control, and governance
control, and governance
A Heavier Weight to Carry
Despite initial pressures to emphasize financial controls more than governance, internal auditors are now bearing additional responsibility for both — and raising their stature as a result.
Russell A. Jackson
Freelance Writer
If you left internal auditing five years ago to ranch minks or produce film documentaries and just returned, you'd be forgiven if you hardly recognized the myriad new ways companies now focus on internal controls. Laws have changed throughout the world, famously, and companies have changed — in some cases dramatically — where they allocate resources within the internal controls space. But has there been an intentional, meaningful, and permanent abandonment of an emphasis on governance in favor of a focus on financial reporting? According to experts, despite a great deal of attention to such a shift, the answer is: "Probably not."
Granted, the flurry of corporate misbehavior in recent years did lead to the U.S. Sarbanes-Oxley Act of 2002 and the "Sarbanes-Oxley Lite" and "Little Sarbanes-Oxley" laws and regulations it spawned around the world. And the spell of accounting fraud scandals — epitomized by the likes of Enron, HealthSouth, and WorldCom — also wrought dramatic changes in the way companies allocate and maintain their internal audit resources. Further, it's true that some companies, in their zeal to comply with a law so gigantic in scope, have devoted huge chunks of manpower and money to financial reporting controls at the expense of other types of audit activities — including governance-related activities. But the big news of the past five years isn't internal audit departments leaving governance behind in favor of financials.
Instead, companies have responded to the emphasis on financials by expanding and contracting their focus on governance or financials to varying degrees, with some focusing on one at the expense of the other and others adding human and financial resources for both. Some companies, similarly, have expanded the entire audit function as needed to fully change to a new focus on integrated areas of internal controls — with governance, ethics, and financials linked and coordinated in innovative ways — and later contracted the size of the department as the new systems became routine. Others have launched internal audit departments for the first time and operate them at full capacity. Approaches to the post-Sarbanes-Oxley internal audit environment differ significantly, but they all share one thing: Internal auditors have a higher profile than ever at many companies, and many of them enjoy an unprecedented level of influence and authority.
Companies have gone through different stages in the compliance process, explains Lynn Fountain, vice president of risk assessment and audit services at energy distribution company Aquila Inc. in Kansas City, Mo. "In the first couple of years after Sarbanes-Oxley, there was such a heavy focus on just getting the work done that many people didn't focus on actually understanding the intent of the act," she says. "We all focused on tactics." After looking for ways to make compliance work more efficient in recent years, she notes, internal auditors are shifting their focus to understanding the control environment itself. "Practitioners are getting past all the tactics and are starting to dip their collective toe into the governance pool, asking how internal auditing can meet its objectives in that space. It's a balancing act."
EXPANDED AUTHORITY AND INFLUENCE
Steve Jameson, executive vice president and chief internal audit and risk officer at Community Trust Bank in Pikeville, Ky., can attest to that enhanced stature. Jameson was hired in March 2004 to reestablish internal auditing as an internal function — it had been outsourced previously. Although an emphasis on the financial reporting control mandates in Sarbanes-Oxley was a natural element of that mission, Jameson took care to ensure that governance issues fell within the newly created audit department as well. He leveraged his company's aggressive Sarbanes-Oxley compliance effort to create a department that coordinates internal controls across key assurance disciplines. He also established his role at a high level in the organization with the insider credibility needed to get things done and the independence needed to do them right. Jameson brought a background in internal auditing and risk management — and experience working on The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management-Integrated Framework — to the new position, which led bank executives to change their plans for the job. Rather than hiring an audit manager who would handle just internal auditing and enterprise risk management (ERM), they decided to combine all the critical control functions — ERM, internal auditing, compliance, security, and loan review for governance purposes — under one executive. And instead of establishing the position at the senior vice president level, bank leaders elevated the position to executive vice president status.
In some instances, the corporate response to Sarbanes-Oxley and its cousins worldwide has actually been more pro-financials and less pro-governance. But a careful look at the individual circumstances shows that the changes are often temporary fixes — while the alteration in the internal auditor's influence remains after the focus has been modified again and again over time. Indeed, the reverberations from Sarbanes-Oxley didn't shape Hubertus Buderath's audit shop the way they did Jameson's. The DaimlerChrysler vice president for corporate audit — who heads the Moensheim, Germany-based global automotive giant's worldwide audit operations — led an existing department, not a newly formed shop. But he did face a dilemma Jameson did not encounter in balancing internal audit resources in the wake of a new focus on financials: Just as Sarbanes-Oxley and the environment it represents caused a shift in the company's allocation of those resources, information requests from the U.S. Securities and Exchange Commission (SEC) taxed the already-stretched department even further. Sarbanes-Oxley didn't shape his shop, but it did reshape it and, in doing so, repositioned Buderath within the corporate controls hierarchy.
In the first complete fiscal year after Sarbanes-Oxley passed in 2002, Section 404 work represented half of total internal audit capacity for the U.S. segment of Buderath's sphere of operations. At the same time, the automaker faced a related but separate issue in the form of an SEC investigation of some lesser allegations of fraud. "We suddenly had two new priorities," Buderath comments. "We had to focus on Sarbanes-Oxley, especially Section 404, and we had to focus on the fraud issues." DaimlerChrysler streamlined its audit timetable to emphasize fewer, but more thorough, audits over more, but less-detailed engagements. "We did not do the same number of audits as a way to assure that quality remained high," he says. "Our audit work did not cover all areas that it used to cover." Specifically, DaimlerChrysler scaled back its audit operations in all areas that focus on process optimization, such as production control, engineering processes, and purchasing processes. The company beefed up its audit efforts in financial reporting and, he adds, "strongly increased our engagement in matters of forensic auditing, including fraud detection and prevention."
As times change, though, that distribution of corporate focus likely will change as well, returning to something closer to the responsibility mix many internal auditors had before Sarbanes-Oxley. Many companies have, in the first few years of compliance, already updated all their internal control systems, so the requests for audit departments to review such big individual chunks of controls will likely ebb, leaving those departments with greater capacity for other areas — including corporate governance. For various reasons, companies increased internal audit staff in a variety of areas in response to a new emphasis on financial controls, Fountain observes. "As companies try to move internal auditing from a primary focus on testing back to a process orientation," she says, "many of them will continue to maintain larger audit departments, but will rebalance their efforts to make sure they're picking up all the other risks as well."
Ray Broek, executive vice president at WithumSmith+Brown Global Assurance, based in Princeton, N.J., agrees. "There's change in the wind," he says. "In the first two years of Sarbanes-Oxley, companies focused on process documentation, developing the required tests, and performing them. Now that they've got three or four years behind them, they're becoming a lot more efficient as a result of the learning curve, and partially because the automated controls that many companies put in place require less testing. Companies are going back to their internal audit roots to really get involved in operational work again."
GET USED TO THE SPOTLIGHT
One thing that likely won't change, Buderath notes, is his enhanced stature within the decision-making hierarchy at DaimlerChrysler. "I am personally involved more strongly than in the past in all financial reporting matters," he says. "And I collaborate directly with the chief financial officer (CFO) and with the audit committee. That's new for me."
It's new, too, for Michael Marinaccio, director of internal audit at Biogen Idec, a biotech company based in Cambridge, Mass. "The greater focus on all the areas of internal audit influence has definitely been a good thing for the profession," he says, noting that since Sarbanes-Oxley was enacted, "many companies that didn't have an audit function have established one." That's especially true for many companies like his, he adds — young firms, often operating in the fast-paced biotech sector or similar, high-growth, highly technology-dependent fields that run especially lean.
What, exactly, internal auditors are focusing on isn't as key to the profession's stature as how much other parts of many companies are focusing on the internal audit function. The elevated status of internal auditors gives them a platform to demonstrate their value to management, Marinaccio adds. The recent changes in the way some firms balance internal controls — governance versus financials, risk management versus ethics — have also increased awareness of controls. "We don't have to fight the education battle so much anymore, explaining to people what controls are," he says. Now, colleagues at Biogen Idec make sure to run ideas by him in the developmental stage on an informal basis, instead of waiting until established projects reach the audit department through the natural course of control processes. "They tell us what they're thinking about doing," he comments, "and they take our input seriously."
There's a potential downside to the new role internal auditors are playing in many companies as a result of their recently modified focus on governance, financials, and ethics. Just as the spotlight illuminates all the good internal auditors can contribute, it also casts an unforgiving light on mistakes internal auditors can make. "More internal auditor positions have been elevated to the level of the executive suite," Jameson points out. "That has been good for the profession as a whole, but I suspect there are certain individual internal auditors the changes haven't been good for." Some audit directors turned chief audit executives (CAEs) who struggle to measure up to higher expectations and more significant audit issues may be replaced by more experienced CAEs, he notes. "There's certainly more pressure to make the right calls and do the right thing."
CHANGES ON THE SURFACE
In fact, you might say that's where the real pressure on internal auditors rests these days: Doing it right. Throughout the profession, the pressure isn't so much to perform governance work, financial reporting work, or any other specific audit engagement. Rather, the brave new world of internal auditing brings greater responsibility to assist organizations in managing global risks in many areas, governance and financial reporting among them.
As director of the Corporate Governance Center and a professor of management and entrepreneurship in the Coles College of Business at Kennesaw (Ga.) State University, Paul Lapides studies internal audit departments in transition. His perception is there has been more talk about dramatic changes in the way companies allocate internal audit resources for governance-related or financial report-related work than there has been real change. Audit departments didn't focus considerable efforts on governance issues in the past and, for the most part, they don't now, he says. Any enhanced emphasis on financial reporting controls is simply that — enhanced emphasis, not a seismic shift in the way corporations approach controls.
"I haven't seen anything interfering with good financial auditing," Lapides comments. "The reality is internal auditors — and external auditors — still don't do much related to looking at the governance of an organization. For most internal audit departments, it's probably good to have fairly light review authority, because it's difficult to say to board members, 'By the way, your audit committee stinks and your board process is a joke.'" Indeed, in his ongoing research, he's interviewed more than 1,000 audit committee members and determined that, while some may emphasize governance, he doesn't see a trend toward that kind of focus. "It's not much different from 20 years ago," he says.
What has changed is the magnitude of internal audit work. "I've seen a wide diversity in companies' allocation of resources," Lapides says. "Internal audit departments are not doing less in any areas. In fact, they're doing more in every area." Operational and financial auditing are becoming more integrated as well, he notes.
Marinaccio sees the same thing. Many companies' initial reaction to Sarbanes-Oxley was to place too much emphasis on auditing financial controls and financial statements — "probably to the detriment or peril of other areas," he says. But now, "there's pressure to start rebalancing our whole approach to everything." Increasingly, internal auditors like Marinaccio are taking a top-down approach and putting together risk-based audit plans that will attempt to strike a balance among their various spheres of influence, including compliance, information technology, and finance. Biogen Idec plans to hire a corporate compliance officer with responsibility for both risk and compliance — although financial controls likely will remain separate, a responsibility of the CFO. "If you look at risks individually and try to manage them all separately, you can fall into a silo trap," Marinaccio says. "You have to look globally — at the entire worldwide enterprise — and determine the risks you face."
AN INDIVIDUALIZED EMPHASIS
That word, "globally," comes up often when internal auditors talk about their jobs in a post-Sarbanes-Oxley environment. Their talk also reveals that the specifics of a global approach — how much emphasis on governance, how much on financials, how much elsewhere in the company—is subject to change with the changing corporate environment throughout the world. Any new emphasis on internal control over financial reporting is probably going to be as time- and corporation-specific as the moves away from financials were before the arrival of the new regulatory regime. Indeed, Hans Spoel, director of group audit services at Alcatel-Lucent SA, Paris, calls internal controls "the bread and butter of the internal auditor." And internal control over financial reporting is part of the core business of any internal audit shop, he says, because internal auditors deal with corporate governance, internal control, and risk management in all the work they do, whether in an assurance or an advisory mode. Sarbanes-Oxley and its kin worldwide, in fact, didn't herald a move away from one discipline and to a new one, he says. Rather, they simply served as "wake-up calls" for the profession.
In other words, what seems like a seismic shift away from governance and toward financials is really more business operations refinement than a complete rethinking of a corporate approach to controls. "At the heart of all this is the never-ending allocation-of-resources issue," Spoel points out. "You never have enough people to do it all." Alcatel-Lucent, for example, expended almost 80 percent of its available internal audit human resources in year one to become compliant with the new laws. That wasn't a dramatic shift in internal audit priorities, though; it was a reflection of the company's circumstances at that time. "We were going through a major crisis and we could not afford to bring in outside help," Spoel explains. "Therefore, internal auditing was involved in not only the testing part of Sarbanes-Oxley, but also very much in the design, implementation, and project management pieces. Will that also be the case going forward? No."
In fact, Spoel doesn't understand all the fuss about a distinction between a pre-Sarbanes-Oxley focus on governance and a post-Sarbanes-Oxley focus on financials. Internal auditing is internal auditing, he stresses, and its reach should extend to every aspect of internal controls in the organization. Even under the law, he explains, "the financials may be the origin for determining scope, but Sarbanes-Oxley is a top-down, risk-based exercise in which the key issues are control-environment and managing-the-entity considerations. You can't get more governance-related than that."
Jameson, too, sees a continuum including financial reporting controls and governance-related activity, and he sees it flowing in both directions. "Actually, the focus by Sarbanes-Oxley on controls drives some of the governance processes," he says. "In the end, everything affects the financial statement — everything we do in the company. Our processes all seem to link back to the financials, even on the governance side."
THE NEXT FIVE YEARS
Rarely is opinion undivided on issues of the appropriate structure of internal auditing within an organization. Jameson says he wouldn't be surprised to see internal auditors extend their reach even further. "As the focus on internal auditing is incorporated more fully into the routine of businesses' processes and activities, I'm going to speculate that internal auditing will broaden into additional areas of governance and risk management," he explains. "As Sarbanes-Oxley fades from the spotlight, internal auditors may see opportunities to use beefed-up budgets to make their companies better in other respects. There will be some additional opportunities for internal auditors to look at some things they traditionally haven't looked at."
On the other hand, Buderath comments, "it is not useful to combine the compliance office with internal auditing. One is a management function, and the other is an audit function." Internal auditors should not be the risk manager either, he notes, as they must audit risk management systems and procedures. Interestingly, Buderath developed DaimlerChrysler's risk management processes and was, by board mandate, made its risk manager for three years. "It was a conflict of interest for me," he says now. "There's no doubt there should be very strong collaboration between internal auditing, compliance, and risk management, but, based on my experience, they should be strictly separated."
Governance is another matter entirely. It was not the focus of internal audit work at most companies before Sarbanes-Oxley, and it likely will not be the focus looking forward to the next five years. Rather, Buderath and the others agree governance always will be a component of an effective audit department, not its main line of business or area of influence. "Governance should not be a special function in a company," Buderath stresses. "Governance is an issue for all management, whether line managers with operations responsibilities, risk managers, compliance auditors, or internal auditors. Governance is a task for all departments."
To comment on this article, e-mail the author at russell.jackson@theiia.org.
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.
To make something bold:
<strong>Text to bold</strong>
To make something italic:
<em>Text to italicize</em>
To make a hyperlink:
<a href="URL">Text to link</a>
