Francine McKenna at re: The Auditors has an interesting post and set of comments about internal audit functions at public companies and the importance of internal auditors.
External auditors look at a company’s financial statements and a small number of underlying transactions in order to issue a report that the financial statements are properly presented. (It’s really a check of math and application of accounting rules.) The financial statement audits aren’t designed to detect fraud, and so they almost never do.
In contrast, the internal audit function is engaged in ongoing audits of the financial reporting process and other numbers-related projects. The scope of internal audit work varies greatly from company to company.
In theory, the work of internal audit should help give greater confidence in the accuracy of the financial statements. In reality, you have to question how likely it is that problems identified by internal audit will be corrected if upper management is against the corrections. (Why would they be against corrections? They might negatively impact the planned financial statements.)
If you read Extraordinary Circumstances: The Journey of a Corporate Whistleblower, you get a feel for the unenviable position internal auditors are in. The author, Cynthia Cooper, was the head of internal audit at WorldCom. She and her team uncovered some irregularities in the company’s numbers, and the minute they tried to look into them further, upper level executives told her to stop, or else.
Cynthia and her team continued to investigate secretly, and eventually Cynthia blew the whistle on the massive fraud upper management was engaged in. Cynthia was threatened for carrying out the job she was hired to do: make sure that the company had good systems that helped report accurate numbers. Yet when she got too close to the fraud, she was warned and feared for her job.
At re: The Auditors, the discussion about internal audit is focused on the outsourcing of the internal audit function. It’s not unusual for the Big 4 auditing firms to offer these services to companies. So what should really be an internal function really is no longer so internal, as it’s done by external parties.
I don’t really care so much about the debate on who should really perform this internal function. What I care about is the complete ineffectiveness of internal audit at so many companies. It’s not because the internal auditors are doing anything wrong. On the contrary… It’s often because they’re doing something right and upper management doesn’t want the internal auditors messing up their results.
Here is the story of one auditor who commented on Francine’s site:
Let me give you one example from personal experience (from a few years ago). I was at [insert name of Big 4 firm here]. Our fully outsourced IA team was assigned to review revrec at a smaller subsidiary of a multi-billion dollar global manufacturer of goods. (Percentage of completion, cost-to-cost under SOP 81-1 if that matters.) We judgmentally pulled the smaller contracts, reasoning that prior audits had focused on the bigger ones. Results: Nearly 30 percent of all contracts tested failed to properly recognize revenue in some fashion. Nearly one-third of the sample had a failure.
At the company’s request all results were color-coded into the usual green, yellow, red. Guess what? We gave the subsidiary a red in revrec. A red meant the report went to the Audit Committee. Did we get a prize for our astute findings? Nope.
Next thing I knew the local Controller called the VP of IA at Corporate, who called my Partner, to complain about our over-aggressive and incorrect findings. Mind you, we outbriefed every day and the local Controller had agreed with every one of our findings as we went along. But now that was forgotten. Seemed our big mistake was not to acknowledge how much work the local team had put into improving revrec (it was a special corporate initiative) and there was NO WAY they could be getting a red. A red would mean telling the Audit Committee that the special initiative had not resulted in the improvements that they had been told to expect.
Our findings had to be wrong, and my team was obviously not working with the local folks in the appropriate way. So I was yanked off the account (the partner never called me to get my side of the story, she just called my local managing partner and about two hours later I was told I was to brief my replacement and would be off the account within 48 hours). The findings were changed to yellow and Big 4 firm got to keep its multi-million IA engagement for another year. That was when I got pretty cynical about the “outsourced IA” business.
In a “for profit business,” when your profits depend on the goodwill of your client but you are supposed to deliver bad news (when it’s required), there is an obvious conflict of interest. As I learned (and saw repeated later at a different Big 4 firm) findings can get changed quickly when the client is upset.
More frequently — in fact, almost always — negotiation of the IA fees leads to scoping and quality compromises. The client doesn’t want to pay? Fine, then let’s assign junior staff and tailor the work plan to minimize the hours. That happens all the time. I’ve seen one instance, maybe two, where we walked rather than take the work at a budget we knew we couldn’t both manage to AND do a quality job.
This type of story is all too common. The internal auditors find a significant problem, and are told that they must be wrong and their opinions should be changed.
This isn’t much different than what happens with external auditors (supposedly independent!) either. I used to say that the partners came out to the audit site merely to “wheel and deal” on the proposed audit adjustments. That is…. The external auditors uncover errors or irregularities in the numbers and they propose changes to comply with the financial accounting rules. The audit partner and the CFO then sit down and play a game to determine how many of those changes will actually be made.
Of course, this all sources back to the integrity level of executives at companies. If they are truly acting with integrity, they’d want their numbers to be as accurate as possible, no matter what. Unfortunately, that is sometimes not the case, as the goal of achieving certain revenue and earnings figures wins out. Because of that, the audit function (whether internal or external) is often ineffective in achieving the goal of accurate financial statements.
Some refer to a financial statement audit as the purchasing of a “clean” opinion by the company paying the auditors. They certainly aren’t paying the auditors to say their numbers are bad. And the audit firms’ interests? They’re interested in continuing to collect the fees from the audits. Auditing is a lucrative business, especially for the partners.
On another thread at re: The Auditors, Francine seems to agree with me in her comments:
I was never an external auditor and admit I am no expert on the technical aspects of that product or various FASBs. However, as a reasonable person and one with much more knowledge and experience regarding how auditors do their job than most, I think I can safely say it seems like quite a major screw-up occurred somewhere given none of the companies that have failed or been taken over in the last 45 days had anything other than unqualified audit opinions. It seems the audit itself is not serving any purpose for investors other than to provide fees to the audit firms.
And on the same thread, Independent Accountant boldly (and correctly) opines:
Anonymous can do a “perfect by-the-book audit”. So? Most audits are worthless! That is one of the many dirty secrets of the auditing business. As long as the typical CPA can fill in his program steps, he’s happy. Most CPAs are terrified to address “substance vs. form” issues. If the Big 87654 earned their say $47 million audit fees at large financial institutions, they would do things like see that risks are carefully disclosed.
An anonymous commenter chastises Independent Accountant:
You possess an antiquated view of auditing; the loner accountant in a dark room crunching numbers, checking boxes in an audit program, with a solitary partner signing an audit opinion. If you existed in the audit world post-Sarbanes, you would understand the current environment, where there is infinitely more collaboration among partners and between partners and senior management of the Big 4 firms. There is no longer an audit “checklist” of procedures, and the substance of complex transactions are looked at over form; where the accounting guidance allows it.
Yet I have to ask: If the auditing is so much better post-Sarbanes-Oxley, why has financial statement fraud NOT decreased? Why aren’t audits doing more to protect shareholders? It’s clear that audits are no more effective than they were pre-Sarbanes-Oxley. So that leads me to ask… If the procedures are so much better than they used to be, yet audits are no more effective than they used to be, then is it just that the auditors are more incompetent than they used to be?
There are many, I’m sure, who can argue that auditing firms are working harder than ever before… checking more things, advocating a position that the client may not like, standing up for the regulations… Except where is the proof? It seems to me that these massive failures with no warning suggest that auditors are failing miserably.