Internal Audit Outsourcing

By George R. Aldhizer III and James D. Cashell

Both the accounting firm and client may benefit when the firm performs some of the functions of an internal audit department. However, there are a number of problems, the major one being a possible impairment of independence. The AICPA has issued an interpretation of rule 101 that addresses this issue. The authors tell us what CPAs can and cannot do under this interpretation and provide guidance on other possible problem areas.

During the past few years, many accounting firms have sought to provide internal audit services to their audit clients. This outsourcing of internal audit services offers advantages to both the accounting firm and the company. For example, the accounting firms can generate revenues during their offseason when staff are traditionally underutilized. The company can benefit by replacing fixed cost employees with a variable cost service.

While the benefits of providing internal audit services are fairly apparent, there are risks associated with such services that accounting firms need to consider. One is the possible loss of independence. Walter Schuetze, while serving as the chief accountant of the SEC, dropped a bombshell on the public accounting profession during a speech at the AICPA's 19th Annual Conference on Banking in November 1994. He claimed external auditor independence may be impaired by performing internal audit outsourcing activities that involve management functions or by becoming an integral part of internal controls.

This view was echoed by William
Bishop III, president of the Institute of Internal Auditors (IIA). In a news release to IIA membership, he denounced the total outsourcing of internal audit services to external auditors as a threat to the objectivity and independence of the auditing process.

To address the independence concerns posed by outsourcing, the AICPA Professional Ethics Executive Committee recently issued an interpretation under rule 101 on Extended Audit Services. This interpretation provides fairly explicit guidance on the committee's position as to the types of internal audit activities that would and would not impair an external auditor's independence. The interpretation supersedes ethics ruling no. 97.

Potential Benefits of Outsourcing

For many years, companies have outsourced commodity-type services including food, security, and janitorial services. More recently, they have begun to outsource professional services such as payroll, tax, legal, data processing, and internal audit. Internal audit outsourcing has become popular because it offers many potential benefits to all parties involved.

For external auditors, the knowledge obtained while performing internal audit activities can increase the efficiency of the annual independent financial statement audit. For example, the internal control knowledge obtained while performing internal audit services should reduce the amount of work needed to document internal controls, assess control risk, and design tests of controls. It should also enhance the auditor's awareness of specific client related risks. This would help in planning an effective and efficient substantive audit program and should assist with detecting fraudulent financial reporting.

Outsourcing also creates a potentially large new source of revenue. In addition, since much of the outsourcing work could be performed during the offpeak season, external audit firms should be able to better balance their workloads across the entire year.

For companies, outsourcing the internal audit function offers potential cost benefits. Internal audit outsourcing may reduce overlapping positions and audit effort by creating more flexibility in increasing and decreasing workloads. Additionally, outsourcing allows a company to replace "fixed" cost employees with "variable" fees for services. Finally, a wide range of expertise is available from large firms that would be too expensive for a company to maintain internally.

Former Professional Guidance

The effect of outsourcing internal audit services on external auditor independence was addressed in AICPA ethics ruling no. 97 under rule 101, Performance of Certain Extended Audit Services. The ruling stated that it was unacceptable for external auditors to concurrently perform internal audit services that include management functions such as making management decisions for the company. An example cited in the ruling was reviewing loan originations as part of a client's approval process. It was acceptable under the ruling, however, to review the client's processes, such as the loan origination process, or to perform tests of the client's process of internal control beyond those required by generally accepted auditing standards, provided such services do not involve making management decisions.

Ethics ruling no. 97 had been a source of controversy since its inception. One concern involved the limited definition of what constitutes a management function. Specifically, the ruling did not mention whether internal audit scope decisions constituted a management function. In Mr. Schuetze's speech, referred to earlier, he stated that the determination of the projects to be performed under the scope of internal audit work would constitute a management function. From this, it could be inferred that an accounting firm's independence would be impaired if it provides all of the internal audit services for a client. His position on this topic was significant because bank regulatory agencies such as the Federal Deposit Insurance Corp. and the Office of the Controller of the Currency have typically relied on the SEC on issues relating to auditor independence. In fact, banking regulators also voiced their disapproval with ethics ruling no. 97.

Another issue not addressed in ethics ruling no. 97 dealt with the external auditor becoming an integral part of the client's internal controls. As noted earlier, Mr. Schuetze specifically stated that such a condition would impair independence. In their report, Internal Control Integrated Framework, the Committee for Sponsoring Organizations (COSO) maintains that the internal audit function plays an integral role in monitoring internal controls.

Specifically, it states that since "... internal auditors evaluate the effectiveness of control systems and thus contribute to ongoing effectiveness..., an internal audit function often plays a very significant role in effective internal control." This suggests a lower threshold for impairing external auditor independence than the performance of a management function. It could be construed that any party who is responsible for actively monitoring a company's internal controls is an integral part of the internal controls and, therefore, is not independent with respect to that company.

Not everyone shares the above view. The Public Oversight Board (POB) staff has taken the position that monitoring the internal control process over and above that required by generally accepted auditing standards, when performed by external auditors, is not part of the internal controls as defined by the COSO report. In his letter explaining the POB position, Jerry Sullivan, its executive director, stated that the board's reasoning was based on COSOs recognition that parties external to the organization, such as regulators and external auditors, assist management in fulfilling its responsibility to monitor internal controls but are not considered part of the internal control process. From this, the board concluded that monitoring activities conducted by external auditors, as replacements for the internal audit function, are not internal to the organization and thus are not part of the internal control monitoring component. Mr. Sullivan did note, however, that such extended audit situations warrant cautious oversight and that the line between managerial and nonmanagerial functions needs to be carefully drawn and monitored by external audit firms providing internal audit services.

The above POB position was challenged by William Bishop III, president of the IIA, in a position statement to Michael Sutton, chief accountant of the SEC. Mr. Bishop declared that "the internal audit function provides the major supporting assurance that allows management to make a public assertion as to the adequacy and effectiveness of its organization's internal control structure." Furthermore, he argued that the performance of all internal auditing activities by a company's external auditors would make them, at the very least, indirect advocates of management's internal control assertion. Such an advocacy position, he claimed, could result in reduced public confidence in the integrity of the external audit process and is, therefore, "a threat to the objectivity and independence of the auditing process."

The New Interpretation

In response to the demand for more guidance, the AICPA Professional Ethics Executive Committee, in August 1996, published an interpretation under rule 101 to address a member's (hereinafter referred to as CPA) responsibilities related to the performance of extended audit services for a client. The interpretation is applicable to situations where the CPA performs other services for the client that require independence (i.e., attestation services). As defined in the interpretation, extended audit services include assisting in the performance of client internal audit activities and/or extensions of audit procedures beyond those required by generally accepted auditing standards.

The interpretation states that the performance of extended audit procedures does not impair independence provided the CPA does not act, or appear to act, as a member of management or as an employee of the client. It also provides explicit guidance on client versus CPA responsibilities and what activities are expressly prohibited.

Client Responsibilities. The client is responsible for establishing and maintaining internal control and for directing the internal audit function, if any. As part of their internal control responsibility, management monitors internal controls to assess their quality over time. This monitoring can be accomplished through ongoing monitoring activities, separate evaluations, or both. Ongoing monitoring activities include normal recurring management or supervisory activities, comparisons, reconciliations, and other routine actions.

Specifically, the client, not the CPA, must assume responsibility for the following:

* Designating a competent individual(s), preferably within senior management, to be responsible for the internal audit
function.

* Determining the scope, risk, and frequency of internal audit activities, including those to be performed by the CPA as extended audit services.

* Evaluating the adequacy of the audit procedures performed and their findings (including those performed by the CPA).

CPA Responsibilities. The interpretation states that the CPA's independence would not be impaired by performing audit procedures in accordance with guidelines established by the client or by performing procedures of the type considered extensions of the audit scope related to the financial statement audit (e.g., account confirmations, analyzing fluctuations in account balances, etc.) even if such procedures exceed the requirements of generally accepted auditing standards. The CPA is responsible for performing and reporting on such extended audit procedures in accordance with the terms of the engagement. The CPA should direct, review, and supervise the day-to-day performance of the audit procedures. The report should include information that allows the individual(s) responsible for the internal audit function to evaluate the adequacy of the audit procedures performed by the CPA and their findings. It may also include recommendations for improving system processes or procedures.

To avoid potential problems, the CPA should be satisfied that the client's board of directors and/or audit committee are informed of the roles and responsibilities of both management and the CPA. This is to help ensure that management establishes appropriate guidelines and adequately monitors the engagement. To
promote this understanding, the interpretation recommends including a statement of the client's responsibilities in the engagement letter and explicitly noting that the CPA may not perform management functions, make management decisions, or act in a capacity equivalent to that of an employee.

Activities that Impair Independence. According to the interpretation, the CPA's independence would be impaired by undertaking any of the above mentioned responsibilities of the client or of the individual(s) assigned responsibility for the internal audit function. It includes the following examples of activities that would impair independence:

* Performing ongoing monitoring or control activities that affect the execution of transactions or ensure that transactions are properly executed and/or accounted for and performing routine activities in connection with the client's operating or production processes that are equivalent to those of ongoing compliance or quality control functions.

* Determining which control process recommendations should be implemented.

* Reporting to the board of directors or audit committee on behalf of management or the individual(s) responsible for the internal audit function.

* Authorizing, executing, or consummating transactions or otherwise exercising authority on behalf of the client.

* Preparing source documents on
transactions.

* Having custody of assets.

* Approving or being responsible for the overall internal audit work plan including the determination of the internal audit risk and scope, project priorities, and frequency of audit procedures.

* Being connected with the client in any capacity equivalent to a member of management or as an employee (e.g., being listed as an employee in client directories or other publications, permitting references to self as supervisor or in charge of client's internal audit function, or using client's letterhead or internal correspondence forms in communications).

Performance of Management Functions. Compared to ethics ruling no. 97, the interpretation under rule 101 cites a broader range of management functions that would impair independence. In addition to including operating type management decisions, the interpretation agrees with Mr. Schuetze that overseeing the internal audit function would impair independence. Specifically, the interpretation states that independence would be impaired by approving or being responsible for the overall internal audit plan (including determining the scope, risk, or frequency of internal audit activities) or by determining which control recommendations to implement.

Serving as a Client Employee. The interpretation states that independence
is not impaired by performing and reporting on extended audit procedures in accordance with the terms of the engagement as specified by management. Allowing the external auditor to perform
services in accordance with management established guidelines is more liberal than Mr. Schuetze's view. In his speech, he stated that "... to the extent that Federal or state banking regulations require (internal auditors) to be under (management control), the outsourcer is essentially functioning in an employee role." Under the interpretation, management is expected to establish the scope, risk, and frequency of internal audits, while the CPA is expected to direct, review, and supervise the day-to-day performance of audit procedures within these management established parameters.

Being an Integral Part of the Internal Control Process. Although the interpretation does not specifically use the terminology "being an integral part of the client's internal controls," it does address the issue of the external auditor performing monitoring functions related to the client's internal control process.
The interpretation states that monitoring can be accomplished through ongoing activities or through separate evaluations. In general, performing ongoing activities would impair independence but performing separate evaluations would not.

Ongoing monitoring activities are defined as those built into normal recurring activities of the entity. They include regular management and supervisory activities, comparisons, reconciliations, and other routine actions. The interpretation states that independence would be impaired by performing ongoing monitoring activities that affect the execution of transactions or that ensure transactions are properly executed and accounted for. It further states that independence would be impaired by performing routine activities in connection with the client's operating or production processes that are the equivalent of ongoing compliance or quality control functions.

Independence would not be impaired by performing separate evaluations that focus on the effectiveness of the client's internal controls. This includes separate evaluations of the client's ongoing monitoring activities.

Other Issues

While the interpretation addresses the primary issues related to auditor independence, there are still other issues that concern external auditors who also perform internal audit services for their client. Two of these issues are outsourcing fees and auditor litigation.

Magnitude of Outsourcing Fees. An additional independence issue is the magnitude of internal audit service fees. Although consulting service fees have traditionally not been considered an impairment to independence, outsourcing services are significantly different from conventional consulting services. It is possible that extremely lucrative outsourcing fees could affect the auditor's state of mind to such an extent that objectivity is impaired.

Research during the past decade has addressed the effects of providing consulting services on external auditor independence. One study found that accounting firms' revenues from accounting and auditing services were approximately five times higher than their consulting service revenues for SEC clients. A related study found that SEC clients demanded proportionately fewer consulting services from their auditors than non-SEC clients and that accounting firms do not normally provide consulting services to the same SEC clients year after year. In both studies, there was evidence that traditional consulting services did not pose a serious threat to external auditor independence. The finding was, at least, partially attributable to the relatively small fees and nonrecurring nature of the consulting engagements.

In contrast to traditional consulting services, however, the IIA estimated that an accounting firm's revenues from providing internal audit services could be up to 10 times higher than their accounting and auditing service revenues for SEC clients. Also, internal audit services would likely be provided on an ongoing basis year after year. Because of the magnitude of these revenues and the ongoing relationship, the external auditors may unconsciously become biased in the client's favor. Also, even if the auditor is able to maintain complete objectivity, the public appearance of independence may be harmed.

Increased Exposure to Litigation. In addition to the independence issues related to performing internal audit services, external auditors should also consider their litigation exposure for failure to detect fraud. In the external audit role, SAS Nos. 53 and 54 limit the accountant's responsibility, as with any misstatement, to providing only reasonable--not absolute--assurance of detecting misstatements in financial reporting because of fraud. The AICPA has diligently worked to gain acceptance of this position by maintaining that management, not the external auditor, has the primary responsibility for fraud control. It is possible, however, that the primary responsibility for fraud control would shift to external auditors if they concurrently perform internal audit roles
that constitute key processes management uses to meet their fraud control responsibility.

The limitation on external auditors' responsibility for detecting misstatements because of fraud, however, may not apply where the external auditors also perform internal audit services. The internal audit function plays a key role in fraud control. By performing internal audit functions, the external auditor may be accepting the internal audit function's primary responsibility for detecting and controlling fraud, and any related litigation exposure that goes with it.

Before contracting to provide internal audit services, external auditors should carefully evaluate the engagement's actual impact on fraud detection and control. This is especially critical if a firm plans only to
perform internal audit services on a part-time basis, such as during the less
busy months. One study by KPMG
Peat Marwick found that some of the key elements in detecting fraud were customer notification and anonymous letters. Such factors may lose their
effectiveness if someone is not immediately available to receive the communication. The auditors' engagement letters relating to the performance of internal audit activities should perhaps contain language that would restrict the auditors' responsibility for fraud detection.

Another factor to consider before accepting the internal audit function's responsibility for fraud is the company's future ability to control fraud. The corporate reengineering movement within many companies has resulted in a reduced emphasis on internal control activities such as proper authorization and segregation of duties. Most fraudulent financial reporting has historically occurred outside the normal transaction flow. As a result, many companies view control activities as a non-value-added service. Another KPMG Peat Marwick report noted, "Individual employees are now assigned responsibility for many phases of a transaction (the 'one stop shopping' idea)." For example, individual transaction approvals and segregation of duties are being eliminated for certain transactions to reduce costs or because of management's relatively low risk assessment. Such conditions may increase the risks associated with performing the internal audit function since the opportunity for fraud may now increase in the normal
transaction flow.

While it seems obvious that external auditors increase their responsibility for fraud detection by undertaking internal audit services, it is not clear how providing such services might impact their litigation exposure. To date, there is no legal precedent in which internal auditors have personally been held liable for failure to detect fraud. One important distinction between internal and external auditors, however, is that internal auditors do not issue an opinion, or any other form of assurance, to the public. External auditors are required to issue a public opinion that under law (i.e., the Securities Acts of 1933 and 1934) may result in "unforeseen" third parties filing suit against them for not detecting fraudulent financial reporting. The reporting responsibilities of external auditors who also perform internal audit services may increase their litigation exposure for failure to detect and report fraud. *