Today I want to circle back to that proposal from the Public Company Accounting Oversight Board about third-party confirmations in financial audits, a seemingly reasonable idea that in practice has alienated legions of internal auditors. We should take a few minutes to understand why that is.
For those who missed our first post on this issue, the recap is as follows. Just before Christmas the PCAOB proposed a new standard for how external audit firms manage the process of confirming a company’s financial information with outside parties. Such procedures are known as third-party confirmations, and they’ve long been a crucial part of financial audits.
The PCAOB’s proposal would prohibit internal auditors from selecting the financial disclosures to be confirmed, sending confirmation requests, and receiving confirmation responses. Why? Because “involving internal auditors or other company employees in these activities would create a risk that information exchanged between the auditor and the confirming party is intercepted and altered.”
Internal auditors were quite peeved at the insult implied in those words, that they would ever sully themselves by participating in a corporate fraud. The Institute of Internal Auditors even published a statement expressing “deep concern” that the PCAOB’s proposed new standard “could have the unintended consequence of implying that internal auditors would intentionally ‘intercept’ and ‘alter’ information.”
And the horse you rode in on, PCAOB.
From the outside this debate might seem rather esoteric, but the internal auditors taking exception to the PCAOB’s language do raise a valid question: to what extent can external auditors — and the board, and regulators, and other important corporate overseers — rely on the integrity of the internal audit team? Even more fundamentally, if we’re not supposed to trust internal auditors with tasks like this, what’s the point of having internal auditors at all?
Frame it that way, and no wonder these folks are so upset.
Audit Standards and Internal Auditors
External auditors already have a standard from the PCAOB about how they should interact with internal auditors: Audit Standard 2605, Consideration of the Internal Audit Function.
According to AS 2605, external auditors should first decide whether they want to rely on internal auditors at all; it’s not required, after all. But if the external auditor does want direct assistance from internal audit, the external auditor should first evaluate the internal auditors’ competence and objectivity. That means considering criteria such as the internal auditors’ professional experience and education, and whether the head of internal audit reports to a sufficiently senior executive that audit findings get acted upon.
Assuming that, yes, internal audit does have the competency and objectivity to work with external audit, AS 2605 says the external audit team must still “supervise, review, evaluate, and test the work performed by internal auditors to the extent appropriate in the circumstances.”
Thoughtful and leading voices in the internal audit world generally say the debate should end there. That is, if the external auditor believes the internal audit function is competent, objective, and independent, that’s enough to clear internal audit for active duty. We don’t need to revisit the issue again in other auditing standards, such as the proposed new AS 2310 for third-party confirmations.
For example, when the external auditor is preparing an audit of SOX controls, he or she can use the work performed by, or receive direct assistance from, internal auditors. All that’s necessary is that the external auditor first evaluate the reliability of internal audit as described in AS 2605. If the internal audit team passes muster, then the external auditor can, say, use previous control tests done by internal audit or even direct internal audit to perform new tests. Why would third-party confirmations need a different standard from that?
Why Are We Caring About This?
Foremost, we should care about this because the world already has too many audit requests, and further separating internal and external audit only creates more work.
If the PCAOB starts questioning internal audit’s integrity here, with third-party confirmations, that makes one wonder whether the PCAOB will start blocking internal audit from working with external audit on other issues as well — which would mean external audit still needs to get that work done somehow, and rest assured, that will mean more audit fees piled onto your bill.
We’ve seen some hints that this new pressure on external auditors might be coming. Last fall the top accountant at the Securities and Exchange Commission warned external auditors that they need to do better at fraud risk assessments. Erica Williams, chair of the PCAOB, delivered a speech last month where she told auditors: “Your vigilance must be higher. Unfortunately, right now, the trendline is moving in the wrong direction.” The implication in those messages is that external auditors must trust their clients less, and be more skeptical of all statements the client makes.
The funny part is that by and large, internal auditors aren’t interested in working on third-party confirmations. They’re particularly uninterested in doing administrative legwork for external auditors, such as sending out confirmation requests and collecting the mail that comes back. What they resent is the implication that they can’t be trusted to handle certain audit activities simply because they’re employed by the company.
We could imagine other scenarios, too. If external audit does more work by itself, and then briefs the board or audit committee on its findings — could that lead to more disputes with the internal audit team, if it reaches a different conclusion? Typically that shouldn’t happen; if internal and external audit haven’t resolved a disagreement before it reaches the audit committee, they’ve already screwed up. But if the PCAOB and SEC are going to pressure external audit to be more skeptical, and to do more work by itself, you could see such tensions becoming more possible.
So maybe this esoteric battle over language and slights in a PCAOB audit proposal isn’t so esoteric after all.