Internal pressure is a pervasive threat to the objectivity inherent in internal audit, according to new research.
More than half of North American chief audit executives (CAEs) said they had been directed to omit or modify an important audit finding at least once, and 49% said they had been directed not to perform audit work in high-risk areas. That's according to a report by The Institute of Internal Auditors (IIA) Research Foundation, based on a survey of 494 CAEs and some follow-up interviews.
Sometimes, the threats are clear and easy to understand; some CAEs were told they would be fired. Other times, the pressure was more subtle; some CAEs reported budget cuts or a decline in internal audit staffing that they perceived as tacit pressure.
Many times, the follow-up interviews yielded positive lessons. For instance, sometimes the instruction to modify an audit finding could be worked out with a discussion between the CAE and the executive who asked for the modification. That's an easier discussion for auditors to have when they have built a relationship with the C-suite in advance and can explain why it matters to the organization as a whole to report the finding accurately.
Several codes of ethics address what finance professionals should do when asked to do something that they consider unethical. For instance, the IIA's Code of Ethics states, under the topic of objectivity, that all internal auditors "[s]hall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."
The AICPA Code of Professional Conduct has a section for how business members should behave when facing a threat. The Conceptual Framework for Members in Business—part of both the AICPA code and the Code of Ethics for Chartered Global Management Accountants—addresses threat categories that may be encountered. One section mentions the undue influence threat, which could include the following: "A member is pressured to change a conclusion regarding an accounting or a tax position."
The AICPA code says members should follow a three-step process in addressing threats: identify the threat, evaluate the threat's significance, and identify and apply safeguards.
NEARLY ONE-THIRD ASKED TO AUDIT LOW-RISK AREA
Larry Rittenberg, CPA, a professor emeritus at the University of Wisconsin, said he and report co-author Patricia K. Miller, CPA, former IIA global chairman and Deloitte & Touche LLP partner, found that 55% of survey respondents had been asked at least once, and some more than once, to omit or modify an audit finding.
Richard Chambers, president and CEO of The IIA, said, "I wouldn't want to suggest that it is commonplace, but I think, as [Miller and Rittenberg] have done an outstanding job of documenting, this is not that uncommon, either."
The survey found that 32% of respondents were asked to audit low-risk areas so that an executive could investigate or retaliate against another individual.
Sometimes, the blame for issues fell to ineffective audit committees, Rittenberg said. Other times, audit executives faced off with company lawyers who wanted to protect an executive.
Rittenberg said there was a sense of pressure not to communicate a finding with certain people so that those people could have plausible deniability.
Some survey participants took part in follow-up case studies. Among the lessons learned for how to handle political pressure while performing internal audit duties:
Know the culture of the organization, but understand that it can change. "One of the things that surprised us was how quickly an organizational climate can change," Rittenberg said. He said these changes caught CAEs off-guard as well. A new CEO or set of executives might be focused more on short-term, market-related goals than on long-term organizational objectives. "We see changes, maybe some investor-type pushes to change the organization to perform better," Rittenberg said. "There are changes in the board, changes in the CEO. The internal auditor has to be aware of those changes and build relationships, particularly with the audit committee." These changes, some respondents reported, also led to instances where "previously unacceptable behaviors became acceptable."
Business acumen is required. To demonstrate value and build credibility, internal audit must demonstrate a sound knowledge of the business and its strategies and apply that knowledge in assessing risk, the report said. "We would like to see internal auditors communicate more effectively from a business point of view," Rittenberg said. "We wanted to see communication [such as], 'These are the risks we addressed, these were the findings, this is the root cause, this is how we might go forward in mitigating those risks.' " The most effective CAEs, the report said, have the ability to convey audit findings from management's perspective, rather than the more narrow perspective of internal audit.
Anticipate political pressure. Some CAEs, according to the report, described decision models they developed to help them judge the significance of an issue. They also reported that it was vital to build relationships ahead of time to better understand other stakeholders' rationale and incentives. Getting clarity in advance from the audit committee about support that might be needed was also important.
Facts are your friend. CAEs emphasized the importance of objective, accurate, and complete data, thorough audit work and analysis, and an understanding of the effect of the audit finding on the organization. In one case study example in the report, the CAE at a major U.S. retailer faced a challenge from the company's IT director, who did not want a report that identified "significant technical control issues" released without deleting some key findings. The CAE credited confidence in the quality of the audit work for helping to resolve the dispute and report the findings.
The full article, "'Pervasive' Pressure Challenges Internal Audit's Objectivity," by Neil Amato, is available at cgma.org.
—By Jack Hagel, editorial director, CGMA Magazine
Also at cgmamagazine.org
Ticket to retention: More paid time off
Many executives may be undervaluing the perks their employees want most, according to new research from finance staffing firm Accountemps.
When asked which workplace perk they think their employees are most interested in receiving this year, 41% of CFOs said better benefits, and 19% said more vacation days.
In a separate survey of workers, however, more paid time off (30%) edged out better benefits (26%) as most desired in 2015.
The surveys include responses from more than 2,100 CFOs from companies in major U.S. cities and more than 320 employees who work in an office environment.
"You can't underestimate the importance of time away from work," Bill Driscoll, a district president with Accountemps, said in a news release.
The full article, "Ticket to Retention: More Paid Time Off," by Jack Hagel, is available at cgma.org.
Where paying taxes is the most business-friendly
Worldwide, tax rates and the time it takes businesses to prepare, file, and pay their taxes continued to drop, particularly in Africa, according to Paying Taxes 2015, a PwC and World Bank study that has measured the ease of paying taxes worldwide since 2004.
The average total tax rate fell by 1.3 percentage points in 2013, the most recent year the study analyzed. Time to comply decreased by four hours for the year.
The Middle East was the most business-friendly. In 2013, the region's overall tax rate was 24%, and it took 160 hours per year to comply. South America had not only the most time-consuming tax system—it took 620 hours to comply—but it also had the highest overall tax rate in 2013 at 55.4%.
In North America, the World Bank's case study company paid an overall average 38.9% tax rate and took 213 hours to comply.
The full article, "Where Paying Taxes Is the Most Business-Friendly," by Sabine Vollmer, is available at cgma.org.
CFOs increase spending on cybersecurity
More than two-thirds of finance executives at technology companies have increased their spending on cybersecurity measures during the past year, a recent survey shows.
Most CFOs in an annual survey by accounting and consulting firm BDO said the main response to cybersecurity concerns was the implementation of new software security tools and the creation of a formal response plan for security breaches.
Sixty-three percent of finance executives in the AICPA's quarterly Business & Industry Economic Outlook Survey said their top response to the increased threat of data breaches was spending more on cybersecurity and fraud prevention.
The full article, "CFOs Increase Spending on Cyber-Security," by Neil Amato, is available at cgma.org.