Summary
As economic conditions change, organizational priorities also require adjusting. By virtue of the Sarbanes Oxley Act (2002) (SOX), organizational resources, including internal auditors, have been heavily directed to what is essentially a legal compliance role, which is normally just one of the areas of internal audit focus. During the past 7 years organizations that needed to comply with SOX financial reporting requirements directed any competent internal audit and controls specialists to meet reporting deadlines to ensure a clean bill of health from external auditors, in order to avoid the opobrium resulting from any reported infractions. Some entities established dedicated internal controls functions to take care of the compliance efforts, while others simply directed the existing internal audit departments to take responsibility. In my opinion, this heavy emphasis on legal compliance resulted in a risky focus away from other key areas, contributing to the current economic crisis
Analysis
As the economic recession reaches its bottom and we can start looking forward to a slow upswing, it is a good time to take stock of a key issue which has contributed to the current malaise. After the introduction of the Sarbanes Oxley Act 2002 provisions the past 7 years has seen an increasing emphasis on internal auditors to assist in meeting the financial reporting requirements contained in the Act.
During this period, in line with greater organizational independence, internal audit executives increasingly reported to Audit Committees and the CEO, for functional and administrative purposes, respectively, as evidenced by surveys conducted by the Institute of Internal Auditors Inc (USA). However, a substantial number of Chief Audit Executives (CAE) continue to report directly to the CFO or senior Finance and Accounting executives in organizations, a situation I am quite familiar with. Due to the administrative reporting lines, many Internal Audit functions continue to be directed predominantly to finance and accounting issues, which has been exacerbated by the Sarbanes Oxley requirements which have increased the personal responsibilities of the CFO and the CEO of any compliant organizations. Even where strong reporting lines were established with the Board Audit Committee, the desire to ensure timely compliance with Sarbanes Oxley Act reporting requirements drove many organizations to emphasize the responsibilities of Internal Audit in this direction, rather than establishing a full time dedicated Internal Controls function.
The past period of exuberance, which normally precedes an adjustment as we are currently experiencing, also allowed senior executives to see the world through rose coloured spectacles and created a greater appetite for risk throughout organizations. Any internal audit functions reporting operational risks and issues were therefore often subject to the common retort that "if it ain't broke, why fix it", a response not dissimilar to the issues raised by many Risk Management Committees, which in hindsight have also been found to have often gone unheeded during those heady days.
I would even dare to suggest that we have experienced a period not dissimilar to the Barings Bank case, where internal audit reporting, recommendations and risk management committee proceedings were subject to override by senior executives bent on reaching their operational performance indicators and annual bonuses.
The heavy emphasis on legal compliance and ensuring a clean bill of health for financial reports, driven by Finance executives, Chief Executive Officers and Boards of organizations has therefore, in my opinion, contributed to the current crisis and has been a detrimental reversal in enlightened progress which commenced in the 1940's when Internal Audit functions were finally recognized as being able to contribute in a much wider arena, including operational and internal management consulting capacity, due to certain economic and developmental pressures then prevailing. I recall a CFO at a NYSE listed organization who was so adamant that he would not be the "fall guy" that he directed the CAE to stage coach the senior executives to provide the "right" answers to the external auditor's end of year risk based questionnaire, an infraction of Sarbanes Oxley section 303 (c), (Improper Influence on Conduct of Audits) but obviously a risk well worth taking in comparison with the likelihood of personal culpability for financial misreporting, as noted in my case studies on www.balfoort.com.my
The current crop of fraud cases which is seeing the light of day is no surprise to seasoned internal audit professionals, as evidenced by articles in the Financial Times, as it is well known that reported fraud cases increase during any recessions, as evidenced by previous economic downturns. Clearly little has been learnt from those experiences, which is why we are largely back to square one.
When I wrote a professional services brochure on forensic and fraud investigations services for a major US listed professional firm in early 2008, executives at my firm were scratching their heads about my writing and logic, as at that time there was little evidence of any recession, let alone any signs of increase in the incidence of fraud.
How do internal auditors now re invent themselves to regain their position as corporate risk advisory consultants/ management consultants, thereby widening their scope in line with standards and guidelines promulgated by the Institute of Internal Auditors? Although it may seem a major challenge, the current crisis does provide a major opportunity for professionals to present their skills to Boards to allow them to create a platform and track record inside organizations, away from the compliance focus in finance and accounting.
I would even suggest that this is an opportune moment for internal audit executives to present their case for even greater independence, allowing them to drive the risk based audit planning, gain greater and more professional support from competent Audit Committees and thereby create a much more holistic and relevant audit plan and service to their client organizations. While external consultants and professional services firms have already seen the light, as evidenced by the comments from the partner at E & Y quoted in the article referred to, it is not too late for internal audit functions and Chief Audit Executives to identify the same opportunity to re invent themselves anew as an internal service centre of excellence to meet the new challenges. Necessity, who is the mother of inventions, as Plato so profoundly stated in his book Πολιτεία, or The Republic, as we know it in English.
