Mobile Edition
Print
Get the Mag
Weekly UpdatesAbstract
In the wake of the major accounting scandals, internal auditing has emerged as a powerful force in promoting effective controls, risk management, and governance in U.S. companies. This article highlights recent internal audit-related problems that were revealed in SOX Section 404 reports and offers specific recommendations for building an effective, value-adding internal audit function.
Introduction
Since the major accounting scandals in 2001 and 2002, as well as the passage of the Sarbanes-Oxley Act of 2002 (SOX 2002), the internal auditing profession has experienced unprecedented growth and prominence. Internal audit budgets, staffing, and boardroom exposure have increased (Carcello, Hermanson, and Raghunandan 2005), and the Institute of Internal Auditors (IIA) has seen an explosion of membership and interest. In fact, one prominent CFO stated, "[Internal] auditors are rock stars now. This is their day in the sun" (Liebs 2004).
Internal auditors are experts in governance, risk management, and internal control--areas that many companies have emphasized to achieve compliance with SOX. Many public companies have dealt with SOX Section 404 audits of the effectiveness of internal control over financial reporting, and a host of organizations are exploring the implementation of enterprise risk management tools. On top of these challenges, the pressure to produce reliable financial reports has caused many audit committees to lean more heavily on their internal auditors for information and technical guidance related to risks and controls.
Given recent developments, we believe that almost any organization can benefit from an effective internal audit function. In this article, we (a) describe the role of internal audit in the organization, (b) highlight some recent internal audit problems revealed in SOX Section 404 reports, and (c) offer practical suggestions for building an effective, value-adding internal audit function. We hope that the insights provided will be useful to managers and audit committee members in a variety of organizations.
The Role of Internal Audit
The IIA (2007b) defines internal auditing as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The key to internal audit adding value is that it provides objective evaluations of an organization's processes and operations. The main focus is on improving risk management, internal controls, and governance so that stakeholders' value is preserved. In other words, internal audit seeks to improve the organization's operations and to reduce the chance of negative surprises, including those created by unreliable financial reporting. Through its monitoring efforts in such areas as fraud prevention, improving business processes, and promoting reliable information (including financial reports) and sound controls, a properly designed and functioning internal audit group can add significant value to an organization. Effective internal audit functions also can contribute greatly to SOX Section 404 audits, performing some work on which the external auditor can rely. Such arrangements can reduce Section 404 compliance costs. (1)
New York Stock Exchange companies are required to have an internal audit function. For other U.S. companies, internal audit is a voluntary mechanism. Internal auditing appears to be growing rapidly in popularity, whether implemented as an in-house function or outsourced to an accounting firm or other provider. Research suggests that there is significant protection in having an internal audit function. For example, Beasley, Carcello, Hermanson, and Lapides (2000) found that the presence of an internal audit function was much less common in companies that had been accused of accounting fraud by the Securities and Exchange Commission. The differences between fraudulent and non-fraudulent firms were particularly noticeable in two industries. In the technology industry, none of the fraud firms had an internal audit function, versus 82 percent of the no-fraud firms. In the healthcare industry, 13 percent of the fraudulent firms had an internal audit function, versus 74 percent of the non-fraudulent firms. Clearly, there is a strong association between the presence of an internal audit function and reduced accounting fraud risk.
Recent Internal Audit Problems
We believe that one way to learn how to "do internal audit right" is to study cases where there have been internal audit-related problems. To highlight deficiencies in the internal audit arena, we recently searched SOX Section 404 internal control reports for cases where there were material weaknesses in internal control related to the company's internal audit function. (2)
Section 404 of SOX requires the external auditor to test the company's internal control over financial reporting, and to highlight any material weaknesses that existed as of the end of the fiscal year. Compliance with Section 404 currently is required for public companies with over $75 million in public float and will be required for smaller public companies in the future.
According to PCAOB Auditing Standard No. 2 (PCAOB 2004, para. 10), "A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected." The standard states that one strong indicator of a material weakness is (para. 140): "The internal audit function or the risk assessment function is ineffective at a company for which such a function needs to be effective for the company to have an effective monitoring or risk assessment component, such as for very large or highly complex companies." (3)
The Audit Analytics database revealed 16 public companies from late 2004 through mid-October 2006 with internal audit-related material weaknesses or remediation plans. In each case, either the Section 404 report highlighted an internal audit-related material weakness, or management's plan to remedy a material weakness included some discussion of enhancing the internal audit function. While these 16 companies represent a very small percentage of public companies subject to SOX Section 404, we believe that these weaknesses illustrate important issues for managers and audit committee members to consider.
Exhibit 1 provides an overview of the 16 companies' size, industry, auditor, and material weaknesses. The companies are reasonably large, with median market value, revenues, and assets in the $500 million or higher range, and they are primarily manufacturing or financial firms. Most of the companies have Big 4 external auditors and typically have other internal control problems in addition to their internal audit issues (the median number of material weaknesses per company is 4.5, with a range of 1-10).
Exhibit 2 presents wording quoted or adapted from the 16 companies' 10-Ks (which contain the management and external auditor reports on internal control) that describes the internal audit problems and management's efforts to fix/remediate the problems. While many of the disclosures do not provide much detail (we provide the full text of the relevant portions in Exhibit 2), some interesting overall patterns emerge from reviewing this table.
In terms of material weaknesses, the most commonly cited issue is the lack of a comprehensive or effective internal audit program/function (seven companies). This problem generally refers to a pervasive failure to implement effective internal auditing, which means that internal auditors do not adequately monitor key risks and controls. This problem also can result from internal audit getting "sidetracked" by management requests. For example, the disclosure for Ligand Pharmaceuticals Inc. indicates that the internal audit department was redirected to help with the company's restatement of its financial statements, the Director of Internal Audit resigned, and the company did not complete much of its internal audit work.
Other problems with internal audit include (a) a lack of independence in the internal audit function (Composite Technology and Ligand Pharmaceuticals), (b) insufficient oversight of internal audit/internal audit focus (Cellstar and Ultra Petroleum), and (c) issues related to inadequate auditing of international operations (H. B. Fuller and Thermadyne Holdings). Other problems mentioned include having too few internal auditors, having inexperienced internal auditors, not having an internal audit function at all, or internal audit failing to address problems found in control testing.
Management's discussion of any remediation efforts most commonly addresses staffing issues--hiring an Internal Audit Director, hiring additional internal audit staff, or engaging an outside consultant. Having the right people in place is absolutely critical to effective internal auditing, but internal audit talent is in high demand in today's market. Thus, it is challenging for some companies to attract and retain top internal audit talent.
Other remedial steps cited include:
* enhancing international auditing efforts,
* evaluating the overall internal audit function in light of company characteristics,
* developing/enhancing a comprehensive internal audit function, and
* addressing such issues as compliance auditing, additional testing/scope, greater communication through internal audit reports, better tracking of outsourced internal audit work, and increased training.
FEED