August 2002
The CPA’s Transition to the World of Internal Auditing
By David O’Regan
Despite its importance, little guidance pertains to the challenges facing CPAs that have moved into internal auditing as full-fledged internal auditors rather than as consultants or advisors. Large numbers of CPAs become internal auditors, either en route to the corporate sector or as a long-term career.
A public accountant’s transition to a corporate audit environment can be tricky. Internal auditing is no longer just a soft landing for the public accountant moving into industry; it has a challenging agenda all its own. The CPA-turned–internal auditor will notice several major differences in the professional environment. Compared to the well-defined ambience of public accounting, internal auditing can often seem insubstantial. The sophisticated internal resources and networks of the large, multinational auditing firms are lacking, as are the day-to-day pressures of client fees. However, the sheer scope of activities that can fall within internal audit are substantial: corporate risk assessment, fraud investigations, operational efficiency analysis, reviewing compliance with the Foreign Corrupt Practices Act, and assisting external auditors—not to mention the general ledger account reviews.
The public accountant who moves into such an environment may find a mastery of accountancy insufficient to grapple with some of these areas. But internal auditing’s body of knowledge has been maturing over time. The internal auditor must draw on resources of creativity and imagination to give coherence to a messy set of raw materials and impose order on the auditing agenda.
The challenges facing the internal auditor are magnified in the case of smaller corporate audit departments. Although such corporate auditing functions may have some advantages over their larger peers—less bureaucracy, a more fluid and flexible structure, flatter reporting lines, and close proximity to senior management—tight resources can make delivering a professional internal auditing service extremely difficult.
Moreover, the social downside of belonging to a small audit shop can be substantial. Auditors in smaller departments may find themselves working in isolation, deprived of the exchanges of ideas that occur in larger work groups, which provide an environment more easily conducive to mutual reassurance, inspiration, and learning.
Professional Standards
Public accountants that move into internal auditing find themselves swimming in waters of a different color. They may find themselves at a rather awkward junction of overlapping jurisdictions, caught between the standards of their professional association, their corporate loyalty and confidentiality, the dictates of in-house procedural manuals, the methodologies of external consultants, and even the literature of internal auditing. One frequent response to this bewildering proliferation of sources of authority is for the internal auditor to create an idiosyncratic framework to operate in, possibly deciding to defy the pronouncements of professional associations like the Institute of Internal Auditors (IIA). Although the CPA internal auditor owes no formal obligation to the IIA, neglecting pre-existing thinking on internal auditing that reflects the accumulated wisdom of several decades would be unwise.
The IIA’s Professional Practices Framework (PPF) has a threefold structure. The first part deals with ethics and standards, which are mandatory guidance for IIA members. Second, practice advisories offer nonmandatory guidance and advice on the best auditing practices. Third, and perhaps of most relevance to the CPA internal auditor, are the development and practice aids that cover educational products and research literature.
Credibility of Organizations
The importance of establishing a solid basis for an internal auditing function within an organization cannot be overstated. For day-to-day matters, the internal auditor may report to a senior executive of sufficient authority and credibility, possibly the CEO. The internal auditor’s main reporting line is generally the main board or “top table.” Auditor access to the main board is normally achieved through the audit committee. Establishing a firm basis in an organization, however, goes beyond the formalities of audit committees and reporting lines.
The CPA internal auditor should also be concerned with mechanisms for locking the auditing function into the organization’s informal networks. These alternative, semi-hidden structures form a separate, complementary entity within an organization. A conversation in the canteen or whispered gossip at the photocopier can be as informative as details divulged at formal meetings. What happens in the corridor before and after a control self-assessment workshop can be as important as what takes place in the workshop itself. Members of the audit shop should, therefore, strive to keep close to the heart of their organizations.
Such close involvement with the organization is essential on several grounds. On an immediate and practical level, the internal auditor needs to implement the recommendations arising from reviews as well as the cooperation of colleagues in their organization. Colleagues are a good source of information on risks and potential control weaknesses. When areas for improvement are identified, these same individuals can provide invaluable input. And we cannot overlook the indisputable fact that fraudulent activity is often brought to the auditor’s attention through informal channels, tip-offs, and whistle-blowing. The CPA in public accounting is surrounded by like-minded colleagues, but the internal auditor’s role in a corporation may be a lonely one. Participation in the life of an organization is a good way to avoid the sort of corrosive suspicion that often hampers internal audit activities.
The Audit Charter
A well-drafted charter is another crucial ingredient in a successful internal auditing function. The charter is more than just a mission statement; it is a formal statement of its duties and the scope of its activities. It may also define access to the information (documents, records, systems, and personnel) necessary to perform and reach conclusions on the work, and it is a vehicle for asserting that there are no unreasonable limitations on the scope of the audit work. The charter should clearly identify and record any limitations.
The charter is a dynamic, living document that needs to be adapted to reflect the environment. Regular revision of the charter is essential over time. Factors that may influence audit activities, and by extension the audit charter, include developments in corporate governance and advances in auditing technologies and methodologies, such as the increasing emphasis on risk assessment and real-time auditing.
Performance Monitoring
Internal audit departments should cut administration to the bone, keeping only those who are essential. One essential area is the administration that monitors the performance of service delivery. A self-evaluation of performance and proficiency normally implies the use of performance metrics. Commonly used measurements include the following:
Auditing inputs:
Auditing processes:
Auditing outputs:
Whatever measurements are adopted must be pursued consistently to be meaningful. The implications of performance indictors must be acted on once areas of potential corrective action become clear, which may be achieved by setting tolerance limits for a particular measurement so the auditor can take corrective action as soon as there is evidence of slippage.
Qualitative assessments can also be useful, covering areas such as audit committee feedback on the quality of internal auditing, and the results of customer satisfaction questionnaires. External assessment in the form of peer review or benchmarking data with other auditing departments can also be valuable.
Risk Assessment
Despite the immense labor undertaken by many internal audit departments, one sometimes wonders how much thought has been put into the rationale underlying the department’s activity. One way to systematically guide audit activity is to use risk assessment. It is almost impossible to envision a corporate audit department operating successfully today without the underpinning of a rigorous risk assessment philosophy. In the December 1998 Internal Auditing, David McNamee and Georges Selim, prominent figures in internal auditing theory, assessed the situation as follows:
Internal auditing … has passed through two dominant paradigms and is poised on the edge of a third. The first internal auditing paradigm focused on observing and counting … [Later,] a new concept of the system of internal control changed the internal audit paradigm from a focus on reperformance to a focus on controls. We are at another crossroads today, and a third paradigm for internal auditing is emerging, based on auditing the business process through a focus on risk.
Corporate risk is a widely discussed topic with a rich, though confusing, literature. Risk assessment in the context of internal auditing may be defined as a systematic review of the risks facing an organization (i.e., the likelihood of adverse conditions or threats to an organization’s objectives and goals), and a definition and prioritization of ways to address such risks. Audit shops may adopt a risk management paradigm based on the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to facilitate their risk assessment exercise review. The results of the review exercise should drive the audit plan, determining the scope and nature of the audit work to be undertaken.
In organizations where risk assessment has not matured as a corporate process, the internal audit department might find itself a pioneer. This can be beneficial in raising the profile of the internal auditing department and can also enhance corporate governance procedures. Nevertheless, the internal auditor may face challenges deriving from the size and complexity of the risk assessment task. The auditor should research the topic well, and adopt an approach that doesn’t overtax its resources. Because the balance between compliance and consultancy is at the heart of all internal auditing schedules, a risk-based audit plan should always consider the need to adequately cover the entire auditing universe. It may be necessary to combine risk-based methodologies with a certain amount of cyclical or rotational work in fundamental areas. This balancing act faces any internal auditor, but for small audit departments in particular, decisions on resource allocation can be crucial to success.
Relations with External Auditors
Both external and internal auditors recognize the benefits of a cooperative relationship. These benefits can include joint audit planning, the mutual exchange of audit reports, and the use of complementary methodologies and software tools. Above all, sharing the knowledge of the organization and its risks should encourage more focused planning by both sides, as well as eliminate duplicated work in overlapping areas of responsibility.
Some activities will remain the exclusive field of either the internal or external auditor, but in some cases mutual assistance can be more efficient. For instance, if an organization has subsidiaries around the world, the two sets of auditors could establish a shared program of visits to the operating units to ease the burden of visiting all the entities. Internal auditors could perform periodic or annual inventory reviews that external auditors could also use, thereby saving an organization external audit fees. Of course, the internal auditing contribution to the partnership must be credible for the external auditor to rely on this work.
Using external providers of internal auditing services. Small internal audit departments may not be able to fully cover their own organizations. When tight resources overstretch the internal audit staff, external support may be the answer. In a one-person internal audit group, the auditor might coordinate the outsourcing of most of the day-to-day auditing work to external suppliers. At the other extreme, only one aspect of the auditing work, such as a technical systems review, might be outsourced.
The following list summarizes some of the main advantages and disadvantages of relying on external support:
Advantages:
Disadvantages:
In addition, there are growing regulatory restrictions on and disclosure requirements for the use of internal auditing services provided by external auditing firms. Finally, it is worth drawing attention to the potentially dangerous overreliance on external support: Internal auditing departments must ensure that their organizational status and independence are unimpaired by relationships with external service providers. The internal auditing department is responsible for the quality of all audit work, and it cannot let external consultants make executive decisions. To help prevent any potential imbalance between the two, the nature of any service provided should be formally stated to ensure appropriateness and clarity.
Making the Leap
A training in public accounting is perhaps the most solid foundation for the internal auditor, yet to assume that the transition is simply a case of applying existing skills elsewhere oversimplifies the case. Successful internal audit departments are staffed with experienced, empowered, and innovative self-starters, capable of displaying sharp business acumen. They proactively manage customer expectations, embrace time-saving technology by cutting administration, set clear productivity goals, and actively search for the principles behind the best professional practices.
The internal auditor can mold the internal audit function to their liking. Faced with the bewildering avenues of potential action, it is worth bearing in mind one of the postulates of auditing, articulated 40 years ago by pioneering philosophers in the field, that the existence of satisfactory systems of internal control eliminates the probability of irregularities. This is perhaps the one beacon of truth to hold aloft, whatever approach to internal auditing is taken.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
Visit the new cpajournal.com.