The internal auditing world is in an uproar this week over a proposed new auditing standard from the Public Company Accounting Oversight Board — one that throws some notable shade at the internal audit profession, and prompted the Institute of Internal Auditors to declare that it is “deeply concerned” about the idea.
The proposed standard is meant to address how external audit firms manage the process of confirming a company’s financial information with outside parties. The PCAOB’s proposal would cut internal auditors out of that picture, because “involving internal auditors or other company employees in these activities would create a risk that information exchanged between the auditor and the confirming party is intercepted and altered.”
The internal audit world resented the implication that its members might participate in schemes to deceive audit firms.
“I am deeply concerned by the potential precedent the PCAOB’s proposed standard may set regarding the work of internal auditors,” Anthony Pugliese, president and CEO of the Institute of Internal Auditors, said in a statement on Thursday. The proposed standard “could have the unintended consequence of implying that internal auditors would intentionally ‘intercept’ and ‘alter’ information. Like external auditors, internal auditors have an obligation to exercise due care in the handling of all information.”
Let’s pause here to review what’s actually going on. Earlier this week the PCAOB proposed an update to Auditing Standard 2310, which governs how audit firms seek outside confirmation of a company’s financial data: cash balances, accounts receivable, and so forth. Confirmations are an important part of financial audits, and audit firms have been performing them for decades.
Historically, the audit firm would seek confirmation by, say, sending a letter to a bank and asking, “Hey, the company says it has this much money in a savings account with you all. Is that correct?” The bank would reply, and that reply would count as evidence the auditor can use in the audit.
Now the PCAOB wants to update AS 2310 for the modern era, since most audit firms, companies, and third parties communicate electronically. Moreover, many companies and audit firms now use third-party service providers to manage confirmation requests, since so many requests zip back and forth over the interwebs every day.
Smack in the middle of the 87-page proposal, however, is a section governing how external auditors can rely on internal auditors to help with the confirmation process. That section expressly says the external auditor cannot use a company’s internal auditors for selecting items to be confirmed, sending confirmation requests, and receiving confirmation responses.
What Are You Trying to Imply, PCAOB?
Pugliese also posted his statement on LinkedIn. That prompted numerous voices in the internal audit world to add their thoughts — and they weren’t happy with the PCAOB’s stance either.
Most didn’t oppose the abstract idea that internal audit shouldn’t be involved in confirmations (“If external audit wants to do this without our assistance, have at it,” one person said). They simply took umbrage at the PCAOB’s insinuation that internal auditors might participate in the subversion of confirmations.
Hal Garyn, an audit consultant and longtime trainer on audit issues: “What’s egregious is to make the argument that the reason is due to a “risk of manipulation”, as if there is some track record and history of internal auditor manipulating data when doing work for, and on behalf of, the external audit process. That is extremely troubling and, quite frankly, wholly out of line for what would be any professional body and/or regulator.“
Robert Berry, another freelance audit consultant: “If they want this task done independently, that’s OK. What is not OK is to use a profession with over 200,000 members as the scapegoat.”
Ian Mutswiri, chief audit executive of an industrial manufacturer in Texas: “I find the comment by the PCAOB as both unfortunate and disturbing. It diminishes the important role internal audit plays in maintaining the integrity and reliability of financial records and operations.”
Perturbed though the IIA might be, Pugliese did say his group “looks forward to working constructively with the PCAOB to address the underlying concerns” and does plan to file a formal comment on the proposed standard in due course.
Before we go any further, I should make a personal disclosure: the IIA pays me to write a column on boardroom governance issues. The IIA did not pay me to write this post, and did not see an advance copy of it.
What Happens Next on Confirmations
What happens next is that the PCAOB gets an earful of comment on its proposed new standard, and the agency then moves forward sometime next year with a final version. My hunch is that the PCAOB will drop its clumsy language about internal auditors along the way, since this is a spat the agency doesn’t need with an important constituency in the auditing world.
Pugliese does raise a good question. To what extent are internal auditors involved in the confirmation process, exactly?
The PCAOB is under the impression that by and large, internal auditors aren’t. The proposal even asks: “We understand auditors’ use of internal audit in a direct assistance capacity to send confirmation requests or receive confirmation responses to be infrequent. Are commenters aware of information to the contrary?”
Pugliese said it’s “common” for external auditors to rely on work performed by internal auditors, “and for internal auditors to directly assist external auditors in the performance of certain duties.” All of that is certainly true, although Pugliese didn’t expressly say confirmations are one of those certain duties.
Anyway, aside from this potshot against internal auditors, the PCAOB is correct to say that the audit standard for confirmations needs an overhaul. AS 2310 hasn’t been updated since 2003 and a lot has changed since then. For example, we’ve seen a decline in the number of parties that respond to confirmation requests — but at the same time, modern data analytics could let audit firms get the same level of assurance they want without those replies anyway.
We just need to get to that better, more modern standard without peeing in other people’s Cheerios.