Auditors and Risk Management
July 2003
New SEC rules say that companies cannot describe
their controls as effective if there is even one “material weakness.” This means
companies must try to eliminate as many weaknesses as possible and publish a
clean report. Internal auditors can help in this risk management process.
by Matthew Leitch
Internal Controls Design Co.
If you are an external or internal auditor, please don’t read on. I’m about
to give away our secrets to the rest of the world. If you are not an auditor—for
example if your background is mostly in insurance—and you want to understand
what auditors believe, how they work, where their weaknesses are, and what they
contribute, then read on. It’s time to meet the auditors.
What Sort of People Are Auditors?
External auditors tend to be qualified financial accountants assisted by
their trainees. Big firms also employ specialists who are not accountants,
such as computer security and project management experts, though they are slightly
less common now that people increasingly believe external auditors should not
provide other services to their audit clients.
Internal auditors tend to be former external auditors mixed with people from
just about any background conceivable. Some internal auditors go on to take
up management roles in the companies they audit, but others move from management
into internal audit.
The training for auditors, especially external auditors, emphasizes working
in compliance with regulations and official standards of work. The regulations
on financial accounting are complicated and require careful interpretation.
There are also extensive written standards for internal and external auditing.
As a result, auditors have tended to focus on compliance with standards and
written procedures.
What Are Auditors Good At?
Auditors are good at going to see for themselves. They are usually skeptical
and good at digging up dirt and revealing the things managers would prefer to
keep hidden.
Despite sometimes having a reputation as dangerous to meet, they are usually
people who help spread good ideas. They network across their organization and
with their friends at other organizations. They attend conferences to learn
what is happening. When they find good ideas in their company, they tend to
spread them. They also bring new ideas from other places into their companies.
Auditors will review almost anything important to their organization—not
just financial matters.
Internal and external auditors fight for their independence and take ethics
very seriously. That doesn’t mean that all auditors are ethical and independent,
but it does mean that most are much more aware of the issues than people in
other roles.
External auditors often rely on work done by internal auditors and, when
they do, they check that the internal auditors have sufficient standing and
independence within their organization to speak the truth without fear.
Professional institutes for auditors and accountants usually provide personal
help for members with ethical issues and lots of guidance. Trainee public accountants,
for example, are encouraged to think of themselves as accountants first and
employees second. Whatever their boss wants, they have certain duties to their
profession.
Auditors spend most of their time looking at internally arising risks and
their countermeasures. Auditors soon learn how and why people make mistakes
and behave dishonestly. In these areas of operational risk their knowledge is
often excellent.
What Do Auditors Believe?
Like all specialists, auditors believe that the things they are concerned
with are broader and more important than the rest of the world realizes. Auditors
are concerned with “internal controls” and what they call “risk management.”
Auditing is yet another profession that has come to see itself as all about
risk management. This happened mainly during the 1990s. They see a “risk” as
anything that could have an impact on an organization achieving its objectives,
and things done to cope with risks are “internal controls.” Originally, “internal
controls” meant checks like bank reconciliations and double entry, but now the
term is much wider and its boundaries are indistinct.
Auditors tend to focus heavily on internally arising risks, especially risks
arising from incompetence or dishonesty. When something goes wrong they tend
to say it was because of failure to follow internal control procedures while
other people are more likely to point to externally arising problems.
How Do Auditors Work?
The trend in internal and external auditing during the 1990s and more recently
has been toward more risk assessment and more flexible and focused reviews.
For example, over the last 3 years PricewaterhouseCoopers (the world’s largest
audit firm) has introduced an audit approach called “Towards Performance Auditing”
which has taken the firm far beyond the accounts department and directly financial
risks. They now interview managers across a business to find areas under pressure,
for it is here that the risks of financial misstatement are highest even if
the means of misstatement is not immediately clear.
In a similar spirit, internal auditors have begun to develop their work plans
by starting with their organization’s corporate risk register (which they often
helped to produce) and doing reviews to provide assurance on the key perceived
risks. This has pushed them into new areas and a wider range of reviews than
ever before, which sometimes creates difficulties.
Internal audit departments vary in how helpful they are to the people they
audit. The old-fashioned style was for internal audit to be a police force,
conducting reviews, issuing reports, and making recommendations for improvements
that had to be acted on. This sometimes led to confrontations. The modern style
is typically to be more facilitative. Although internal auditors still issue
reports, they often get some of their evidence by asking auditees to assess
their own risks and controls, and some auditors no longer make recommendations
themselves, though they will facilitate auditees devising improvements and later
track progress.
What Are Auditors Not So Good At?
The risk analysis done by, or facilitated by, auditors tends to be much less
sophisticated than risk analysis by people in insurance, safety, policy analysis,
and medicine, for example. Quantification, where it is attempted, tends to be
guesswork and undermined by basic technical errors.
Another weak area for many auditors is lack of design ability. Auditors do
a good job of spreading ideas but they tend to have far less creative ability
than typical engineers, system builders, and architects, for example. Auditors
check work done by other people, often against standards laid down by someone
else, and this does not develop their design and problem solving skills.
Consequently, although auditors often make suggestions or recommendations,
they tend to be obvious and lack detail, too often amounting to a call for more
documentation.
What Does the Future Hold for Auditors?
Auditing is getting more attention than ever thanks to Enron, Worldcom, and
the outrage that they stirred up. The Sarbanes-Oxley Act includes a requirement
for internal controls over financial reporting to be assessed annually with
the conclusions of the assessment published and attested to by external auditors.
This has increased the pressure dramatically.
At the same time, many internal auditors are changing the way they work,
away from routine examination of internal controls, and toward a more flexible
audit of all types of risk appearing on the corporate risk register. Although
auditors feel this is a good direction, it is somewhat experimental and does
create some difficulties.
One trend that may become more important is for organizations to set up a
team of internal control specialists whose role is to help managers design,
develop, and implement good control systems. They may do reviews, but the objective
is very different from internal audit. This allows internal auditors to concentrate
on what they do best, which is independent assessment, rather than getting stuck
into design.
The new rules announced by the Securities and Exchange Commission (SEC) on
May 27, 2003, may accelerate this trend. The rules say that companies cannot
describe their controls as effective if there is even one “material weakness.”
Many companies will use the extra time they have been given to try to eliminate
as many weaknesses as possible and publish a clean report. While auditors can
help with this, ultimately, you cannot audit your way to corporate health. Someone
has to have the creative solutions to problems that have often lingered for
years.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.