Internal Audit’s New Role

Put together a top-notch department.

NYSE-LISTED COMPANIES MUST HAVE INTERNAL audit departments in place in advance of an October 31 deadline. Internal auditors also are evaluating the scope of work their departments should take on to comply with Sarbanes-Oxley and other rules.

A COMPANY STILL PUTTING TOGETHER ITS INTERNAL audit department should proceed logically, hiring a new director first and letting him or her develop a plan for the audit function. In the search for a new director companies should involve not only the CFO but also human resources and the board of directors.

THE BIGGEST TASKS THE INTERNAL AUDIT DEPARTMENT faces are determining the scope of work and having the personnel and budget to complete it. In instituting internal controls over financial statements, companies must decide how they will document their compliance and how much of this work they expect internal auditors to complete. In most cases the department also will need to balance this work with its pre-404 tasks.

COMPANIES SHOULD EXPECT TO PAY BETWEEN .03% and .2% of annual revenues for an effective internal audit function that also fulfills Sarbanes-Oxley requirements. Companies that pay at the top of the range typically are highly regulated, decentralized entities with facilities spread across the globe.

AS INTERNAL AUDIT DEPARTMENTS SHED SOME of their operations focus, they must evaluate existing staff to see who has the financial expertise the department needs to perform its new functions. Communication skills also will be important to internal auditors as they undertake their new responsibilities, especially building relationships with the board’s audit committee.

CYNTHIA HARRINGTON, CFA, has been a money manager specializing in large-cap value stocks for high-net-worth individuals and small institutions. She’s now a full-time journalist whose work has appeared in Bloomberg Wealth Manager, Plan Sponsor and CFA Magazine.

Not since WorldCom whistle-blower Cynthia Cooper graced the cover of Time magazine has internal audit been in such sharp focus. The New York Stock Exchange (NYSE) now requires all companies listed there to “maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control”—and do it before October 31, 2004.

This rule will affect CPAs in many companies. While most of the 2,800 NYSE-listed companies already maintained internal audit departments, the fact that some did not prompted the exchange to require them. Experts estimate about half of NYSE companies, including some that already had internal audit departments, will need to take action to comply with the ruling. An Institute of Internal Auditors (IIA) survey in late 2003 showed 80% of the large companies included in the Fortune 1,000 already had an internal audit function. Even though the Nasdaq declined to require the same of the 3,400 companies trading there, it supports an internal audit function as a best practice.

Since the NYSE stopped far short of fully defining the role the now-required internal audit function must fulfill, each company is left to determine on its own what constitutes a properly structured internal audit department. CPAs who serve as internal auditors or as CFOs or controllers who oversee their employer’s internal audit department will find themselves needing to decide what ongoing assessments might be necessary. New internal audit directors must determine the scope of work their group should address, the skills required, the cost of the task and what framework to follow. Companies that currently have internal audit departments can answer some of these questions. By reporting the experiences of some of these entities, this article will help CPAs introducing or expanding an internal audit function to better understand the task they face.

Internal Audit Growth

Fortune 1,000 companies that already have internal audit departments

Companies that increased their staffs to comply with Sarbanes-Oxley 50%
Businesses that have allocated increased resources to comply with Sarbanes-Oxley 33%

Source: Institute of Internal Auditors (IIA), November 2003.

“The move to establish internal audit functions will spread because a properly structured internal audit department adds value” to any company, says Robert Hirth, CPA, a managing director of internal audit services at Protiviti Inc., a risk management and internal audit consultant in Menlo Park, California. “Audit committee members of NYSE companies who go through the internal audit process are likely to demand the same support at Nasdaq or private boards on which they serve.” Any company that decides to add an internal audit function—required or not—should proceed carefully, however, to get the desired results.

CPAs should advise companies putting together a new internal audit function to proceed in a logical order.

Begin the process of hiring the head of internal auditing first.
Involve the board of directors’ audit committee and human resources in the search.
Hire a candidate with specific internal audit experience.
Make certain the candidate understands the company’s business.

First things first is the advice from those experienced with internal audit. Hire the director and let him or her develop a plan for the audit function, says Norman D. Marks, vice-president of internal audit at Solectron Corp. in Milpitas, California. A NYSE-listed company, Solectron provides electronics manufacturing services to leading equipment manufacturers. “Give that person a flavor of the expected costs and ask him or her to come back with a plan.”

Finding a new head of internal audit can be challenging. The demand for top candidates is high now and the supply limited. In addition to networking through their external auditors for possible candidates, companies also will find top recruiters to be a good resource. “Be sure the recruiter you work with has direct experience filling the job of head of internal audit,” says Marks. “If your regular contact at the search firm has that experience, ask for them to supplement the search team.”

An exhaustive search is only the beginning. While the CFO may have screened candidates in the past, the new regulatory environment demands the participation of additional company personnel in filling the top spot. “It’s important to involve not just the CFO but human resources and the board of directors as well,” says Marks. At many companies the chairman of the audit committee interviews all prospective internal audit directors. In screening candidates the audit committee should assure itself that any potential new hire fully understands the importance of responding to the committee’s requests for information in a timely manner.

Companies today want a broader range of skills for their new internal audit directors than previously. “Finance is still number one, so the ideal candidate should really understand financial controls,” says Marks. “But you need somebody who also understands the bandwidth of the business.”

The new head of internal audit control services at Cisco Systems, a Nasdaq-traded company in San Jose, California, represents the qualities many companies are looking for today. When Cisco’s management and audit committee sought to upgrade its internal audit oversight prior to the passage of the Sarbanes-Oxley Act of 2002 and independent of the NYSE regulations, it targeted candidates who were professionally trained as internal auditors and finance experts with lots of operational experience. “Cisco’s executives and audit committee were thinking ahead and were visionary about the need for effective internal audit,” says Emily Kwong, CPA, who has filled her post as senior director of internal audit control services since 2003.

Kwong’s background includes 25 years in public accounting as a Big Four senior audit partner specializing in high-tech clients in Silicon Valley and Asia. Her tours of duty gave her expertise in financial reporting, sensitivity to government reporting and international experience with her firm’s overseas development arm. Kwong also gained operational and finance experience while in charge of some of her firm’s service lines that provided controller functions to companies that had outsourced them.

Audit Committee Effectiveness Center. This Web site provides guidance and tools for audit committee best practices.

The AICPA Audit Committee Toolkit (# 991001JA). A resource to help audit committees achieve best practices in managing their role within the company, including working with internal auditors.

Managing the Audit Function: A Corporate Audit Department Procedures Guide (# W1281190P0200DJA). An updated manual that reflects the radical changes in the internal audit profession.

For more information or to place an order, go to or call the AICPA at 888-777-7077.

Converging Roles: The Changing Role of Internal and External Auditors. Conference cosponsored by the Institute of Internal Auditors and the AICPA, November 7–9, 2004, Orlando. Visit the Institute of Internal Auditors Web site for more information and to register.

Also visit the IIA Web site for an up-to-date list of resources including a variety of webcasts, seminars, conferences and publications.

Once a company fills the top position, the real work begins. The answers to the questions of cost, size, required skills of internal audit staff and implementation plan lead back to what functions management will ask the internal audit department to perform. Because this issue is still uppermost on the minds of many company executives, CPAs both inside and outside an entity can be helpful in setting the scope of work. According to an IIA study, only one-third of companies have addressed the need to reallocate resources to respond to the expanded role of internal audit.

“At Cisco, we’ve added a couple of people but some of my peers are talking about adding 25% to 30% to their current staff to meet the requirements of Sarbanes-Oxley,” says Kwong. Cisco’s internal audit staff is lean. Only 12 people serve the needs of the $20 billion global technology company. Kwong credits the company’s decentralized approach to Sarbanes-Oxley compliance. Each business unit takes ownership of controls, processing and testing.

Even established internal audit departments face expense increases to comply with the new legislation, primarily section 404 of Sarbanes-Oxley, which mandates that management evaluate its internal controls over financial reporting and file a report with its financial statements about the effectiveness of those controls. The companies themselves decide the depth of the documentation and how much of the work they expect internal audit to complete. Since established departments had a full workload prior to Sarbanes-Oxley, internal audit directors have had to make tough decisions about how to apportion staff time and focus. “In many cases, departments had been charged mostly with maximizing operational efficiencies,” says Marks. “Now complying with section 404 has taken over the department’s entire focus.”

Marks sees this seismic shift in emphasis as a slippery slope. In the unlikely event the audit department gives up all of its pre-404 tasks to stress compliance, the audit committee will question the need for a return to the previous focus on controls to improve operational processes. “The key to 404 is not simply to accomplish what it requires but to leverage the resulting knowledge,” Marks says. “We want to look at how this legislation can help us to identify best practices that both standardize processes and increase efficiencies and spread them throughout the company.”

FirstEnergy Corp., based in Akron, Ohio, has been managing internal audit issues for 65 years. The nation’s fifth largest investor-owned utility, FirstEnergy set out to integrate the new demands with its ongoing responsibilities (see “FirstEnergy: Integrating Internal Audit”).

David A. Richards, CPA, CIA, director of internal audit for FirstEnergy before his recent retirement, says “the first issue in setting up an internal audit shop is how to do it.” He directs CPAs to the IIA as a source for materials to help set up a department. “The IIA is positioned to guide companies in setting up an infrastructure, provide access to people experienced in this process and help establish standards for what constitutes a good audit shop,” says Richards, the 2001-02 chairman of the organization’s board.

Not all companies want to do the set-up. Those outsourcing the process to a public accounting firm should first clarify the department’s purpose. Protiviti’s Hirth says his company “leads clients through a reasonable approach to setting up a department that begins with the audit committee developing and approving a charter. Then we help get a chief auditor in place, determine how risks will be assessed and develop an audit plan.” (For guidance on drafting a charter, see “Developing an Audit Committee Charter.” Also see the AICPA Audit Committee Charter Matrix.)

Developing an Audit Committee Charter
A strong internal audit function begins with a strong board of directors’ audit committee. For committees that still don’t have charters, here is some information CPAs can use to help them draft one.

Define the purpose of the charter: to help the board of directors fulfill its oversight responsibilities.

Detail the authority the audit committee will have: to conduct or authorize investigations into any matters that are within its scope of responsibility.

Define the expertise and number of people required on the committee: at least three and no more than six members of the company’s board of directors. Each committee member will be both independent and financially literate.

Specify the number of meetings the committee will hold and the scope of its responsibilities, which include the following:

Perform financial statement review.

Understand the company’s internal controls.

Review the internal audit plan, ensure compliance and effectiveness and meet with the chief audit executive regularly.

Review the external audit plan, ensure the performance of the external auditors and meet separately with them.

Review plan to comply with laws and regulations, and communicate required code of conduct to company personnel.

Report to board of directors and shareholders and keep avenue of communication open between internal audit, external auditors and the board.

Source: Institute of Internal Auditors.

What does all this cost? Hirth points to an IIA study that says companies should expect to pony up between .03% and .2% of annual revenues for an effective internal audit function that meets Sarbanes-Oxley requirements. Companies that are highly regulated and decentralized with facilities spread across the globe will find themselves at the top end of the cost range. “Risk assessment drives the cost,” says Hirth. “Well-managed companies, with few past problems, that narrowly define the audit function will spend less than those with opposite characteristics.”

Even established internal audit departments will find they need to upgrade or add financial expertise to the operations focus that has dominated their responsibilities over the past decades. Hirth, for example, advises clients to look at the background of their current internal audit staff before adding new personnel—to determine where they came from and to evaluate each person’s whole career. “Even if staff members have moved to an operations focus, they might still have the financial background that is so important today,” he says.

In addition to beefing up the department’s financial expertise, new internal auditors are being asked to expand their interpersonal skills. Janet McKinley, chief corporate auditor at BellSouth Corp. in Atlanta, embodies the qualifications of an ideal internal audit director. Her background includes 25 years in audit and finance positions at BellSouth’s various operating divisions. McKinley lists communication ability as a top requirement for herself and her staff: “Fulfilling all the requirements means developing personal relationships vs. sitting behind closed doors assessing everything from a distance.”


CPAs should recommend a broad spectrum of company personnel participate in the search for an internal audit director, including human resources staff and the board of directors’ audit committee, as well as the CFO.

CPAs can offer their expertise to help companies determine the scope of work the internal audit department will take on and what resources in terms of both money and personnel the department will need to do the job.

Before adding new internal audit personnel, companies should look at the background of existing audit staff members. Examining an employee’s career might reveal he or she has the financial background that is so important in the refocused internal audit function. Companies then can add new employees with the appropriate expertise to fill in the gaps.

A best practice CPAs can recommend is that the internal audit department outline to the company’s external audit firm ahead of time the approach it will take in complying with SEC standards to make sure the company is conducting the appropriate tests to satisfy the auditors.

At BellSouth the communication flow is formalized. Either McKinley or one of her staff attends the officers’ staff meetings in each of the company’s business units. They take an active role in the proceedings by reporting on internal controls and audit issues and seeking input from managers about the processes. “We also make ourselves available at any time,” she says. “We want to establish the internal audit as an event not to be feared but almost welcomed.”

CPAs will find managing the relationship with the board’s audit committee occupies a considerable amount of the internal audit director’s time. The responsibilities include formal activities such as delivering reports at board meetings and less formal ones such as responding to ongoing information requests and educating new board members. For internal audit, direct contact with the audit committee is a significant result of the new regulatory environment. While McKinley reports to the corporate secretary, she counts on the solid line to the audit committee to execute her duties. “It’s important to have the full support of the board and upper management,” she says. “And equally important is understanding the board’s expectations over and above what the law says.”

Auditor qualifications. McKinley says her employer was retooling its internal audit staff even before Sarbanes-Oxley and section 404. “We were looking for more accountants with Big Four audit experience, more with finance and accounting backgrounds as well as candidates with the certified internal auditor designation.” A major focus at BellSouth also is on audit staffers with strong information technology skills, including hiring people who have the certified information systems auditor designation. For a comprehensive list of skills and expertise an internal auditor should have, see “Internal Audit Director/Staff Qualifications.”

Internal Audit Director/Staff Qualifications
Here’s what companies should look for when hiring a director of internal audit. While the ideal candidate may not have all of these qualifications, he or she should have as many as possible. Companies also can use this list when expanding their internal audit staffs below the director level by adjusting the training and job experience requirements accordingly.

Undergraduate degree in accounting or related field (MBA preferred).

CPA with Big Four audit experience as well as finance and accounting background.

Five to 15 years in internal audit.

Professional designation such as certified internal auditor (CIA), certified information systems auditor (CISA), certified fraud examiner (CFE), certified management accountant (CMA) or certified financial manager (CFM).

Experience in handling internal controls and Sarbanes-Oxley.

Strong computer skills including financial systems and databases. Proficiency in accounting and auditing computer software.

Experience interacting with upper management and the board of directors and its audit committee.

High level of personal and professional ethics.

Ability to manage and motivate a staff of financial professionals.

Solid analytical and problem-solving skills.

Strong written and oral communication skills.

The big job for internal audit—satisfying section 404 requirements to establish, document and monitor controls—will be accomplished over the near term. Plans for the future vary greatly by company, and few CPAs know exactly what internal audit’s ongoing workload will look like. They will understand better once the full annual cycle is complete and the external auditors’ needs have been satisfied. “SEC standards are so tight that any weakness in a control will cause the external auditor to give a negative opinion,” says Richards. “We’re laying out an approach with our external auditor ahead of time to see if our testing will be sufficient for its needs.”

Despite the uncertainty of the times, the internal audit profession is growing. And CPAs are filling many of the critical positions. Demand for auditors is up and internal audit staff have open career paths to management positions throughout bigger companies.

That’s good news for the profession and cautionary news for companies just starting up internal audit functions. “Everybody is out pounding the pavement for good and experienced staff,” McKinley says.

FirstEnergy: Integrating Internal Audit
Over 65 years Ohio utility holding company FirstEnergy perfected its internal audit function, but the new regulations forced the company to make changes despite its long-standing expertise. The group directly involved in documenting and testing controls to comply with Sarbanes-Oxley section 404 ballooned to 30 people. In prior years nobody at the company had been looking at controls to the extent required by section 404.

While internal audit still is a major player in the company-wide compliance effort, its tasks now are shared throughout the entity. The diverse team that leads the project reflects the breadth of the integration required to provide the new information. The team includes the company controller who oversees the project as well as the internal audit director, the chief legal officer, the chief risk officer, the head of IT and top managers from two business units. The team works in part as a steering committee that reports to the board through the audit director.

The company’s now-retired audit director, David A. Richards, budgeted close to 15,000 hours of compliance time, with half spent by the end of 2003. His team defined 75 business processes throughout the company and then took apart the company’s financial reports to see where the compliance risks were in their accounting and reporting methods. “Each process we identified was fairly elaborate,” says Richards. “Fortunately we had just changed over our entire accounting software system in June 2003, so we were not faced with the more difficult task of documenting a legacy system.”

The compliance future is quite unclear even for FirstEnergy. It hasn’t yet been through the full cycle including an external audit. No one knows what’s going to be needed on an ongoing basis. “We’ll need to update and go back and do maintenance,” says Richards. “But what that will entail and how frequently we’ll do it are still outstanding questions.”

The Journal of Accountancy is now completely digital. 