BACK TO BASICS - Who Has An Upper Hand?
Picture from https://gtsudbury.ca/podcast/back-to-basics-part-1/

BACK TO BASICS - Who Has An Upper Hand?

December 21st 2020

A famous ancient quote in The Art of War by Sun Tzu states that: [1]

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Auditees and auditors are not enemies and in battle with each other, literally, but definitely there are occasions where a party has a very strong opinion different from the other party. The International Standards for the Professional Practice of Internal Auditing (Standards) 1130 - Impairment to Independence or Objectivity suggests that in order to achieve the degree of independence necessary to effectively carry out the responsibilities of internal audit activities, the chief audit executive (CAE) should disclose the details of an impairment to senior management and the board. Such impairment is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations.[2] This particular standard seems to provide an internal auditor a “straight flush” in a poker game and hence an upper hand whenever there is a work-related dispute with auditee.

In reality, is it the case? Two elements, closely related to each other, may change how you perceive this “straight flush”.

Independence

You should have no difficulty finding from an internal audit charter stating the independence of an internal audit function and auditors. However, there is no absolute independence in practice due to the inherent human nature. Whitmire in his article Is There Really Such A Thing As An Independent Audit? states that despite the changes made to prevent further similar scandals that destroyed Enron and Arthur Anderson from happening, there were still plenty of problems of audit profession. He reasoned that the audit firm had aligned their interests with those of their client as soon as the firm was hired.[3] This argument can apply to internal auditors easily as they are being paid and managed by the same employers of the auditees.

Standards 1100 – Independence and Objectivity states that the chief audit executive has direct and unrestricted access to senior management and the board,[2] and it translates to whom an internal audit function is reporting to within an organization. Nowadays, we often see an internal audit function is reporting to either the Chief Executive Officer (CEO) or Chief Financial Officer (CFO) administratively. On that note, there is a suggestion the reporting to CEO instead of CFO can offer better audit’s independence since financial auditing is a key activity of an internal audit function.[4,5,6]

In Why Good Accountants Do Bad Audits published in year 2002, the authors reckoned how unconscious bias can undermine the independence of an auditor.[7] The article highlights “ambiguity”, “attachment” and “approval” these three structural elements which promote bias and three aspects of human nature can amplify unconscious biases. In summary, they are:

  • Familiarity – people were more willing to harm strangers than individuals they knew, especially when those individuals were paying clients with whom they had ongoing relationships.
  • Discounting – people tended to be far more responsive to immediate consequences than delayed ones, especially when the delayed outcomes were uncertain. For example, auditors may hesitate to issue critical audit reports because of the adverse immediate consequences – damage to the relationship and possible unemployment.
  • Escalation – it was natural for people to conceal or explain away minor indiscretions or oversights, sometimes without even realizing that there were doing it. For example, sum of small judgments might become large and correcting this long-standing bias might require admitting prior errors.

A similar study after almost two decades, Singer and Zhang published an article on the duration of auditor tenure and the timeliness discovery of misstatement in year 2018.[8] They concluded that that longer auditor tenure had led to misstatements of greater magnitudes, and that the Sarbanes-Oxley Act had mitigated, but not eliminated, the negative effect of long auditor tenure.

?From the above observations from different studies, we can ask if there is a job rotation program for internal auditors or how effective is this program in order to preserve “independence” as far as possible.

Relationship Management

The article “The Audit Love Triangle” puts a joke on the relationship between auditees and auditors as follows:[9]

“Auditor: We’re coming to audit you soon. Will you guys be available?”

“Auditee: Sure, you know we love you guys!”

?“Auditor: REALLY?”

?“Auditee: Well, we hate to see you coming and love to see you going.”

Unlike the relationships among different business units within a company, the relationship between auditees and auditors is unique since we human beings do not like people come to tell us that you are “wrong” or “not good enough”. Of course, there are people who are believers of partnering with auditors for greater good and acting accordingly.

Nowadays, stakeholder relationship (or even partnership) management in internal audit is a popular topic. You can easily find articles implying that you are a good auditor in the eyes of stakeholders when you can build and maintain a “healthy” relationship with them. But who are the stakeholders (the senior executives of different business functions, the boss of internal audit function, members of the board, shareholders and investors)? Another question is, what does “healthy relationship” mean?

To answer the first question, a revisit to the history of internal audit and the nature of work the internal audit should be performing is necessary.

In the book Research Opportunities in Internal Auditing, co-author Ramamoorti points out that the establishment and progression of the modern internal auditing profession was closely linked to the history of The Institute of Internal Auditors (IIA) founded in the United States (US) in 1941.[10] He describes that historians believed formal record-keeping systems were first instituted by organized businesses and governments as far back as 4000 B.C., and the need for and indications of audits could be traced back to public finance systems in Babylonia, Greece, the Roman Empire, the City States of Italy, etc. The European systems of bookkeeping and auditing were then introduced into the US, a separate formal internal assurance function, internal audit, within a company with a duty to evaluate the honesty of its employees had emerged at the turn of the 20th century.

Standards 2100 – Nature of Work states that internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes. In respect of evaluating risk management, Standards 2120.A.2 elaborates that internal audit should evaluate the potential for the occurrence of fraud and how a company is managing the fraud risk in each engagement.[2]

?The 2020 Report to the Nations (the Association of Certified Fraud Examiners’ 11th study on the costs and effects of occupational fraud) reports the median loss amount due to frauds committed by owner/executive was three times larger than those frauds committed by an employee or manager.?This observation suggested those in the highest positions had the ability to damage the company more severely than lower-level personnel,[11] and it was consistent with the same studies conducted in previous years.

The article Internal Audit's Relationship With Management Can Say a Lot About Organizational Culture by Chambers provides an insight to the second question, i.e., the definition of “healthy (or poor) relationship”.[12] He specified six signs of poor relationship and they are:

  • Attitude toward internal audit: Management's response to internal audit's inquiries was to circle the wagons and limit access to information.
  • Carousel of chief audit executives: Management cycles through a number of CAEs seeking one it can most easily control or manipulate.
  • Pressure to change or hide findings: Management made clear it did not want to hear the truth.
  • Redirecting or misdirecting internal audit: Management manipulated the choice of audits based on an agenda other than one based on the organization's risk.
  • Manipulating internal audit's budget: Management limited resources in staff, accessed to expertise (co-sourcing), or limited internal audit's ability to do its job.
  • Limiting internal audit's access to the board or audit committee: Management wanted to control the message from internal audit to the board.

I think no one will be surprised if you have experienced one or more abovementioned telltale signs.

CONCLUSION

Those organizations with CAE reporting to CEO instead of CFO or other senior executives do possess a better independence. However, the inherent human behavior (to “survive”) is the key determining factor. As long as internal auditors are paid by the companies they are working for, there is no genuine independence.

While a key responsibility of an internal audit function is to evaluate the adequacy of control over different risks, specifically the fraud risk, and there are studies suggesting senior executives (stakeholders) cause more harm than general employees in events of fraud, there are pressures exerted on internal auditors to maintain a “healthy relationship” with stakeholders. These pressures could be originated from stakeholders or internal auditors themselves for "better" relationship management. Sometimes they are reflected by conducting internal audit satisfaction survey, designing and performing audit projects entirely based on stakeholders, or putting unnecessary burden of audit issues follow-up to internal audit.[13]

Your thoughts are welcome.

REFERENCE

[1] The Art of War

?https://suntzusaid.com/book/3/18

[2] International Standards for the Professional Practice of Internal Auditing

https://www.theiia.org/globalassets/documents/standards/standards-2017/ippf-standards-2017-english.pdf

[3] Is There Really Such A Thing As An Independent Audit?

https://www.forbes.com/sites/forbeslacouncil/2018/12/03/is-there-really-such-a-thing-as-an-independent-audit/

[4] Internal audit reporting line to CEO gains steam as Fed weighs in

https://www.journalofaccountancy.com/news/2013/feb/20137291.html

[5] Should Internal Audit Report to the CFO?

?https://www.cfo.com/accounting-tax/2006/10/should-internal-auditor-report-to-the-cfo/

[6] Managing Multiple Bosses

https://hbr.org/2011/08/managing-multiple-bosses.html

[7] Why Good Accountants Do Bad Audits

https://hbr.org/2002/11/why-good-accountants-do-bad-audits

[8] Auditor Tenure and the Timeliness of Misstatement Discovery

https://corpgov.law.harvard.edu/wp-content/uploads/2018/06/AR318-AuditrTenureMisstateJNL.pdf

[9] The Audit Love Triangle

?https://thatauditguy.com/the-audit-love-triangle/

[10] Research Opportunities in Internal Auditing - Chapter 1: Internal Auditing: History, Evolution, and Prospects

https://na.theiia.org/iiarf/Public%20Documents/Chapter%201%20Internal%20Auditing%20History%20Evolution%20and%20Prospects.pdf

[11] 2020 Report to the Nations

https://acfepublic.s3-us-west-2.amazonaws.com/2020-Report-to-the-Nations.pdf

[12] Internal Audit's Relationship With Management Can Say a Lot About Organizational Culture

https://iaonline.theiia.org/blogs/chambers/2016/Pages/Internal-Audits-Relationship-With-Management-Can-Say-a-Lot-About-Organizational-Culture-.aspx

[13] Back to Basics – Audit Issue Follow-Up

https://www.dhirubhai.net/pulse/back-basic-audit-issue-follow-up-ellis-wong/

Whitney Bell

Vice President, Global Technology Audit at Walmart

3 年

Great summary

要查看或添加评论,请登录

Ellis Wong的更多文章

社区洞察

其他会员也浏览了