Internal Control Systems for Auditor Independence

By Carolyn L. Lousteau and Mark E. Reid

In Brief

Design Controls to Enhance Independence

In 1999, the SEC disclosed numerous violations of auditor independence. Given the important role that auditors play in the financial reporting process, this discovery generated a great deal of attention in the financial media and spurred consideration for stricter independence rules that also dealt realistically with the organization of contemporary society. With the benefit of hindsight, however, the actual cause of the independence problems generally was not wanton disregard for the rules. Rather, internal control problems may have caused many of the violations. In this article, the authors examine the independence rules of the SEC and the AICPA, along with the role that internal control procedures could play in the process of maintaining auditor independence.

In 1999, the financial community was shocked to learn that the SEC had charged one of the Big Five accounting firms with numerous violations of auditor independence. Many observers assumed that most of the violations were the result of the merger that had created this Big Five firm. However, it was discovered that more than half of the violations had existed in the legacy firms. The question on everyone's lips: What happened?

Much of the sensationalism surrounding this case was tempered by the SEC’s final report on the internal investigation of the merged firm, released in 2000 (see www.sec.gov). While the investigation reported thousands of violations, it also revealed that many violations had been counted multiple times. For example, if a firm member made a prohibited investment in the names of several different family members, each investment was counted as a separate violation. Furthermore, the report revealed that, in most cases, the violations were not intentional. The violations were typically traceable to weaknesses in the internal control systems that tracked employees’ investments. Many of the violations occurred because individuals experienced difficulty in discovering on a timely basis which companies were audit clients.

SEC Independence Rule

The SEC issued a final rule on its revisions to auditor independence requirements on November 21, 2000, which went into effect on February 5, 2001. The AICPA has also recently published revisions to the Rule of Conduct 101. Both revisions emphasize an “engagement team approach” in determining independence. (The full text of the rule is available at www.sec.gov/rules/final/ 33-7919.htm. The AICPA revisions are available at www.aicpa.org.) The Sarbanes-Oxley Act of 2002 enacted additional auditor independence requirements, for which the SEC is currently in the rule-making process.

The SEC requirement for auditor independence originated with the Securities Act of 1933 and the Securities Exchange Act of 1934. Beyond the basic conditions listed in Regulation S-X (Rule 2-01), over the ensuing years the SEC has elaborated on the requirements through rules revisions, interpretations, and examples. Current information about the SEC’s positions and concerns related to independence are available at www.sec.gov under Information for Accountants.

The SEC’s test for independence relies heavily on the perceptions of a “reasonable investor” in possession of all “relevant facts and circumstances.” If that investor would perceive an auditor as having either a mutual or a conflicting interest with an audit client, or lacking objectivity and impartiality in judgment, then independence is compromised. Since investor perceptions are at issue, independence must exist in both fact and appearance.

To aid in determining independence, the SEC has characterized auditors’ financial interests in a client as direct or indirect. All direct financial relationships with an audit client, the audit firm, or a member of the firm, are prohibited during the period of the engagement or at the date of the report. Under the SEC’s Financial Reporting Release 10, a member of the firm is any “professional employee having managerial responsibilities in the engagement office” or in any other office of the firm that is a substantial participant in the audit. Partners and other principals are considered members of the firm.

Indirect financial relationships with a client or its affiliates are prohibited on the basis of a materiality test. The materiality test is “made primarily with reference to the net worth of the accountant, his or her firm, and the net worth of the client,” with 5% of net worth generally being the threshold for materiality. Determining precisely what constitutes an indirect financial interest, however, is the more difficult problem. Some interests that appear to be indirect in nature are treated as direct relationships by the SEC. In general, if a firm member has any degree of control over a financial interest in a client or related party, the appearance of independence would probably be compromised.

AICPA Rules

The independence rules of the AICPA are similar to those of the SEC in many respects. The following are some significant differences between the AICPA’s independence rules and the SEC’s:

Other differences between the AICPA and SEC rules include the scope of services permitted without impairing independence and the allowable financial interests in nonclients having investor or investee relationships with an audit client.

Although differences in the independence rules as applied by the SEC and the AICPA have been reduced somewhat by the SEC’s and the AICPA’s recent revisions, it is imperative that accounting firms (both those dealing with SEC and those dealing with non-SEC clients) have internal control systems that ensure that independence is maintained under both sets of standards.

Internal Control for Independence

The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 1992) identified one purpose of an internal control system as providing reasonable assurance that an entity complies with “applicable laws and regulations.” Effective controls can be developed with different purposes, including directive, preventive, compensating, detective, and corrective (see the Exhibit).

The SEC’s recent revision of its rule on independence advocates the use of a “quality control system” by accounting firms to ensure auditor independence. Incorporated in the rule is a list of eight elements that would be a necessary part of a firm’s quality control system. While firms are not required to adopt such a system, many will desire to have a quality control system in place to take advantage of a limited exception provision that covers inadvertent noncompliance with the independence rule.

Directive controls. Directive controls relate to policies and procedures put in place by top management to promote compliance with independence rules. Although a firm may have policies and procedures designed to ensure independence, the SEC’s report on the merged firm’s independence viloations indicated that policies and procedures do not always work as intended. The SEC report noted that sometimes the independence policies of the merged firm or the legacy firms were actually more stringent than either the SEC or AICPA rules. Yet, lapses still occurred.

To ensure compliance with directive controls, a clear, consistent message from management that policies and procedures are important must permeate the organization. As a number of the offending members at the merged firm pointed out, their busy schedules caused them to pay insufficient attention to the independence policies and procedures. Not only must the firm ensure that firm members have the time to pay attention to independence requirements, firm members must perceive the policy as being of sufficient importance to warrant their time. Top management may emphasize the importance of independence policies either by rewarding exemplary conduct or by zero-tolerance policies for violation.

Preventive controls. Preventive controls relate to measures taken by a firm to deter noncompliance with policies and procedures. Very few of the merged firm’s instances of noncompliance with the independence rule appeared to be deliberate. Rather, the reason given most often by firm members for an independence violation (over 3,500 instances) was “a failure to check the lists of entities for which independence was required.” Additionally, in more than 1,500 instances of the merger violations, members cited “a lack of understanding of the relevant independence rules” as the reason for their noncompliance. According to the report, there was little formal education on independence issues. These findings suggest the most basic preventive control for maintaining independence: formal programs of education and training.

Firms should have continuing review and training sessions that include ethics, independence rules, and firm policies and procedures. These sessions should be mandatory for all professional employees, regardless of their level in the firm. If firms maintain an electronic database of their client list, review and training sessions should include hands-on training in accessing this database. Firms maintaining a printed list of clientele should include information about its location and use.

While most accounting firms provide training in policies, independence, and ethics to new hires, firms should also take care to require review in these areas in subsequent years. People tend to forget details when they are not required to recall them frequently. Continuous reviews of independence and ethics issues are important if firm members are expected to comply with detailed rules.

Another preventive measure is to make the materials and tools used in compliance accurate, efficient, and useful. Although the merged firm had a computerized database of restricted entities, “numerous” partners interviewed for the SEC report had difficulty in locating the names of prohibited entities in the database. If a company name were entered in a very specific and slightly incorrect manner (for example, the omission of a comma), the search function would simply indicate no matches. Difficulty was also encountered in the case of mutual funds, for example, because the name in the independence list sometimes varied from the name as it appeared on account statements.

While many database programs are available, searches can often be difficult and produce inaccurate results for a variety of reasons. Most database programs can be made more helpful, however, with the addition of customized menus and instructional screens. Given the importance of independence, a public accounting firm should do whatever is necessary to make its electronic client database as fail-safe as possible.

Regardless of whether a firm maintains a printed list of clientele or an electronic database, the firm should be diligent in updating such lists. These lists also need to be readily accessible to professional employees. Printed list accessibility would be enhanced if multiple copies were available in a central location, such as the firm's library. Having several copies of the client list can provide quicker access and may lead to fewer inadvertent compliance failures.

Professional employees should be required to attend independence reviews on a regularly scheduled basis. Tests conducted at the end of training sessions can provide evidence of any weaknesses in a training program, so that improvements can be made. Additionally, test results can also be used in determining the frequency needed for attending independence training.

Compensating controls. Compensating controls are intended to make up for a lack of controls elsewhere in the system. For example, firms with an electronic database could maintain a hard copy of the client list in the office library. Such a list would compensate for downtime in electronic systems and difficulties in locating client names in an electronic system. While the list would have to be reprinted from time to time to add new clients and delete ex-clients, memos sent immediately advising firm members of new clients would mitigate some of the obsolescence that exists with hard copies.

Detective controls. Detective controls are aimed at uncovering problems after they have occurred. Random checks of compliance could be performed by a firm as a detective control. Although necessary in a good internal control system, detection of an independence violation after the fact is less desirable than prevention in the first place. Detective controls rarely work well as a deterrent in the absence of severe penalties.

Corrective actions. When violations of independence are identified, some corrective action is required. This could entail counseling and additional training on independence, with more severe disciplinary action in cases of continued noncompliance.

While there is room for all types of internal control procedures in a CPA firm, directive and preventive controls are clearly the most useful. Once there is a suggestion that a firm is lacking independence, a great deal of time and energy is spent answering those charges and rehabilitating the public image of the firm.

Safeguarding Independence

Public confidence in the U.S. capital markets relies heavily on the appearance of auditor independence. While public accounting firms may have policies and procedures in place to ensure the independence of firm members, such policies and procedures are only as good as the compliance rate.

As the SEC report indicates, even large firms and senior firm members are not immune to breakdowns in the internal control system governing independence. A strong internal control system consisting of directive, preventive, compensating, detective, and corrective controls must be maintained by all public accounting firms in order to maintain the prerequisite independence necessary for the good of all parties.