Audit Commission future still shrouded in mystery
Since announcing its abolition, the government has gone very quiet on its plans for the Audit Commission, reports David Walker.
Since announcing its abolition, the government has gone very quiet on its plans for the Audit Commission, as David Walker reports.
A year after communities secretary Eric Pickles decreed its abolition, the Audit Commission is still in business. It still, in principle, administers the statutory code of audit practice across the local public sector and has even re-started recruiting to its graduate recruitment scheme for auditors, which had been abandoned last autumn.
Its fate remains sealed, officially at least. The government still intends to ‘bring forward primary legislation in due course’ and remains committed to giving councils a right to choose their own external auditors.
But for at least the rest of this year, the Department of Communities and Local Government will have its hands full with controversial new laws on planning and housing and there’s precious little space in the parliamentary calendar for more contentious legislation. The House of Commons Public Accounts Committee has been promised several months to scrutinise any abolition legislation before it is presented to parliament, which would further delay proceedings.
Commission to appoint external auditors
The government said in July that the Commission will definitely appoint external auditors to local authorities in the 2012 financial years, on contracts that will run for three to five years. That must mean the Audit Commission or some public body looking remarkably like it will be needed to supervise the running of those contracts, until 2017. So the Audit Commission could stagger on, outlasting not only Mr Pickles but even the government itself.
It is not that the DCLG can’t be brutal. It is dispatching another unloved quango, finding space in its Localism Bill to decapitate Standards England, the watchdog on councillors’ behaviour. But on the fate of the Audit Commission, officials have been ambiguous, talking about keeping a ‘small residual body’, which might mean they could get by without primary legislation. Mr Pickles himself has disavowed the £50m a year cost savings he had said would come from abolition. This figure, he said sarcastically a few weeks ago, ‘came from my officials who I rely on completely in these matters’.
Yet much has changed. Even before he announced its death, Mr Pickles had instructed the Audit Commission to abandon comprehensive area assessment. This scheme involved the publication, jointly with education, police and social care inspectors, of annual judgements on public services in local areas of England.
Such ‘bureaucratic interference’, in Mr Pickles’ words, was unnecessary when public bodies are being encouraged – and forced – to pump out mounds of data on spending and performance, allowing the public to make their own minds up.
Value for money studies
What have also disappeared since last summer’s abolition announcement are the Audit Commission’s value for money studies – the last one it completed was about the cost of council road maintenance. The government’s plan had been that the National Audit Office would step in, and add local government to the vfm reports it writes about Whitehall. But that could not happen until the Public Accounts Committee gave its leave and MPs say they won’t debate the role of the NAO until they have clear sight of the government’s formal plans for public audit.
Earlier this year the permanent secretary of the CLG, Sir Bob Kerslake, was asked by the cabinet secretary Sir Gus O’Donnell to take an all-round look at local spending in the wake of abolition. Kerslake had said ‘we’re trying to develop an approach to accountability in this new world’. But as of early September his report has yet to surface.
Where the announcement of the Commission’s abolition has had most effect is within the Commission itself. Bob Neill, the local government minister, hinted a year ago that the audit practice – the 1200 or so Commission staff auditing councils, primary care trusts, police authorities and so on – could be hived off into a mutual or cooperative. Instead, the government seems now to favour privatisation.
Commission’s audit practice
Just as Parliament broke up for the summer, Mr Pickles instructed the Commission to appoint no auditors next year except from private firms. This effectively means the end of its own audit practice and over the autumn months it will become clearer whether staff leave to join commercial practices or move into the private sector as a fully-fledged firm. The government says it would not be against ‘an employee owned company’ provided it did not have ‘an unfair advantage’.
CLG told the Commission to appoint auditors on contracts lasting from three to five years ‘giving local councils and other public bodies the time to plan for appointing their own auditors’.
Under existing law, the Commission picks councils’ auditors from a roster of approved firms and its own practice, which till now has had about 70% of the business.
As for audited bodies, the future of audit was ‘not yet on the radar’ for over four out of ten chief executives, finance directors and council committee chairs from a sample of 70 surveyed by KPMG, though clear majorities favoured the principle of appointing their own external auditors.
Local authority concern
Interestingly the same survey found half of local authority top brass expressing concern about internal audit and control. Where internal audit is outsourced, new relationships may have to forged with new private sector external auditors – and there may well be some churn in the market as companies decide where to focus and specialise, both geographically and functionally.
Even enthusiasts for localism worry whether councils can create or reshape their audit committees to take on the muscular new roles the government seems to envisage. ‘A lot is being asked of a few councillors, who will need specialist knowledge and intellectual confidence,’ says Jessica Crowe, director of the Centre for Public Scrutiny. ‘And if councillors co-opt business people and outsiders to audit committees in large numbers, that could dilute accountability.’
Till now private sector auditors appointed to councils had the Audit Commission at their backs, checking they were being tough enough. In future, their appetite for controversy may be less. In its submission to the government earlier this year, the Audit Commission – which has refused to comment publicly on its own demise – raised this problem.
In the new circumstances auditors may choose to close their eyes. In the NHS foundation trusts are no longer subject to public audit; they choose their external auditors. ‘We note,’ the Commission said dryly, ‘that not a single public interest report has been issued since the first foundation trusts were established in April 2004’.
David Walker was formerly managing director, communications and public reporting at the Audit Commission
Was the UK right to pass on Sarbanes-Oxley 404?
The UK chose to pass on adopting the US government’s strategy surrounding Sarbanes-Oxley 404. Has it been proved right? Tim J. Leech and Lauren C. Leech take an extended look at this key issue.
The UK chose to pass on adopting the US government’s strategy surrounding Sarbanes-Oxley 404. Has it been proved right? Tim J. Leech and Lauren C. Leech take an extended look at this key issue.
This article takes a detailed (6700 words) look at Sarbanes-Oxley 404, broadly broken down into four sections:
- the ‘control-centric’ approach to reliable financial statements – what is it and what are its deficiencies?
- what would a true ‘risk-centric’ approach to SOX 404 look like?
- what US Congress, the SEC and PCAOB need to do to prevent the next major wave of unreliable financial reporting
- the business case for the US, the UK and the world moving to a true ‘risk-based’ SOX 404 type approach (including four key reasons)
- Opportunity for the UK to move forward.
Sarbanes-Oxley (SOX) Section 404 in the US calls for opinions from CEOs, CFOs and external auditors of US listed companies on ‘control effectiveness’ over financial reporting. Scores of the UK’s biggest companies listed in the US are forced to comply with these rules. Since 2004 SOX Section 404 has almost certainly proven to be the most costly regulatory intervention in the world in the history of securities regulation, costing companies and their shareholders tens of billions of dollars.
Unfortunately, since Section 404 was implemented, thousands of materially wrong financial statements supported by SOX Section 404 control effectiveness assurances have been issued, including assurances from CEOs and CFOs of financial institutions at the center of the 2008 global financial crisis and their auditors that controls supporting financial reporting were ‘effective’ in accordance with the dated and obsolete 1992 COSO Internal Control Integrated Framework. ‘Effective’ has been defined by the Securities Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) as capable of preventing even a single material error.
Shortly after SOX was enacted in July of 2002 Roger Hodgkinson, technical director at the Institute of Chartered Accountants England and Wales, wrote to the SEC raising serious concerns with the notion of external reporting on ‘control effectiveness’, saying ‘We sympathise with the SEC on many of the difficulties that it faces in arranging for the provision of pragmatic guidance on internal control reporting to implement the current requirements of the Sarbanes-Oxley Act. The combination of (a) a difficult concept (internal control) with (b) a requirement for measurement (effectiveness) for which there are no objective benchmarks, does not make for an easy solution.’
In 2004, after the release of SOX Section 404, the Turnbull Review Group (appointed by the Financial Reporting Council, the UK’s independent regulator for corporate reporting and governance) issued a position statement in June of 2005 rejecting the implementation of SOX 404 reporting requirements related to internal control effectiveness reporting in the U.K. Reasons cited at the time included:
1.15. In addition, in the Review Group’s opinion a requirement for a statement that processes are effective could be bound to lead to expensive testing and verification work to a low level of detail. The Review Group did not consider the benefit of such a statement to shareholders would be sufficient to recommend that it should be required, and was concerned that it might result in a focus on compliance rather than substantive assessment and management of risk, undermining what was seen as one of the main strengths of the Turnbull approach.
1.16. The Review Group received little encouragement from investors to recommend Section 404 style disclosures. Instead, investors stated they are looking for company-specific disclosures which provide them with some assurance that the key risks facing the company have been identified and are being managed, and which highlight areas of focus and improvement. The Review Group considered that this demand should in part be met by the new mandatory Operating and Financial Review (OFR).
(Review of the Turnbull Guidance on Internal Control, Consultation Paper, Turnbull Review Group, 16 June 2005, Page 4).
A key question that should be asked is whether the UK decision to reject SOX 404 ‘control effectiveness’ reporting in favour of one more focused on substantive assessment and management of risk generally was the right one. This article concludes that history has now confirmed that it was, indeed, the right decision.
In light of SOX 404’s massive costs, disappointing results, and hugely dysfunctional consequences this article proposes that US Congress enact a simple amendment to Section 404 to require CEO, CFO and external auditor opinions on the ‘effectiveness of risk management processes’ specific to the objective of reliable external financial reporting. This recommendation is consistent with but more specific than the position advanced by the Turnbull Review Group in 2005.
A true risk-based approach would allocate resources to the most statistically probable root causes that account for the majority of materially wrong financial statements. The authors believe this small legislative change would result in significantly more reliable financial statements, reduce long-term Section 404 compliance costs, better align with the new global regulatory focus on risk management and risk oversight and, most importantly, restore global confidence in US corporate governance and global capital markets.
Even if the business case for CEO/CFO and auditor certifications on risk management effectiveness representations proposed in this paper is not accepted in the US, the authors believe there would be a strong business case for Canada, Australia, the UK and Europe adopting this new corporate governance practice as part of the global move to international accounting and auditing standards.
The ‘control-centric’ approach to reliable financial statements – what is it and what are its deficiencies?
In 2002, Section 404 of the Sarbanes-Oxley Act of 2002 (“SOX”) stated:
(a) RULES REQUIRED. - The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934..to contain an internal control report which shall –
(1) State the responsibility of management for establishing and maintaining an adequate control structure and procedures for financial reporting; and
(2) Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of internal control structures and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING – With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestations shall not be the subject of a separate engagement. (Section 404)
The genesis of the SOX 404 legislation was drawn from conclusions of Commissions that studied the problem of unreliable accounting dating back to the late 1970s. Those commissions convened following three distinct waves of massively unreliable financial reporting in the US, including names such as Continental Vending, Equity Funding, ZZZZ Best, Penn Square Bank, WorldCom, HealthSouth, Enron, and many others. All of these Commissions called for management and auditor reports on ‘control effectiveness’. 25 years after the Cohen and Treadway Commissions first called for it, the Sarbanes-Oxley Act of 2002 made it the law of the land in the US in record breaking time creating impacts felt around the globe. Other countries, including Canada and Japan, have followed suit and now require management representations on ‘control effectiveness’. The UK, as mentioned earlier, emphatically rejected this strategy in 2005 as suboptimal and potentially dangerous.
The SOX 404 sections referenced above were initially implemented in the U.S. via the much maligned and criticized Auditing Standard No. 2 (AS2) enacted by the Public Company Accounting Oversight Board (PCAOB). The focus of AS2 was on documenting and testing controls. A word search analysis of AS 2 reveals that it uses the word ‘risk’ 98 times compared to 1802 instances of the word ‘control’. When the implementation of this auditing standard resulted in the SEC’s original cost estimates of $91,000 per registrant escalating to millions of dollars per registrant, with the total cost of SOX 404 compliance running in the billions of dollars globally, the PCAOB was told by the SEC to come up with a more ‘risk-based’ approach.
The PCAOB, listening to the resounding global criticism of the cost of AS2, made a tentative attempt to respond to criticism. In Auditing Standard 5 (AS5), the current and dominant U.S. SOX 404 guidance, the word ‘risk’ appears 193 times versus the word ‘control’ which appears 943 times. No attempt were made by the PCAOB at the time, as far as public records and direct inquiries to the PCAOB by one of the authors reveal, to actually consult risk experts or international risk management standards to develop a true ‘risk-based’ approach. The fixation on documenting processes and testing controls in AS5 suggests that the PCAOB authors tried to modify their core thinking, but continued to approach their task drawing on out-dated auditing protocols and terminology that were originally developed in the late 1970s, based on the core tenets of COSO Internal Control Integrated Framework, a control framework developed around 1990-91, more than two decades ago. The results, in terms of fixation on control processes and massive costs is exactly what the UK’s 2005 Turnbull Review Group cited earlier predicted would occur.
A section of AS5, PCAOB’s second attempt at SOX 404 implementation regulation, does suggest that auditors should complete a ‘risk assessment’, and states auditors should focus ‘more of his or her attention on the areas of highest risk’. (NOTE: presumably ‘more’ means more than auditors did using the guidance of AS2 which wasn’t much.)
What AS5 doesn’t do, is specifically require that external auditors determine statistically what the most common root causes of material accounting misstatements are generally; what are the most common root causes of misstatements for the business sector being audited; what are the most common causes of material errors in the books of the specific company they are auditing; or provide any substantial guidance on how to identify and assess the likelihood and consequence of risks to the reliability of specific account balances and supplemental note disclosures given the current ‘risk treatments’ in place.
AS5 also doesn’t suggest auditors use authoritative guidance on ‘risk assessment’ provided by the globally accepted risk management standards, such as ISO 31000, or even the risk assessment approach recommended in the much criticized 2004 COSO ERM framework to identify and assess risks to the reliability of the financial statements. These risk focused assessment frameworks are not deemed to be ‘suitable’ SOX 404 frameworks at the current time by the SEC.
In the years following the introduction of SOX 404 compliance costs spiralled. Unfortunately, as witnessed from the fallout of the 2008 global financial crisis, the massively high SOX 404 compliance costs did not produce significantly and consistently more reliable financial statements.
An Institute of Management Accountants discussion paper concluded:
In February 2007, Audit Analytics published, ‘2006 Financial Restatements: A Six Year Comparison’. One of the most profound trends highlighted in this report is that 512 U.S. Accelerated Filers (companies with market capitalisation in excess of $75m) issued restatements in 2006 to correct one or more material errors in their original accounting filings with the SEC. With a total reported registrant population of 3,861 Accelerated Filers that represents an error rate of 13.3%. Stated simply, the rate of material errors being corrected in original filings by Accelerated Filers in 2006 was more than one in every eight. (2008, p.5)
Ignoring for a minute the massively unreliable financial statements published by the companies at the heart of the 2008 global crisis, more current research suggests there have been some signs of progress. A 2010 report produced by Audit Analytics 2010 suggested that the frequency of restatements had improved from the dismal performance in 2006. Financial statements restatements issued by companies covered by Sarbanes Oxley 404 in 2010 at that time had improved to around 5% of registrants or, stated another way, one in every 20 randomly distributed management and auditor certified financial statements was later found to have material errors that required restatements under US GAAP. It is important to note that virtually all of the financial statements that had to be restated to correct material accounting errors contained CEO/CFO/External Auditor SOX 404 certifications in the original filings that stated the internal accounting controls over financial reporting are ‘effective’ in accordance with the dated 1992 COSO Internal Control Integrated Framework. ‘Effective’ is a term defined generally by the PCAOB and SEC as a conclusion that the controls that support the reliability of financial disclosures are capable of reasonably preventing even a single material accounting error/misrepresentation.
The cost of SOX 404 compliance today, while lower than costs experienced during the implementation stage, continues globally to be in the billions of dollars each year. SOX 404 compliance costs are so onerous that US Congress, via the 2010 Frank-Dodd Act, decided that in spite of the original SOX Act calling for Section 404 (a) and (b) to apply to all public companies, small cap public companies would be exempt from the complying with SOX section 404(b) that requires auditors attest to the effectiveness of controls.
Although the SEC has made a few, what are best referred to as, poorly funded and half-hearted efforts to evaluate the cost/benefit of Sarbanes-Oxley section 404, what has not been done, at least not in any serious way, is empirical research to determine the impact of SOX 404 compliance on the actual reliability of financial statements. (ie how much more reliable are financial statements post Sarbanes-Oxley than they were before SOX; how much more reliable are financial statements year over year; and how does the reliability of statements from US listed companies compare to other jurisdictions like Canada and the UK that have less onerous and costly compliance regimes) This is true in spite of the fact that collectively over 19,000 US listed companies, including major corporations with headquarters in other countries including the UK, incur SOX 404 compliance costs in the billions of dollars each year, and the fact that accounting and auditing practices in the post SOX 404 world leading up to the 2008 global financial crisis are now coming under intense scrutiny. (NOTE: small cap U.S. listed companies are exempted from SOX 404(b) but must still comply with SOX 404(a).)
What would a true ‘risk-centric’ approach to SOX 404 look like?
Simply put, a true risk-centric approach to SOX 404 would use a ‘risk-based targeting’ approach to allocate assurance resources, and would manifest attributes of an ‘enhanced risk management’ framework, such as the description offered in Annex A of the International Standard ISO 31000 Risk Management – Principles and Guidelines, considered by most experts to be the world’s leading risk management framework. The approach would be specific to the overall objective of producing materially fault-free financial reporting.
The current approach to SOX 404 mandated by the SEC and PCAOB, while claiming to be ‘risk-based’, is not in fact risk-based, at least not from the perspective of risk management professionals and standards. This conclusion is supported by the following authors’ observations:
- registrants are currently forced by the SEC rules to use the dated and obsolete 1992 COSO Internal Control Integrated Framework, a ‘control framework’, not a risk framework, as the primary assessment criteria to complete the assessment
- the vast majority of SOX 404 assessments today are done with no attempt to utilize statistical information on the most likely areas where material accounting errors and irregularities occur
- the vast majority of SOX 404 assessments do not direct assurance resources to assessment and testing areas proportionate with their statistically probable and highest impact risks
- the current standards do not require a formal review when SOX 404 control opinions and the supporting external audit opinions are found to be wrong to determine what went wrong and why
- the current SEC and PCAOB standards provide virtually no guidance on how to actually identify risks that threaten the reliability of the financial statements as a whole, or specific account balances and note disclosures, and how to identify and analyse the likely effectiveness of the ‘risk treatments’ in place to mitigate those risks.
In addition to the global risk management standard ISO 31000, other efforts are underway currently, including efforts by the Institute of Internal Auditors (IIA) and Open Compliance & Ethics Group (OCEG), to develop formal guidance management and auditors can use to assess whether an organization has, or doesn’t have ‘effective risk management processes’. Whether the approach used should result in a binary opinion (i.e. effective/ineffective), like the one currently required by SEC/PCAOB SOX 404 regulations, or ordinal (i.e. providing a numeric or other form of information on the degree to which the processes manifest effectiveness) is one of the major points of debate. It is fair to say that the “how to do it” knowledge is still at an embryonic stage.
(NOTE: In December 2010 the IIA published a practice guide on reporting on effectiveness of risk management processes and on August 29, 2011 announced plans to launch a new Certification in Risk Management Assurance (CRMA) in 2013 to better prepare internal auditors for true “risk-focused work).)
For the definition of risk based targeting above to be true for the objective of producing reliable financial reporting with the SEC defined tolerance of zero material errors, companies would need to determine themselves, or be told by the SEC, or a source recognized by the SEC as legitimate, what areas of their financial disclosures, and the financial statements of others in their business sector, have historically shown the highest statistical probability of being materially misstated and why. Information on which elements of public company financial statements most frequently require restatements is available currently from only one credible source in the U.S, a company called Audit Analytics.
There is currently no reliable source for reliable and empirical information on the most statistically probable root causes of accounting errors and irregularities. Outside of the US other countries, including Canada, the UK, Australia, Europe, and elsewhere do not currently have any reliable source that is statistically tracking and reporting details on material errors found in published financial statements through restatements and information on the root causes of those misstatements. The absence of reliable information on the statistical root causes of accounting misstatements is, in itself, indicative of the lack of regulatory focus on determining the real risks that threaten the goal of reliable financial reporting.
The amount of disclosure companies and auditors must make when material errors in prior period disclosures are discovered is highly variable around the world and generally limited. (NOTE: The usefulness of information on restatements should improve substantially once all information on restatements filed by public companies is categorized using globally accepted XBRL taxonomy. This will allow the areas impacted by restatements to be electronically tagged. This in turn will open up opportunities to do statistical analysis at a company level, business sector level, national level and international level on the statistically most probable areas of auditor certified unreliable disclosures.)
Historical information on the most likely areas of material error in a company’s disclosures and the root cause(s) of those errors/irregularities would have to be supplemented by efforts to identify new emerging risk areas that could produce ‘potential adverse impact’ in the future (eg the stock option backdating scandals and the problems at the heart of the 2008 global crisis, including collateral-backed securities and others). Identifying what is generally referred to as ‘emerging risks’ requires drawing on risk management processes recommended by organisations like the Bank for International Settlements, more commonly referred to as BIS, to identify emerging risks, including risks in new products, services, systems and other areas .
A sample of macro-level risks at the root of some of the most significant accounting mis-statements in history, based on the authors’ experience and research, includes the following:
- CEO and CFO have significant financial incentives to falsify and/or inappropriately manage financial results
- senior management and boards have major financial incentives to direct or overlook backdating of stock options
- senior management directs improper/fraudulent post-close journal entries to manage profits and/or hit earning targets disclosed to the market
- management overrides controls to hit bonus targets or prevent loss of positions
- audit committees have financial incentives not to ask management tough questions
- accounting staff are not current on accounting standards/GAAP
- management lacks the appropriate knowledge and skills to deal with accounting for complex or significant judgement related transactions
- in-house accounting personnel lack the necessary training and experience to deal with the scope and complexity of the organisation’s operations
- the external audit team’s objectivity is compromised by conflicts of interest
- external audit team lacks appropriate knowledge/skills, and/or the courage to challenge management’s assumptions.
With some modest research funding (modest in comparison to cost of failure) this illustrative list could be refined and list in order of frequency/consequence the most significant risks that have been at the root of major financial misstatements of US listed public companies over the past 20 years.
One of the few attempts to date to empirically examine this area was published in 2008 by Marlene Plumlee and Teri Lombardi Yohn, An Analysis of the Underlying Causes of Restatements.
Unfortunately, other than the Plumlee and Yohn paper, very little empirical research on the topic exists today. This is likely true because of the political sensitivity of completing serious research on auditing failure given the funding audit firms provide universities and the fact that there are significant barriers to completing that research, most notably litigation risk to companies and external auditing firms that would have to cooperate. These barriers would need to be addressed by SEC endorsement and regulatory support and sufficient funding.
Following the issuance of an IMA discussion paper on attributes of a true risk-based approach to SOX 404 in September 2006, a formal request was made to the SEC by the one of the authors of this paper to modify their SOX 404 guidance to allow the use of ISO 31000, a generally accepted risk assessment framework. Arguably, ISO 31000 is better equipped to meet the SEC defined ‘suitability’ criteria than the three control frameworks currently sanctioned by the SEC. (COSO 1992, CoCo 1995 and Cadbury/Turnbull 1994.) The SEC’s response at the time was they were only prepared to offer a response if a request to use ISO 31000 as a ‘suitable’ framework for SOX 404 assessments was made by a registrant via their pre-ruling process. (NOTE: The SEC has refused all requests from one of the authors of this article to produce the evidence they have relied on when they concluded in 2004 that COSO 92, CoCo 95 and Turnbull 94 meet their stated framework ‘suitability criteria’).
What US Congress, the SEC and PCAOB need to do to prevent the next major wave of unreliable financial reporting
To improve the reliability of financial reports, including the external audit opinions that accompany them, this article proposes three relatively simple steps.
Step 1: Congress makes a simple amendment to Section 404 of the Sarbanes-Oxley Act of 2002
To implement a true risk-based approach capable of reducing the number and magnitude of material errors in financial statements we recommend SOX 404 be amended by Congress to read as follows:
SEC. 404. MANAGEMENT ASSESSMENT OF FINANCIAL REPORTING RISK MANAGEMENT PROCESSES.
(a) RULES REQUIRED. – The Commission shall prescribe rules requiring each annual report required by Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 USC 78m or 78o(d)) to
contain risk management effectiveness report, which shall –
(1) state the responsibility of management for establishing and maintaining adequate risk management
processes for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the risk management processes of the issuer for financial reporting.
b) RISK MANAGEMENT PROCESSSES EVALUATION AND REPORTING.
– With respect to the risk management processes assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Step 2: the SEC issue new guidance on how to assess the effectiveness of the risk management processes that support the objective of materially fault free financial reporting.
The SEC would need to amend its current guidance for management and describe how to evaluate the effectiveness of a company’s risk management systems that support the core objective of issuing materially fault free financial disclosures. This would need to include methods that are accepted by the global risk management community. This guidance would need to require, at a minimum, that the risks that statistically have been at the root of materially wrong financial statements over the past 50 years be identified and assessed, as well as statistically probable risks, including emerging risks, relevant to a company’s specific business sector and personal accounting restatement history. Once a list of statistically material risks is produced, management would need to, as a minimum, evaluate the likely effectiveness of the current ‘risk treatments’ in place to mitigate the statistically most dangerous risks to reliable financial disclosures. Any SOX 404 work done to date that can be linked to the most statistically probable/high consequence risks to the goal of materially fault free financial reporting would still be relevant.
Step 3: the PCAOB issue new guidance for external auditors on how to assess and opine on the effectiveness of a company’s risk management processes.
Once the SEC has issued sufficiently detailed guidance for management on how to complete their assessment of the effectiveness of their risk management processes that support the goal of reliable financial disclosures auditors should be able to use the same criteria to independently opine on the effectiveness of the company’s risk management processes supplemented by guidance how to assess and report on the effectiveness of management’s risk management processes. The IIA issued a practice guide in December 2010 proposing how internal auditors should assess and report on the effectiveness of risk management processes, and announced on August 29, 2011 they will be launching a new professional certification – Certification in Risk Management Assurance in 2013.
The business case for the US, the UK and the world moving to a true ‘risk-based’ SOX 404 type approach
The three steps proposed above to transition from the current control-centric approach to a true risk-based approach would be relatively inexpensive to implement by legislators. There would however, need to be significant changes to the current process/control centric SOX 404 and Canadian equivalent NI 52-109 assessments being done today by over 24,000 US and Canadian listed companies. This would entail some initial short-term incremental implementation costs to determine and address the statistically probable root causes of material errors and irregularities. The approach used by tens of thousands of external auditors and tens of thousands of internal SOX 404 assessment staff around the world would also have to change.
Reliable information on the root causes of materially wrong financial statements would need to be developed, analysed and used to better identify, measure, and track risks to reliable reporting, ideally linked to XBRL tags to allow for sophisticated computer analysis. The real significant risks to the objective of materially reliable financial statements would need to be identified, including sensitive risks, such as ‘CEO and CFO collude and manipulate earnings’, ‘CFO/controller isn’t technically current’, ‘accounting staff aren’t adequately qualified and/or trained’, ‘external audit team lacks required experience and knowledge’, ‘external audit staff’s objectivity has been compromised’, and the adequacy of the risk treatments in place re-evaluated. Radical change is rarely easy to implement, and US Congress and other global political bodies may be reluctant to embark on this path in the absence of a persuasive business case.
A list of key reasons why US Congress should take the bold step of amending the wording of SOX 404 includes:
REASON #1 – the current control centric approach to SOX 404 costs a lot and produces a high failure rate
To date, no country in the world other than the US has accepted the cost/benefit business case for SOX 404(b) that requires a separate external auditor opinion on ‘control effectiveness’. The UK, in 2005, explicitly rejected SOX 404 because of its assessment of costs and benefits. Only the US has elected to require a separate auditor opinion on control effectiveness. In spite of the US requiring two separate and very costly opinions on ‘control effectiveness’ – one from a company’s CEO and CFO, and the other from the company’s external auditor each year, there is no empirical support that this costly approach produces any more reliable results than the assurance strategies adopted in countries like Canada and the UK. Neither of these countries requires a separate opinion from the company’s external auditor that financial reporting controls are ‘effective’. Both emphatically rejected adopting the equivalent of SOX 404(b) based on cost/benefit analysis done by regulators in those countries. In spite of companies being forced to spend tens of billions of dollars opining on control effectiveness there is also no empirical research the authors of this paper are aware of that demonstrates that US listed financial statements are statistically more reliable in the post SOX 404 world than they were before SOX 404 was enacted.
The truth is that there is clear evidence that thousands of US listed companies that have spent billions of dollars to implement the current control centric approach to SOX 404 have published materially wrong financial statements since SOX was implemented. Annual reports from the US-based Audit Analytics continue to confirm that, while the numbers of materially wrong financial statements published by US listed financial statements have decreased since peaking in post-SOX 2006, the total dollars of misstated balances each year continues to be a staggering number. If the balance sheets of the organizations at the root of the 2008 global financial crisis that have been assessed by some as ‘technically correct, but massively wrong’ are included in the misstatement total, it is literally an ‘earth-shaking’ number.
REASON #2 – the current control centric approach misses the really big risks
In the years leading up to the global financial crisis of 2008 companies around the world accumulated trillions of dollars of assets whose value was directly linked to one key assumption – the US housing market would continue to rise indefinitely.
Figure 1, featuring an index of American housing prices going back to 1890, published by Yale economist Robert J. Shiller, provides a graphic illustration of why that assumption should have been regularly and aggressively questioned as a key risk by both management of the companies at the center of the global financial crisis and their external auditors (Tapscott, B and Tapscott, D, 2008).
Figure 1: A history of US home values
(Source: Shiller, Robert J. (2006) Irrational Exuberance. 2nd edition)
In addition to identifying risks to asset valuations, including the risk of a correction, there should have also been formal analysis of the ‘risk treatment’ strategy in place in all companies impacted by that chart to manage the risk the trend line would not continue to rise forever. In cases where this risk was ‘financed’ or ‘transferred’, the ability of the counterparty to absorb the risk in the even the chart below reversed should have similarly been rigorously examined. The risk management processes related to the asset value assigned to these assets should have been rigorously examined and opinions provided to the board on the effectiveness of the risk management processes and the adequacy of the risk treatments in place. No evidence has been produced that this step was done as part of the massively expensive SOX 404 control effectiveness assessment process.
What is certain is that billions of dollars was spent during the run-up period of 2005-08 on internal and external staff testing controls linked to line items of those companies’ financial statements that have never been, and are likely never to be, the source of material errors. By way of illustration, very few companies or their external auditors identified the reward systems in companies at the root of the global crisis as material risks to the reliability of the financial statements. Commissions have also identified deficient board oversight of risk as another major root cause. Based on research done by one of the authors of this paper SOX 404 control effectiveness assessments have rarely, if ever, determined that any US listed company has a deficient audit committee (Tim Leech, Parveen Gupta, Control Deficiency Reporting: Review and Analysis of Filings during 2004. Financial Executives Research Foundation http://www.leechgrc.com/pdf/) Major commissions in the US and globally are unanimous that reward systems and deficient risk oversight are two of the root causes of the financial crisis.
A true risk-centric approach that included the SEC stipulating the statistically most probable and significant risks to reliable financial reporting would have at least stood a chance of identifying this type of risk. History demonstrates that control centric SOX 404 testing using the now dated COSO 92 control framework as criteria completely missed the mark. COSO 92 puts very little emphasis on the importance of aligned reward systems or rigorous board oversight of risk management processes including those used to ensure reliable financial reporting. (NOTE: COSO announced plans in late 2010 to update the 1992 COSO Internal Control Integrated Framework. However it is important to note that the COSO chair stated ‘This project is not intended to change how internal control is defined, assessed, or managed, but rather provide more comprehensive and relevant conceptual guidance and practical examples.’)
REASON #3 – the current approach isn’t aligned with ERM methods
In companies that are working on implementing some form of enhanced ERM to better manage risks of all types they face a significant problem. The SOX 404 assessment approach required by the SEC and PCAOB is not aligned with generally accepted risk assessment methods and terminology. If a company uses enterprise risk management software to manage and report on the state of risk they must have one module for SOX 404 work and a separate system or module for other elements of ERM. This means that companies must implement a pure form of risk assessment approach across all of their operations using the type of approach in ISO 31000 or COSO ERM, except for the objective of publishing materially fault free financial statements. For that objective they must use the type of methods prescribed by the SEC and PCAOB that their external auditors will accept, including the use of the dated and obsolete COSO 1992 Internal Control Integrated Framework which does not use modern risk management terminology.
The need to use separate terminology and approach creates yet another ‘silo’ – the ‘SOX 404 control effectiveness silo’. Silos are another one of the global crisis root causes identified by major commissions. The SOX 404 silo today must use terminology and approaches that are inconsistent with those used to implement ERM in virtually all other areas of the company. In essence work units must learn two different languages – SOX 404 control centric terminology, and another for ERM based on the type of terminology found in ISO 31000 and the related ISO Guide 76. This creates considerable additional expense and confusion. The SEC now requires proxy disclosures related to risk oversight, and boards will be asking management whether they believe risk management to be effective for all aspects of the company, except the goal of reliable financial reporting. For that dimension the board receives management’s opinion on control effectiveness, not risk management effectiveness.
REASON #4 – assure the world that the US is taking tangible steps to fix one of the root causes of the global crisis
The general global consensus is that the roots of the global financial crisis were planted and nurtured in the US through a confluence of factors, including political support for the creation and support of gigantic organisations like Freddie Mac and Fannie Mae charged with making housing affordable to poor people; reward structures in the major US financial institutions at the root of the crisis; deficient regulatory oversight; accounting standards and auditing practices that allowed for accounting deception vehicles like the now infamous REPO 105 transactions; deficient capital requirements and regulatory oversight; and others.
The dramatic decline of the US dollar relative other major currencies around the world is evidence of a decrease in global confidence in the US governance and political systems.
What hasn’t yet been acknowledged, perhaps as a result of the enormous influence of the major auditing firms, is the role the accounting and auditing frameworks, including the costly SOX 404 regime currently in place in the US, played in the period leading up to the global financial crisis. If the US is to regain its position as the biggest and most trusted economy in the world dramatic steps need to be taken. One of those steps could be to acknowledge that, in spite of imposing costs in the tens of billions of dollars on US listed companies all over the world through SOX 404 as a solution to unreliable financial reporting, that massively costly and arguably obsolete solution hasn’t worked very well in terms of assuring investors financial statements are more reliable. Recognising this fact, US Congress, rather than attempting to continue to defend and maintain a costly regulatory regime that doesn’t work very well, can take dramatic steps and replace the current control centric SOX 404 process with one that focuses on, and better treats, the truly material risks to the goal of reliable of financial disclosures.
Opportunity for the UK to move forward
In light of the dismal US experience with SOX 404 what is clear is that the UK should not waver on its original logic for rejecting SOX 404 and adopt the same type of ineffective control effectiveness reporting regimes implemented in the US and, to a lesser extent, Canada and other countries. Given the current ‘political paralysis’ in the US and the significant influence of the major accounting firms on accounting regulations, Congress may be unwilling to amend SOX 404 to focus on assessing and reporting on the effectiveness or risk management processes. What the UK should do in light of the arguments advanced in this article is elevate the importance of effective risk management and seriously consider the business case for CEO/CFO/auditor public reporting on the effectiveness of a company’s risk management processes related to the specific objective of reliable financial reporting.
Whether the UK is willing to extend the original premise of the Turnbull Review Group for rejecting SOX 404 (ie not detracting from the more appropriate focus on the effectiveness of risk management processes) to more tangible and specific external reporting requirements on the effectiveness of risk management processes specific to the goal of reliable external reporting is still in question. Recent inquiries led by the House of Lords in the UK suggest some willingness in the UK to challenge the accounting/auditing status quo.
At a minimum, taking leadership in building foundation information on the most statistically probable root causes of material accounting misstatements could be a first step forward.
Only time will tell whether any country is willing to move past the dated and largely ineffective approaches of attempting to assess and report on the effectiveness of ‘internal control’ and focus on the far more important issue of the effectiveness of risk management processes specific to the objective of reliable financial reporting. However, with the global economy seemingly standing on the brink, there has never been a better time to take a positive step forward to prevent the next global wave of unreliable financial reporting.
Tim J. Leech FCA CIA CFE – managing director global services, Risk Oversight Incwww.riskoversight.ca and Lauren C. Leech CA CIA CFE
(NOTE: this article is a condensed and adapted version of a longer paper by Tim Leech and Lauren Leech for the International Journal of Disclosure and Governance titled Preventing the next wave of unreliable financial reporting: Why US Congress should amend Section 404 of the Sarbanes – Oxley Act)
Look inside the new NHS audit committee handbook
Work in the NHS? You’ll need to understand the key changes to the NHS audit committee handbook, outlined here.
Work in the NHS? You’ll need to understand the key changes to the NHS audit committee handbook, outlined here.
In June the Department of Health, with the assistance of the Healthcare Finance Managers Association (HFMA), produced a revised and updated version of its audit committee handbook (first issued in 2005).
Whilst much of the actual content remains the same, the structure of the handbook has been re-modelled with the result that a greater emphasis is now placed on the assurance framework as the pivotal tool in underpinning the audit committee’s broader remit of monitoring financial, clinical and all operational risks.
This is achieved by gaining quality assurances that the most significant risks to the organisation’s strategic goals are being effectively controlled; specifically that the level of operational control is appropriate to areas where the inherent level of risk (to achieving the organisation’s strategic goals) is high and that where residual risk is high appropriate monitoring and action is being undertaken.
This article provides a summary of the main points and any significant changes to the 2005 edition by covering the following areas:
- role of the audit committee
- assurance framework format
- controls and assurance
- financial performance
- clinical focus
- working with other committees and auditors
- the role of internal audit
- the role of external audit
- the role of clinical audit
- organise and support an audit committee.
Role of the audit committee
No audit committee can limit itself to internal financial control matters; it must have a broad remit across the organisation with the assurance framework as a pivotal tool in managing risks to the organisation’s strategic objectives. There are two areas the audit committee should provide the board with assurance:
- the assurance framework – the audit committee’s primary role is to look behind the framework to provide assurance that it is valid and suitable and that robust controls have been put in place to manage significant risks to the organisation’s strategic objectives
- public disclosure statements – in particular this comprises the statement on internal control, the evidence to demonstrate fitness to register with the Care Quality Commission (CQC), the annual report and accounts, and the quality account. The audit committee should ensure rigorous processes are in place to support these statements.
- greater emphasis is now placed on the assurance framework for identifying risks related to the organisation’s strategic goals, and specifically states the key question audit committee members need to ask is ‘how do we know what we know’?
- the role of the audit committee in providing assurances to the board on the assurance framework and disclosure statements is detailed more comprehensively with the emphasis on ensuring there is sufficient scrutiny of the processes and quality of data behind the assurance statements it is placing reliance on
- the revised handbook includes a list of what an audit committee should NOT do; this includes establishing and maintaining processes for governance, and overseeing the risk agenda.
Assurance framework format
The assurance framework is the key source of evidence that links strategic objectives to risk. The audit committee should use this document as the central tool for planning its work and key topics for scrutiny. It should not manage the process of populating the framework (this is the responsibility of the board), but should review the process and format of the framework thereby assuring the framework concentrates on high risk areas.
Assessing and reporting on the suitability of the format and processes around the assurance framework will provide a sound basis for the audit committee to comment on key aspects. The audit committee can make a significant contribution to the organisation by questioning whether the format of the assurance framework and the arrangements in place really do work for the organisation.
- the 2011 handbook includes a new section specifically on the importance of the assurance framework to the work of the audit committee, and directs audit committees to use the assurance framework as a key tool for planning and identifying topics for scrutiny
- the assurance framework should follow the structure of the organisation’s strategic objectives
- the role of the audit committee in reviewing the format and layout of the assurance framework is also comprehensively covered; specifically that objectives are appropriate, controls in place are sound, assurances are reliable and of good quality, and the data assurances are based on is sound and accurate.
Control and assurance
The assurance framework should follow the structure of the organisation’s strategic objectives. The audit committee should look at the process by which these are compiled and satisfy itself that the objectives are sufficiently strategic, clearly stated and not too numerous to be unmanageable, this point is highlighted in ‘taking it on trust’.
The controls in the framework are what the organisation relies on from day to day to manage its risks. The committee should seek assurances from management, auditors and other external sources of assurances that they are sound in design and operated consistently. The committee should also consider that there is a plan for these assurances to be received. This should form a key part of the audit planning process and involve a detailed review of sources of assurance and priorities. This can be reviewed in-year using the assurance framework and knowledge of board priorities to reconfirm the audit plans, particularly in relation to internal audit.
The board and audit committee should seek positive assurances that risks are controlled. The committee may also identify negative assurance e.g. a source giving a poor opinion or a conflict between two sources of assurance. The committee will then expect management to strengthen controls and seek independent assurance about the effectiveness of these.
A critical element for the audit committee is whether data on which assurances are based is reliable, the committee should ask whether it is valid (what sources were used), complete (did the data collection include all relevant elements and factors) and up to date (what periods does it cover).
- clear distinction is now provided between controls in the assurance framework and assurances in the assurance framework
- in respect of controls Audit Committees should question whether:
- controls are relevant to the risk
- the risks relate to the organisation’s objectives
- controls are complete in terms of adequacy covering all key risks
- in respect of assurances Audit Committees should identify whether assurances received are reliable, in doing so they should consider:
- the nature and source of the body providing the assurance
- the skills and experience of those providing assurance
- the nature and extent of work behind the assurance
- how current the assurance is
- what was the purpose of the review.
The maintenance of sound public accountability through financial reporting and robust systems of internal financial control remains a critical element of the Audit Committee’s work. The Committee should ensure it is reviewing regularly the risks and controls around financial management. In doing this the Committee will need to consider the integrity, completeness and clarity of financial reporting, taking into consideration the views of Internal and External Audit.
A key role of the Committee is to review, agree and recommend to the Board for approval the annual report and accounts. The Director of Finance has operational responsibility for establishing and maintaining a sound system of internal financial control, is responsible for the annual accounts and is increasingly taking on wider risk management responsibilities, consequently the Director of Finance should be a key executive contact for the Audit Committee. The Committee can also offer the Director of Finance a high profile forum when potentially difficult financial control decisions are required.
The core business of NHS organisations is healthcare; therefore the Committee must spend time reviewing healthcare aspects of the business. In particular it falls to the Audit Committee to consider the clinical objectives and risks in the Assurance Framework. The Committee’s role at all times is to satisfy itself that the same level of scrutiny and independent audit over controls and assurances is applied to the risks to all strategic objectives, be they clinical, financial or operational.
- A key role of the Audit Committee is to recognise the risks to clinical services from financial pressures and satisfy itself that adequate controls are in place and reliable assurances are received.
Working with other committees and auditors
The audit committee will need to have an effective relationship with any risk or governance committee so that it can understand the processes in operation. The audit committee’s role is not to manage risks, but rather to ensure that the overall system for risk management is in place and effective. It is important, so as not to impair independence, that roles are not merged and should be clearly stated in the respective terms of reference.
The audit committee should actively review the plans of auditors, and while the role of external audits is set out in the Audit Commission’s ‘Code of Audit Practice’ there is more scope for the audit committee to be pro-active in influencing the internal audit strategy and requesting work from internal audit that focuses on its audit needs.
The role of internal audit
An effective audit committee is dependent on the existence of an effective internal audit function; as an independent, objective and consulting body designed to add value and improve an organisation’s operations. Internal audit’s role embraces two key areas:
- the provision of an independent and objective opinion on the degree to which risk management control and governance support the achievement of the organisation’s agreed objectives
- the provision of an independent and objective consultancy service specifically to help line management improve the organisation’s risk management, control and governance arrangements.
The head of internal audit should have access to the chair of the audit committee at any time, and it should be clear that management should not be allowed to restrict or censor this access.
Each year’s internal audit plan should set out details of the assignments to be carried out. The relationship between the plan and the assurance framework is critical and the chief executive will normally attend discussions in relation to the internal audit plan in recognition of their responsibility and ownership of both.
The committee should be clear about those risks and controls that internal audit will be addressing and identify where else the committee needs to seek assurances not covered in the internal audit plan. The assurance framework should be the mechanism that informs this task.
Best practice describes the existence of a formal internal audit ‘charter’ which is a written statement defining internal audit’s objectives, responsibilities, authority and reporting lines. The charter should comply with NHS internal audit standards and set out internal audit’s position within the organisation, its authority to access records, personnel and physical properties relevant to assignments. The existence of an internal audit charter is an addition to the audit committee self assessment checklist.
- included in the 2011 audit committee handbook is a series of best practice examples and questions for consideration in regards to internal audit, including the question does a formal internal audit charter exist. This should be a written statement defining the objectives, responsibilities, authority and reporting lines
- key sources of a good risk based internal audit plan are included, these are listed as
- core financial systems
- governance and risk management
- assurance framework
- audit risk assessment
- it is noted that an important role of the audit committee is to monitor the implementation of agreed audit recommendations, ensuring the trust has a robust system for monitoring progress and, where applicable, asking operational managers to attend committees.
The role of external audit
The objectives of external audit fall into two broad categories – to review and report on
- the audited body’s financial statements, and on its statement on internal control
- whether the audited body has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources.
The appointed external audit provider should prepare an audit strategy and an annual audit plan for implementing the strategy. The annual plan should set out the details of the work to be carried out by external audit and must be discussed with the audit committee; the committee should concentrate on the outputs of the plan, and what they will receive from the external auditors, balanced against an understanding of the auditor’s statutory functions.
External audit should work with management and other assurance functions to optimise coverage. The committee will want to see and gain assurance that duplication of work with internal audit is minimised. External audit should never direct the work of internal audit and review and re-perform similar items for any piece of work on which it intends to place reliance. The audit committee should consider external audit’s view on the adequacy of internal audit.
External audit may issue a Public Interest Report (PIR) or referral to the secretary of state (or Monitor for an FT). A PIR is made when where auditors consider a matter is sufficiently important to be brought to the attention of the audited body or public as a matter of urgency. Whenever a PIR is considered the committee should receive a briefing on the statutory back ground and potential consequences of such a report.
- duplication of work between internal and external audit should be kept to a minimum.
The role of clinical audit
‘Taking it on trust’ describes clinical audit as ‘the review of clinical performance, the measurement of performance against agreed standards and the refining of clinical practice as a result’. For NHS boards managing clinical risk is of equal or greater concern than managing financial and business risk, therefore a good clinical audit function is an enormous asset and source of assurance.
In order to support the annual statement on internal control, heads of internal audit must provide an opinion on the effectiveness of risk management and control across potentially the whole of the trust’s activities. In addition when assessing the clinical governance aspects of the assurance framework internal audit and the audit committee will need to evaluate the extent and quality of the assurance provided by clinical audit.
Organise and support an audit committee
An audit committee should comprise of only non-executive directors; this provides the basis for the committee to operate and be seen to operate independently and to apply an objective approach. The committee should consider its own training needs and ensure that members have the skills to perform their role effectively. Essential is an understanding of finance and internal controls.
Prior to the 2005 edition of the audit committee handbook, audit committees met three to four times per year but in implementing the wider remit a committee is unlikely to fulfil its responsibilities in fewer than five meetings per annum. In assessing its performance audit committee members should assess their performance annually using the checklist in the audit committee handbook mindful that with any self assessment it is important to be constructively critical in their responses.
Helen England – director of audit and Matthew Lee – senior auditor, Parkhill www.parkhill.org.uk
Managing the audit department: resource management
Bev Cole’s ‘back to basics’ series of articles is designed to help you understand how to manage an audit department. Steps 1 (audit governance & strategy) and 2 (assurance plan / KPIs) were covered in the previous issue. Here Bev focuses on step 3: audit resource management.
Bev Cole’s ‘back to basics’ series of articles is designed to help you understand how to manage an audit department. Steps 1 (audit governance & strategy) and 2 (assurance plan / KPIs) were covered in the previous issue. Here Bev focuses on step 3: audit resource management.
There are six fundamental building blocks in the roadmap for managing an audit department. You can see these building blocks and read about steps 1 and 2 by clicking here to read the article from the previous issue.
Step 3: resource management
Performance Standard** 2030 states: ‘The chief audit executive must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan’.
The management of audit resources is a very big subject, so I’ll just cover the basics in this article by asking and answering some key questions. Please also read Attribute Standard** 1200 and related standards on proficiency and due professional care.
Ask yourself this key question – do you have the right number of people in the audit team with the right skills for current and anticipated requirements?
The audit universe should be used to identify what audits need to be undertaken, together with an average manday budget and an approximate average frequency. This will give you an estimated overall annual manday requirement.
This figure – together with your target efficiency percentage (audit work charged to actual time at work), average leave (including bank holidays, annual leave and sick leave) and work to be outsourced or co-sourced – should give you your headcount required.
Don’t forget to adjust this figure for the management overhead required, while the specialist knowledge required (IT, treasury, risk etc), business knowledge and level of audit skill required can also be assessed from the audit universe. A current skills assessment should be undertaken covering audit skill level, business knowledge level and specialist knowledge level.
From all of this information you should be able to put together a picture of the size, skill levels and structure of the department and a gap analysis. It is always useful to benchmark the size of the department as a sense check. A succession plan is also a useful tool for planning.
Here’s another key question – are you maximising your team’s performance?
There should be agreed performance targets that are regularly reviewed so everyone knows what is expected of them and how they are performing. These targets should flow from the annual departmental KPIs.
All audit colleagues should have a training plan and ideally a career plan so that they can address weaknesses, learn new skills and acquire knowledge to enable progression. They should also know where they are on their career path.
There should be communication about departmental goals and progress and the team should be consulted about changes within the department to get their ideas and to ensure they feel included. All of us wish to be treated as an individual and not just a resource. Do you know what their aspirations and goals are? Do you know what motivates them and about them as a person? Are you making assumptions about them?
Feedback should be 360 degree, with open and honest discussion encouraged (see also the article on ‘assignment team management’ within ACCA’s Virtual Learning Centre and I also encourage you to look at some of the excellent books on the subject).
Key question – is your budget sufficient to provide the tools and resources you need to provide reasonable assurance and are you managing within it?
If you don’t pay your team appropriately, you risk losing the skills, knowledge and experience you have and being unable to acquire this in the market-place as well. Consider periodic benchmarking of salaries.
In addition you need to ensure you invest in training and with limited resources use it address the issues in the skills and knowledge gap analysis.
It is common these days to use external companies to provide technical resource, either through having a co-sourcing arrangement in place or outsourcing specific assignments. Ensure you have sufficient budget to cover this and re-tender periodically to maintain the best service and price.
Audit automation software is often used nowadays, so ensure you have the budget for software licences and for upgrades.
Travel and subsistence can be a material part of the budget and good planning and flexibility can keep costs down. Encourage video conferencing to reduce visits between offices, and car sharing where unavoidable.
Phase your budget appropriately, particularly if operating a co-sourcing arrangement. If all your technically complex audits fall in the 2nd half of the year, it is all too easy to have spent too much of the budget too soon. Monitor your budget on a monthly basis to identify problems early and address them.
Remember, if you feel that you do not have the budget necessary to provide reasonable assurance, then it is your duty to request the budget you need and justify it. If necessary, escalate the issue to the audit committee.
3rd party management
Key question – are you maximising the benefit of any co-sourcing or outsourcing arrangements whilst minimising the cost? How do you know this?
Periodically return to the market-place to re-tender for specialist work you feel is inappropriate to resource internally. Produce a specification of requirements, review bids and interview prospective partners.
Ensure appropriate partners are approached for tender and that a robust contract is put in place at a negotiated price. Use the expertise of your procurement and legal departments. Be clear on what you don’t expect to pay for, for example relationship management meetings with the supplier. Be clear on dispute resolution, exit terms, confidentiality agreements, data security and ownership of intellectual copyright. Ensure an appropriate level of professional indemnity insurance is in place.
Set and monitor a service level agreement. Hold regular meetings to discuss how the contract is working for both parties.
Agree a specification of work for each assignment. Be clear on what is required and when. Discuss performance after each assignment and follow this up with written feedback.
Address any problems that arise quickly. If you are not happy with the quality of service provided, you should expect this to be addressed at no cost to you. Remember, co-sourcing works best when you work in partnership and where each party is clear on the expectations and deliverables of the other party.
Performance Standard** 2070 states: ‘When an external service provider serves as the internal audit activity, the provider must make the organisation aware that the organization has the responsibility for maintaining an effective internal audit activity’.
Key question – are you working efficiently by making the best use of IT?
For small audit departments, the use of desktops, word processing and spreadsheet applications will probably be sufficient. However, medium to large audit departments and ones with audit colleagues working remotely or with large volumes of data should consider using laptops and evaluate the costs and benefits of investing in audit automation software and audit interrogation tools.
Audit automation software provides a single database for audit working papers and aims to improve efficiency in several ways. It can improve workflow though sending documents automatically for review and then maintaining a record of review comments and responses. It can greatly improve issue tracking and issue analysis. Some software supports audit universe planning, risk assessment and scheduling. But from my experience one of the biggest benefits is in the speed and flexibility of production of MI, both for reporting to the business and for audit performance monitoring. It gives you better control.
Audit automation does come at a cost, not just on licences, but the investment in maintaining the software, the technical knowledge required to run it and revision of procedures and training of colleagues. It may also be advisable to pick and choose which elements within the software to use.
Audit interrogation tools can be used to analyse large volumes of data and can therefore be a very efficient way of working. They can produce intelligence to support audit findings which would have been impossible to generate manually. Bear in mind, however, that findings must be put in context as you ‘seek out’ errors rather than identify them through random selection of transactions to test.
Ideally the data for interrogation should be extracted by the audit department rather than be provided by the business, as this avoids potential amendment of the data.
Key question – are you acquiring the knowledge you need to provide reasonable assurance and are you managing it effectively across the audit department?
Knowledge is a key asset in any audit department, yet little structure is applied to its acquisition and management. In a broad sense such as knowledge of specific regulation or business area, identify the knowledge you require and undertake a gap analysis to knowledge held. Plan to rectify any gaps.
Find out about business targets, performance, changes and acknowledged issues in the business from attendance at key committees and relationship meetings with senior management.
Find out about what is really happening, emerging issues, unreported issues and about ‘internal politics’ by having effective management of relationships at all levels across the business, built up across the entire audit department.
Work effectively and efficiently by managing and sharing this knowledge within and across the various teams in the department and both up and down through the audit hierarchy.
This doesn’t mean writing everything down and sharing every bit of information. It does mean trying to avoid making assumptions about what is known and working together and pooling knowledge on assignments, business areas and subjects. It also means using it for the benefit of the department as a whole and not keeping it to yourself – whatever your level in the team!
So that was a very brief run through of audit resource management. In the next issue Bev’s final article will examine step 4: process management.
** For more information on all the standards, please refer to http://www.iia.org.uk/
Bev Cole is an independent consultant on internal audit and risk management and has worked in these areas within financial services for over 20 years.
Internal audit in further education
Graeme Clarke explains what it means to be an internal auditor in further education.
Graeme Clarke explains what it means to be an internal auditor in further education.
Skills are vital to the economy, enabling not only individuals to realise their potential but to help businesses achieve their objectives. The further education (FE) sector plays a key part in this by educating and training over 3.3m learners each year.
The term FE is used to refer to education for people over compulsory school age which does not take place in a secondary school. This can cover anything from basic training to a Higher National Diploma or Foundation Degree.
Within the UK, the FE sector is made of a wide range and type of colleges (according to the Association of Colleges there are 414 colleges in the UK – 347 in England, 41 in Scotland, 20 in Wales and 6 in Northern Ireland). These include general further education and tertiary colleges, sixth form colleges and specialist colleges offering provision in areas such as art and design, agriculture, etc. FE courses may also be offered in the school sector, such as in sixth form (16-19) schools, sixth forms within secondary schools or academies.
Government policy and the regulatory environment
It is important to recognise that there are differences in government policy and the regulatory environment across the different parts of the UK; however for the purposes of this article we have focused on England only.
The government has set out its vision for reform of the further education and skills system within its strategy for skills publication, Skills for Sustainable Growth, and parallel publication Investing in Skills for Sustainable Growth. This includes matters such as expanding the number of adult apprenticeships available as well as reducing bureaucracy in the sector (see the Department for Business Innovation & Skills (BIS) website for further details).
Within BIS is the Skills Funding Agency, whose main function is to fund and regulate adult further education and skills training in England. This Agency was introduced in April 2010 as part of the so-called ‘machinery of government’ changes which led to the replacement of the former regulator, the Learning Skills Council (LSC) which had been setup in 2001.
Also as part of these changes, the Young People’s Learning Agency (YPLA) was also established with a responsibility to support the delivery of training and education to all 16-19 year olds in England. In November 2010, it was announced that the YPLA would be abolished and the Education Funding Agency would be established as an executive agency of the Department for Education, responsible for funding. This is also in the context of reform and restructuring of the Skills Funding Agency in the context of the Coalition’s plans under the Comprehensive Spending Review (CSR) to reduce the public sector borrowing deficit.
Colleges in the FE sector are currently subject to inspection by the Office for Standards in Education, Children’s Services and Skills (Ofsted) using their common inspection framework. Ofsted uses a four point scale to summarise its judgements about achievement and standards, the quality of provision and leadership and management. These are Grade 1 (outstanding), 2 (good), 3 (satisfactory) and 4 (inadequate). Once completed and discussed with the college, reports are published on the Ofsted website and are often a useful source of background information to the college as well as certain areas that may feature as part of internal audit plans (e.g. quality of provision or safeguarding).
On 1 September, Ofsted launched a consultation on proposed changes to the inspection framework which will run to 24 November. One of the proposed changes is to cease the routine inspection of most providers judged outstanding at their last inspection unless their performance drops.
There is currently a requirement for FE colleges to have an internal audit service and, as is common with other parts of the public sector, there is a specific audit code of practice in place setting out roles, responsibilities and requirements for colleges and their respective auditors. The role of internal audit is no different to other sectors, in providing an opinion on the overall adequacy of the organisation’s risk management, control and governance processes. The existing code also includes an annex of mandatory areas of coverage which internal audit must cover annually (governance and risk management) and within a three to five year cycle (e.g. long term planning).
At the time of drafting this article, the Skills Funding Agency and YPLA are in the process of producing a new Joint Audit Code of Practice (JACOP) for the sector. In the interim, colleges are required to comply with Part 1 of the JACOP which took effect from 1 April 2010 and dealt almost exclusively with the high level roles and responsibilities of funding and assurance between various bodies; and the former LSC ACoP which sets out the more detailed roles, etc. The LSC Audit Code of Practice also makes reference to the need for compliance with Government Internal Audit Standards (GIAS).
Whilst in other sectors, you will often see a range of in-house, co-sourced and outsourced arrangements for internal audit, the current nature of internal audit in FE means predominantly such work is outsourced to third parties such as accountancy firms.
In terms of detailed assignments, there are a number of similar areas of activity which internal audit come across to other sectors, all be the nature, complexity and volume of activity does vary. For example, with colleges, a significant proportion (often over 60%) of expenditure is pay-related and there can often be a high degree of recruitment in colleges recruiting staff for the new academic term each year.
Another key area for internal audit is the review of the accuracy and integrity of learner data in support of the funding claims of the college. For example, records of eligibility for funding entitlement, attendance, etc. Others areas which you could be involved in auditing in a college environment include:
- partnership activities – including sub-contracted provision, often involving site visits to partner premises
- arrangements for safeguarding of learners
- the means by which the college ensure the quality of its provision and its quality management systems
- arrangements for the recruitment, monitoring and remuneration of any part time / sessional teaching staff used by the college
- student support and welfare processes such as personal tutoring and financial support.
Graeme Clarke FCCA
Graeme is vice chair of ACCA’s Internal Audit Network Panel. He was first attracted to internal audit by the opportunity to work with a varied and diverse range of organisations and making a difference by recommending ways for improvement. He has delivered internal audit services to further education colleges for the past 14 years and is a director within the governance, risk and internal control team of Mazars LLP in the UK.
The author is writing in a personal capacity and the views expressed above do not necessarily reflect those held by ACCA or Mazars LLP.