A local practitioner's guide to internal audit services.by Braiotta, Louis, Jr.
Typically, a local or regional practitioner's perception of the internal audit function is associated with a large public company. A review of SAS 65, "The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements" (1990), the Report of the National Commission on Fraudulent Financial Reporting (Treadway Commission, 1987), and the Internal Control-Integrated framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), support this observation. Specifically, the Treadway Commission recommended that, "public companies should maintain an effective internal audit function staffed with an adequate number of qualified personnel appropriate to the size and nature of the company."
Notwithstanding this recommendation, many public companies are too small to economically justify such an internal audit function. As an alternative, several local or regional firms are providing internal audit services for publicly held companies.
NATURE AND SCOPE OF INTERNAL AUDITING
As defined by the Institute of Internal Auditors (IIA), "internal auditing is an independent appraisal activity within an organization, established for the review of the accounting, financial, and other operations as a basis for protective and constructive service to management. "An internal auditing group plays a significant role within a corporation since it is a service to management and owners. For example, internal auditors may evaluate the internal control structure as well as review adherence to the company's other policies and procedures.
With the issuance of SAS 55, "Consideration of the Internal Control Structure in a Financial Statement Audit," and SAS 65, the external auditors are also required to consider environmental aspects of the internal control structure, including management philosophy and operating style, organizational plan, personnel management methods, budgeting, the internal audit function, and the audit committee. Thus, auditing pronouncements describe how the work done by internal auditors may serve to reduce the amount of substantive testing performed by the external auditors. This, of course, is contingent upon their reliance on the internal auditors1 contribution to the internal control structure.
It should be noted that SAS 55 uses a broader concept of "test of controls" which includes the external auditors' review of policies and procedures refated to control and detection risk. Hence, internal auditors can assist external auditors with their understanding of an entity's control environment, accounting system, and control procedures. The local or regional practitioner's assistance to the external auditors may provide a stronger internal control environment and lead to greater audit efficiency at minimum cost.
INDEPENDENCE AND OBJECTIVITY
The internal auditing group of an entity is not independent as defined by AICPA rules, since members are employees. An auditing firm retained to perform internal auditing activities, likewise, is not independent with respect to that entity. The internal auditing activity is generally considered to be part of the control environment established by management.
SAS 65 discusses the matter of independence in the relationship between internal auditors and their employers. The IIA's standard for the Professional Practice of Internal Auditing defines internal auditing as an independent appraisal function and requires internal auditors to be independent of the activity they audit. This concept of independence is different from the independence the auditor maintains under the AICPA Code of Professional Conduct. When considering the use of internal auditors' work, the independent auditor obtains and assesses information about the internal auditors' objectivity as described in paragraphs 10 and 11 of SAS 65.
The IIA recommends that the director of internal auditing be responsible to an executive whose authority is sufficiently high in the organization to provide the necessary objectivity and independence. Thus, the director of internal auditing should have a solid-line reporting responsibility to this executive, such as the executive vice president of administration, and a dotted-line reporting responsibility to an independent audit committee.
The director of internal auditing must have free access to meet regularly with the audit committee. Accordingly, this reporting arrangement within the entity's structure helps engender a high degree of integrity in both the audit and the financial reporting processes.
MARKETING INTERNAL AUDIT SERVICES
While a formal internal audit function is common in a large company, it is somewhat unusual for a small company to have such structure. For small companies, a local or regional practitioner is in an excellent position to assume the role of the internal audit department. A partner can perform the role of director of internal auditing. The practitioner's professional staff would serve as the internal auditing group.
The local or regional practitioner can assist the company's management with the establishment of an internal audit function which is tailored to the desired level of auditing coverage. Local and regional accounting firms have substantial experience reviewing and evaluating internal control and operating systems, and many have expertise in a number of selected industries. As a consequence of having another firm perform internal audit services, as opposed to the principal auditing firm, the client receives the following advantages:
* Independent Evaluation. A second look by someone outside the organization can provide new and innovative ideas for improvement.
* Experience. Typically, the firm's personnel will have provided accounting and consulting services for a number of years and have reviewed, tested, and evaluated internal controls and operating systems for many organizations in many industries.
* Industry Expertise. Specialists will often be available for a variety of industries, including manufacturers, wholesalers, retailers, contractors, financial institutions, nonprofit organizations and governmental units.
* Flexibility. Staff possessing the appropriate level of experience can be made available when the work needs to be done.
* Affordable Cost By utilizing the firm's personnel, the cost of a full-time staff is avoided. In addition, the firm's internal audits may be used by the external auditors to reduce the scope of their internal control reviews and testing.
THE COST/BENEFIT EQUATION
It is reasonable to expect that the advantages of having an internal audit function outweigh the costs to the company. Therefore, during the initial interview with a prospective client, it is important to 'effectively communicate the benefits of an internal audit function. Management gains an additional degree of control over the financial and operating policies of the company. An effective internal audit function enhances the objectivity in management's decision-making process and provides a higher degree of integrity and credibility in the financial reporting process. And, more specifically, the key benefits of an internal audit function fall into two major areas, the internal control environment and the financial reporting process.
The Internal Control Environment
The partners and staff of a local or regional firm can provide a number of benefits by participating in or performing the following internal audit activities directly impacting on the internal control environment:
Audit Findings Resolution. Internal control will be enhanced and the full benefits of the external audit received by an internal audit review of the external auditor's management letter with follow-up of managementIs cost/benefit implementation of the recommendations.
* Operational Auditing. Management can evaluate the achievement of its operational objectives through the findings and recommendations of operational audits.
* Risk Assessment Risk assessment procedures can be performed to alert management of financial exposures, potential loss areas, and changes in operational areas. This includes an assessment of business risk and audit risk (inherent risk, control risk, and detection risk).
* EDP Controls and Security Evaluation. Internal reviews of the company's data processing controls, both general and application controls, and security policies, are an important element of the internal control structure. In addition, the internal audit function can use the power of the computer to select and identify transactions for review.
* Management Evaluation. An internal audit function can assist in the valuative process relative to the financial and accounting management.
* Corporate Conduct Development and Enforcement Assistance can be given to management with development and monitoring of corporate conduct policies.
The Financial Reporting Process
Clearly, a prospective client wishes to obtain maximum auditing services at reasonable cost for both the interim reviews and the annual audit of the financial statements. With the adoption of an internal audit function, the enterprise can realize a number of benefits:
* Assistance to External Auditor.. Assistance can be given to the external auditor in gaining an understanding of the internal control structure and assessing control risk. Through a cost/benefit approach, the local practitioner, acting as internal auditor, can demonstrate how his or her firm's tests of controls as part of the internal control structure can help the external auditor assess control risk at less than the maximum and thereby reduce substantive audit testing. The resuit should be lower external audit costs.
* Improved Audit Efficiency. A coordinated effort between the external auditors and the local or regional practitioner will maximize audit resources and provide for greater audit efficiency. * Improved Accounting Policy and Significant Transaction Identification. An active internal audit function can lead to early evaluation and development of significant accounting policies and related financial information, such as the accounting treatment of significant or unusual transactions.
* More Effective Review. With the availability of knowledgeable professionals, the internal review process for quarterly financial statements, annual stockholders' report, and the SEC Forms 10Q and 10K filings can be enhanced.
* Evaluation of Performance of External Auditor. A common role of the internal audit is to assist in the valuative process with respect to recommending appointment of the external auditors. Related activities would be to assist in the review of the scope of non-audit services provided by the external auditors and the related fees.
* Analysis of Impact of Accounting Changes. There may be benefits of an early assessment of the overall impact of proposed new accounting changes on the financial statements.
Preparing for the Presentation to a Prospective Client
The preceding provides a basis for an introductory dialogue with CEOs and CFOs who mav benefit from the internal audit function. To complement this, the local or regional practitioner should stress the potential benefits that go bevond internal control and financial management. For example, the firm's internal audit services can help a company:
* Identify management needs and concerns and areas of risk in non- financial areas within the organization.
* Develop a clear set of objectives and a strategy to meet those objectives.
* Test the level of compliance with present operational policies and procedures.
An example of a summary to present to the prospective client is demonstrated in the experience of one firm:
"Our firm's approach to an internal audit is to identity and concentrate on 'key' areas, those in which there is the greatest possibility of material error or the greatest opportunity for improvement. We carefully tailor our work to meet the objectives of the engagement in an effective and practical manner. We emphasize a business perspective in all phases of our work and make our evaluations and recommendations on a cost/ benefit basis."
Another firm states that they found their internal auditing services to be practical and effective for any size organization.
Internal auditing can be especially useful in specific industries or special circumstances as illustrated in the following areas:
* Audit of regulated entities, such as insurance companies, performed at the request of state insurance commissioners in conformity with National Association of Insurance Commissioners' (NAIC) rules.
* Audit of sales and revenues to verify additional lease payments for landlords.
* Audit of construction cost contracts for buy/sell construction management and incentive compensation arrangements.
* Audit of subsidiaries not within consolidated group for either management, investors, or potential acquisitions with management audit as an important component.
* Audit of certain cost components to determine potential damages due to casualty loss, contract cancellation, or numerous other reasons.
* Directors' examination for banks and savings and loans.
* Lenders' audits of collateral such as floor plan checks, inspection of completed manufactured goods, and tests of research and development expenditures.
* Audits of step-down cost for hospitals and other health care facilities for the management company's incentive compensation and other contractual reimbursement for cost sharing, cost reimbursement and cost improvement campaigns.
PERFORMING INTERNAL AUDIT SERVICES
There are basic steps in planning a strategy for internal audit service that should be oriented toward the segments of the auditing cycle. Typically, the auditing cycle consists of: 1) a preliminary segment; 2) a pre-audit segment; 3) a post-audit segment; and 4) a review segment. The following discussion presents the steps and model agenda for each segment.
First: Preliminary Segment
Although the local or regional practitioner is not the principal engagement auditor for the annual financial audit, he or she should become oriented toward the qualitative characteristics of the client's business and its industry with particular emphasis on its operational characteristics. This also includes a study and review of the functional aspects of the company. Such an overview would include a review and discussion with the CEO and CFO on the following matters: Industry Matters
* Competitive and economic conditions;
* Government regulations; and
* Industry accounting practices.
* Business Matters
* Organizational plan;
* Business location;
* Product distribution;
* Operational aspects;
* Accounting policies and practices;
* Internal control structure; and
* Legal obligation.
External Auditing Matters
* Prior year's annual and interim reports, Forms 10Q and 10K;
* Key documentation, such as the engagement letter, management letter, client representation letter, and lawyer's letters;
* Financial reporting disclosures in both audited and unaudited financial statements;
* Potential conflicts of interest; and
* Tax and management advisory services provided.
Second: Pre-Audit Segment
The next step is to set the stage for the pre-audit segment and address the following points during planning:
* Clearly define the scope of internal audit services via a needs analysis of the annual financial audit and operational audits. This involves access to all auditable areas and coordination with the external auditors' audit plan. Also, a review of the external auditors' management letter and follow-up will provide information for potential operational audits.
* Determine client personnel assigned to assist the engagement,
* Discuss the locations to be audited and past practices related to rotation of auditing activities.
* Review established audit fees.
* Review proposed non-audit services and related estimated fees.
* Discuss significant changes in accounting principles, estimates, and company activities.
* Review new accounting and auditing developments.
* Develop an agreement in principle with respect to a set policy for the internal audit services.
Third: Post-Audit Segment
During the post-audit segment, the local or regional practitioner can provide assurance to a client that the audit policy and pre-audit segment activities were effectively and efficiently executed. This segment preferably occurs near the completion of the financial audit, but prior to release of financial statements. The major objective of this segment is to review audit findings and prepare the annual stockholders' report. The typical agenda items for this segment includes the following:
* Discuss any significant deviations from the coordinated audit plan.
* Review the completeness of financial reporting disclosures with respect to new accounting and auditing developments and significant audit adjustments. This also includes risk areas, uncertainties, and any related-party transactions.
* Discuss significant discovery items in the areas of revenue recognition policies and deferred expense recognition.
* Determine the disposition of any scope restrictions, unresolved matters, or disagreements with management.
* Discuss with management any actual or possible illegal acts or questionable payments.
Fourth: Review Segment
The review segment of an auditing cycle occurs after issuance of the annual stockholders' report. The agenda for this segment usually includes:
* Review of the external auditors' recommendations for improvements in internal control structure (i.e., the external auditors' management letter).
* Review and approval of internal audit services for the following year.
* Discuss the appointment of the external auditors for the following year's audit engagement.
* Discuss the client's accounting and auditing policies relative to current industry practices.
* Review of audit and non-audit fees.
* Evaluate the external auditor's services for the prior year's audit engagement.
Subsequent to the initial audit engagement, the local or regional practitioner could establish, maintain, and monitor the following activities:
* Discuss the overall internal audit policy and obtain approval for continued internal audit activities.
* Review the scope of both internal and external auditing plans to maximize resources allocated to the audit function. This action may help to minimize fees.
* Review copies of key managerial accounting reports and critically evaluate management's response and courses of action taken.
* Review disposition of the recommendations in the independent auditor's management letter.
* Obtain assurance from management that the local or regional practitioner has access to the board of directors and its audit committee and the functional areas within the company.
* Determine the need and authorization for special assignments.
From the preceding discussion, it is evident that a local or regional practitioner can provide important and valuable internal audit services which enable managements of small companies to maintain an effective and efficient internal control structure and engender a high degree of integrity in the financial reporting process.
The author is grateful to James Castellano, CPA, Managing Partner of Rubin Brown Gornstein & Co.; Jacob Cohen, CPA, Partner of Walperr, Smullian & Blumenthal; and Jack Mitchell, Editor of PCPS Advocate (AICPA) for their assistance with this article.
Louis Braiotta, Jr. CPA, is Associate Professor of Accounting State University of New York at Binghamton and he is also author of "The Audit Director's Guide How to Serve Effectively on the Corporate Audit Committee" and co-author of "The Essential Guide to Effective Corporate Board Committees." Professor Braiotta is a frequent contributor to professional journals including The CPA Journal.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices
Visit the new cpajournal.com.