, in MBA schemes, and in professional qualifications, but it would be an understatement to say they are close to being “front and center.” Whether or not this should be the case is beyond the scope of this article or the qualifications of its authors. However, practical experience has repeatedly demonstrated to us that the most effective auditors, investigators, and examiners are those who can rapidly develop effective rapport, identify deception, and facilitate the extraction of information. In many instances such techniques have been taught to sales people to help them to identify the needs of customers. Although these skills are innate in some people, more often than not they can be taught with varying degrees of success to others who do not have them. Some of the fundamental approaches to learning these skills include: 8 kinesics-based interviewing techniques (Walters, 2003); 8 an understanding of personality types and of personality types associated with criminality 8 neurolinguistic programming (Bandler and Grinder, 1981). Kinesics-based techniques use the body language of the interviewee as an aid to assessing the truthfulness of information relayed during interviews and conversations. Some of these body cues include:

151

NEW INSIDE PAGES FINAL copy.indd 151

13/02/2012 12:58

Effective Auditing for Corporates 8 shifting of the eyes; 8 pupil dilation or other signs of increased heart rate; 8 sweating in a cold room or, conversely, acting overly cold in a warm room; 8 wringing of hands and excessive movement of feet; 8 crossed arms; 8 pointing of feet toward doors or windows—as if an interviewee is looking to flee; 8 overly physical gestures while talking (being careful not to misinterpret culturally normative gestures as signs of possible deception). When interviewing experts or sources of information, auditors should look for behaviors above and beyond normal that may indicate deception or misleading information. Remember that outside influences may come into play. Assess behavior over time and against known facts. These techniques also look for cues in speech patterns and wording to help to pick up on deception. They teach the interviewer to look for signs of changes in vocabulary such as depersonalization, or if an interviewee suddenly shortens his or her answers. They teach the auditor the optimal room set-up and interview positioning to relax the interviewee and obtain optimal benefit from the interview. Aside from looking for cues of deception, an auditor can also assess whether an auditee really understands the audit process, the relative risks, and the scope of the engagement. Please see Appendix 2 for more information of effective interview tips. Understanding personality types will help an auditor to customize the interview and information-gathering process by understanding what makes the interviewee most comfortable, as well as how to pick up on signs of criminal behavior or personality disorders that may raise flags during an audit. This understanding will also aid an auditor should the audit uncover indications of fraud, criminal behavior, or other irregularities that require an intensification of effort. Knowledge of personality types will also help the auditor to understand certain cues that a person may be giving off. Neurolinguistic programming (NLP) as a method of interviewing is diminishing in popularity, but an understanding of the method can help an auditor to place reliance on information gathered during the audit. NLP was originally used to create solutions for dealing with phobias. Applied to the field of auditing, it can be used to help an auditor to extract more information from a client and in developing a degree of trust with the auditee. Formal education and in-depth training in any of these types of interviewing techniques will help an auditor to reduce the “noise” in interpreting what an interviewee is saying and will increase the reliability of the information-gathering process. Along with this training, in a multinational environment auditors should also be trained in cultural sensitivity so that cues are not misinterpreted and relationships are not marred by language or behavior that may be perceived as insulting by the client. Experts have long known that nonverbal signals (body language) are an important component of communication. Traditionally used by investigators, interrogators, and auditors, whether during initial meetings or in later discussion of control weaknesses,

152

NEW INSIDE PAGES FINAL copy.indd 152

13/02/2012 12:58

Auditor Sensitivity to Source Reliability deficiencies, or findings, the use of kinesic techniques can give interviewers valuable insights. During communications and interviews it is important that the auditor has the ability to talk to people on their level and that he or she can listen actively and collate information. This information then needs to be collated with information received outside the course of the interview in the hopes that they are consistent. The goal of the interview is simply to gather the facts and clear up any confusion or inconsistency—not to form conclusions. Active listening is a skill that auditors should learn and practice. I have often seen auditors complete sentences for clients, a practice that can lead to a lack of clarity in the information gathered. Auditors should ensure that interviews are done in such a way that they are free from distractions and create an environment that is neutral for all parties.

Outside Experts

In many instances the organization may need to rely on external professionals to assist in performing audit work, providing audit supervision, training of internal staff, creating audit programs, or assessing the reliability of information received during an audit. When using external experts, the organization must exercise due professional care in both the selection of and the contracting with these individuals. The case study below illustrates the risks of not doing so. Management should be concerned that the following considerations are given proper attention. 8 Management must be able to determine that the expert possesses the knowledge and competency necessary to complete the work in question. This may or may not include specific licensing (which should be verified with relevant licensing boards), expertise (which can be demonstrated and verified through references or personal observations), and other qualifications necessary to ensure competency. 8 It must ensure that the relationship with the professional does not hinder the latter’s ability to make a sound judgment free of bias or partiality. For example, when a professional is asked to make a value assessment of an asset, his/her fee should not be related to the assessment value arrived at (e.g. a percentage of the value assessed). 8 Communication with the expert should be kept formal but frequent to ensure that the work performed is consistent with management expectations and objectives of the assignment. Careful consideration has to be made to ensure that the expert does not scope-creep or create work for him or herself beyond what is necessary to get the job done. 8 Management should determine beforehand that the risk of using the outside professional (who will have access to confidential information) is outweighed by the benefit of securing the professional’s services. 8 Any use of outside experts should be disclosed to and agreed on by key stakeholders, the audit committee, and the board of directors/executive management. Experts may be used in the performance of audit work. Assurance should be made that experts possess the required experience and training. Key stakeholders should be informed when experts are being used.

153

NEW INSIDE PAGES FINAL copy.indd 153

13/02/2012 12:58

Effective Auditing for Corporates The techniques we have described to interview clients should also be applied when interviewing experts. In addition, auditors may wish to consider asking technical questions to ensure that the expert really does have expertise in his or her field. They should make sure that they themselves know the correct answers before doing this, and they may wish to consider contacting their own experts first to help in building and answering such assessment questions. Case Study

A Cautionary Tale

A recent client was relocating its corporate headquarters to a number of new and refurbished buildings in the neighborhood as the current facility was being sold. Several locations were scouted out and selected to move into; formerly in one building, headquarters was being moved into six. There was an experienced team of facility managers within the corporate structure, but it was decided that due to the complexity of the project an external project manager would be used. Because of the streamlined design and the priority given to time, the company was looking for a project manager with experience in construction, engineering, and handling large projects. A formal bidding process was started, firms were eliminated, and a shortlist of qualified candidates followed. The selection committee unanimously selected a firm based on the qualifications of the project manager (Bob), who they wanted to work on this project. The team was particularly impressed by his educational credentials, as he had graduated from the Massachusetts Institute of Technology (MIT), a school well known for its strength in mathematics and engineering. There was no indication that Bob was a licensed project management professional, but during interviewing he was able to list with confidence the many projects he had worked on. Several months into the project it was obvious that cost overrun was imminent and that the project was falling way behind schedule. Executive management was concerned about the financial impact, and project management was concerned as it feared that employees would not be relocated on time. Audit was called in to investigate. Audit interviewed the general contractor to find out why the project was so far behind. The general contractor admitted that there were conflicts between himself and Bob and that at times Bob had hindered the project more than helping it. The contractor expressed concern that he was not getting paid on time and that some of his proposed value engineering solutions were ignored or overlooked by Bob. Audit interviewed Bob, who defended his position by stating that he was a proven expert in the field and should be trusted. However, when asked basic construction questions he seemed confused or answered inaccurately. Audit asked for proof of his expertise and received his résumé, which stated that he had attended MIT. When asked, he would not produce a copy of his diploma. Audit called MIT to verify his attendance. It was confirmed that he had graduated from the university but that his degree was in history. He had received no formal training in engineering or construction while there.

Evaluating Evidence of Project Progress

Often the percentage of completion is used as a basis for paying for services, especially for IT projects and capital improvements. With percentage of completion, invoices come in that need to be paid with reference to an overall contract price on the basis of estimated completion points along the course of the project. The problem comes in

154

NEW INSIDE PAGES FINAL copy.indd 154

13/02/2012 12:58

Auditor Sensitivity to Source Reliability estimating how much has been done and what the total costs will be. Coupled with that is that the overall project will most likely include change orders, scope changes, or other requests for changes, so a project that is at one stage of completion may actually go backward, in whole or by line item, as time goes on. Ideally the percentage of completion is assessed by an independent source prior to payment. Auditors need to assess the accuracy of invoices that come in for these services to ensure that due diligence has been done prior to making a payment. This may require an assessment of the current stage of completion and progress over time by comparing with the intended final result (total project completion), an interview with the independent party that certified the estimate, and knowledge of the project at hand. An auditor may not be familiar enough with the project to determine if the estimated percentage of completion is accurate. Auditors may be limited as to what they can verify; they need to trust that the independent assessment was accurate and that the mathematical flow makes sense. An auditor should concentrate on the control environment around how assessments were made and approved, as well as confirming the independence of the expert who verified the percentage completed. Auditors should examine several other matters related to the use of the expert by: 8 obtaining background information on the expert and testing the relevance of their experience; 8 checking the contract to ensure that the scope of services includes making independent assessments; 8 ensuring that the expert has duly documented the assessment; 8 if possible, obtaining the expert’s notes and calculations to determine how they made their assessment. Whether obtained through interview, audit testing, or expert advice, audit evidence from different sources or of a different nature may indicate that a particular item of audit evidence is not reliable. It is then up to the auditor to play an objective role and evaluate the evidence. Additional testing may be required to support the evidence that has been obtained. International audit standards, such as ISA 500, guide an auditor as to how to obtain evidence and how evidence should be used to support audit findings and conclusions. The auditor must determine the relevance and reliability of evidence obtained using several methods: 8 audit steps to recalculate or come to the same conclusion as the evidence; 8 evaluation of the consistency of audit material; 8 identifying the source of audit material, recognizing that the more independent a source is of the audit the more reliable the evidence is likely to be; such independent sources may consist of confirmations, benchmarks, or reports from analysts/appraisers; 8 verification of evidence against source documentation, keeping in mind that evidence that is a “copy” or replication is less reliable than original material; such verification may be difficult as it is often difficult or impossible to differentiate between an original and a copy; 8 evidence obtained from an environment where an auditor has performed tests of controls and has concluded favorably for that environment.

155

NEW INSIDE PAGES FINAL copy.indd 155

13/02/2012 12:58

Effective Auditing for Corporates 8 Information is only as valuable as its source. 8 An auditor must be able to trace sources and originality. 8 Understanding independence is key to assessing validity of information. Conflict occurs when audit evidence contradicts itself or contradicts the conclusions of the audit report. An auditor needs to feel comfortable that his or her interpretation is correct and should be sure that another reasonable person would make the same interpretation. At times, it may be useful for an auditor to ask someone else, independent of the audit, what conclusion they would draw to see if it is in agreement with their own. This independent person should be asked in such a way that bias is eliminated. As an example, the auditor should present the facts and ask “what do you think?” being careful not to say “I concluded such and such, do you agree?” If the independent person cannot draw a conclusion, the auditor may need to gather or present more evidence to both form and justify an appropriate opinion. Summary

8 Information gathering is a fundamental skill that every auditor must have and is an integral part of every audit.

8 Many auditors gather information without taking steps to confirm, validate, and give credibility to the information obtained. This can lead to improper conclusions, whether for or against the client. Most clients will likely dispute an unfavorable audit result, but they may not be so quick to question conclusions that suggest they have done a better job than they actually have. 8 An auditor needs to have determination and the confidence to persevere in the conclusion they reach. Documentation showing how the conclusions were arrived at should be part of the audit records and should be kept in case the auditor has to defend his or her position at a later time. 8 Time needs to be devoted to training staff in interpersonal skills and communication. 8 Additionally, audit management should ensure that enough time and resources are allocated to an audit so that audit team members have the time they need to obtain efficient and reliable information during the information-gathering stages of an audit.

156

NEW INSIDE PAGES FINAL copy.indd 156

13/02/2012 12:58

Auditor Sensitivity to Source Reliability More Info Books: Bandler, Richard, and John Grinder. Trance-formations: Neuro-Linguistic Programming and the Structure of Hypnosis. Moab, UT: Real People Press, 1981. Walters, Stan B. Principles of Kinesic Interview and Interrogation. 2nd ed. Boca Raton, FL: CRC Press, 2003. Standards: Institute of Internal Auditing (IIA). “ International standards for the professional practice of internal auditing.” Online at: tinyurl.com/7xg5rlw International Federation of Accountants (IFAC). “International Standard on Auditing 500: Audit evidence.” Online at: tinyurl.com/6qph7p2 Website: International Federation of Accountants (IFAC): www.ifac.org

157

NEW INSIDE PAGES FINAL copy.indd 157

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 158

Time spent on site is limited and auditor may not pick up on key areas where there are defects or missing controls Time and resource-consuming

Auditor can observe issues as they arise

Validates data gathered from other sources

Visits may be hazardous for an auditor not trained to be on site

Visits may be distractive to productivity

Allows in a lot of “noise” that may lead to incorrect conclusions or assessments of the environment. Staff are on best behavior while audit is present

Must be carefully scheduled well in advance

Auditor may not fully “get into” the site and may be reluctant to ask questions

More difficult to verify source of information as one does not know who completed the survey

Auditor may have to chase up unreturned surveys

Answers may be reviewed and reworked so that information is filtered and details are omitted

Improves interviewer’s understanding of the working project environment and he/she sees how it is done versus how it should be done

Site visit

Answers are documented and it is easier to keep evidence of what was stated

Information given may be brief and lack sufficient detail No opportunity to clarify ambiguous answers

No physical connection with auditee

Interviewees can complete in their own time and be more relaxed in giving answers

Respondent’s environment may be noisy or distracting

Difficult to get calls returned

Answers are not as susceptible to bias as in phone interviews

Mailed survey

Respondents tire quickly during interviews

Least expensive type of interview Difficult to schedule in advance

No opportunity to establish rapport with the interviewee Scope of interview is not necessarily limited but it may become scripted if conducted by an inexperienced interviewer

Interviewer can clarify questions if answers are not understood

Disadvantages

Fastest way to collect information and has better response rate than mail surveys

Telephone

Advantages

Appendix 1: Advantages and Disadvantages of Alternate Means of Information Gathering

Effective Auditing for Corporates

158

13/02/2012 12:58

Auditor Sensitivity to Source Reliability Appendix 2: Effective Interview Tips 8 Auditors must be prepared for interviews by gathering background information and knowing as much as possible about the area that is being audited. An interview conducted “blind” will lead to confusion and may cause the auditor to overlook obvious concerns. 8 Interviews should be held in a “neutral” area and should be free of distractions. There should be no opportunity for others to stop by and ask questions, nor should there be telephones nearby or an area where phones are constantly ringing. It should be quiet. 8 Auditors need to practice active listening techniques and ensure that they do not provide answers or finish sentences for the auditee. 8 Auditors must be able to talk to people at all levels without being condescending, rude, or giving offence. 8 Interviews should be documented as they proceed. However, the auditor should maintain as much eye contact with the auditee/interviewee as possible. If necessary an additional person should be brought in to note the proceedings. The auditor should give a copy of the notes to the interviewee to review for accuracy. 8 Auditors need to collate and corroborate information received during an interview, questioning any inconsistencies as soon as they arise. 8 The goal of an interview is to gather facts and clear up inconsistencies. Auditors must focus on this goal. 8 The setting or meeting room should be set up so that the auditor has a clear view of the interviewee that allows them to interpret nonverbal clues/body language. 8 The auditor should watch for changes in tone of voice or eye contact, which may be a sign of deceitfulness. 8 Interviews should be scheduled at a time when neither party has other constraints or schedule conflicts as these will be distracting.

159

NEW INSIDE PAGES FINAL copy.indd 159

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 160

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance by Robert G. Eccles,a Michael P. Krzus,b and Liv A. Watsonc Harvard Business School, Boston, Massachusetts, USA Mike Krzus Consulting, Chicago, Illinois, USA c XBRL International, Clark, New Jersey, USA a

b

This Chapter Covers 8  A brief background on integrated reporting and the important role the accounting profession has played in developing it. 8  The meaning of “materiality” for both financial and nonfinancial information. 8  The key challenges faced in providing an integrated assurance opinion. 8  Recommendations for overcoming these challenges in order to make integrated assurance opinions a reality.

Introduction

Interest in integrated reporting is growing around the world. It is now required in South Africa by the approximately 450 companies listed on the Johannesburg Stock Exchange on a “comply or explain why not” basis.1 Although other countries may follow South Africa’s lead and mandate integrated reporting over the next several years, today it is an otherwise entirely voluntary activity by companies. Nevertheless, a growing number of companies are adopting it because of the substantial benefits they receive, including a better understanding of the relationship between financial and nonfinancial performance, improved internal measurement and control systems for producing reliable and timely nonfinancial information, lower reputational risk, greater employee engagement, more committed customers who care about sustainability, more long-term investors who value sustainable strategies, and improved relationships with other stakeholders.2 There are approximately 240 companies using the Global Reporting Initiative’s (GRI) G3 Guidelines that identified themselves as producing an integrated report during 2010.3 Although many of these are European companies, notable companies producing an integrated report in the United States include American Electric Power, Pfizer, PepsiCo, Southwest Airlines, and United Technologies Corporation. In nearly all cases, the companies that produced an integrated report first started out by producing a corporate social responsibility or sustainability report.4 The number of such reports has grown dramatically over the last 10 years. For example, data from CorporateRegister.com showed 3,287 companies publishing a sustainability report in 2010, compared to 830 companies in 2001.5 Similarly, the number of GRI reporters had grown from 125 in 2001 to 1,864 in 2010.6

161

NEW INSIDE PAGES FINAL copy.indd 161

13/02/2012 12:58

Effective Auditing for Corporates Though the growth in sustainability reporting is impressive, the growth in the extent to which these reports have any form of assurance on them, whether by a Big Four accounting firm or a specialist boutique, is less impressive. As shown in Table 1, in 2010 Spain had the largest percentage of companies obtaining an assurance opinion on their report, at 44%, and the United States had the lowest, at 6%. Providing an assurance opinion on nonfinancial information is a necessary, albeit incomplete, step toward providing an integrated assurance opinion. Table 1. Sustainability reports with an external assurance statement 2001–107 2001 Sustainability Sustainability reports reports issued with assurance

2010 Proportion of reports with assurance (%)

Sustainability Sustainability reports reports issued with assurance

Proportion of reports with assurance (%)

Australia

117

31

26

248

52

21

Canada

61

4

7

213

26

12

Denmark

26

16

62

74

20

25

Finland

27

6

22

71

19

27

France

29

3

10

223

32

14

Italy

58

30

52

566

66

12

Japan

164

25

15

558

56

10

Netherlands

46

14

30

159

39

25

Norway

35

8

23

52

12

23

South Africa

9

4

44

119

29

24

Spain

12

3

25

256

113

44

Sweden

37

6

16

163

49

30

United Kingdom

169

62

37

566

107

19

United States

156

10

6

629

37

6

We believe that the full value of integrated reporting will only be realized when integrated assurance is provided on the report. After all, how much would investors rely on financial reports if they weren’t accompanied by an audit? It is the audit that, despite the occasional shortcoming, makes financial reports reliable and comparable. Reliability comes from the fact that the user knows that an objective third party has carefully reviewed the reported figures to ensure that the report has been prepared according to the relevant accounting standards—typically, International Financial Reporting Standards (IFRS) or US Generally Accepted Accounting Principles (US GAAP).

162

NEW INSIDE PAGES FINAL copy.indd 162

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance Comparability of information across companies, at least within a country and a sector, comes from the fact that they have used the same accounting standards and that the auditor has used audit procedures that are subject to oversight and review to ensure their efficacy in ensuring the reliability of the reported information. To make integrated reports as reliable and comparable as financial reports, an integrated assurance opinion will have to be provided. Ideally, it will be in the form of “positive assurance” (“the company did it right”) rather than the “negative assurance” (“nothing leaped out at us as terribly wrong”) that is typically provided today. What we are calling for are “integrated audits” that have the same degree of rigor, including the review of internal systems and controls, as today’s financial audits. And while we prefer the term “integrated audit” to “integrated assurance” to reinforce this connotation, we will use the latter because the Public Company Accounting Oversight Board (PCAOB) in the United States has already established its own, and much more limited, definition of an “integrated audit.”8 The US Sarbanes–Oxley Act of 2002 established the PCAOB as the US standard-setter for audits of public companies and reserved the term “audit” for an examination of financial statements.9 Similarly, the International Auditing and Assurance Standards Board (IAASB) limits use of the term “audit” to an examination of the financial statements.10 The IAASB is the audit and assurance standard-setting organization of the International Federation of Accountants (IFAC).11 In this chapter we will provide some brief background on integrated reporting and the important role which the accounting profession has already played in developing it, discuss the meaning of “materiality” for both financial and nonfinancial information, identify the key challenges in providing an integrated assurance opinion, and make recommendations for overcoming these challenges in order to make integrated assurance opinions a reality.

Background on Integrated Reporting

On August 2, 2010, the Prince of Wales’ Accounting for Sustainability (A4S) project and the GRI announced the formation of the International Integrated Reporting Committee (IIRC).12 The mission of the IIRC is “To create a globally accepted integrated reporting framework which brings together financial, environmental, social and governance information in a clear, concise, consistent and comparable format”13 in order to “help business to take more sustainable decisions and enable investors and other stakeholders to understand how an organization is really performing.”14 The accounting profession, through participation in the IIRC and in other ways, has already made a substantial contribution to the integrated reporting movement. Representatives from seven accounting associations (ACCA, CICPA, CIMA, FASB, IASB, ICAEW, and IFAC) and six accounting firms (BDO Seidman, Deloitte Touche Tomahtsu, Ernst & Young, Grant Thornton, KPMG, and PricewaterhouseCoopers) sit on the steering committee of the IIRC.15 These firms have also contributed valuable resources in the form of secondments. Deloitte,16 Ernst & Young,17 KPMG,18 and PricewaterhouseCoopers19 have all written white papers on integrated reporting. On July 27, 2011, the ACCA sponsored a live broadcast “Integrated reporting: A framework for the future” as part of their annual Research and Insights Conference.20 It is our hope that these firms and associations will soon start contributing ideas and resources to the topic of integrated assurance.

163

NEW INSIDE PAGES FINAL copy.indd 163

13/02/2012 12:58

Effective Auditing for Corporates Integrated reporting involves reporting both financial and nonfinancial (environmental, social, and governance (ESG)) information in a single document, ideally showing the relationship between the two in terms of how strong performance on ESG issues contributes to strong financial performance and vice versa. A recent study by Eccles, Ioannou, and Serafeim (2011) shows that a set of 90 “high sustainability” firms significantly outperform a matched set of 90 “low sustainability” firms, providing evidence that attention to ESG issues contributes to financial performance.21 Today all listed companies are required to report on their financial performance on at least an annual basis, but reporting on nonfinancial performance is a voluntary exercise in most countries. We believe that integrated reporting of both financial and nonfinancial performance should ultimately be mandated. Ioannou and Serafeim (2011) have shown the benefits to companies and society of mandated ESG reporting.22 The same, and even more so, will be true of integrated reporting.

What is Integrated Reporting? In simple terms, integrated reporting combines a company’s key financial and nonfinancial information into a single document. However, the integration of financial and nonfinancial reporting is about much more than publishing a single paper document. An integrated report serves as a means of reporting financial and nonfinancial information in a way that explains their impact on each other, answering a fundamental question: Just how does nonfinancial performance contribute to financial performance, and vice versa? The International Integrated Reporting Committee’s discussion paper23 adds, “Integrated Reporting brings together material information
about an organization’s strategy, governance, performance
and prospects in a way that reflects the commercial, social
and environmental context within which it operates. It provides
a clear and concise representation of how an organization demonstrates stewardship and how it creates and sustains value.” Integrated reporting has the potential to significantly change how both companies and investors make capital allocation decisions, shifting the focus from that of meeting short-term financial goals to developing a long-term business strategy that defines sustainability as the creation of economic value over the long-term. Integrated reporting involves more than a static document. It also entails providing performance information in a more integrated way on the company’s website, along with providing more detailed information of particular interest to shareholders and other stakeholders. Analytical tools for exploring the relationship between financial and nonfinancial performance using data from the company and other sources, as well as comparing the company’s performance to its competitors, can also be provided. Finally, the company’s website can be used to improve its dialogue and engagement with all stakeholders. Integrated reporting is as much about listening as it is about talking.24

164

NEW INSIDE PAGES FINAL copy.indd 164

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance Long-term sustainable value creation requires the company to take a holistic view of the consequences of its decisions regarding financial, natural, and human resources in terms of how decisions about each type of resource affects the others. It also requires good governance and risk management in order to ensure that decisions producing short-term performance do not threaten the company’s long-term performance or, in more extreme cases, even existence. As expressed by the IIRC, through integrated reporting a company is able “to demonstrate the linkages between an organization’s strategy, governance and financial performance and the social, environmental and economic context within which it operates. The IIRC’s Framework will support an organization in addressing, in a clear and concise manner, the material issues affecting its ability to create and sustain value in the short, medium, and longer term.”25

Sustainable Strategies and Value Creation Companies operate in a multi-faceted world. The global economy is complex and intertwined, the demand for finite natural resources is accelerating, and the lingering effects of the 2008 financial crisis have left society skeptical and untrusting of corporations. Accordingly, a company’s strategy and business must reflect an inherent understanding of the relationships between the economic, governance, environmental, and social dimensions of performance. A sustainable strategy sets a company on a course towards value creation over the long term. Sustainable strategies include, but are not limited to (Eccles and Krzus, 2010): 1. Long-term view. Sustainable strategies require a long-term view by the company and, by implication, its shareholders, who are one class of stakeholder. 2. Multiple-stakeholder perspective. Sustainable strategies require the recognition of the legitimacy of the interests of other stakeholders, who must also take a long-term view. 3. Engagement processes. Sustainable strategies depend upon processes of engagement for understanding the expectations of all stakeholders. 4. Value creation for all stakeholders. Doing so contributes to value creation for shareholders as well as to meeting the needs of other stakeholders. Failure to adopt a sustainable strategy will put a company’s reputation and its ability to create shareholder value at risk. Success in the 21st century will belong to organizations that have learned to balance the imperative for longterm viability of the company and the world it relies on to create economic value, with the demands for short-term competitiveness and profitability. Integrated reporting is both the most effective way for a company with a sustainable strategy to report on its performance and a form of discipline to ensure that it has a sustainable strategy in the first place. Integrated assurance will enhance the credibility of the integrated report to both management and investors, thereby increasing its utility to both.

165

NEW INSIDE PAGES FINAL copy.indd 165

13/02/2012 12:58

Effective Auditing for Corporates The seeds for an integrated assurance opinion are already being sown. For example, KPMG does both the financial audit and provides negative assurance on the nonfinancial information reported by Philips Electronics in its integrated report.26 PricewaterhouseCoopers does the same for the Novo Nordisk integrated report.27 But to get to a single integrated audit assurance opinion, the question of defining “materiality” for nonfinancial information needs to be addressed. Case Study

The Challenges of Integrated Assurance at Philips Electronics

Interest in nonfinancial (e.g., environmental, social, and governance) information is growing (see Eccles, Krzus, and Serafeim, 2011). From an investor perspective, a link between sustainability performance and a company’s ability to create economic value over the long term has been demonstrated (see Eccles, Ioannou, and Serafeim, 2011). Credibility is one of the keys to increased demand for, and more widespread acceptance of, nonfinancial information by shareholders and other stakeholders. An increasing number of companies have asked their auditor to provide an assurance report on their nonfinancial information. KPMG found that of the 250 largest companies publishing environmental, social, and governance reports, 46% of those reports include formal assurance. This is up from 29% in 2002.28 One of the issues facing companies when they contemplate a request for positive rather than negative assurance on their nonfinancial information is data quality. Sustainability and other nonfinancial information are not typically produced by systems subject to robust controls and processes, as is financial information. As a result, assurance providers may not be able to apply their methodologies and procedures to nonfinancial information. This doesn’t mean that the data are inherently inaccurate. However, sustainability managers will be required to establish preventive and detective controls and complete internal control questionnaires for systems and processes. A complicating factor for both Philips and KPMG is the absence of generally accepted global standards for measuring and reporting nonfinancial information. Standards promote reporting that provides relevant and useful information to stakeholders. Standards are necessary so that nonfinancial information is meaningful, especially across sectors. Absent standards, comparative analysis is virtually impossible. The discussion about integrated assurance at Philips challenged KPMG to carefully weigh the benefits and risks of providing assurance on nonfinancial information. Certainly, KPMG was in a position to develop a new revenue stream. However, KPMG—like the other Big Four accounting firms—realize that their market position depends on the firm’s credibility and reputation. Anything that threatened the firm’s reputation would be thoroughly and cautiously reviewed. While some might argue that financial statement audit methodologies can be easily applied to nonfinancial information, neither KPMG nor other audit firms had fully developed approaches to provide positive assurance on nonfinancial information. The lack of nonfinancial accounting standards and related high quality assurance methodologies for nonfinancial information prevented KPMG from delivering an integrated assurance report. The process to deliver integrated financial and nonfinancial assurance required a significant investment of time and people at both Philips and KPMG. Ultimately, Philips shareholders and other stakeholders need to respond to the question of whether the increased quality and reliability provided by assurance on nonfinancial information will be judged as adding value.

166

NEW INSIDE PAGES FINAL copy.indd 166

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance Materiality

The IIRC, quoted above, refers to “the material issues” that affect the organization’s “ability to create and sustain value in the short, medium, and longer term.” The concept of materiality is critical to both financial statement disclosure and the reporting of nonfinancial information. In addition, judgments about materiality influence accounting firms’ audit and assurance processes. Ultimately, each user of business information—management, shareholders, analysts, regulators, civil society, and a variety of others—determines what is material. The omission or misstatement of an item in a financial report is material if, in consideration of relevant facts and circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person would be changed or influenced by the inclusion or correction of the item. In other words, a matter is material if there is a substantial likelihood that a reasonable person would consider it important. The International Accounting Standards Board (IASB) and the US Financial Accounting Standards Board (FASB) captured this point when both organizations adopted the same definition of materiality. Materiality is “…an entity-specific aspect of relevance based on the nature or magnitude (or both) of the items to which the information relates in the context of an individual entity’s financial report.”29, 30 The concept of materiality in financial reporting has both quantitative (magnitude) and qualitative (nature) aspects. Regulators and standard-setters often state that materiality cannot be reduced to a numerical formula, yet numerical “rules of thumb,” such as 5% of earnings before income taxes or 10% of a given account balance, are often used as a basis for determining materiality. Since the determination of what is material must reflect both the nature and the magnitude of an item, simply quantifying the magnitude of an error or misstatement in percentage terms cannot be used as a substitute for a full analysis of relevant considerations. Qualitative factors, such as: 8 whether the misstatement masks a change in earnings or other trends, 8 whether the misstatement hides a failure to meet analysts’ earnings expectations, 8 whether the misstatement changes a loss into income or vice versa, 8 or whether the misstatement affects the compliance with laws or regulations, may cause quantitatively small amounts to be material. The Supreme Court of the United States reinforced the importance of considering qualitative and quantitative factors by ruling that a fact is material if there is “a substantial likelihood that the… fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”31 Materiality guidance for auditors of financial statements is similar to guidance provided to companies in preparing their financial statements. For example, the IAASB does not prescribe any specific methodology for determining materiality, but states that “The auditor’s determination of materiality is a matter of professional judgment, and is affected by the auditor’s perception of the financial information needs of users of the financial statements.”32 Similarly, the PCAOB does not prescribe any methodology for determining materiality. Instead, the PCAOB standard refers to a US Supreme Court decision.33

167

NEW INSIDE PAGES FINAL copy.indd 167

13/02/2012 12:58

Effective Auditing for Corporates There are no standards for the preparation of nonfinancial information equivalent to either IFRS or US GAAP, and there is therefore no materiality guidance for companies. Yet there is guidance on assurance and attestation methodologies, and the international and US versions are very similar. The IAASB and the PCAOB use the terms “assurance” and “attestation” in reference to engagements other than audits or reviews of historical financial information. PCAOB guidance on attestation states: “In expressing a conclusion, the practitioner should consider an omission or a misstatement to be material if the omission or misstatement—individually or when aggregated with others—is such that a reasonable person would be influenced by the omission or misstatement. The practitioner should consider both qualitative and quantitative aspects of omissions and misstatements.”34 Note that the term “reasonable person” anticipates users of the information other than investors. Similarly, the IAASB provides the following guidance to assurance providers: “Materiality is considered in the context of quantitative and qualitative factors, such as relative magnitude, the nature and extent of the effect of these factors on the evaluation or measurement of the subject matter, and the interests of the intended users. The assessment of materiality and the relative importance of quantitative and qualitative factors in a particular engagement are matters for the practitioner’s judgment.”35 Again, the term “users” is clearly a broader one than “investors,” raising the question of whether materiality lies in the eyes of the beholder. In summary, international and US guidance on materiality for financial and nonfinancial information is substantively the same and can be broken into two parts. First, materiality is a matter of professional judgment. Second, the determination of materiality is based on the company’s and the auditor’s perceptions of the information needs of users. Both of these elements pose challenges to companies and assurance providers. There is also the question of whether the absence of detailed rules or fear of litigation inhibits professionals from exercising judgment. Another issue is whether it is possible to know if a “reasonable person” would consider a given matter to be important enough to influence his or her decision-making. Given that authoritative guidelines for determining materiality for nonfinancial information are very general at best, companies are developing their own ways to put this concept into practice. According to the CorporateRegister.com database,36 almost 3,300 sustainability reports were published in 2010, and approximately 800 of those reports included a discussion of materiality. Seventy-one of these 800 companies presented a materiality matrix to identify matters that were important to stakeholders and to the company. Like the reports themselves, there was a wide range in the quality of the disclosures within the materiality matrix. For example: 8 B  anco Bradesco used a materiality matrix in its 2009 report, but did not populate it.37 8 BASF did not provide a materiality matrix in the paper version of the BASF Report 2009, but provided a link to an online matrix. Clicking on a topic takes the reader to a more detailed discussion of the issue. The company identified approximately 40 key issues (i.e., ranking higher than 0.5 on a scale of 0.0 to 1.0).38

168

NEW INSIDE PAGES FINAL copy.indd 168

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance 8 L ’Oréal mapped topics of concern to stakeholders and relevance to the company and, similar to BASF, clicking on a link in the online 2009 sustainability report enabled a reader to download a factsheet summarizing L’Oréal’s approach to these challenges.39 8 Petrobras disclosed over 40 issues in their 2009 sustainability report as highly relevant to stakeholders and the company.40 8 SolarWorld noted in its 2009 annual report that materiality is determined by the economic, environmental, and social impact of the topics and indicators. However, the materiality matrix did not specifically identify any issues.41 8 State Street Corporation disclosed a small number of critical issues in its 2009 materiality matrix. Key topics and concerns included the company’s role as a fiduciary, marketplace issues in the current environment, business conduct, community impacts, and fraud and corruption.42 The materiality disclosures of the six companies identified above are representative of the information provided by the 71 companies that provide a materiality matrix. These companies are trying in their own ways to understand which issues should influence their decisions and actions in order to deliver on dimensions of performance that are important to the company, its shareholders, and other stakeholders. From these examples, the following questions are raised that will need to be addressed in providing integrated assurance opinions: (1) How are the dimensions of the matrices defined? (2) What is the value of providing a materiality matrix without reporting on what issues the company regards as material? (3) How does materiality differ across groups, such as shareholders vs. stakeholders? (4) Can 40 or 50 nonfinancial factors truly be material?

Challenges to Providing an Integrated Assurance Opinion

There are three major challenges to producing an integrated assurance opinion: 8 d  eveloping a global set of credible standards for measuring and reporting nonfinancial information which have the appropriate governmental support, just as is true for accounting standards; 8 developing methodologies for providing positive assurance on nonfinancial information; 8 integrating standards and assurance methodologies for financial and nonfinancial information in a way that provides a “true and fair view of an organization’s sustainability.”

Credible Standards for Measuring and Reporting Nonfinancial Information

Standards for nonfinancial information provide the foundation for being able to provide an integrated assurance opinion that is backed by the same degree of rigor as a financial audit. This is also the most difficult challenge and one fraught with contention, as is always the case when establishing standards. Two issues must be addressed. The first is “Who should be responsible for doing this?” Today there are a number of organizations that are doing good work in this domain, such as:

169

NEW INSIDE PAGES FINAL copy.indd 169

13/02/2012 12:58

Effective Auditing for Corporates 8 T  he Carbon Disclosure Project (CDP). As the secretariat to the Climate Disclosure Standards Board (CDSB), the CDP has developed the Climate Change Reporting Framework.43 Modeled in some ways after how accounting standards are set and with significant input from the Big Four firms, the CDSB has established standards for measuring carbon emissions and could build on this work to set standards for other environmental issues, such as water. 8 The European Federation of Financial Analyst Societies (EFFAS). EFFAS built on work done by the Society of Investment Professionals in Germany (DVFA) and published its own set of key performance indicators with an emphasis on information that is of particular interest to investors.44 These standards are both general and industry-specific, which is also true of the G3 Guidelines. 8 The Global Reporting Initiative (GRI). The GRI is one of the oldest standardsetting organizations for nonfinancial information and its G3 Guidelines for economic, environmental, and social metrics are currently the most commonly used set of standards for reporting on ESG performance. The GRI is currently working on developing its G4 Guidelines to ensure that its efforts support the work of the IIRC.45 In August 2011, the GRI launched a G4 Public Comment Period46 to solicit comments and ideas from organizational stakeholders and the public to help shape G4. 8 The International Organization for Standardization (ISO). The ISO published ISO 14000,47 which focuses on environmental management systems, and ISO 26000,48 and addresses matters of social responsibility. 8 Impact Reporting and Investment Standards (IRIS). IRIS developed performance indicators and metrics for companies and investors. The indicators are organized in a framework that is designed to apply across sectors and geographies.49 8 The Organization for Economic Development and Cooperation (OECD). The OECD published its most recent version of “Guidelines for reporting by multinational enterprises” in 2008.50 8 The United Nations Conference on Trade and Development (UNCTAD). UNCTAD’s Intergovernmental Working Group of Experts on International Standards of Accounting and Reporting (ISAR) released voluntary guidance in 2008 to assist enterprises in their efforts to communicate with investors and other stakeholders.51 The GRI, the CDSB, the DVFA, and other groups attempting to set standards for nonfinancial information need to collaborate rather than compete with each other so that the history of “country-GAAP” does not repeat itself. Assuming that this cooperation emerges—an admittedly big assumption—the question then becomes “How will these standards become institutionally legitimized and enforced?” Accounting standards, such as those set by the FASB in the United States, are ultimately backed by governmental authority; for example, the Securities and Exchange Commission in the United States. Little to no such governmental support exists for the work done by the organizations cited above. Until it does, companies will not know which set of standards to use, comparability of performance measures across companies will be compromised, and the ultimate reliability of the reported information will be in doubt.

170

NEW INSIDE PAGES FINAL copy.indd 170

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance Methodologies for Providing Assurance on Nonfinancial Information

The second challenge is to develop audit methodologies—and we use the term “audit” on purpose—for nonfinancial information that are as rigorous as they are for financial information. Having a rigorous and institutionally legitimate set of standards for nonfinancial information greatly facilitates the development of audit methodologies. Procedures for evaluating the quality of the internal control and measurement systems also need to be developed. Though a crude metric, we suggest that that the hours (and costs) of auditing nonfinancial information should be roughly the same level as for financial information. Today there are orders-of-magnitude differences between the two—one of many factors that contribute to the greater attention paid to financial information. One obvious concern is whether this will lead to a “windfall” for external auditors’ fees. If the auditing profession is providing a valued service, it should be paid for doing so. Our view is that shareholders will ultimately determine the level of effort and cost applied to the audit of nonfinancial information, and thus the fees paid to those who perform these audits, based on the value shareholders are getting from having more reliable information. We also believe that technology can be used to dramatically reduce the cost of integrated audits, although this will depend on the development of standards for nonfinancial information which, in turn, requires a clear concept of materiality for nonfinancial information, as discussed above.

Rigor of Financial Audits and What Goes into Them The standard auditor’s report, whether prepared under US or international auditing standards, includes a paragraph that describes the auditor’s responsibility. This paragraph describes, among other things, the auditing standards used and that the audit has been planned and performed to obtain reasonable assurance about whether the financial statements are free of material misstatement. Also explained is that the auditor tested evidence supporting the amounts and disclosures in the financial statements and assessed the accounting principles used and significant estimates made by management. Finally, the auditor states that the audit provided a reasonable basis for our opinion. The Center for Audit Quality explains52 processes and practices for the performance of a financial statement audit. Audit procedures for financial statement audits that could be replicated to provide assurance on nonfinancial information include: 1. Inspection. The examination of records or documents, whether internal or external, in paper form, electronic or other media, or physically examining an asset. For example, inspecting a sample of invoices. 2.  Observation. Observing a process or procedure being performed by company personnel or others. For example, observing a company’s physical inventory count, and re-performing counts on a test basis. 3.  Inquiry. Seeking information from knowledgeable persons in financial or nonfinancial roles within the company or outside the company. 4.  Confirmation. Obtaining information or representation of an existing condition directly from a knowledgeable third party.

171

NEW INSIDE PAGES FINAL copy.indd 171

13/02/2012 12:58

Effective Auditing for Corporates 5.  Recalculation. Checking the mathematical accuracy of documents or records. 6.  Analytical procedures. Comparison of recorded amounts, or ratios developed from recorded amounts, to expectations developed by the independent auditor. 7.  Re-performance. The auditor’s independent execution of procedures or controls that originally were performed
as part of the company’s internal control over financial reporting.

Integrating Standards and Assurance Methodologies for Financial and Nonfinancial Information

The third challenge is to integrate accounting and auditing standards for financial and nonfinancial information in order to provide a “true and fair view of an organization’s sustainability.” Today, the “true and fair”53 view of a company’s financial statements—a concept that is more common outside of the United States, where the term “presents fairly”54 is used—asserts that the overall picture provided in the financial statements is more than simply a collection of “the right numbers” taken one at a time. There is a rebuttable presumption in both the “true and fair” view and “presents fairly” that the company is an ongoing concern for one year, unless stated otherwise. This perspective is a relatively short-term one which is focused solely on shareholders. Since integrated reporting is intended to give shareholders and other stakeholders information about the company’s ability to create value over the long term, an integrated assurance opinion needs to be a “true and fair” view of the company’s long-term sustainability, explicitly taking into account the extent to which the company is meeting the needs of other stakeholders in order to be able to continue creating value for its shareholders.

Who Should Provide Integrated Assurance Opinions?

Once these challenges are overcome, the question then becomes which organizations should issue integrated assurance opinions. We believe that accounting firms, especially the Big Four and others like BDO Seidman and Grant Thornton, which audit public companies, have a central role to play. They have the necessary global networks, established relationships with all public companies, and the skills and a long tradition of conducting rigorous audits. As a practical matter, at least in the short term, we do not see any other types of organization as interested in and able to perform this role. This could change over time as technology advances and other firms, such as software and IT services firms, develop the capabilities to perform continuous audits, albeit in a rather different way that will require major adaptations by auditing standard-setting bodies. But for the world’s major auditing firms to conduct integrated audits, two other challenges need to be faced. The first is building the necessary capabilities, and the second is liability reform. The accounting firms need to take responsibility for the former, but the latter is a question of public policy and the firms cannot resolve it on their own. Once an assurance opinion goes beyond financial information based on accounting standards to include information on environmental, social, and governance performance, a much broader range of capabilities becomes necessary. None of the major accounting firms have even close to the necessary capabilities, although some are working to develop them.

172

NEW INSIDE PAGES FINAL copy.indd 172

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance Practice Protection Costs According to the October 2008 final report of the Advisory Committee on the Auditing Profession to the US Department of the Treasury,55 the six international auditing firms paid approximately US$5.7 billion to bring 362 cases to closure during the period 1997–2009. Of that amount, about US$3.7 billion, or 65%, was related to the audits of public (listed) companies. Litigation and practice protection costs include all litigation-related costs—costs of outside counsel and other experts, settlements and judgments, internal litigation-related costs, and insurance premiums, less insurance recoveries. The amount is equal to 6.6% of these firms’ revenues and 15.1% of these firms’ audit- related revenues. Litigation is clearly of significant concern to the auditing firms but is also of concern to investors and other market stakeholders. The challenge, certainly from the perspective of the auditing firms, is that they are an easy target for litigation. Audit firms are often sued when a company suffers a sudden and dramatic drop in its stock price or when a company goes bankrupt. Other stakeholders question whether efforts to limit liability are in the interest of investors and the capital markets, believing that the firms can best protect themselves by performing high quality and informative audits in full compliance with US or international professional standards. Ultimately, the legal system must balance the needs of auditing firms and the public interest. The extent to which accounting firms have the incentives and resources to build these capabilities partially depends on their expected and actual liabilities in conducting integrated audits. Liability reform remains a hot topic in the auditing profession, especially in the litigious United States. The debate today centers on the audits of financial statements, especially when accounting problems are confounded with a company’s bankruptcy, or when major fraud, especially in top management, is detected. This debate needs to be extended to the liabilities that will emerge from giving as much prominence to nonfinancial information as to financial information. Legislators and regulators will have to address this topic in a reasoned and responsible way. Ultimately, laws and regulations must balance the need to punish incompetence and malfeasance while creating an environment that encourages the accounting firms to make the investments necessary to provide high-quality assurance on nonfinancial information.

Summary and Further Steps

We will conclude with five recommendations which address the above five challenges. Each of these recommendations requires the active engagement of the accounting profession, including those in auditing firms, corporations (such as those in the finance function and internal audit), and academia. Failure of the accounting profession to help address these challenges puts its long-term relevance at risk. More importantly, it also puts at risk the development of a sustainable society.

173

NEW INSIDE PAGES FINAL copy.indd 173

13/02/2012 12:58

Effective Auditing for Corporates 8 First, working with the agencies of the government that give authority to their efforts, accounting standard-setters, such as the FASB and the IASB, should initiate projects to determine how to develop an institutionally legitimate set of standards for nonfinancial information. These bodies have deep expertise in the standardsetting process, although their domain knowledge is exclusively in the financial realm. Working with organizations that have expertise in the nonfinancial realm, they can develop a set of standards for nonfinancial information that have the same credibility as do standards for financial information. We also suggest that greater use could be made of technology to speed the development process. Setting accounting standards is a notoriously slow process, taking years or even decades, and a greater sense of urgency is necessary if a sustainable society is to be created. 8 Second, auditing standard-setters, such as the PCAOB in the United States and the IFAC, through the IAASB, should initiate projects for developing auditing standards for nonfinancial information, with respect both to individual metrics and to the internal control and measurement systems that produce them. As with accounting standard-setters, they should leverage their expertise in standard-setting and extend it by collaborating with organizations that have relevant expertise in the nonfinancial domain, such as organizations that audit supply chains and adherence to principles of human rights. 8 Third, both accounting and auditing standard-setting bodies should collaborate on initiating a project to define the meaning of “a true and fair view of an organization’s sustainability.” This definition will inform how measurement and auditing standards for financial and nonfinancial information are forged, rather than spliced, together in order to produce a truly integrated assurance opinion—a true “integrated audit” that takes into account the relationship between financial and nonfinancial performance. This project will require substantial input from organizations that have the relevant expertise in standard-setting and the assurance of nonfinancial information. 8 Fourth, the major accounting firms should build the necessary capabilities to conduct an integrated audit. This will be done through a combination of hiring individuals with technical skills outside of accounting (such as in engineering and supply-chain management), acquisitions of firms that have such skills, and building alliances and partnerships with such firms. The first two approaches raise an important practical question which the accounting profession and the entities that regulate it should address: What are the roles and responsibilities of the nonaccountant professionals within the audit and assurance hierarchies of the firms? Failure to address this question will leave them forever as “second class citizens,” to the detriment of placing nonfinancial information on an equal footing with financial information. The third approach, in which the accounting firm would be functioning as a “general contractor,” raises issues of liability exposure and risk-sharing. As experience in the construction industry shows, this is a difficult question to resolve and no clean and simple solution exists. International Standards on Auditing56 (ISA) and US Generally Accepted Auditing Standards57 (GAAS) provide similar guidance to auditors who use the work of an expert or specialist in performing an audit. Both standards apply to the work of, for example, actuaries, appraisers, attorneys, engineers, environmental consultants, and geologists. Under international and US standards, the auditor is not permitted to refer to the work or findings of the specialist to avoid the risk that such a reference

174

NEW INSIDE PAGES FINAL copy.indd 174

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance might be misunderstood to be a qualification of the opinion or that any division of responsibility exists.  Of course, it is conceptually possible to split the responsibilities for auditing the financial and nonfinancial information between two audit firms, or have a nonaccounting firm do the latter, or even have a nonaccounting firm issue the integrated audit with input from an accounting firm on the financial audit. At least in the short term, we don’t see any of these models as being practical due to regulations and the unlikelihood that investors would find a nonaccounting firm to be credible in issuing an integrated audit. 8 Fifth, the politically contentious issue of limiting the liability of accounting firms should be addressed. Opponents of this idea cite the substantial incomes earned by partners in the major accounting firms, point out that audit failures and the inability to detect fraud are still too common, and legitimately worry about the moral hazard problem if the risk of failure is shifted away from the firms. They may also point out that the substantial new revenue opportunities made possible by integrated audits should be enough of an incentive for auditing firms to do them. However, given the current concentration in the auditing industry,58 especially with respect to the world’s largest companies, the public risk of losing another large accounting firm due to litigation is simply too great. In the long term, this concentration is a public policy question that should be addressed, but in the short term we need to ensure that sufficient capacity exists to provide integrated assurance opinions for all listed companies.

More Info Book: Eccles, Robert G., and Michael P. Krzus. One Report: Integrated Reporting for a Sustainable Strategy. Hoboken, NJ: Wiley, 2010. Article: Eccles, Robert G., and Kyle Armbrester. “ Integrated reporting in the cloud: Two disruptive ideas combined.” IESE Insight 8 (First Quarter 2011): 13–20. Online at: tinyurl.com/7tkqojj Reports: Eccles, Robert G., Ioannis Ioannou, and George Serafeim. “The impact of a corporate culture of sustainability on corporate behavior and performance.” Working paper 12-035. Harvard Business School, November 4, 2011. Online at: www.hbs.edu/research/pdf/12-035.pdf Ioannou, Ioannis, and George Serafeim. “The consequences of mandatory corporate sustainability reporting.” Working paper 11-100. Harvard Business School, 2011. Online at: www.hbs.edu/research/pdf/11-100.pdf

175

NEW INSIDE PAGES FINAL copy.indd 175

13/02/2012 12:58

Effective Auditing for Corporates Websites: Carbon Disclosure Project (CDP): www.cdproject.net Climate Disclosure Standards Board (CDSB): www.cdsb.net CorporateRegister database: www.corporateregister.com European Federation of Financial Analyst Societies (EFFAS): www.effas.net Global Reporting Initiative (GRI): www.globalreporting.org Impact Reporting and Investment Standards (IRIS): iris.thegiin.org International Integrated Reporting Committee (IIRC): www.theiirc.org

Notes 1. South African Institute of Chartered Accountants. “An integrated report is a new requirement for listed companies.” Press release. June 4, 2010. Online at: tinyurl.com/8845pl9 2. For a more complete discussion of the benefits to companies of integrated reporting, see Eccles and Krzus (2010), and Eccles and Armbrester (2011). 3. GRI reports list: tinyurl.com/7jmt2yw 4. Terminology regarding the reporting of nonfinancial information is inconsistent and confusing. Some people use the terms “corporate social responsibility” (CSR) and “sustainability” interchangeably, whereas for others they mean different things. Each term also has different meanings. For some companies, their CSR report is about philanthropic contributions and community activities. For others, it is about their ESG performance more broadly. Similarly, for some companies their sustainability report is solely about carbon emissions and other environmental concerns, while for others it is about ESG performance more broadly. We will use the term “sustainability report” to refer to the entire range of ESG performance information. For a discussion of the origins of the concepts of corporate social responsibility and sustainability see chapter 5 in Eccles and Krzus (2010). 5. CorporateRegister.com (see www.corporateregister.com/about.html). The database is available on a subscription-only basis. 6. GRI, op. cit. 3. 7. CorporateRegister.com, op. cit. 5. 8. Public Company Accounting Oversight Board. “Auditing standard no. 5: An audit of internal control over financial reporting that is integrated with an audit of financial statements.” Online at: tinyurl.com/ye5sprj; para. 6–7. 9. The Sarbanes–Oxley Act of 2002, Section 2, Definitions (2), defines an “audit” as “an examination of the financial statements of any issuer [a publicly traded or listed company] by an independent public accounting firm in accordance with the rules of the Board [Public Company Accounting Oversight Board] or the Commission [the US Securities and Exchange Commission]…” 10. I nternational Auditing and Assurance Standards Board. “International standard on auditing 200: Overall objectives of the independent auditor and the conduct of an audit in accordance with international standards on auditing.” Online at: tinyurl.com/6oyvbat [PDF]. 11. T  he International Federation of Accountants develops international standards on ethics, auditing and assurance, education, and public sector accounting standards through its independent standard-setting boards, which include the International Auditing and Assurance Standards Board. See web.ifac.org/download/Facts_About_IFAC.pdf 12. See tinyurl.com/75eoxuw 13. See www.theiirc.org/the-iirc 14. See www.theiirc.org/about 15. See www.theiirc.org/the-iirc 16. Deloitte. “Integrated reporting: Is your message lost in regulation?” 2011. Online at: tinyurl.com/7vdphmt [PDF]. 17. Ernst & Young. “Integrated report: Content outline.” 2011. Online at: tinyurl.com/6wdssod [PDF]. 18. KPMG. “Integrated reporting: Closing the loop of strategy.” 2010. Online at: tinyurl.com/6m8swmq [PDF]. 19. PricewaterhouseCoopers. “Insight or fatigue? FTSE 350 reporting.” 2010. Online at: www.pwcwebcast.co.uk/cr_ftse350.pdf 20. The ACCA event can be accessed at tinyurl.com/6we2ndm 21. Eccles, Ioannou, and Serafeim (2011). 22. Ioannou and Serafeim (2011). 23. I nternational Integrated Reporting Committee. “Towards integrated reporting: Communicating value in the 21st century.” September 12, 2011. Online at: tinyurl.com/6k4y8w4; p. 3. 24. F  or discussions of the role of the Internet in integrated reporting, see chapter 7, “The Internet and integrated reporting,” in Eccles and Krzus (2010), and Eccles and Armbrester (2011).

176

NEW INSIDE PAGES FINAL copy.indd 176

13/02/2012 12:58

Integrated Reporting Requires Integrated Assurance 25. See tinyurl.com/88w5tvv [PDF]. 26. P  hilips Annual Report 2010: www.annualreport2010.philips.com/downloads/. See Section 14.5, page 206, for the KPMG independent auditor’s report on the 2010 Philips financial statements, and Section 15.7, page 221, for the KPMG independent assurance report on the 2010 Philips sustainability statements. 27. N  ovo Nordisk Annual Report 2010: tinyurl.com/87vmptm. See page 110 for the PricewaterhouseCoopers independent auditor’s report on the 2010 Novo Nordisk financial statements and page 111 for the PricewaterhouseCoopers independent assurance report on the 2010 Novo Nordisk nonfinancial information. 28. K  PMG. “KPMG international survey of corporate responsibility reporting 2011.” November 2011. Online at: tinyurl.com/7z46ne8 [PDF]. 29. D  eloitte IAS Plus. “Summaries of international financial reporting standards … Conceptual framework for financial reporting 2010.” September 2010. Online at: www.iasplus.com/standard/framewk.htm. Note: International Financial Reporting Standards are only available through a subscription service. 30. F  inancial Accounting Standards Board. “Statement of financial accounting concepts no. 8: Conceptual framework for financial reporting.” September 2010. Online at: tinyurl.com/86c5dr9; para. QC11. 31. T  SC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976). See also Basic, Inc. v. Levinson, 485 U.S. 224 (1988). 32. International Auditing and Assurance Standards Board. “International standard on auditing 320: Materiality in planning and performing an audit.” Online at: tinyurl.com/7mekuor [PDF]; para. 4. 33. TSC v. Northway, op. cit. 29. 34. P  ublic Company Accounting Oversight Board. “AT section 101: Attest engagements.” Online at: pcaobus.org/Standards/Attestation/Pages/AT101.aspx; para. 67. 35. I nternational Auditing and Assurance Standards Board. “International standard on assurance engagements 3000: Assurance engagements other than audits or reviews of historical financial information.” Online at: tinyurl.com/7h2fez7 [PDF]; para. 23. 36. CorporateRegister.com, op. cit. 5. 37. B  anco Bradesco. “2009 sustainability report.” Online at: tinyurl.com/75yj2ug [PDF]; p. 65. Bradesco is one of Brazil’s largest private banks (not controlled by government) in terms of total assets. 38. B  ASF is the world’s leading chemical company. BASF employed about 110,000 people and had approximately 385 production sites worldwide. See tinyurl.com/7xd3s3q 39. L  ’Oréal is the world’s leading cosmetics group. Based in France, the company employed 66,600 people in 130 countries. See tinyurl.com/8ydjhtp 40. P  etrobras was a publicly traded corporation and its the majority stockholder was the government of Brazil. It ranked as the third-largest energy company in the world with a presence in 28 countries. See tinyurl.com/7clh779 41. S  olarWorld was one of the world’s largest solar energy businesses with more than 3,600 employees at production facilities in Germany and the United States. See tinyurl.com/7qlc8dp 42. S  tate Street Corporation was founded in 1972. The company was a global leader in financial services and provided a wide range of products and services for large pools of investment assets. See tinyurl.com/75ga2tb [PDF]; p. 5. 43. Climate Disclosure Standards Board. “Climate change reporting framework.” Edition 1.0. September 2010. 44. S  ociety of Investment Professionals in Germany. “KPIs for ESG: A guideline for the integration of ESG into financial analysis and corporate valuation.” Version 3.0. 2010. Online at: tinyurl.com/6z2msgz [PDF]. 45. GRI G4 developments: tinyurl.com/bvf7rsp 46. GRI G4 first public comment period—survey: tinyurl.com/5t6gmyo 47. International Organization for Standardization. “ISO 14000 essentials.” Online at: www.iso.org/iso/iso_14000_essentials 48. I nternational Organization for Standardization. “ISO 2600 social responsibility.” Online at: www.iso.org/iso/social_responsibility 49. Impact Reporting and Investment Standards. “IRIS standards.” Online at: iris.thegiin.org/iris-standards 50. O  rganisation for Economic Co-operation and Development. “Guidelines for reporting by multinational enterprises.” 2008. Online at: www.oecd.org/dataoecd/56/36/1922428.pdf 51. U  nited Nations Conference on Trade and Development. “Guidance on corporate responsibility indicators in annual reports.” 2008. Online at: www.unctad.org/en/docs/iteteb20076_en.pdf 52. C  enter for Audit Quality. “In-depth guide to public company auditing: The financial statement audit.” May 2011. Online at: tinyurl.com/6lunkeu [PDF]. 53. F  inancial Reporting Council. “True and fair.” July 2011. Online at: tinyurl.com/75trdvx [PDF]. Also: Moore, Martin. “The true and fair requirement revisited: Opinion.” April 21, 2008. Online at: tinyurl.com/5qpfen [PDF]. 54. P  ublic Company Accounting Oversight Board. “AU section 411: The meaning of present fairly in conformity with generally accepted accounting principles.” Online at: pcaobus.org/Standards/Auditing/Pages/AU411.aspx 55. A  dvisory Committee on the Auditing Profession. “Final report.” October 6, 2008. Online at: tinyurl.com/6myfvw5 [PDF]. 56. I nternational Auditing and Assurance Standards Board. “International standard on auditing 620: Using the work of a auditor’s expert.” Online at: tinyurl.com/7fqgrto [PDF]. 57. P  ublic Company Accounting Oversight Board. “AU section 336: Using the work of a specialist.” Online at: pcaobus.org/Standards/Auditing/Pages/AU336.aspx 58. A  dvisory Committee on the Auditing Profession, op. cit. 55, section V, pp. 5–6.

177

NEW INSIDE PAGES FINAL copy.indd 177

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 178

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value through Deeper Environmental, Social, and Governance (ESG) Practices by Henning Dräger BDO, Kyiv, Ukraine

This Chapter Covers 8 The rise of ESG practices in strategic decision making. 8 An overview of the main barriers and opportunities to greater ESG integration. 8 Integrated reporting—a promising evolution of current ESG reporting practices. 8 Practical tips for effective corporate ESG engagement.

Introduction

The path to a fully fleshed out concept of environmental, social, and governance (ESG) concerns has been a long and illustrious one spanning many centuries, a myriad of philosophies and political concepts, and the refinement of ethical behavior and practices. That decisions about potential investments, asset valuation, risk appraisal, and partnerships should be based on more than financial returns has found proponents in many corners over time, ranging from the Quakers, abolitionists, philanthropists, progressive company owners, and environmental and social movements all the way to today’s socially responsible investment (SRI) fund managers. Jumping to the latter part of the 20th century, a string of events—including the Bhopal gas disaster in 1984, the Chernobyl nuclear disaster (1986), the Exxon Valdez oil spill (1989), and the increased focus on companies operating in apartheid South Africa— led to renewed debate and pressure for greater accountability beyond the bottom line. These events were accompanied by a number of impactful books and reports, from Rachel Carson’s Silent Spring (1962), which documented the detrimental effects of pesticides on the environment, and the Club of Rome’s Limits to Growth (1972), on the consequences of global population growth based on a finite resource base, to E. F. Schumacher’s Small Is Beautiful: A Study of Economics as if People Mattered (1973), which outlined appropriate use of technology and highlighted the sustainability problems inherent in the modern economic system. One of the first examples of involving investors in applying political pressure to companies materialized in 1989 when the Ceres coalition of investors and environmental groups was formed. By leveraging the power of its collective investors to encourage companies and capital markets to incorporate environmental and social challenges into their day-to-day decision-making, Ceres was one of the pioneers in catalyzing the formalization of ESG practices. Today the Ceres coalition represents one of the world’s strongest investment groups, with more than 60 institutional investors from the United States and Europe managing over US$4 trillion in assets.1

179

NEW INSIDE PAGES FINAL copy.indd 179

13/02/2012 12:58

Effective Auditing for Corporates The 1992 Rio de Janeiro Earth Summit catalyzed further corporate interest in exploring the concept of sustainable development. This spawned the 1995 World Business Council for Sustainable Development (WBCSD), which was formed to share knowledge, experiences, and best practices, and to advocate business positions on these issues in a variety of forums, working with governments, NGOs, and intergovernmental organizations.2 However, it was sustainability consultant John Elkington’s seminal book Cannibals with Forks: The Triple Bottom Line of 21st Century Business (1998) that brought the concept of a financial, social, and environmental bottom line to a global audience. As well as widening the debate on companies’ nonfinancial value creation and destruction, its attempt to monetize their social and environmental impacts remains a key contribution that is reflected in many of today’s corporate social responsibility, ESG, and sustainability initiatives. Today a growing number of global initiatives, including the UN Environment Programme Finance Initiative (UNEP FI) and UN Global Compact, promote the formalization of linkages between sustainability and social and financial performance. It is, however, fair to say that the agreement and promotion of ESG practices is still met by dominant behavior of the type already identified by influential economist Milton Friedman when in the 1970s he put forward his arguments for businesses to abandon any other role than to maximize profits. Friedman wrote that “there is one and only one social responsibility of business—to use its resources and engage in activities designed to increase its profits…”3 Friedman’s core arguments continue to echo in today’s debate about the role of companies in engaging in and profiting from solutions to the global environmental and social challenges posed by climate change, poverty, and the energy needs of a growing population. For all the headway proponents of ESG have made, this ingrained and systemic view is quite possibly the biggest obstacle to mainstreaming social, environmental, and governance criteria for corporate activities in the absence of global legislation. However, the evidence base that corporate engagement with ESG practices can be positive and profitable is growing, as will hopefully be reflected in the rest of this chapter.

The ESG Concept and its Peers

It will be helpful to start with a clarification and framing of the sometimes overlapping concepts that share the ESG space. As our focus here is the ESG concept we start with that, and brief explanations of rival concepts, such as corporate social responsibility (CSR), follow at the end of the section.

ESG

ESG refers to a company’s environmental, social, and governance policies and practices, which can be studied by investors to evaluate its corporate behavior, wider risk profile, and the impacts these policies and practices may have on its future performance. Disclosure of ESG data has a clear investor focus, often including key performance indicators (KPIs), continuous data streams, links with annual reports, and the position

180

NEW INSIDE PAGES FINAL copy.indd 180

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value relative to any industry-specific benchmarks. The inclusion of the governance aspect clearly differentiates ESG from other concepts, such as CSR. As calls from investors for increased ESG disclosure grow louder, a number of countries are mandating, or taking steps toward mandating, disclosure on ESG performance. In the United Kingdom, for example, requirements for a business review are laid out in the Companies Act 2006 and are also required under the EU Accounts Modernisation Directive.4 In the case of a listed company, the business review of that company must include information on a range of ESG issues to the extent necessary for an understanding of the development, performance, or position of the company’s business. This includes information about the impact of the company’s business on the environment, the company’s employees, and social and community issues, as well as information about any policies adopted by the company in relation to these issues and information on the effectiveness of those policies.5 ESG factors are a subset of nonfinancial performance indicators that includes sustainable, ethical, and corporate governance issues such as managing a company’s carbon footprint and ensuring that there are systems in place to ensure accountability. It can be argued that the application and corresponding scrutiny of ESG practices is dominated by listed companies and investment-related stakeholders, as reflected by initiatives such as the FTSE4Good index series, the Johannesburg Stock Exchange SRI Index, and Bloomberg’s inclusion of ESG data on its terminals. Nonlisted, privately held companies—including millions of small and mediumsized enterprises (SMEs)—are currently missing from the ESG debate. It is worth remembering that this group collectively makes significant economic and social contributions in many countries, including the European Union with its 23 million SMEs representing 99.8% of all EU enterprises and employing more than 90 million people.6 SMEs also have a marked environmental footprint, accounting for roughly 64% of industrial pollution in the EU7 and thought to be responsible for around 60% of global carbon dioxide emissions.8 Further discussion of the application of ESG in the SME space is beyond the scope of this chapter, so the focus returns to the evidence of unlocking strategic value presented by overwhelmingly listed companies. We will now illustrate each component of ESG with a list of commonly formalized policies dependent on the respective legislative requirements, corporate emphasis, and ambition to, for example, set reduction targets. In addition, recent examples of headline-grabbing corporate incidents will be used to underscore the risk that a lack of coherent ESG policies can pose.

Environment

This component concerns energy use, water consumption, waste management, and emissions management, as captured in formalized environmental management systems and standards such as ISO 14001.

181

NEW INSIDE PAGES FINAL copy.indd 181

13/02/2012 12:58

Effective Auditing for Corporates The Deepwater Horizon oil incident, which ran from April to July 2010, is the largest recorded accidental marine oil spill in the history of the petroleum industry. Eleven workers lost their lives, and the spill continues to have enormous environmental, community, and economic impacts. Despite the complex web of contractors that worked on the Macondo oil platform, the US government named BP as the responsible party and ordered the company to pay for all clean-up costs and other damages. Both external and BP internal investigations showed that better strategic management of decision-making processes within BP, better communication within and between BP and its contractors, and effective environmental risk and safety training of key engineering and rig personnel would have prevented the Macondo incident. An expected US$40.9 billion cleanup and settlement bill,9 stringent government oversight of clean-up operations, implementation of expensive new safety procedures, and continued publicity from oil-drenched beaches and affected communities make for a significant dent in the public brand and reputation of a global company that has stressed its desire to go “beyond petroleum.” It has been argued that more attention to ESG disclosure on BP’s operations in the Gulf of Mexico would have raised issues concerning the role of subcontractors and their application of environmental and health and safety standards. This conclusion was reached by the National Commission on the BP Deepwater Horizon oil spill and offshore drilling, which stated that “industry [was] unprepared to respond to a massive deepwater oil spill, even though such a spill was foreseeable…oil and gas companies are in this together, and they must adopt rigorous standards through an industry-wide Safety Institute, or risk losing access to these leases and resulting profits…”10 FairPensions, a United Kingdom-based foundation promoting responsible investment by pension schemes and fund managers, found that “The recent oil spill off the Gulf of Mexico is the latest in a growing list of avoidable environmental, social and corporate governance (ESG) crises to have serious negative impacts on UK pension funds…the neglect of ESG risks could constitute a breach of fiduciary duty.”11

Social

The social element of ESG covers equal opportunities policy, employee training, fair labor and supply chain practices, customer policy and fulfillment systems, employee volunteering and community engagement programs, and health and safety procedures. In 2010, 13 suicide attempts by Chinese workers at manufacturing giant Foxconn, one of the world’s largest manufacturers of electronics and computer components for global brands like Nokia, Sony, Apple, and Dell, attracted international attention and condemnation for not addressing a working environment rife with exploitation and mistreatment. It highlights a historical issue of labor practices along an often very long and complex supply chain of multinational companies where expected profit margins often drive the need for low production costs. Apple’s due diligence and social audit of the plant in question brought much unwanted media attention in the run-up to, in particular, its global iPad launch. A number of global brands, including Apple, are reconsidering their contracts with Foxconn as a result of the increased scrutiny and, although the outcome has not been published yet, it highlights the fact that unchecked labor risks in the supply chain are very likely to point back to an often well-meaning outsourcing company. However, as a result of the public criticism, Apple launched its

182

NEW INSIDE PAGES FINAL copy.indd 182

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value first ever supplier responsibility report,12 which outlined a supplier code of conduct and disclosed partial results of its investigations. Many eyes remain on the firm to see how it addresses the root causes of these issues, including the adoption of greater ESG risk disclosure alongside its usually very strong financial results.

Governance

The governance component covers responsibility to stakeholders, ESG risk management, bribery policy, systems and reporting, codes of ethics, and remuneration policies. The Royal Bank of Scotland (RBS) and its chief executive Sir Fred Goodwin became embroiled in a national media storm in 2009 when it emerged that, despite receiving £45 billion in public funds to stabilize its operations during the financial crisis, it was pressing ahead with awarding the outgoing Goodwin a £17 million pension and other benefits. Outrage greeted Goodwin’s pension deal, his home was attacked, members of his family have been abused, and he was forced to flee to a secret location. The UK Treasury even took up the issue of reviewing the corporate remuneration policy of the part-nationalized bank in the absence of action within RBS.13 The bank’s remuneration committee decided to not to change this arrangement, declaring that it “would not be a cost effective route to take at this time…[and] that there was no wrongdoing or misconduct that could justify reducing his pension.”14 Increased scrutiny and pressure to revisit remuneration policies finally ended with Goodwin voluntarily foregoing £4.7 million of his pension, while RBS, which still is 70% owned by the British taxpayer, revamped its governance policies relating to future executive remuneration.

Corporate Social Responsibility

Corporate social responsibility (CSR) policies and practices have a much wider stakeholder focus, whereby business monitors and ensures its active and often voluntary compliance with the spirit of the law, ethical standards, and international norms. The economic benefits of social and environmental initiatives are often highlighted, yet often not well quantified, by companies reporting on CSR activities. The most prominent CSR reporting standard is the Global Reporting Initiative’s (GRI) G3 guidelines, which use a triple bottom line approach (environmental, social, and economic) to reporting alongside an elaborate management framework description. Extensive stakeholder mapping and engagement practices are often key elements of CSR programs and are instituted to create a dynamic two-way communication channel. Denmark remains the only country to require its largest private and stateowned companies to include corporate social responsibility information using GRI guidelines in their annual financial reports from the beginning of 2010.15 CSR activities are sometimes criticized for being “fluffy,” “nondescript,” and “windowdressing” by critics, who point to their potential to distract from damaging economic business practices. BP’s global advertising campaign to go “beyond petroleum” is an example of where investments in renewable energy are dwarfed by the continued expansion of traditional carbon-based energy sources, thus raising questions over the seriousness of the company’s commitment. Increasing evidence suggests that companies with documented and visible commitment to CSR strategies and practices receive more favorable recommendations by financial

183

NEW INSIDE PAGES FINAL copy.indd 183

13/02/2012 12:58

Effective Auditing for Corporates analysts, with positive impacts on value creation in equity markets.16 If this trend continues it could signal a significant change in the role of company auditors in including an evaluation of nonfinancial activities and the role of the latter in potentially adding or diminishing financial value.

Other Concepts and Standards

There are a significant number of hybrid reporting formats covering various parts of the ESG and CSR area which companies have adopted to showcase their activities. These go under various names, including corporate responsibility (CR), sustainability reporting, social reporting, and socially responsible investing (SRI) principles. A number of standards and reporting templates are available to companies that allow them to focus on material aspects and impacts of their activities and disclosure. These include the AA1000 standard for assessing and strengthening the credibility and quality of companies’ social, economic, and environmental reporting; ISO 26000 guidance on social responsibility; and Carbon Disclosure Project reporting. The AA1000 AccountAbility Standard (2008) demands that an organization actively engages with its stakeholders, fully identifies and understands the sustainability issues that will have an impact on its performance—including economic, environmental, social, and longer-term financial performance—and that it then uses this understanding to develop responsible business strategies and performance objectives.17 ISO 26000 is intended to assist organizations in contributing to sustainable development. Its aim is to encourage them to go beyond legal compliance, recognizing that compliance with the law is a fundamental duty of any organization and an essential part of its social responsibility. It is intended to promote a common understanding in the field of social responsibility and to complement other instruments and initiatives for social responsibility.18 Finally, the Carbon Disclosure Project (CDP) holds a database for companies and cities across the world’s largest economies to measure and disclose their greenhouse gas emissions, climate change risk, and water management strategies.19 Although voluntary standards, they all represent a significant step toward corporate adaptation and global standardization following the path of more established frameworks such as the International Financial Reporting Standards (IFRS).

ESG As a Corporate Value Driver

Before embarking on any examination of current practices or the development of existing ESG practices, it is helpful to look at the main aims of any planned activities. Many companies that are considered successful in planning, deploying, and linking ESG with their business strategy have started by looking at the rationale and drivers for any activity, as illustrated in Table 1.

184

NEW INSIDE PAGES FINAL copy.indd 184

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value Table 1. Aims and drivers to be considered in linking ESG to business strategy External aims and drivers

Internal aims and drivers

Trust

Cost-effectiveness

Transparency and accountability

Innovation

Compliance and preempting possible future legislation

Motivation

Corporate responsibility behavior

Benchmarks and KPIs

Competitiveness

Management systems and reward structure

Attractive valuation

Attracting and retaining quality employees

Supply chain relations

Culture-building

Brand- and reputation-building

Shared vision

Risk management Effective wider stakeholder engagement

The accompanying two case studies demonstrate the effectiveness of having a clear ESG aim before launching any activities. When looking at the drivers it is important to distinguish between efforts required by law, such as the 1974 UK Health and Safety at Work Act, and ESG activities that often go beyond compliance. Compliance is assumed, so our focus in the case studies is on corporate ESG practices that create tangible value beyond fulfilling environmental, social, health, and governance-related requirements. Case Study 1

Interface, Inc.

Founded in 1973, Interface has grown to be a global leader in the design, production, and sale of environmentally responsible modular carpet for the commercial, institutional, and residential markets and a leading designer and manufacturer of commercial broadloom. Listed on the US NASDAQ stock exchange, in 2010 the company had sales of US$961.8 million and an operating income of US$29.5million.20 In the mid-1990s, Interface’s chairman and CEO Ray C. Anderson radically shifted the company’s strategy, aiming to redirect its industrial practices to include a focus on sustainability without sacrificing its business goals, and he began building a model to fully integrate sustainability across all Interface’s business decisions. Anderson’s enthusiasm for his vision, which was later named “Mission Zero,” led to its becoming the company’s vision, embraced by employees at every level and integrated into the company’s culture and beliefs. Employees became ambassadors for Mission Zero, introducing the idea to customers as a way to meet their own clients’ needs and expectations.

185

NEW INSIDE PAGES FINAL copy.indd 185

13/02/2012 12:58

Effective Auditing for Corporates Mission Zero Interface’s management team realized and decided that for ESG value to be realized it had to be approached from a systems or “whole company” perspective. They set the company the extremely ambitious goal of having zero negative impact on the environment by 2020. This would be achieved through complete employee buy-in—spurring tangible innovation, which in turn would result in increased profits. The company has set out three strategic pathways with key steps toward achieving Mission Zero:

8  Footprint: Professional tracking and reduction of environmental impacts in the entire supply chain, fossil fuel-based energy usage, buildings, waste, distribution, and all transportation; all progress in these areas to be independently audited. 8 Products: Creating innovative products taking into account social and environmental impacts, and combining innovation with investment in technology to support Mission Zero. 8  Culture: Leading, sharing with, and empowering employees to use innovation to support mission aims, and the creation of an “Eco Dream Team” of employees and external environmental thinkers to bring fresh perspectives and challenge new thinking. In addition, Interface has distilled a number of success factors; these do not necessarily fit every company, but they are worth bearing in mind when embarking on a deeper ESG engagement.

8  Set very ambitious goals to drive innovation and constantly think of different, better ways to meet the goals.

8  Think about the legitimacy and credibility of all efforts and resources that are put into developing and integrating ESG practices.

8  Address material issues and challenges that are currently in the way of deepening ESG practices, including the possible redesign of core products and processes. 8  The long-term business case for ESG has to be made at all times, so always integrate ESG targets with your business strategy. 8  Start and catalyze discussions at all company levels about the benefits of engaging with ESG. 8  See ESG engagement as a source of innovation for new products and services. One result of Interface’s engagement with ESG is that the company has reduced its overall carbon footprint by 60%, with an estimated US$433 million in avoided waste costs since 1995.21 Finally, Interface’s ESG efforts have spawned a new line of business, InterfaceRAISE, which consults with organizations worldwide to imagine, plan, and execute new ways of advancing their business goals to be in line with the stringent ESG standards.

186

NEW INSIDE PAGES FINAL copy.indd 186

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value Case Study 2

Novo Nordisk

Novo Nordisk (Novo) is a Denmark-based global healthcare and pharmaceutical company with 88 years of experience in diabetes care. The company also has leading positions in hemophilia care, growth hormone therapy, and hormone replacement therapy. Novo is listed on the NASDAQ OMX Nordic (Copenhagen) and the New York Stock Exchange; in 2010 revenues were 60,776 million Danish kroner (kr) with an operating profit of kr18,891 million. The company has been a global pioneer in integrating ESG parameters into its core business strategy using a suite of connected approaches that include triple bottom line decision-making, innovative and extensive stakeholder engagement practices, and fully integrated reporting of financial and nonfinancial results. Novo’s articles of association state that the company “strives to conduct its activities in a financially, environmentally and socially responsible way.” The triple bottom line plays the key role in earning and maintaining Novo Nordisk’s license to operate and innovate. One of the key drivers for successful triple bottom line management has been Novo’s extensive use of ESG KPIs across the organization linked to business performance and individual remuneration. Linking potential individual financial benefit to the finding of new or innovative ways to service its key stakeholders within the core ESG framework has, just as with Interface, enabled the company to create positive value in financial, brand, patient service, and PR terms. The second differentiating factor contributing to Novo’s success is the engagement with its stakeholders using a multitude of platforms. Key stakeholders include people with diabetes and others who rely on the company’s products, customers (i.e. public healthcare providers and payers), employees, investors, suppliers, and other business partners, neighbors, and key publics. Novo has been one of the first companies to use YouTube, Twitter, Facebook, and LinkedIn to map and service its stakeholder network in addition to the more traditional events, surveys, and campaigns. Finally, in 2004 Novo adopted the practice of producing an integrated report—merging its financial and sustainability reports into one inclusive document—in order to reflect this ESG approach. By linking financial performance indicators with ESG practices and input, Novo was one of the earliest adopters of an increasingly prominent ESG reporting trend to a single report or integrated corporate reporting. Integrated reporting will be explained in more detail below. Novo remains a highly profitable, global leader in its field, with ESG practices at its strategic hub, and it believes that this approach will act as a “future-proofing” from sustainability and competitive challenges to come.

Barriers to ESG

Although Interface and Novo are not unique in their application of ESG practices, it is the clarity and depth of their commitment to grow positive financial and nonfinancial results in tandem as well as taking a truly strategic view as far as 50 years ahead that sets them apart from their ESG peers. The latter point—the need to take a longer-term

187

NEW INSIDE PAGES FINAL copy.indd 187

13/02/2012 12:58

Effective Auditing for Corporates view—was mentioned earlier as a significant barrier to ESG becoming mainstream. The markets and investor community are still heavily focused on short-term earnings and value creation, whereas investment in strategic ESG practices such as a robust carbon-reduction plan often will only lead to significant financial gains in the medium to longer term. Some observers argue that—in the absence of greater regulatory pressure, which is stalling efforts to bring about the international harmonization of ESG approaches as well as any truly visible and widespread demand from investors and stakeholders for enhanced ESG disclosure—companies should return their focus to purely financial duties, possibly adding some undemanding CSR activities. Indeed, there is a some considerable discrepancy between companies’ claims about their ESG implementation and what scrutiny by independent sources suggests. A recent report by UK environmental consultancy Carbon Smart reveals that the vast majority of the carbon and environmental claims made by FTSE 350 companies lack sufficient credibility and verification. Only 19% of FTSE 350 companies provided a formal assurance statement for their sustainability reports—i.e. the other 284 companies provided no thorough, independent verification of their claims Also, only 24% of the assurance statements that were provided met acceptable standards.22 In contrast 76% of FTSE 100 companies produced a sustainability report in 2010, and an impressive 82% of the FTSE Eurotop 100 companies published their ESG commitments—which begs the question whether companies are motivated to make a business case for sustainability. The Global Reporting Initiative (GRI), provider of one of the most comprehensive frameworks for producing ESG reports, published the following observations in its 2010 review: 8 there was a 22% year-on-year increase in the number of GRI reports worldwide; 8 47% of all reports were independently assured. A 2010 UN Global Compact survey that questioned more than 100 global CEOs and CFOs about drivers and barriers to the integration of ESG into core business strategy revealed a range of insights, catalysts, and brakes: 8 93% believed that sustainability issues would be critical to the future success of their business; 8 72% thought that strengthening brand, trust, and reputation was the strongest motivator for taking action on sustainability; 8 72% identified sustainability education across all functions as one of the critical development issues for the future success of their business; 8 49% cited the complexity of implementation across functions as the most significant barrier to implementing an integrated, company-wide approach to sustainability; 8 58% saw the consumer as most important stakeholder in influencing the way in which companies will manage societal expectations over the next five years;

188

NEW INSIDE PAGES FINAL copy.indd 188

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value 8 full integration of sustainability into performance management frameworks and approaches to training and development was seen by some respondents as some way off.

The Role of ESG Agents and Drivers

To overcome the real and perceived barriers to adopting ESG as a corporate value driver, a number of agents have launched innovative initiatives to raise awareness and prompt greater urgency in the light of the sustainability challenges that face societies globally. Before we examine some concrete initiatives that are being used to heighten the awareness of ESG practices on investor and corporate radar screens, let us look at Figure 1, which illustrates the agents and drivers that are currently interacting in the ESG arena. Figure 1. Map of ESG drivers and agents (see More Info for further details and links) Guidelines

Conventions

UN Global Compact Global Reporting Initiative International Integrated Reporting Committee

Management standards

Screening agencies

Indexes

OECD EU guidelines International Labour Organization

FTSE4Good Dow Jones Sustainability Indexes

ESG organizations Company

ISO 26000 ISO 14001 Carbon Disclosure Project

Assurance standards AA1000 Assurance Standard 2008 SA8000 Social Accountability

UN Environment Programme Finance Initiative World Business Council for Sustainable Development Eurosif International Integrated Reporting Committee World Economic Forum EU

Auditors BDO KPMG Ernst & Young

Investor

Rating and recognition Bloomberg Corporate Register SustainableBusiness.com

Ethical Investment Research and Information Service Innovest MSCI

Investor guidelines Carbon Disclosure Project British Insurers UN Principles for Responsible Investment

SRI asset managers SVM Asset Management Threadneedle Investments Aviva Investors

The different agents depicted in Figure 1 all play a role in either the company or the investment community in driving the development of ESG practices. Not all play an equally active role, as some work proactively on platforms to develop, for example, guidelines for reporting and incorporating ESG into the business. Two interesting and encouraging ESG initiatives in rating and reporting shown in Figure 1 are gaining increasing prominence in company and investor circles and so will be covered in more detail.

Bloomberg’s ESG Rating Terminal

An increasing push to greater ESG disclosure comes from the investment and rating world. In addition to the established sustainability indexes that link financial performance with ESG criteria, including the FTSE4Good and Dow Jones sustainability indexes, in July 2009 Bloomberg started to offer its corporate terminal subscribers ESG data and ratings at no extra cost.23

189

NEW INSIDE PAGES FINAL copy.indd 189

13/02/2012 12:58

Effective Auditing for Corporates More than 300,000 global terminal customers can now see ESG data—such as greenhouse-gas intensity per sale, water usage, employee fatalities, toxic discharge, and more than 100 other indicators—as part of their basic package alongside the other traditional indicators. Early results show that investors are using this facility: in the second half of 2010, 5,000 unique customers in 29 countries accessed ESG indicators via Bloomberg’s screens more than 50 million times—a 29% increase over the first half of that year. Meanwhile the competition is not sleeping—Goldman Sachs, Deutsche Bank, UBS, Merrill Lynch, and Credit Suisse are launching their own divisions to analyze ESG data and devise additional services. There is clearly increasing evidence that the market for ESG reporting and information is growing despite the overwhelming number of initiatives being voluntary. Multiple sustainability challenges and opportunities—for example, managing the impacts of predicted climate change, poverty alleviation, the provision of jobs, housing, and food for a growing population, and powering our economies using low-carbon energy—loom on the horizon. Engaging and integrating ESG metrics and practices alongside financial parameters can be seen as an extension of the corporate risk screen to anticipate future challenges.

Integrated Reports: The Future of ESG Reporting

What is an integrated report? The reason for creating an integrated report is to demonstrate the linkages between an organization’s strategy, governance, and financial performance and the social, environmental, and economic context within which it operates. By reinforcing these connections, integrated reporting aims to help business to take more sustainable decisions and to enable investors and other stakeholders to understand how an organization is really performing. Novo Nordisk has enthusiastically embraced integrated reporting as a strategic tool for linking financial and nonfinancial performance for investors and wider stakeholder groups to scrutinize.24 What form does it take? An integrated report is often a single report that is also the organization’s primary report—in most jurisdictions this is the annual report or equivalent. Each element of an integrated report should provide insights into an organization’s current and future performance. Central to integrated reporting is to address the material issues and challenges facing the organization in order to demonstrate in a clear and concise manner that it can create and sustain value in the short, medium, and longer term. Why is it needed? The last few years have seen the worst financial crisis since the 1930s—a crisis that was in part driven by individuals and organizations focusing on short-term profits and rewards irrespective of their long-term sustainability. The crisis has demonstrated the need for capital market decision-making to reflect long-term considerations and has called into question the extent to which corporate reporting disclosures, as they exist today, highlight systemic risks to business sufficiently. Integrated reporting is considered by proponents and an increasing number of reporting companies to provide an important step for organizations facing the challenges of the 21st century, challenges that include taking a longer view on value creation and attempting to quantify the contribution of nonfinancial intangible inputs to overall performance.

190

NEW INSIDE PAGES FINAL copy.indd 190

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value What is the current state of reporting? Current reporting standards, such as International Financial Reporting Standards (IFRS) or US Generally Accepted Accounting Principles (US GAAP), require organizations to produce a fair and reasonable account of their business in audited financial reports. Often, these reports do not fully consider the social, environmental, and long-term economic context within which the business operates. Some companies produce sustainability or ESG reports that consider these factors. However, these reports do not necessarily connect the risks and opportunities with the business strategy and model. Who is behind integrated reporting and what are their aims? The International Integrated Reporting Committee (IIRC) comprises an international cross-section of leaders from the corporate, investment, accounting, securities, regulatory, academic, and standard-setting sectors as well as civil society. The IIRC believes that integrated reporting will help to bring together data that are relevant to the performance and impact of a company in a way that will create a more profound and comprehensive picture of the risks and opportunities a company faces—specifically, in the context of the drive toward a more sustainable global economy. Financial professionals who wish to expand their knowledge of nonfinancial risk and ESG standards would do well to follow developments within the integrated reporting space. Such reporting aims to unite the leading ESG frameworks, including the Global Reporting Initiative, ISO, and AA1000, with the well-established financial standards of IFRS into a single, coherent framework. While a very ambitious aim beset by entrenched opinions on the perceived burden of additional reporting requirements and other complexities, integrated reporting is gathering momentum among corporate stakeholders.25

Summary This final section brings together learning points for professionals engaged in ESG and nonpractitioners alike based on the above examples, my experience, and latest developments in the ESG field. Every company and industry faces different challenges and opportunities by engaging with ESG in order to unlock strategic value. What Interface and Novo Nordisk, among others, have demonstrated is that the corporate ESG journey often starts with a single but significant step of deciding to engage with issues material to the company concerned. The learning points presented below should not be seen as prescriptive but, taken together, as a proven catalyst for better ESG engagement.

Strategic Engagement 8 As part of a gap analysis, review existing environmental, labor, and governance practices and policies; assess any opportunities and challenges that may arise from lack of integration.

191

NEW INSIDE PAGES FINAL copy.indd 191

13/02/2012 12:58

Effective Auditing for Corporates 8 Senior management buy-in and ownership is critical to success, so make ESG a priority by assigning it to a director with clearly defined responsibilities for the task. 8 Establish which ESG issues are material to your company’s operations—for example, high CO2 emissions or high employee turnover—and make them the starting line for engagement. 8 Consider establishing a cross-functional ESG taskforce to get feedback and generate ideas on how to frame an ESG business case. 8 Research your peers’ ESG efforts and any efforts that have been made by others in your industry; look for inspiration from ESG leaders, including Novo Nordisk and Interface.

Targets, Benchmarks, and Processes 8 Setting targets based on your ambitions, resources, and priorities is better than publishing ESG progress statements that say “we are looking at it.” 8 Always remember that if an ESG factor/activity can’t be measured, it can’t be managed—and certainly not reported credibly. An example of how to proceed is Unilever’s 2020 goal to help more than a billion people to improve their hygiene habits and bring safe drinking water to 500 million people.26 Through thorough research on reach and pilot projects, the company has been able to put in place ESG targets for the coming eight years and has made them open to scrutiny. 8 There are a number of robust templates for collecting, benchmarking, and reporting ESG data for each stage of the ESG journey. The Global Reporting Initiative’s G3 guidelines, the ISO standards, and AccountAbility’s AA1000 series (all explained in this chapter) are good places to start. Many leading companies have adopted a combination of these standards and provided feedback on how to improve their functionality, with the result that they are attracting a growing number of adopters from SMEs to multinational corporations.

Stakeholder Communication 8 Communicate and share your vision and plans with employees and key stakeholders. Not only will this gain buy-in and support for future ESG efforts, but the work will have much greater impact if vendors, suppliers, and customers have bought into the ideas both philosophically and practically. A mix of internal and external stakeholder input strengthens credibility and legitimacy. 8 Consider mapping your entire stakeholder web so that you can start engaging with their expectations and suggestions for your ESG efforts. 8 Successful companies make the links between the business case, future ambitions, and the role of ESG efforts clear to their audiences. This includes how KPIs and ESG data support the realization of the business strategy.

192

NEW INSIDE PAGES FINAL copy.indd 192

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value Horizon Scanning 8 Consider using platforms like Twitter, Facebook, and LinkedIn to keep abreast of ESG developments and best-practice examples. 8 Follow developments at EU Commission level on mandatory ESG reporting and the International Integrated Reporting Council’s consultations on the future format of integrated reporting.

Assurance 8 For added credibility, advanced ESG reporters should consider making use of independent assurance to established disclosure standards that are applicable to nonfinancial business reporting. More Info Websites: Assurance Standards: AA1000 Assurance Standard 2008 on sustainability assurance (AccountAbility): www.accountability.org/standards/aa1000as/ SA8000 Social Accountability (British Standards Institution): tinyurl.com/7bbd8m4 Auditors: BDO (Binder Dijker Otte & Co.): bdo.com.ua/lang_en-us KPMG (Klynveld Peat Marwick Goerdeler): www.kpmg.com/uk/en/pages/default.aspx Company Examples: Interface: www.interfaceglobal.com Novo Nordisk: www.novonordisk.com/sustainability/ Puma environmental profit and loss account: tinyurl.com/78ydjn5 Conventions: European Commission on sustainable and responsible business: tinyurl.com/82gyb7v HM Treasury on sustainability and environmental reporting: www.hm-treasury.gov.uk/frem_sustainability.htm International Labour Organization (ILO): www.ilo.org/global/lang--en/ Guidelines: Global Reporting Initiative (GRI): www.globalreporting.org UN Global Compact: www.unglobalcompact.org Indexes: Dow Jones sustainability indexes: www.sustainability-index.com FTSE4Good index series: www.ftse.com/Indices/FTSE4Good_Index_Series/ Investor Guidelines: Carbon Disclosure Project: www.cdproject.net/en-US/Pages/HomePage.aspx UN Principles for Responsible Investment (UN PRI): www.unpri.org

193

NEW INSIDE PAGES FINAL copy.indd 193

13/02/2012 12:58

Effective Auditing for Corporates Management Standards: ISO 14000 Environmental Management: tinyurl.com/23twm5g ISO 26000 Social Responsibility: www.iso.org/iso/social_responsibility News: Sustainability at Work: www.sustainabilityatwork.org.uk Sustainability HQ: www.sustainabilityhq.com Organizations: Eurosif: www.eurosif.org International Integrated Reporting Committee (IIRC): www.theiirc.org UN Environment Programme Finance Initiative (UNEP FI): www.unepfi.org World Business Council for Sustainable Development (WBCSD): www.wbcsd.org Rating and Recognition: Bloomberg: www.bloomberg.com Corporate Register: www.corporateregister.com Sustainable Business: www.sustainablebusiness.com Screening Agencies: Ethical Investment Research and Information Service (EIRIS): www.eiris.org Morgan Stanley Capital International (MSCI): tinyurl.com/78tvgls [PDF]. SRI Asset Managers: Aviva Investors: www.avivainvestors.co.uk SVM Asset Management: www.svmonline.co.uk Threadneedle Investments: www.threadneedle.com UK Sustainable Investment and Finance (UKSIF): www.uksif.org

Notes 1. Ceres: www.ceres.org/about-us/who-we-are 2. WBCSD: www.wbcsd.org 3. Friedman, Milton. “The social responsibility of business is to increase its profits.” New York Times Magazine (September 13, 1970). Online at: tinyurl.com/d86x9 4. EURLex. “Directive 2003/51/EC of the European Parliament and of the Council.” June 18, 2003. Also known as “EU accounts modernisation directive.” Online at: tinyurl.com/7vuxs48 5. EIRIS. “Taking stock: How leading stock exchanges are addressing ESG issues and the role they can play in enhancing ESG disclosure.” November 2009. Online at: tinyurl.com/6nyle47 [PDF]. 6. International Federation of Small and Medium Enterprises (page no longer available, originally accessed July 22, 2011). 7. European Commission—Enterprise and Industry. “Small and medium-sized enterprises (SMEs): Coping with the environmental challenge.” Updated November 19, 2011. Online at: tinyurl.com/7tspg3x 8. Parker, Craig M., Janice Redmond, and Mike Simpson. “A review of interventions to encourage SMEs to make environmental improvements.” Environment and Planning C: Government and Policy 27:2 (2009): 279–301. Online at: ro.ecu.edu.au/ecuworks/360/ 9.  International Business Times. “BP share price down on FTSE 100 as oil spill costs lead to FY loss.” February 1, 2011. Online at: tinyurl.com/84p2mno 10. gCaptain. “National Commission releases final report on Deepwater Horizon oil spill.” January 11, 2011. Online at: gcaptain.com/?p=20322 11. FairPensions. “Managing environmental risk: The Deepwater oil spill & its impact on UK pensions.” June 2010. Online at: tinyurl.com/394rb2s [PDF].

194

NEW INSIDE PAGES FINAL copy.indd 194

13/02/2012 12:58

Full-Spectrum Accounting—Unlocking Strategic Value 12. Supplier responsibility at Apple: www.apple.com/supplierresponsibility 13. Treasury Committee (UK House of Commons Select Committee). “Treasury—Ninth report. Banking crisis: Reforming corporate governance and pay in the City. 3. Remuneration policy in the part-nationalised banks.” Online at: tinyurl.com/7olos3y 14. The Times. “Revealed: The secrets of Sir Fred’s pension.” February 26, 2009. Online at: www.timesonline.co.uk/tol/money/pensions/article5808530.ece [subscription required]. 15. Ibid. 16. Ioannou, Ioannis, and George Serafeim. “The impact of corporate social responsibility on investment recommendations.” Working paper. Harvard Business School, August 2010. Online at: hbswk.hbs.edu/item/6484.html 17. AccountAbility. “AA1000 AccountAbility principles standard 2008.” Online at: www.accountability.org/standards/aa1000aps.html 18. International Organization for Standardization (ISO). “ISO 26000:2010. Guidance on social responsibility.” Online at: www.iso.org/iso/catalogue_detail?csnumber=42546 19. Carbon Disclosure Project: https://www.cdproject.net/en-US/Pages/About-Us.aspx 20. Interface. “Interface reports fourth quarter and full year 2010 results.” February 23, 2011. Online at: tinyurl.com/7nxfja2 21. InterfaceFLOR. “Interface Inc. raises sustainability bar: Zero environmental impact by 2020; environmental product declarations for all InterfaceFLOR products globally by 2012.” Online at: tinyurl.com/8x9nt7x 22. Carbon Smart. “Scandalous sustainability reporting revealed. The majority of leading UK companies lack credibility in their sustainability reporting.” Online at: tinyurl.com/7w2rtrg 23. Tullis, Paul. “Bloomberg’s push for corporate sustainability.” Fast Company (April 1, 2011). Online at: tinyurl.com/4aamozk 24. International Integrated Reporting Council (IIRC): www.theiirc.org 25. IIRC Pilot Programme, including list of companies participating in integrated reporting pilot program as of January 1, 2012: www.theiirc.org/about/pilot-programme 26. Unilever. “Unilever sustainable living plan.” November 2010. Online at: tinyurl.com/6qm2sss [PDF].

195

NEW INSIDE PAGES FINAL copy.indd 195

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 196

13/02/2012 12:58

Charting a Company-Specific Path Toward Continuous Auditing and Monitoring by Joe Oringel Visual Risk IQ, Charlotte, North Carolina, USA

This Chapter Covers 8 This chapter defines continuous auditing and monitoring and the techniques that can be used to provide this more frequent assurance. 8 Central is the use of a multidimensional maturity model that considers people, process, and technology implications and can be used to chart the journey from traditional to continuous auditing activities. 8 A journey toward continuous auditing is not all about technology, especially at first. 8 Internal auditing is about asking and answering the questions necessary to provide assurance to management that its objectives will be achieved. Providing this assurance on a more frequent basis, and with greater confidence through data analysis, increases the value of an internal audit function.

Introduction

Continuous auditing has seemingly been the “next great thing” in internal audit for nearly 20 years. From its roots in embedded audit routines that would send notifications from IT systems to an auditor’s email box, to more modern software for continuous control monitoring or continuous transaction monitoring, continuous auditing has been as much about hype as reality. PricewaterhouseCoopers’s annual state of the internal audit profession surveys regularly report that a majority of internal audit functions are planning to do continuous auditing in the “coming year,” but the number of organizations that have continuous audit programs in place remains much less than 50%. Tomorrow never seems to arrive.

The Audit of the Future: Can the Future Be Now?

Imagine an internal audit department that captures monthly financial and operational data directly from a variety of enterprise systems into a secure, independent data warehouse. An updated “heat map” that summarizes risk and control effectiveness by business process and business segment is calculated and scored based on output from a combination of continuous auditing and traditional auditing activities. Copies of transactions and master files are also compared to similar files from previous periods, and any exceptions or other unusual transactions are identified and researched by a combination of internal audit and management, depending on agreed-upon responsibilities between audit and management. For some exceptions, management is responsible for reviewing and researching the exceptions, and audit verifies management’s work as part of its validation of the updated heat map. For other, higher-risk queries, including many relating to fraud detection and prevention, the exceptions are reviewed by audit prior to review or investigation by management.

197

NEW INSIDE PAGES FINAL copy.indd 197

13/02/2012 12:58

Effective Auditing for Corporates As futuristic as this may sound, it is actually a description of a North American insurance company that first implemented its continuous audit program in 2005. Initiatives for continuous improvement help to ensure the relevance and freshness of its data analysis routines. These provide ever-increasing coverage of key risks to senior management and the board of directors—all while its staff numbers have shrunk by more than 50% since the inception of continuous audit. Although only one or two auditors in the department of 10 are data specialists, all team members are comfortable making basic edits to continuous audit queries on an as-needed basis. How have they accomplished this? What can others learn from them? Read on…

Professional Guidance

The Institute of Internal Auditors’ (IIA) Global Technology Audit Guide no. 3, often referred to as GTAG 3 and titled “Continuous auditing, implications for assurance, monitoring, and risk assessment” was published in 20051 and is still the definitive guidance for establishing a continuous auditing (henceforth CA) or continuous monitoring (henceforth CM) program. Its strengths are outlining the key steps for accomplishing CA and CM, from defining business objectives to acquiring data to evaluating and reporting results.

Key Definitions from GTAG 3 8 Continuous auditing (CA) refers to those methods used by auditors to perform audit-related activities on a continuous basis, including both control and risk assessment activities. 8 Continuous monitoring (CM) consists of processes to ensure that policies and processes are operating effectively and to assess the adequacy and effectiveness of controls. CM is performed by management. 8 Continuous assurance is the combination of CA activities and oversight of CM performed by management. There is an inverse relationship between CA and CM, as illustrated in Figure 1. CM programs often evolve from effective CA programs, as the more interesting and important CA queries tend to be requested by management as tests that they should be running themselves. This migration of CA queries from internal audit is central to the progression described in the maturity model later in this chapter. Figure 1. Monitoring internal controls, showing the inverse relationship between CA and CM Management response

Comprehensive monitoring of internal controls

Little monitoring of controls

Reduced effort

More effective and comprehensive CM programs require less activity and resources for CA. However, if limited CM is in place, greater CA effort is required.

Significant effort/greater resources

Audit effort

198

NEW INSIDE PAGES FINAL copy.indd 198

13/02/2012 12:58

Company-Specific Path Toward Continuous Auditing and Monitoring The Business Case for CA and CM

The IIA published a new GTAG (no. 16) titled “Data analysis technologies” in August 2011 that provides updated guidance on the tools that can be used to accomplish CA and CM (Lambrechts et al., 2011). Benefits of CA and CM, as cited in this publication and supported in practice, include: 8 productivity and cost savings; 8 efficiency in data access; 8 improved risk and control assurance; 8 improved audit coverage; 8 reduced audit risk; 8 shortened audit cycles. Internal audit professionals are strongly encouraged to use data analysis in the conduct of their work, as indicated by several of the IIA’s professional standards. 8 Standard 1220.A: Due professional care. In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques. 8 Standard 2300: Performing the engagement. Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. 8 Standard 2310: Identifying information. Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives. 8 Standard 2320: Analysis and evaluation. Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.2 However, the relationship between data analysis and CA is not always clear. Some data analysis is not CA, and some CA is not data analysis, as illustrated in Figure 2. Examples of data analysis routines that are not CA include ad hoc analyses that are executed once to satisfy a particular audit objective but are not repeated over time. CA includes continuous risk assessment activities such as updating a rolling audit plan on a periodic basis, which is often accomplished through interviews or surveys but not data analysis. Figure 2. The relationship between data analysis and continuous auditing—not all data analysis routines are part of CA, and vice versa Data analysis

Continuous auditing

199

NEW INSIDE PAGES FINAL copy.indd 199

13/02/2012 12:58

Effective Auditing for Corporates Beginning With the End in Mind: Answering Questions With Data Analysis

The word “audit” comes from the Latin auditus, “a hearing,” which itself is formed from the verb audire, “to hear.” As such, auditing is all about asking questions and listening to the answers. To use data analysis effectively for internal auditing, it is important to identify the business questions that one is looking to answer. Example questions for evaluating manual journal entries for authorization and completeness would include: 8 Does the sum of all debits equal the sum of all credits? For each journal entry and for all in total? 8 Were any journal entries approved by the same person as the person who entered them? 8 Were any journal entries posted by user accounts that belong to terminated employees? 8 Which journal entries were entered at the end of one month and reversed at the beginning of the next month? Why? 8 Were any journal entries posted to account ranges, company codes, or country codes by finance staff who are not responsible for these accounts? 8 Were any manual journal entries posted late at night or on weekends? Is weekend work for the accounting staff normal and expected? Data analysis and CA/CM projects should begin with a brainstorming session that identifies the business questions that are looking to be answered, per the QuickStart diagram in Figure 3. These questions should then be related or mapped to the data sources, which are the database files, tables, columns, and rows that contain digital answers to those questions as outlined in the acquire data step. The tasks shown in Figure 3 are not always linear and sequential. It is common for tasks in each step of the methodology to cause some work or rework in the preceding tasks. Iterations between these tasks are expected and beneficial, as they influence the refinements that make the data analysis efforts more valuable on a repeating or continual basis. Figure 3. QuickStart—a methodology for data analysis. (Source: Visual Risk IQ) Brainstorm

Refine and sustain

Analyze and report

Acquire data

Write queries

200

NEW INSIDE PAGES FINAL copy.indd 200

13/02/2012 12:58

Company-Specific Path Toward Continuous Auditing and Monitoring After data are acquired, to include balancing control totals back to an organization’s general ledger or other authoritative source, writing queries can begin. As described above, some refinements, including multiple passes of editing queries and analyzing and reporting, should be expected. In these steps, it is common for thresholds and other programming logic rules to be modified so that the number of exceptions for each query can be practically and effectively researched. The final step in the methodology is refine and sustain, which serves as a key transition from data analysis to CA. During the refine and sustain step, the most interesting queries from the preceding basic data analysis steps should be identified to be rerun at set intervals to address CA or CM objectives.

Refine and Sustain—The Secret Sauce of CA

Let us return to the audit department profiled at the beginning of this chapter. How has it continued to advance its CA initiative? During the second year of its CA program, the department was running 21 distinct CA queries for investigation and follow-up by the audit team. Queries evaluated a cross-section of business process areas, from claims through finance, legal, human resources, and investments, to actuarial. In 2010, its peak year, that number had grown to 33, an approximately 50% growth in total queries in nearly five years. During summer 2011, the number of CA queries had dropped below 30 again, a total similar to that in 2008. But these counts reflect only CA queries—those that are run and evaluated by internal audit. In 2011, the number of CM queries outnumbered the CA queries, and nearly all CM queries began as CA tests but have since migrated to the business. This transition has happened because of frequent meetings between internal audit and business unit management, and the strong desire by management to have a robust monitoring function. As a result, internal audit is continually transitioning queries to management as CM routines, and it is refreshing and redesigning new queries every quarter, based on current perspectives on risk and control effectiveness as identified from CA and traditional process-based audits. Internal audit’s CA and CM programs are continuously improving. Secret sauce indeed.

Capability Maturity Model and CA

GTAG 16 outlines five capability levels, similar to those in a maturity model (see below), that lay out the path between basic data analytics (i.e. Level 1) and continuous monitoring (i.e. Level 5). These five levels are discussed in greater detail in GTAG 16, and help to define a roadmap for moving up in maturity and effectiveness. 8 Level 1: Basic use of data analysis. 8 Level 2: Applied analytics. 8 Level 3: Managed analytics. 8 Level 4: Automated. 8 Level 5: Continuous monitoring. Like any roadmap, its value is to help you understand where you are, where you want to go, and to help identify the path to get there. The GTAG’s capability levels have considerable value in defining that path.

201

NEW INSIDE PAGES FINAL copy.indd 201

13/02/2012 12:58

Effective Auditing for Corporates Maturity Models The Capability Maturity Model (CMM) is a service mark registered to Carnegie Mellon University and most typically refers to a software development model that was first documented in a 1989 book by Watts Humphrey called Managing the Software Process. The model describes a five-step process that begins with initial or ad hoc software development, and progresses through to repeatable, defined, managed, and optimizing maturity levels. Optimizing, the fifth state, is considered ideal and includes mechanisms for continuous improvement. Optimizing is much like refining and sustaining a fully enabled continuous monitoring system. Through each of the five capability levels described above, software development processes become better documented and more repeatable or standard, such that they can be accomplished by a variety of individuals, instead of only the original creator(s). Since its development, the five-step model of CMM has been applied to a variety of business processes, including many that are unrelated to software development. Risk management, quality management, project management, software maintenance, and business continuity planning are all activities that work well within the CMM model.

Shortcomings of the Maturity Model from GTAG 16

Although the use of these capability levels is a plus, the problem is that they focus mostly on CA and CM technology and not on key supporting components, including people, process, audit methodology, governance, and reporting. Buying software is only one step in a multistep, multistage data analysis program. Rarely, if ever, should it be the first step. A further challenge is that at any point in time an organization may be in different stages of the maturity model, depending on the business process (e.g. Level 3 for supply chain vs Level 1 for revenue cycle) or business unit (e.g. Level 4 for the Americas vs Level 3 for Asia or Level 5 for Europe). Attempting to characterize the data analytics maturity for an entire enterprise using a single capability level is difficult, if not impractical.

Introducing an Alternate CA Maturity Model, and Advocating a Customized One

This author advocates a customizable CA maturity model that has a number of dimensions. It builds on a simpler CA maturity model that was first published by Oringel and Aldhizer (2009). One key dimension in this model is the stage in the data life cycle. Specifically, acquiring data, writing and repeating scripts, and analyzing and reporting results are distinct steps in that life cycle. As such, they may progress at a different pace or in a different sequence. Some audit teams may be highly experienced in acquiring data, but rely heavily on corporate IT or other outsiders to write and repeat scripts or to

202

NEW INSIDE PAGES FINAL copy.indd 202

13/02/2012 12:58

Company-Specific Path Toward Continuous Auditing and Monitoring analyze and report results. Similarly, other audit teams may want to advance quickly toward CA from an audit process perspective, but may do so more with manual audit testing than with data analytics. Another model dimension can be people, process, and technology. Because staffing and training is such a key element for an effective data analytics or CA/CM program, it is often beneficial to consider the people implications of building a plan for CA/CM. Examples of these implications include whether to dedicate resources to CA/CM, or to use financial, operational, or technology auditors to accomplish these tasks while they work on other audit projects. See Table 1 for an example of a more detailed maturity model, specific for the acquire data steps, including people, process, technology, and stakeholder expectations. Each row has five maturity steps or levels that allow identification of current and desired capabilities. See Table 2 for another example of a more detailed maturity model for writing and using scripts. The examples in Tables 1 and 2 are intended to be customized by an organization. Descriptions within each cell can and should be customized, depending on the current state and the desired destination. Developing a detailed project plan can result from identifying which specific rows an organization wants to progress, and in what sequence. In practice, we see organizations placing numbered arrows to identify which row and which boxes they want to progress from. These numbers then become the sequence for a project plan to advance their specific CA and CM project plan.

History of These CA and CM Maturity Models

The maturity model examples outlined in Tables 1 and 2 are two of many different maturity models that have been customized in CM boot camp training sessions that the author has helped to deliver to internal auditors as well as finance and compliance professionals across the United States. These tailored models are based on a series of similar models built for a Fortune 500 manufacturing company in 2007 that became the basis for the model published by Oringel and Aldhizer (2009) mentioned earlier. Those original models served as the multiyear communication plan for the organization’s chief audit executive to describe his team’s approach and progress against that plan for their first CA and CM initiative. Those initiatives incorporated a variety of audit process and methodology changes, along with software for trending queries and exception queries in several business process areas. Goals for progress on the maturity model were planned and sequenced, and often rotated between objectives related to people, process, and technology. The team made consistent, meaningful progress throughout a multiyear period, based in large part on the use of the maturity model. The repeatability and broader application of these CA and CM maturity models became apparent in subsequent discussions with other audit executives who had undertaken similar, multiyear CA program efforts with varying degrees of success. In those interviews, they described challenges related to having a sufficient understanding of the business processes for which data were being analyzed, as well as a variety of challenges related to timing and budget that seemed to relate to difficulties in data acquisition.

203

NEW INSIDE PAGES FINAL copy.indd 203

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 204

IA requests reports in digital form for audit projects. Response is timely and includes control totals for validation

Data analysis is a core competence, used on demand

IA requests reports from business or IT periodically. Turnaround times may be erratic. IA validates by tying control totals to ledger/ERP

Primarily manual data capture in MS Office application such as Excel

No expectations of data mining

Method and process

Technology

Stakeholder’s expectations

Standardized, scheduled scripts to retrieve data

Integrated CA and IT systems. IT consults IA before making changes to data

Expectation that enterprise data are fully utilized for risk assessment and audit report

Standardized data acquisition from enterprise systems using stored routines. Centralized storage for access any time

All auditors can acquire data as needed. Use of common libraries/ warehouses to store data

Level 4: Advanced continuous auditing

Reusable scripts for most data acquisition

Consistently use data in planning and executing audits. Acquired directly for each project from enterprise systems

Specialist can acquire data without help from others

Level 3: Scheduled data analytics

Acquire data

Key: CA, continuous auditing; CM, continuous monitoring; ERP, enterprise resource planning; IA, internal audit.

Basic expectations of data mining in audits

Can make specific requests for data needed for audit projects

Little understanding of where data are, what they mean or how to get them

People

 

Level 2: Repeatable data analytics

Level 1: Ad hoc data analysis

 

Table 1. An example CA maturity model view for acquiring data

Data-driven early warnings and risk alerts from businessowned CM system. Access and capability to create own reports

Full access to CM system and any data warehouses

CM performed by the business and IA has full access to data for planning and testing. IA may have a data warehouse which is updated frequently from enterprise data stores

No need for ad hoc data acquisition. All required acquisition embedded with business systems

Level 5: Integrated CM and CA

Effective Auditing for Corporates

204

13/02/2012 12:58

NEW INSIDE PAGES FINAL copy.indd 205

Script writing done mostly by internal resources. Selected IA staff have scripting skills

Limited use of scripts to assess risk and performance as part of audit project activities

Batch-oriented, ad hoc tools such as IDEA, ACL, or others are used

Script writing done mostly by IT or external resources. Selected staff have data mining skills and use output

Data are not used to assess risk and determine audit project activities

Queries in MS Office or from systems owned elsewhere in the enterprise

People

Method and process

Technology

Fully integrated CA/CM systems used and ongoing development

Changes to enterprise systems that require script changes are identified and communicated to IA

Scripts stored in libraries and run on a regular schedule

Output from audit projects becomes input for new scripts to be run at appropriate frequency

Dedicated time and resources for designing and writing scripts

Time allocated between audits for script writing. Limited need for involvement by business process owners

All team members can write scripts

Level 5: Integrated CM and CA

Scripts designed by all team members, written by most. Libraries exist for most processes

Level 4: Advanced continuous auditing

Scripts written by specialists in IA and team members can modify. Building libraries

Level 3: Scheduled data analytics

Write and use scripts

Key: CA, continuous auditing; CM, continuous monitoring; IA, internal audit. IDEA is auditing software produced by CaseWare, Inc.; ACL Desktop and ACL AuditExchange are produced by ACL Services, Ltd.

Level 2: Repeatable data analytics

Level 1: Ad hoc data analysis

 

 

Table 2. An example CA maturity model view for writing and using scripts

Company-Specific Path Toward Continuous Auditing and Monitoring

205

13/02/2012 12:58

Effective Auditing for Corporates None of those other audit executives had used a maturity model to chart their desired journey toward more frequent, data-driven CA or CM. In hindsight, they described their journeys as journeys with multiple starts and stops, and with considerable rework required. Nearly all of the audit executives became highly engaged when they reviewed the CA maturity model, and most had suggestions and stories to relate about how the model seemed to chronicle their journey so well.

Key Learning Points from Maturity Model Interviews

CA often seems more complicated than it really is. By asking members of senior management “what’s new,” one can often gain significant insight into an organization’s risk assessment and risk responses. These updated insights form the foundation of continuous risk assessment that is one element of a broader CA initiative. The most difficult parts of a CA program are scoping. Often organizations set out to answer a specific series of questions and then find that the data to answer those questions don’t exist in electronic form. Or even if the data do exist, then technical challenges such as large file sizes or even information security controls cause problems when the auditors seek to acquire the data. Overwhelmingly, the success of a CA or CM initiative seems to be based on the combination of having excellent knowledge of the underlying business and business processes and also excellent technical knowledge specific to data structures. The above findings are consistent with the IIA’s research in GTAG 16. That publication identified five potential barriers to success, namely: 8 poorly defined scope; 8 limited understanding of the data; 8 location of data and access; 8 data preparation; 8 manually maintained data. With effective planning—especially to connect business objectives to underlying data sources—the possibilities are endless. Instead of testing paper-based samples of transactions, auditors can evaluate 100% of transactions using data analysis techniques. With modern data analysis tools that support CA and CM, these transactions can be evaluated against a set of defined business rules as often as daily or even more frequently.

Summary Continuous auditing is as much or more about process and methodology than about technology. It begins with asking and answering questions, and then updating the answers to those questions on a more frequent basis—often, though not necessarily, using data analysis technology. Although required by professional standards, data analysis is still underutilized by the internal audit profession, primarily due to the uncommon combination of business skills and data understanding that is needed to help to ensure success.

206

NEW INSIDE PAGES FINAL copy.indd 206

13/02/2012 12:58

Company-Specific Path Toward Continuous Auditing and Monitoring To join the ranks of firms that have successfully implemented and consistently benefit from CA, leading-edge audit teams should implement the following approach.

8  Evaluate and customize a company-specific maturity model that identifies current and desired states and especially the timeline for a CA or CM program.

8 Establish a specific sequence for advancing the customized maturity model. 8  Identify key business and audit objectives and questions, along with design queries, that can answer the questions and satisfy the objectives. Then invest in technology if current in-house tools are insufficient. 8  Use the QuickStart methodology to plan and execute a data analysis project. Plan for multiple iterations between brainstorming, acquiring data, writing scripts, analyzing and reporting, and refining and sustaining, and back to brainstorming. 8  Transition more interesting queries from internal audit to management so that responsible managers form the front line for investigating exceptions. 8  Include audit’s independent evaluation of management’s CM program as part of the overall assurance provided by the audit team. 8  Watch out for known barriers or roadblocks to effective CA and CM programs, primarily around data acquisition.

More Info Books: Humphrey, Watts S. Managing the Software Process. Reading, MA: Addison-Wesley, 1989. Institute of Internal Auditors (IIA). International Professional Practices Framework (IPPF). 2011 ed. Altamonte Springs, FL: IIA Research Foundation, 2011. Article: Oringel, Joe, and George R. Aldhizer III. “Continuous auditing and monitoring: Enhancing the efficiency and effectiveness of auditing and ERM.” Internal Auditing 24:5 (September/October 2009): 17–26. Online at: tinyurl.com/733jtx7 [PDF]. Reports: Coderre, David. “Continuous auditing: Implications for assurance, monitoring, and risk assessment.” Global Technology Audit Guide 3 (GTAG 3). Institute of Internal Auditors (IIA), 2005. Online at: www.theiia.org/guidance/technology/gtag3 Lambrechts, Altus, Jacques Lourens, Peter Millar, and Donald Sparks. “Data analysis technologies.” Global Technology Audit Guide 16 (GTAG 16). Institute of Internal Auditors (IIA), 2011. Online at: www.theiia.org/guidance/technology/gtag-16 Ramamoorti, Sridhar, Michael P. Cangemi, and William M. Sinnett. “The benefits of continuous monitoring.” Financial Executives Research Foundation (FERF), 2011. Online at: tinyurl.com/76s2q5q Websites: ACL Ltd, for ACL auditing software: www.acl.com/products CaseWare, for IDEA auditing software: www.caseware.com/products/idea “Continuous auditing—making it real” blog: www.continuousauditing.blogspot.com Rutgers Accounting Web, host of 23 different world continuous auditing symposia: raw.rutgers.edu Visual Risk IQ, for QuickStart: visualriskiq.squarespace.com/vriq-for-internal-audit

207

NEW INSIDE PAGES FINAL copy.indd 207

13/02/2012 12:58

Effective Auditing for Corporates

Notes 1. Coderre (2005). 2. See the interactive version of the IIA’s International professional practices framework (IPPF) online at the bottom of this page: www.theiia.org/guidance/standards-and-guidance

208

NEW INSIDE PAGES FINAL copy.indd 208

13/02/2012 12:58

The Case for Continuous Auditing of Management Information Systems by Robert E. Davis Management Consultant, Philadelphia, Pennsylvania, USA

This Chapter Covers 8  Managers should concentrate on making business decisions based on management information systems that reduce the risk of inappropriate responses to the entity’s environment. 8  Since management is responsible for the entity’s controls, it should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. 8  Continuous auditing is an uninterrupted monitoring approach that allows IT auditors to examine controls on an ongoing basis and to gather selective audit evidence through the computer for timely opinions.

Introduction

Management information systems represent the aggregation of personnel, computer hardware and software, and associated policies and procedures, allowing data processing to generate information that can be used for decision-making. Corporations typically have management information systems with specific objectives designed to comply with external and internal business requirements. In this context, management information systems can exist at three configuration levels: decision support systems, expert systems, and continuous monitoring systems. Through an understanding of the development and deployment of these technologies, a case can be made for the continuous auditing of management information systems. Considering the impact on decision processes, automated management information systems necessitate a higher degree of reliability and integrity than other information technology deployments. This is a result of the common need to extract systemgenerated information as opposed to manually created information to aid in making business decisions. Hence, corporate auditors need to convey timely opinions on both the quality of management information systems and the information produced by management information systems utilizing continuous assurance techniques. On the benefit side, employing continuous auditing can reduce the risk of management initiating inappropriate actions based on faulty logic and/or data.

Decision Support Systems as an Aid to Enterprise Governance

Control systems can be categorized as being either technical systems or decision systems. Classically, corporate technical systems represent specialized configurations that support business units in achieving objectives, whereas decision systems represent information systems, or analytic models, designed to effectively aid managers and professionals in decision-making. Nonetheless, assistance for the decision-making process may be contained in a technology-based decision support system (DSS).

209

NEW INSIDE PAGES FINAL copy.indd 209

13/02/2012 12:58

Effective Auditing for Corporates Interpretatively, a technology-based information system represents an architectural component that collects data, processes transactions, and communicates operational results, while an analytical model is a set of relationships with variable continua of: 8 c omplexity, from one variable to many; 8 uncertainty, from deterministic to probabilistic; 8 time, from static to dynamic. Thus, through proper system or model construction, an entity-centric DSS is deployed to enable the evaluation of alternative courses of action and efficient choice from the presented options to achieve the defined business objective.

Optimizing IT Assistance for Making Decisions

Reliable decision support systems should provide accurate and complete disclosure of available options, while maintaining the confidentiality and integrity required to enable effective responses. The “quality of management” depends heavily on having managers evaluate alternatives and select from the available options as many correct responses as possible. To ensure managerial quality, most managers are under observation for situational responses that impact the entity. Therefore, the ratio of decisional hits to misses must weigh favorably in the direction of hits for a manager to retain his status within most organizational formations. In other words, a regular pattern of failure to make appropriate decisions usually disqualifies an employee from retaining directional authority within an entity. Generally, supporting decisions with software and hardware is wholly inadequate if there is no clear idea about the kinds of decisions that need to be made. Enterprise governance involves different types of decisions. The first type, routine decisions, is commonly treated within the entity’s framework of policies and procedures. The second type, nonroutine decisions, typically requires one-time or nonrepetitive solutions based on environmental considerations. The third type, nonroutine motley decisions, is generally ill-structured and complex, arising from one-of-a-kind situations, and for an optimal response relies on scientific assessment. Nevertheless, decision techniques have become largely synonymous with quantitative approaches or mathematical analysis, which are well suited to IT processes. Some types of the latter are financial and statistical analysis that, depending on the circumstances, may be addressed through game theory, linear programming, simulation, and operations research. At a minimum, governance decision support systems should include word processing, database, spreadsheet, and modeling capabilities. Of these, modeling is crucial to reducing uncertainty in the response to circumstances requiring a decision. Rudimentarily, a model comprises variables and objectives, where the structure must reflect the purpose for which it is constructed. The variables in a quantitative model constitute a mathematical description of the relation between elements that can be classified as decision, intermediate, or output variables. The decision variables are usually controlled by the decision-maker and vary with the alternative selected. Intermediate variables link decisions to outcomes, thus functioning as consolidation variables. Output variables measure decision performance, and are referred to as “attributes.”

210

NEW INSIDE PAGES FINAL copy.indd 210

13/02/2012 12:58

The Case for Continuous Auditing of Management Information Systems Right-Sizing the Governance Model

Many types of detail variables can be associated with a mathematical model. Binary variables are employed for “go” and “no-go” decisions. Discrete variables are utilized for any of a finite number of values. Questions of “which” and “when” are represented as specific discrete values. Such data need not be continuous; however, continuous variables present an infinite number of possible values, and all the values will lie within a specific range. Among the other characteristics of detail variables, they can be random variables that model uncertainty and are expressed as probabilities. They can also be exogenous variables, ones that are external to the model and cannot be influenced by decision-makers. DSS models are abstractions that operate as substitutes for the actual circumstances under evaluation. A model-driven DSS emphasizes access to and manipulation of statistical, financial, optimization, or simulation archetypes. Consequently, a modeldriven DSS utilizes data and parameters provided by users to assist decision-makers in analyzing a situation; however, they are not necessarily data-intensive. The construction of a DSS model for governance includes: making a large number of assumptions about the nature of the environment in which the entity’s programs, systems, processes, activities and/or tasks operate; selecting the operating characteristics of components; and making paradigm suppositions about the way animate and/or inanimate objects are likely to behave. A model is ready for use by management when it matches the set of objectives and attributes that require analytical consideration. The value of information assets is continuously increasing in this information age due to their integration into decision-making processes. Governance decisions are highly visible, often offer immediate results, tend to be goal-focused, and are directive. Although there are various techniques that can be applied to types of governance decisions, the final outcome is a matter of judgment. Normally, IT processes can be adapted to support judgmental decisions through the utilization of engineered business processes. To ensure robustness for the intended application, DSS models must pass three tests: relevance, accuracy, and aggregation. Relevance is measured by the alignment of the defined condition to possible problem solutions. Accuracy can vary depending on the decision that is being made. Aggregation permits the grouping of a number of individual quantities into a larger quantity.

Impact of Decision Support Systems

Decision-making is the process of evaluating alternatives and choosing from among them. Information may drive leadership; however, data accuracy and completeness are prerequisites to ensuring that appropriate decisions are made. A DSS commonly assists middle-level and upper-level managers in long-term, non-routine, and often unstructured decision-making. Typically, the deployed system contains at least one decision model, and it is usually interactive, dedicated, and time-shared—although it need not be real-time. Thus, a DSS should be viewed as an aid to decision-making rather than simply the automation of decision processes. Managers should concentrate on making professional governance decisions based on a DSS that reduces the potential for inappropriate responses to the entity’s environment.

211

NEW INSIDE PAGES FINAL copy.indd 211

13/02/2012 12:58

Effective Auditing for Corporates Expert Systems as an Aid to Compliance

Technology is an ever-changing tool driven by compliance requirements as well as entity-centric requirements to satisfy market demands. For compliance requirements, IT deployments tend to be reactionary rather than a continuous, proactive process. Consequently, IT compliance efforts are typically lacking in constancy and conformity. To combat this tendency, IT planners should focus design and transition efforts on three time frames that meet entity needs: the current state, the near-term state, and the long-term state of compliance requirements. Within this context, expert systems can be an invaluable tool for implementing mandates that satisfy immediate needs and simultaneously position the entity to meet the next potential compliance issue effectively.

Expert System Development Activities

IT usually pervades all organizational formations that are pursuing effective and efficient processing in response to compliance requirements, thus facilitating better decision-making through various information delivery mechanisms and offering opportunities for business model development that may lead to value creation as well as competitive advantage. To construct an expert compliance system a knowledge engineer—performing a function similar to a system or business analyst—is typically needed. A designated knowledge engineer is responsible for defining issues in manageable terms, soliciting the knowledge, skills, and abilities of experts, and translating these talents into electronically encoded formats. The development of an expert system is usually a four-step process. It starts with the knowledge engineer gaining an understanding of a particular judgment issue. This is followed by the acquisition of the thought processes of experts in solving the issue. Next, if a shell program is not available, a computer model is programmed to reproduce the thought processes that have been adopted for defined situations. Finally, the system is tested and certified to ensure that the resulting decisions are appropriate and usable. These steps are commonly known as knowledge representation, knowledge acquisition, computational modeling, and model validation.

Populating the Expert System

A knowledge engineer can obtain knowledge in several ways. One option is to go through textbooks and professional journals to extract definitions, axioms, and rules that apply to the issue. This type of knowledge acquisition is especially useful for teaching and reference situations because the question–response paths are direct. However, the way in which questions are posed to the expert system can lead to misleading results. Another method of acquiring knowledge is to ask human experts to explain their thought processes and ways of solving problem scenarios; this is sometimes referred to as verbal protocol analysis. Last, a human expert can enhance the information obtained from literary resources and will often bring unpublished knowledge, gained through experience, to the decision process paths. This combinational knowledge makes human-based expert systems a valuable technology. To incorporate human expert knowledge into a technology-based expert system, the right individuals must be identified and selected. Specialists tend to be trained in rather narrow domains and are best at solving problems within their defined realms of

212

NEW INSIDE PAGES FINAL copy.indd 212

13/02/2012 12:58

The Case for Continuous Auditing of Management Information Systems expertise. Assuming that experts do exist and are willing to participate, good experts are those who are able to solve particular types of problem scenarios that few others can solve with the same efficiency and/or effectiveness. Additionally, considerable time can be saved in developing an expert compliance system if the knowledge engineer has experience in the area that is being modeled. After experts have been selected, the knowledge engineer must take the expert knowledge and transform it into a computational model. However, issues may arise because an expert discovers that he or she is unable to describe how a situation is resolved. Typically, this is due to the way they may operate at a subconscious level while performing some tasks to address a scenario. In view of the possibility that undefined steps may generate misaligned logic paths in the inference engine, it is common for interdisciplinary teams of specialists to work together to formulate deductive reasoning processes for defined problems. To assist in assessing decisional acumen, most managers are under observation for situational responses that may impact the entity. The reliability of business-related information used in making decisions is therefore critical. During the final stage of preparation for deployment, an expert system has to be validated to ascertain the reliability and scope of its decisional processes. In the model validation step a knowledge engineer and/or IT assurance professional identifies errors, omissions, and mistakes in the knowledge base. Furthermore, since the constructed system is designed to simulate an expert’s decision-making process, it should be tested against the opinions of subject matter experts. Finally, if the system is later updated to keep the knowledge base current, reevaluation of the model is necessary to ensure its continued decisional reliability.

Impact of Expert Systems

From a technical perspective, the typical expert system can be divided into two essential parts: the knowledge base, and the inference engine. The knowledge base contains the body of knowledge, or set of facts and relationships, obtained in the knowledge acquisition phase. The rules associated with a knowledge base tend to be heuristic and take the form of conditional statements, whereas the inference engine is a collection of computer routines that control the system paths through the knowledge base to enable recommendations. In addition, the inference engine serves as a bridge between the knowledge base and the user. Methodologically, for expert systems the knowledge engineer defines the ambit of issues that the system will address. A logic path that is too broad may result in a system that is too difficult to manage and it may cause a system crash. Contrastingly, the knowledge engineer must be careful not to limit an issue overly because a logic path that is too narrow will produce a system so rudimentary that the results will be worthless.

Continuous Monitoring Systems as a Risk Management Aid

A management information system is often deployed to permit performance monitoring to assess compliance with adopted standards and enable corrective actions and/or process improvements to an entity’s control systems. A generally accepted key

213

NEW INSIDE PAGES FINAL copy.indd 213

13/02/2012 12:58

Effective Auditing for Corporates element that enables the risks inherent in many control systems to be successfully managed is the ability to monitor processes independently and continuously as close to the execution point as possible. Yet, analytic technologies capable of continuous monitoring are typically lacking in management information system deployments. Therefore, a continuous monitoring system that is conjointly implemented within management information systems can enhance the detection of variance as well as improve compliance verification and exception reporting systems. “Monitoring encompasses the tracking of individual processes, so that information on their state can be easily seen, and statistics on the performance of one or more processes can be provided.” From Wikipedia entry, “Business process management.

Foundations for Managing Processes

Prespecified and routine decisions, which form the policies and procedures that are typically documented by an entity, are designed to provide time for managers to address non-routine activities and consider improvements to the currently deployed control processes by removing them from the more mundane aspects of day-to-day operations. However, process monitoring is required to ensure that expected outcomes are achieved for assigned functional responsibilities and that irregular activities are detected on a timely basis. Conceptually, continuous monitoring systems generally consist of three levels: data provisioning, information management, and information presentation. Data provisioning is enabled by the collection and storage of specified items in an assigned location. Information management utilizes the combination of knowledge of IT architecture, analytic knowledge, and collected data to assess processing. Information presentation provides results from the conditions that are being monitored. To enable effective deployment, the three levels of continuous monitoring must operate harmoniously. The data provisioning level supplies raw data for analysis after the collection process has been completed. These collected data can be extracted from processed and formatted output that is produced by defined processes and/or through direct data access. The extracted data are commonly stored in a data repository and/ or retained in original form. However, certain data may also need to be stored at the information management level. This includes information about the structure of the systems that are being monitored as well as analytic definitions, such as conditional statements. Analysis of the data is performed using various tools, and the output is sent to the presentation level for evaluation by designated users.

Path to Continuous Monitoring

According to the Institute of Internal Auditors (2005), “Continuous monitoring of controls is a process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively.” Though manual performance monitoring may suffice in low-technology situations, in most high-technology environments automated controls become a necessary part of the IT architecture for ensuring information reliability and integrity. As suggested by John Verver (2003), the technology underpinnings to enable an effective continuous

214

NEW INSIDE PAGES FINAL copy.indd 214

13/02/2012 12:58

The Case for Continuous Auditing of Management Information Systems monitoring strategy should include several key components: independence from the system that processes the data; the ability to compare data and information across multiple platforms; the ability to process large volumes of data; and prompt notification to management of items that represent control exceptions. To ensure effective continuous monitoring, adequate segregation of functions must be sustained. Continuous monitoring and segregation of functions are not new control concepts. Yet technological integration issues can be a barrier to implementing continuous monitoring systems that are independent of operational processes and capable of easy configuration for specific risk tolerance requirements. Procedurally, achieving appropriate functional independence in an automated system necessitates defining IT and operational user work units with consideration of the control context. As a result, when properly implemented, the segregation of functions assures that organizational responsibilities do not impinge on the independence or corrupt the integrity of information system assets while data on individual processes are being tracked and collected. Continuous monitoring allows management to have greater insight into the entity’s current state of compliance. Typically, for IT, continuous monitoring involves ongoing automated testing of selected data within a given process area against a suite of control protocols. Management can utilize this information to set or reset process guidelines, rules, and tests via applied analytics that identify performance gaps or unusual events that may suggest control failures. This type of continuous monitoring can exist in IT hardware, firmware, or software that is enabled to observe and record automated activities. Therefore, automated continuous monitoring provides a timely feedback mechanism for management to ensure that configuration items and controls are operating as designed and that data are processed appropriately.

Impact of Continuous Monitoring

Since management is responsible for the entity’s controls, they should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls in a timely manner. It enhances managerial capabilities and entity-level controls, while striving to facilitate the maintenance of acceptable performance levels. Furthermore, with the ability to identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership by personnel who are assigned responsibility for responding to reported exception conditions.

Case Study In this information age the value of information assets is continuously increasing due to their integration into decision-making processes. Assistance in the decision-making process may be contained in an IT DSS. Thus, utilizable decision support information should provide accurate and complete disclosure of available data while maintaining the expected confidentiality and integrity.

215

NEW INSIDE PAGES FINAL copy.indd 215

13/02/2012 12:58

Effective Auditing for Corporates Technology deployment and associated management information systems can provide a competitive advantage as well as increased control requirements. Considering the adamant demands for continuous process improvements, a focus on overall information protection and security delivery value in terms of enabled services has become the managerial norm. Information security service management is a set of processes that enable and potentially optimize IT security services for an entity to satisfy business requirements, while simultaneously providing strategic and tactical management of the IT security infrastructure. In this context, information security service level management should be considered a quality of service administration that makes demonstrable contributions to process improvement. Noncompliance risks are an irrefutable fact, where the consequences range from significant financial penalties to the threat of damage to an entity’s reputation. Fielding an appropriate response to a security incident is typically a crucial business requirement. To enable effective management, a security MIS should correlate data to intended usage to determine the repercussions of a security failure. Considering that the primary contingency management objective is to provide solutions through an understanding of risk, an adequate response to an IT security incident depends on timely, reliable information to assess the risks and subsequently apply resources. Auditors are indirectly, if not directly, an entity control mechanism which assures that mandated compliance expectations are adequately addressed by management. Amplifying the criticality of information security is the number of laws related to the protection of information assets and regulations that impact compliance expectations. In one form or another, assuring compliance serves as a significant information security audit objective for most entities which can best be served through continuous auditing of information security incidents. Therefore, an auditor should continuously audit whether effective procedures for the protection of information assets are implemented to manage and maintain the confidentiality and integrity of information throughout the information lifecycle.

Making It Happen 8 Survey the deployment of computerized management information systems. 8 Acquire support for the investigation of continuous auditing options. 8 Assess the risk of inappropriate decision-making based on unreliable and inaccurate information. 8 Present a transparent case for establishing continuous auditing of high-risk management information systems. 8 If necessary, confer with the IT department to establish service-level agreements for continuous auditing systems.

216

NEW INSIDE PAGES FINAL copy.indd 216

13/02/2012 12:58

The Case for Continuous Auditing of Management Information Systems

Summary Continuous auditing is an uninterrupted monitoring approach that allows IT auditors to examine controls on an ongoing basis and to gather selective audit evidence through the computer. Theoretically, in some environments it should be possible to significantly shorten the audit reporting time frame to render nearly instantaneous or truly continuous assurance. In particular, continuous assurance is well suited for use in high-risk, highvolume, paperless environments. As a technique, continuous auditing is designed to enable IT auditors to report on subject matter within a much shorter time frame than under other audit models. As a process, continuous auditing can be employed to enable timely reporting by IT auditors through continuous testing.

More Info Books: Akerkar, Rajendra, and Priti Sajja. Knowledge-Based Systems. Sudbury, MA: Jones & Bartlett, 2009. Davis, Robert E. Assuring IT Legal Compliance. Los Gatos, CA: Smashwords, 2011. Higson, Andrew. “Effective financial reporting and auditing: Importance and limitations.” In QFINANCE: The Ultimate Resource. 3rd ed. London: Bloomsbury, 2012; pp. 338–340. Online at: tinyurl.com/6mw6qe6 Laudon, Ken, and Jane Laudon. Management Information Systems. 11th ed. Upper Saddle River, NJ: Prentice Hall, 2009. Mainardi, Robert L. Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology. Hoboken, NJ: Wiley, 2011. O’Brien, James, and George Marakas. Management Information Systems. 9th ed. New York: McGraw-Hill, 2008. Seref, Michelle M. H., Ravindra A. Ahuja, and Wayne L. Winston. Developing SpreadsheetBased Decision Support Systems. Charlestown, MA: Dynamic Ideas. 2007. Article: Verver, John. “Risk management and continuous monitoring.” AuditNet, March 2003. Online at: tinyurl.com/6vmqu4p [PDF]. Report: Institute of Internal Auditors. “Continuous auditing: Implications for assurance, monitoring, and risk assessment.” White paper. 2005. Online at: www.acl.com/pdfs/wp_gtag_may05.pdf Websites: Information Systems Audit and Control Association (ISACA): www.isaca.org Institute of Internal Auditors (IIA): www.theiia.org International Federation of Accountants (IFAC): www.ifac.org

217

NEW INSIDE PAGES FINAL copy.indd 217

13/02/2012 12:58

INDEX.indd 2

13/02/2012 12:33

Index A

accounting standards audit committee roles and responsibilities auditing see external auditing; internal auditing auditor–client relationship

B

body language

Dräger, Henning DSS see decision support systems 17 105 41 147

C

Causholli, Monika 57 CEO and CFO see chief executive officer and chief financial officer charter internal auditing 69 chief executive officer and chief financial officer roles and responsibilities 105 Cicchella, Denise 147 client–auditor relationship 41 COBIT framework 105, 133 Committee of Sponsoring Organizations of the Treadway Commission see COSO framework continuous auditing 197, 209 continuous risk assessment 133 Control Objectives for Information and Related Technology see COBIT framework corporate responsibility 29 corporate social responsibility 179 COSO framework 69, 105, 133 cosourcing 121 creative accounting practices 3 CSR see corporate social responsibility cultural changes external auditing 17

D

data-driven analysis 133, 197 Davis, Robert E. 209 decision support systems (DSS) 209 De Martinis, Michael 57 disclosure financial 29

179

E

Eccles, Robert G. 161 enterprise risk management (ERM) frameworks 69, 105, 133 environmental, social, and governance (ESG) practices 179 expert systems 209 external auditing conducting internal audits 121 cultural changes 17 fees 41, 57 fraud detection 3 independence 29, 41 market 57 production 57 regulation 29 roles and responsibilities 105 standards 17

F

fees financial disclosure financial statement analysis fraud

41, 57 29 17 3, 17

G

Gardner, Stuart 147 globalization 17

H

Hay, David heat maps

57 133

I

independence external auditing 29, 41 information source reliability 147 information technology see IT systems integrated assurance 161 integrated reporting 161, 179 Interface, Inc. case study on ESG practices 179 internal auditing by external auditors 121

219

INDEX.indd 3

13/02/2012 12:33

Effective Auditing for Corporates internal auditing (cont.) charter 69 continuous 197, 209 department 69 integrated reporting 161, 179 IT systems 209 leadership 69 planning 87 prioritization 87 resource allocation 87 roles and responsibilities 105 risk assessment 69, 87, 133 source reliability 147 interviews 147 ISO 31000 framework 133 IT systems auditing 209



K

kinesics 147 Knechel, W. Robert 57 Krzus, Michael P. 161

L

leadership internal auditing 69 litigation 41 Livne, Gilad 41

M

Malaysia case study on creative accounting practices 3 management information systems (MIS) 209 Manohar, Jyothi 17 market external auditing 57 materiality 161 Mat-Isa, Yusarina 3 maturity model 197 MIS see management information systems Mohd-Sanusi, Zuraidah 3

N

nonaudit services nonfinancial information

41, 121 161, 179

Novo Nordisk case study on ESG practices

179

O

Oringel, Joe vii, 133, 197 outsourcing 121

P

PCAOB see Public Company Accounting Oversight Board PepsiCo case study on regulatory requirements 105 Peterson Kramer, Bonita K. 69 Pforsich, Hugh D. 69 Philips Electronics case study on integrated assurance 161 planning internal auditing 87 prioritization internal auditing 87 production external auditing 57 Public Company Accounting Oversight Board (PCAOB) 29

R

regulation external auditing 29 relationship between auditor and client 41 reliabillity information sources 147 reporting integrated 161 nonfinancial information 161 visual 133 resource allocation internal auditing 87 risk assessment continuous 133 data-driven 133 internal auditing 69, 87, 133 risk management see enterprise risk management (ERM) frameworks roles and responsibilities 105 Roybark, Helen 105

220

INDEX.indd 4

13/02/2012 12:33

Index S

Sanchez, Paul J. Sarbanes–Oxley Act (SOX) Schwan Food Company SOX see Sarbanes–Oxley Act source reliability standards accounting external auditing sustainability reporting

V

Verschoor, Curtis C. visual reporting

87 29, 105 69 147 17 17 161 29, 121 133

W

Waste Management, Inc. case study on auditor independence Watson, Liv A.

41 161

221

INDEX.indd 5

13/02/2012 12:33