Good Internal Controls and Auditor Independence
By Mary Locatelli
Enron’s auditors have paid the ultimate price for their role in the bankrupt company’s failure. Andersen, if it survives at all, will be a mere shadow of its former self. When the dust settles, thousands of innocent partners will have lost much, if not all, of their life savings and even more employees will have lost their jobs. Some say this was necessary to reform the system and restore confidence in financial reporting. This may be true. Renewed confidence, however, will depend on adopting new practices that are responsive to the problems—not knee-jerk reactions designed to be seen as “doing something.”
Auditor independence, or the perceived lack thereof, is a major focus of the Sarbanes-Oxley Act of 2002. Many have suggested that auditor independence has been impaired because outside auditors are hired and paid by the company they are charged with auditing. And generally, it is the person most involved in the company’s financial records, the CFO, who has had primary responsibility for hiring and retaining the outside auditor. The Sarbanes-Oxley Act requires that the audit committee be “directly” responsible for appointing, determining compensation, and overseeing the work of the outside auditors. This is a positive step and should improve auditor independence as long as audit committees take their responsibilities seriously and do not delegate them to management.
The act also attempts to deal with auditor independence by addressing so-called nonaudit services. The fact that Enron paid Arthur Andersen slightly more in nonaudit fees ($27 million a year) than it did in audit fees ($25 million a year) strikes many as strong evidence that Andersen could not have been independent. The fear of losing such large consulting fees, they say, may have caused Andersen to be less skeptical when faced with evidence of financial shenanigans by Enron management. The fact that Andersen’s consulting services included internal audit services strikes a particularly sour chord. As a result, Sarbanes-Oxley specifically prohibits public accountants from performing certain nonaudit services for their audit clients.
I am unconvinced that a blanket prohibition on public accountants performing certain nonaudit services is helpful, and concerned that it may actually have unintended negative consequences. The lack of an effective internal control structure, rather than a lack of auditor independence, is often the more serious
Attempts to address auditor independence through a proscription on public accountants performing nonaudit services do not address the perceived problems. Two services—internal auditing and financial information services consulting—receive further consideration.
The discussions of business and audit failures reveal a lack of understanding of internal controls. In the case of Enron, there has been some discussion of internal control procedures as they relate to specific board-mandated transaction review requirements. The fact that Andersen performed internal audit work for Enron has led some to believe that therefore Andersen must have known what was going on inside Enron.
These elusive references to internal controls are what resulted in the ban on CPA firms performing internal audit services for a company whose financial statements they audit. The rationale is that a CPA firm which performs both functions for a company compromises its independence, making it impossible for it to adequately fulfill its public reporting responsibilities. In my view, this misses the point.
Internal audit work is significantly different from audit work related to certifying a set of financial statements. I believe a different skill set and auditor availability, rather than a lack of independence, are what contribute to ineffective internal audit work on the part of external auditors. I also believe a failure to understand the root cause of the problem will lead to an ineffective solution.
What are internal controls? The confusion stems from a lack of understanding of internal controls. The general assumption is that external auditors are experts in this area. External accountants often do evaluate internal controls, but what is not commonly understood is that such review is limited. An external auditor’s primary purpose is to express an opinion on a company’s financial statements. To the extent that a review of certain controls can further that purpose, external auditors include such a review within the scope of their work.
Two points are worth considering. First, in some cases an auditor may find it more cost-beneficial to audit specific financial transactions and avoid any reliance on controls. This is perfectly acceptable, but it results in no independent external look at controls.
Second, external auditors are primarily concerned with financial controls, which are only one of three important control areas, the others being operational and administrative controls. External auditors generally don’t include these other control areas within the scope of controls reviewed for the financial statements. Such control areas are included in the scope of work performed by internal auditors. The question is, what, in their experience as external auditors, qualifies public accountants to perform internal audit procedures in these areas?
For example, in assessing the adequacy of financial controls over loan origination, an external auditor would look at a sample of loans to ensure that they were approved by an appropriate manager. For larger loans, particularly larger delinquent loans, the external auditor would also assess the prospects that the bank would ultimately collect the loan. In addition to checking approvals and assessing collectability, a good internal auditor would reunderwrite the sample loans, review the loans to ensure that underwriters were following board-approved guidelines, and assess the effectiveness of the underwriting decision. In addition, she would look at underwriter hiring and training processes to assess the competence of the underwriting staff. The internal auditor would also look at any incentive compensation systems to ensure that they were compatible with bank objectives.
Not only are the various types of controls different, the approach to auditing those controls differs as well. In general, the scope of an external audit is much more defined and closed-ended, while the scope of an internal audit is broader and more open-ended. External auditors focus after the fact on a distinct event (a set of financial statements) and ask the question “What, if anything, went wrong?” On the other hand, internal auditors focus on an ongoing process and assess risks and controls to answer the question “What could go wrong?” While one can develop the skills to perform both types of audits, experience in one doesn’t imply competence in the other.
In addition to the different skills required of external and internal auditors, another problem is that outsiders are not insiders. A good internal audit staff will develop valuable working relationships with employees at all levels throughout the company. If the internal auditors are on site full time, those relationships grow stronger and employee concerns are likely to surface more readily and can be addressed in a more timely fashion. Not only are external auditors not generally on site full time, the AICPA code of ethics precludes external auditors from being connected with a client in a capacity similar to that of an employee. As a result, a good in-house internal audit staff is better able to identify issues and reallocate its resources throughout the year to those areas that present the greatest risk.
Why do companies outsource? Most companies say they outsource their internal audit staffs to save money, but I believe the real reason is one of value. Many companies turn to external auditors to perform internal audit work because they are dissatisfied with their internal audit staff, and often have no idea how to improve their performance.
Many senior executives and board members, including many members of audit committees, have only a superficial understanding of internal controls. In-house internal audit departments bear much of the responsibility for this lack of understanding. A good internal audit department will educate senior executives and board members on the importance of controls and on designing an effective internal control structure. Absent an effective in-house department, and with a superficial understanding that equates external auditors with controls experts, management and the board often make what they think is a good business decision to hire outside experts to perform the internal audit function.
Improving the control structure. The solution begins with senior corporate executives and corporate boards developing a better understanding of and appreciation for internal controls. Controls should be viewed in a positive light, as reinforcement designed to help a company achieve its goals and objectives, not as an onerous requirement unrelated to the company’s business. A good internal control structure starts with the tone at the top—the board and senior management. They must make controls a central part of the company culture and communicate that culture to everyone in the rest of the organization. In fact, failure to set an appropriate tone at the top may have been Kenneth Lay’s and the Enron board’s major failing. A company without active board and management interest and support, regularly communicated to the rest of the organization, is unlikely to have an adequate internal control structure.
Of course, it isn’t enough to talk the talk: The board and senior management must also walk the talk. The fact that the Enron board waived the company’s conflict of interest policy to allow its CFO to invest in the corporation’s special purpose entities (SPE), then failed to follow up to ensure the mandated compensating controls were being adhered to, is an example of not walking the talk. It is easy in situations like that for management and employees alike to conclude that controls are just not important. For controls to be effective, senior managers must consider the design of an effective control structure to be a central part of their jobs. To that end they must identify the major risks facing their operating areas and develop control practices and procedures for employees to follow during the normal course of performing their duties to minimize those risks to an acceptable level. They also must design management review procedures that regularly verify that employees are following the required control practices.
A company’s employees are the first line of defense in ensuring that policies are followed and business transactions are entered into and recorded in accordance with management’s intent. Employees must believe that the company expects them to operate ethically in performing their job-related duties. Internal or external auditors, even if they’re performing their roles adequately, cannot prevent fraudulent transactions that have the blessing of unethical employees, particularly senior employees.
The second line of defense in the control environment is management review. The way management ensures that employees are following its control dictates is by establishing regular management review requirements for significant transactions and a sample of other transactions. A company is headed for trouble if it relies on its internal or external auditors, who may spend only a few weeks each year in any particular business unit, to ensure the effectiveness of its controls.
For both lines of defense to be effective, audit committees must hold senior management accountable for their roles in the internal control structure. Top managers should periodically report to the audit committee on the state of the control structure in their operating areas. Committees should consider requesting such managers to submit annual attestations on the adequacy of the portion of the control environment for which they are responsible, thereby underlining the importance the committee attaches to internal controls and making clear the committee’s belief that the control environment is a critical part of each executive’s job.
The company must also take positive steps to develop its third line of defense: an effective in-house internal audit function. It isn’t enough to throw up one’s hands, hire so-called experts, and then plead ignorance when things go wrong. Senior management and the audit committee must hire competent internal audit leadership. The head of the internal audit department should be part of the senior management team. To avoid conflicts, this position should report directly to the audit committee and administratively to the CEO.
Like senior management, audit committees must hold internal auditors accountable. They should ensure that significant risks are appropriately identified and controls adequately assessed. They should also require written, understandable reports that describe significant risks and the related control structure; identify the scope of work; report identified issues; and make recommendations. The practice in many internal audit reports of listing the areas audited and the number of exceptions noted is not sufficient. An audit committee member who doesn’t understand a report should persist until he does. To complete the circle, the committee should insist that management responses to audit recommendations be part of the process, either in the reports or separately. Auditors should be required to follow up and report back to the committee on the progress made toward resolving significant issues.
Banks have been reporting on internal controls for some time now, and the Sarbanes-Oxley Act extends that reporting requirement to all companies subject to its provisions. In my experience, however, the knowledge and interest of the audit committee members, not a legislative mandate, are what make internal control reporting effective. To that end, I’m disappointed that Sarbanes-Oxley, in discussing audit committee member qualifications, refers only to internal “accounting” controls.
Financial Information Systems Consulting
There are two types of controls: those that prevent bad things from happening (or those that ensure things go right), and those that detect bad things once they have happened. The advent of information systems has made prevention not only more effective but less costly than after-the-fact detection. To take advantage of their cost effectiveness, preventive system controls are best designed and implemented as part of new systems.
This may seem straightforward, but systems technicians generally have little knowledge of or appreciation for the types of controls that companies would find valuable. They will seldom recommend controls as part of their installations and can be quite pessimistic when modifications are requested. It takes someone knowledgeable about both systems and internal controls to ensure that a new system installation has adequate controls.
Unlike general internal audit services, which are best performed in-house, new systems development issues usually require resources beyond most internal audit staffs. With the possible exception of those at very large companies, in-house audit staffs cannot afford to hire and retain the expertise necessary because the limited work available for each specialist would render full-time employment uneconomical.
A more sensible approach is to hire systems control experts from a company that has the economies of scale necessary to create a stable of talent. The consulting arms of large CPA firms are a prime source. Working under the direction of in-house internal auditors, such consultants can ensure that appropriate preventive controls find their way into company information systems. Precluding CPA firms from performing such work on the behalf of internal staff could mean that systems would be implemented without these controls, resulting in weaker overall internal control environments.
No empirical or anecdotal evidence indicates that performing systems consulting work impairs an external auditor’s independence. This claim is merely inferred from the fees involved. Some argue that, on the contrary, understanding how a company’s systems work makes the external auditors more efficient and better able to develop systematized audit procedures. I would maintain that companies should be encouraged to hire the best systems consultants they can find. The independence issue is best resolved by knowledgeable audit committees that are more involved in hiring and monitoring the work performed by consultants.
Short of turning over the responsibility of auditing financial statements to a government entity, the best way to enhance auditor independence is to strengthen audit committees and give the committees more responsibility, including the hiring and firing of the outside accountants (as Sarbanes-Oxley now requires). Committee members must be sufficiently knowledgeable to perform their tasks and must not delegate them to company management.
Currently, audit committee members must be “financially literate” and at least one of them must have “accounting or related financial management expertise.” Sarbanes-Oxley adds the requirement that companies disclose whether at least one of their audit committee members is a “financial expert.” I don’t think this goes far enough. The prerequisites should be changed to require all audit committee members to have significant accounting, auditing, finance, or legal expertise. General management responsibility without direct involvement in one of those areas should not be sufficient.
Significant accounting, auditing, finance, and legal expertise are essential qualifications for audit committee members so they won’t be intimidated or overwhelmed by the complex issues that may be presented to them. In addition, members with such qualifications are more likely to ask management the probing questions necessary to ensure an understanding of the substance of the issues brought to their attention. For example, members with accounting and auditing experience will be better able to review companies’ accounting for reserves, an area that has been the subject of numerous SEC probes. And such members will be better able to effectively judge the performance of both internal and outside auditors. Finally, adding legal expertise to audit committees would assist committee members in understanding the complex organizational and transaction structures that many companies now employ.
When Things Go Wrong
The issue of auditor independence is often a red herring that draws attention away from the internal control environment. Executive management often does not take internal controls seriously, and audit committees often lack the expertise necessary to challenge the effectiveness of a company’s control environment. This lack of appreciation and understanding leads companies to leave controls to outside experts. When something goes wrong, the natural tendency is to blame those experts. When things go horribly wrong, as they have recently, there is a cry to reform the experts.
To the extent that CPA firms allowed companies to believe they could substitute for an effective control structure, they certainly deserve some blame. But the truth is that even the best firms cannot create an effective control environment; only senior management, under the watchful eye of the board of directors, can do that. Companies can start by enhancing the skill set of their audit committee members. Reconstituted audit committees can demand that senior management establish an effective internal control structure—from the tone at the top of the organization, to a commitment by senior management to internal controls, to an effective in-house internal audit presence. And the audit committee can adequately monitor the outside auditors.
The independence conflict attributed to CPAs is no worse than that of investment bankers. The Sarbanes-Oxley solution to the investment banking conflict is better disclosure of the conflict, not a prohibition against otherwise useful services. Likewise, I believe positive steps to improve a company’s governance and control systems would improve the accountability of companies to their shareholders without blanket prohibitions against CPA firms providing consulting services.
In some cases, such services might better be performed by someone other than the company’s external auditor. For example, the skill set involved in internal audit services, as well as an ethics code that precludes CPA firms from functioning in a way that would enhance their effectiveness, favor such services being performed in-house. Prohibiting only a company’s outside auditor from performing internal audit services continues to allow companies to design less-than-optimal internal control structures. For other services such as financial information systems consulting, using CPA firms—even those that also function as a company’s external auditor—may in fact benefit the company.
Independence itself is often not the issue. A more knowledgeable audit committee, not a government agency, is in the best position to judge the effectiveness and potential conflicts of interest.
©2006 The CPA Journal.