Perspectives

February 2004

Why Internal Auditors Audit

By Peter Hughes

At the risk of offending executives that want an internal auditor who is really more of an in-house consultant or advisor, I must assert the relevance and importance of the internal audit as an independent check and balance on management.

The origins of the internal audit departments for many companies came from the 1977 Foreign Corrupt Practices Act. The SEC and Congress took action after finding out that executive management for a number of publicly held companies paid huge bribes to foreign officials as a way of securing large contracts. The role envisioned for internal auditors during the creation of the Foreign Corrupt Practices Act was one of double-check on management and not one of advisor or in-house consultant.

Back in 1977, with scandals still fresh in the public’s memory, the value of the internal audit was obvious to the SEC, the public, management, and investors. Internal auditors didn’t need elaborate mission statements, nor did we have to continually justify our existence to management. Internal auditors were “watchdogs,” plain and simple. During the 1990s, however, it became unfashionable to be a check and balance on management. This attitude persisted despite the Treadway Commission’s finding in 1987 that material fraud often begins with the CEO or CFO. The pressure from several CEOs and boards of directors to de-emphasize audits of sensitive and high-risk areas and to refocus on advising management on ways to increase the bottom line came at a cost.

The accounting misrepresentations and the alleged self-dealings of top executives at Enron, WorldCom, and Global Crossing have cost stockholders tens of billions of dollars. In the ’90s, just as in 1987 per the Treadway Report, most large frauds occured at the CEO and CFO level. Hence the importance and value of a truly independent and well-supported internal audit department that evaluates high-risk activities, especially in areas under the direct purview of top executives.

Unfortunately, during the high-flying ’90s, checking up on top management fell out of vogue. In this kind of atmosphere, many auditors presented themselves as “in-house consultants” or “advisors” to management in order to survive. With this retreat from the original purpose of internal auditing, it should come as no surprise that there was a rash of recent corporate fraud of such a magnitude as to bankrupt billion-dollar multinational corporations.

Our auditing standards require us to maintain “professional skepticism” for a reason. Human nature is still subject to temptations such as greed. As CPAs, we are neither to assume that management is dishonest nor assume unquestionable honesty. Moreover, we are required to obtain “persuasive evidence” to support any belief in management’s honesty as it regards any business issue or activity. And we are to do so each and every audit, for each and every issue.

If management wants to know what value traditional auditors add to the company, just look at the billions of dollars that could have been saved, the tens of thousands of employees that would still be working, and the retirements that would be secure if Enron hadn’t gone bankrupt. Furthermore, all of the corporate scandals that have been revealed to date involve exactly the kind of questionable and unethical practices that internal auditing was created to find and bring to light.
Internal auditing cannot be evaluated in the same way other business functions are. A simple formula cannot justify the “value” of a strong, independent internal audit department. If internal auditors don’t double-check, audit, or look over the shoulder of management on behalf of the common stockholder, who will?

Nonetheless, internal auditing cannot be effective unless it is able to audit all of the activities, decisions, and pet projects of the CEO, CFO, and other top executives. It is time that the audit committees quit undermining the internal auditors by having them report to the CEO or CFO, the most likely originators of fraudulent practices. The internal auditor should report both functionally and administratively to the audit committee.

Over the years, my colleagues and I have found the professional standards promoted by the Institute of Internal Auditors (IIA) to be useful in predicting and ensuring the effectiveness, if not vitality, of internal audit departments. The success of any internal audit function starts and ends with independence. Without exception, I have found that the most important factor in the effectiveness of internal auditing is its organizational status. The higher the level in the organization the internal auditor reports to, the more effective she can be in exerting independence in both selecting the areas to audit and drawing conclusions therefrom. An auditor that is independent from retaliation will be more likely to audit high-risk areas regardless of who oversees them.

Blue Ribbon Best Practices

My experience as a peer reviewer has led me to 10 internal audit best practices that can predict the effectiveness of the department. Any department that has adopted six or more of these best practices will be in full compliance with the standards for the professional practice of internal auditing.

These best practices were selected because of their proven, not theoretical, effectiveness by an informal panel of five experts in the field of internal auditing. These experts had worked for the Defense Contractor Audit Agency, the IRS, Fortune 500 corporations, governmental agencies, states, counties, cities, universities, and public accounting firms. Cumulatively, they possessed over 200,000 hours of audit experience.

Any organization that truly believed in what it asserts in its audit charter would voluntarily adopt every one of these 10 best practices. These 10 provisions would truly insulate internal auditing from organizational and executive pressure to subordinate their professional opinions and independence regarding the ethics, propriety, and soundness of organizational practices and activities.

I recognize that these best practices will, on their face, threaten many organizations and executives because, once they are in place, the internal audit department will have the independence that helps ensure that institutions live up to the promos in their brochures regarding ethical behavior and their commitment to such practices. Over the years, the panel has found that the level and degree of resistance mounted against the adoption of such provisions is a bellwether of the true attitude of boards and executives.

The panel is appreciative of this fact and understands why many internal audit departments have to ease their way into an organization and at times conform to its group dynamics. Furthermore, without the insulation of a no-cut contract, many internal audit directors have, and will continue to, put themselves in harm’s way when asserting their chartered independence. An informal survey completed by this panel noted that over a third of the internal audit directors queried had been pressured to leave their position, due to being either the bearer of bad news or the pursuer of information that was thought to be detrimental to top executives.

Unfortunately, many organizations parrot support of the independence and objectivity of their internal audit department, yet knowingly and calculatingly continue to put directors in harm’s way whenever they buck the system. The fact that many senior and seasoned directors of internal audit have been forced to leave for merely doing the job they were hired and chartered to do is alarming, and explains the recent rash of corporate scandals.

All the above underscores the challenge facing organizations to “walk the talk” and truly support the independence and objectivity of their internal audit departments. If organizations really do mean what they say about supporting a strong internal audit function, then these best practices are available for adoption today.


Peter Hughes, PhD, CIA, CITP, CFE, CPA, is the audit director for Orange County, California. Orange County adheres to every one of the blue-ribbon best practices. Readers that wish to share their experience with other organizations that comply should e-mail him at Peter.Hughes@gov.com.
This Month | About Us | Archives | Advertise| NYSSCPA
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2004 CPA Journal. Legal Notices

Visit the new cpajournal.com.