Francine McKenna at re: The Auditors has an interesting post and set of comments about internal audit functions at public companies and the importance of internal auditors.
External auditors look at a company’s financial statements and a small amount of underlying transactions in order to issue a report that the financial statements are properly presented. (It’s really a check of math and application of accounting rules.) The financial statement audits aren’t designed to detect fraud, and so they almost never do.
In contrast, the internal audit function is engaged in ongoing audits of the financial reporting process and other numbers-related projects. The scope of internal audit work varies greatly from company to company.
In theory, the work of internal audit should help give greater confidence in the accuracy of the financial statements. In reality, you have question how likely it is that problems identified by internal audit will be corrected if upper management is against the corrections. (Why would they be against corrections? They might negatively impact the planned financial statements.)
If you read Extraordinary Circumstances: The Journey of a Corporate Whistleblower, you get a feel for the unenviable position internal auditors are in. The author, Cynthia Cooper, was the head of internal audit at WorldCom. She and her team uncovered some irregularities in the company’s numbers, and the minute they tried to look into them further, upper level executives told her to stop, or else.
Cynthia and her team continued to investigate secretly, and eventually Cynthia blew the whistle on the massive fraud upper management was engaged in. Cynthia was threatened for carrying out the job she was hired to do – – make sure that the company had good systems that helped report accurate numbers. Yet when she got too close to the fraud, she was warned and feared for her job.
At re: The Auditors, the discussion about internal audit is focused on the outsourcing of the internal audit function. It’s not unusual for the Big 4 auditing firms to offer these services to companies. So what should really be an internal function really is no longer so internal, as it’s done by external parties.
I don’t really care so much about the debate on who should really perform this internal function. What I care about is the complete ineffectiveness of internal audit at so many companies. It’s not because the internal auditors are doing anything wrong. On the contrary… It’s often because they’re doing so something right and upper management doesn’t want the internal auditors messing up their results.
Here is the story of one auditor who commented on Francine’s site:
Let me give you one example from personal experience (from a few years ago). I was at [insert name of Big 4 firm here]. Our fully outsourced IA team was assigned to review revrec at a smaller subsidiary of a multi-billion dollar global manufacturer of goods. (Percentage of completion, cost-to-cost under SOP 81-1 if that matters.) We judgmentally pulled the smaller contracts, reasoning that prior audits had focused on the bigger ones. Results: Nearly 30 percent of all contracts tested failed to properly recognize revenue in some fashion. Nearly one-third of the sample had a failure.
At the company’s request all results were color-coded into the usual green, yellow, red. Guess what? We gave the subsidiary a red in revrec. A red meant the report went to the Audit Committee. Did we get a prize for our astute findings? Nope.
Next thing I knew the local Controller called the VP of IA at Corporate, who called my Partner, to complain about our over-agressive and incorrect findings. Mind you, we outbriefed very day and the local Controller had agreed with every one of our findings as we went along. But now that was forgotten. Seemed our big mistake was not to acknowledge how much work the local team had put into improving revrec (it was a special corporate initiative) and there was NO WAY they could be getting a red. A red would mean telling the Audit Committee that the special initiative had not resulted in the improvements that they had been told to expect.
Our findings had to be wrong, and my team was obviously not working with the local folks in the appropriate way. So I was yanked off the account (the partner never called me to get my side of the story, she just called my local managing partner and about two hours later I was told I was to brief my replacement and would be off the account within 48 hours). The findings were changed to yellow and Big 4 firm got to keep its multi-million IA engagement for another year. That was when I got pretty cynical about the “outsourced IA” business.
In a “for profit business,” when your profits depend on the goodwill of your client but you are supposed to deliver bad news (when it’s required), there is an obvious conflict of interest. As I learned (and saw repeated later at a different Big 4 firm) findings can get changed quickly when the client is upset.
More frequently — in fact, almost always — negotiation of the IA fees leads to scoping and quality compromises. The client doesn’t want to pay? Fine, then let’s assign junior staff and tailor the work plan to minimize the hours. That happens all the time. I’ve seen one instance, maybe two, where we walked rather than take the work at a budget we knew we couldn’t both manage to AND do a quality job.
This type of story is all too common. The internal auditors find a significant problem, and are told that they must be wrong and their opinions should be changed.
This isn’t much different than what happens with external auditors (supposedly independent!) either. I used to say that the partners came out to the audit site merely to “wheel and deal” on the proposed audit adjustments. That is…. The external auditors uncover errors or irregularities in the numbers and they propose changes to comply with the financial accounting rules. The audit partner and the CFO then sit down and play a game to determine how many of those changes will actually be made.
Of course, this all sources back to the integrity level of executives at companies. If they are truly acting with integrity, they’d want their numbers to be as accurate as possible, no matter what. Unfortunately, that is sometimes not the case, as the goal of achieving certain revenue and earnings figures wins out. Because of that, the audit function (whether internal or external) is often ineffective in achieving the goal of accurate financial statements.
Some refer to a financial statement audit as the purchasing of a “clean” opinion by the company paying the auditors. They certainly aren’t paying the auditors to say their numbers are bad. And the audit firms’ interests? They’re interested in continuing to collect the fees from the audits. Auditing is a lucrative business, especially for the partners.
On another thread at re: The Auditors, Francine seems to agree with me in her comments:
I was never an external auditor and admit I am no expert on the technical aspects of that product or various FASBs. However, as a reasonable person and one with much more knowledge and experience regarding how auditors do their job than most, I think I can safely say it seems like quite a major screw-up occurred somewhere given none of the companies that have failed or been taken over on the last 45 days had anything other than unqualified audit opinions. It seems the audit itself is not serving any purpose for inventors other than to provide fees to the audit firms.
And on the same thread, Independent Accountant boldly (and correctly) opines:
Anonymous can do a “perfect by-the-book audit”. So? Most audits are worthless! That is one of the many dirty secrets of the auditing business. As long as the typical CPA can fill in his program steps, he’s happy. Most CPAs are terrified to address “substance vs. form” issues. If the Big 87654 earned their say $47 million audit fees at large financial institutions, they would do things like see that risks are carefully disclosed.
An anonymous commenter chastises Independent Accountant:
You possess an antiquated view of auditing; the loner accountant in a dark room crunching numbers, checking boxes in an audit program, with a solitary partner signing an audit opinion. If you existed in the audit world post-Sarbanes, you would understand the current environment, where there is infinitely more collaboration among partners and between partners and senior management of the Big 4 firms. There is no longer an audit “checklist” of procedures, and the substance of complex transactions are looked at over form; where the accounting guidance allows it.
Yet I have to ask: If the auditing is so much better post-Sarbanes-Oxley, why has financial statement fraud NOT decreased? Why aren’t audits doing more to protect shareholders? It’s clear that audits are no more effective than they were pre-Sarbanes-Oxley. So that leads me to ask… If the procedures are so much better than they used to be, yet audits are no more effective than they used to be, then is it just that they auditors are more incompetent than they used to be?
There are many, I’m sure, who can argue that auditing firms are working harder than ever before… checking more things, advocating a position that the client may not like, standing up for the regulations… Except where is the proof? It seems to me that these massive failures with no warning suggest that auditors are failing miserably.
“Some refer to a financial statement audit as the purchasing of a “clean” opinion by the company paying the auditors.”
Do you suppose this is why Deloitte demanded that their client fire the CEO and CFO for knowingly leaving unmentioned a mere $8 million intercompany transaction misstatement in the rep letter, and then proceeded to resign as auditors after the client refused to do so?
I’m not saying all audit firms are perfect, but I think it’s going a bit far to say audits are completely worthless. If there were no audits, don’t you think financial reporting would get a little out of control? At least there is something there to “assure” the public that the financials are reasonably free of misstatement (And audits ARE designed to provide reasonable assurance of detecting fraud).
“I think I can safely say it seems like quite a major screw-up occurred somewhere given none of the companies that have failed or been taken over on the last 45 days had anything other than unqualified audit opinions.”
Just because a company receives an unqualified opinion does not make that company a wise investment. I’m sure the auditors wouldn’t be in the auditing profession if they could see into the future and predict such an economic recession.
Andy wrote: “(And audits ARE designed to provide reasonable assurance of detecting fraud).”
Sorry, Andy, but your statement is 100% false. Audits have never been designed to detect fraud.
I knew I should’ve looked it up before I said that. However, they are still designed to detect MISSTATEMENT (what I should have said), whether by error or fraud. So I guess it’s not directly designed to detect fraud, but they are still designed on a risk-based approach, or at least should be. So if fraud is suspected in certain areas, those areas should be tested more than others.
No, they’re not designed to DETECT misstatement by fraud. Audits are supposed to ASSESS THE RISK of misstatement by error or fraud. But they are not designed to detect misstatement due to fraud.
Isn’t the assessment of the risk performed in the planning stage and then the audits are designed based on those assessments?
AU312.36 “The auditor must perform the audit to obtain reasonable assurance of detecting misstatements that the auditor believes could be large enough, individually or in the aggregate, to be quantitatively material to the financial statements.”
SAS 107 par. 18: “In determining the nature, timing, and extent of audit procedures … the auditor should design audit procedures to obtain reasonable assurance of detecting misstatements that the auditor believes … could be material… Auditors use various methods to design audit procedures to detect such misstatements.”
If you read the engagement letters and audit reports, you see that the auditors specifically disclaim responsibility for finding fraud.
Andy – Have you seen the types of letters that I reference? Would it be helpful for me to post examples?
Yes, please…
You have me curious. But audits are SUPPOSED to be designed to obtain reasonable assurance about whether F/S are free of material misstatement, whether caused by error or fraud, correct?
No, they are not. I will post a letter or two.
Here’s a good sample engagement letter:
http://naplia.com/resources/engagement%20letters/Example%20Audit.doc
It includes this:
Because an audit is designed to provide reasonable, but not absolute, assurance and because we will not perform a detailed examination of all transactions, there is a risk that material errors, fraud, or illegal acts, may exist and not be detected by us. In addition, an audit is not designed to detect immaterial errors, fraud, or other illegal acts or illegal acts that do not have a direct effect on the financial statements. Our engagement cannot, therefore, be relied upon to disclose errors, fraud, or other illegal acts that may exist. However, we will inform you of any material errors that come to our attention and any fraud that comes to our attention. We will also inform you of any other illegal acts that come to our attention, unless clearly inconsequential. Our responsibility as auditors is limited to the period covered by our audit and does not extend to any later periods of which we are not engaged as auditors.
I am mistaken in saying that the audit report disclaims responsibility regarding fraud. It is the management representation letter which does that. (i.e. The auditors give management a template letter that management must put on their own letterhead, and the wording of that letter states that fraud is management’s problem, not the auditors’.)
One has to understand that an act of fraud is usually accompanied by a series of premeditaded acts to conceal it, thus auditors are not to be held for non detection of fraud.Management and those charged with governance are actually responsible for putting in place systems that detect or deter fraud.
[…] companies? What on earth do their own financial statements have to do with whether or not audits are effective at protecting […]
[…] You can bet there was a serious fight between management and the auditors over this adjustment to the financial statements between Groupon’s announcement of earnings on February 8, and its filing of the 10-K on March 30. If I were a betting woman, I would place a large wager that the auditors wanted an even larger reserve (resulting in even lower net income) and the result we see in the 10-K is some negotiated amount in the middle of where management wanted to be and the auditors thought they should be. (Oh yes… management and the auditors indeed do negotiate on audit adjustments.) […]
I am concerned as a former internal auditor that the title initially implies that the auditing function is “Near Worthless” when audits are very important and insightful. If the reaction to them is mixed, then consider titling your article to target the failure of companies to implement the findings.
As a lawyer, I also always research and understand both sides. I conduct independent research as well so that I can make my own independent conclusions.
Having worked for a Fortune 500 company as an internal auditor, I uncovered the financial fraud of a VP and his entire department. As a 22 year old, I initially received kick back from that VP. However, the next meeting involved my superior, the VP in question, a separate VP and the major parties involved.
My superiors and the other VP stood WITH ME and the recommended changes were not only required but failure to implement them would result in the termination of those involved.
I realize reactions to audit results can vary but there are companies who benefit greatly and companies willing to embrace, accept and implement the changes.
Audits are not nearly worthless. Implementing them can vary based on the corporate environment.