Internal audit's new role: put together a top-notch department.EXECUTIVE SUMMARY
* NYSE-LISTED COMPANIES MUST HAVE INTERNAL audit departments in place in advance of an October 31 deadline. Internal auditors Internal auditor
An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. also are evaluating the scope of work their departments should take on to comply with Sarbanes-Oxley and other rules.
* A COMPANY STILL PUTTING TOGETHER ITS INTERNAL audit department should proceed logically, hiring a new director first and letting him or her develop a plan for the audit function. In the search for a new director companies should involve not only the CFO See Chief Financial Officer. but also human resources The fancy word for "people." The human resources department within an organization, years ago known as the "personnel department," manages the administrative aspects of the employees. and the board of directors.
* THE BIGGEST TASKS THE INTERNAL AUDIT DEPARTMENT faces are determining the scope of work and having the personnel and budget to complete it. In instituting internal controls over financial statements, companies must decide how they will document their compliance and how much of this work they expect internal auditors to complete. In most cases the department also will need to balance this work with its pre-404 tasks.
* COMPANIES SHOULD EXPECT TO PAY BETWEEN .03% and .2% of annual revenues for an effective internal audit function that also fulfills Sarbanes-Oxley requirements. Companies that pay at the top of the range typically are highly regulated, decentralized de·cen·tral·ize
v. de·cen·tral·ized, de·cen·tral·iz·ing, de·cen·tral·iz·es
1. To distribute the administrative functions or powers of (a central authority) among several local authorities. entities with facilities spread across the globe.
* AS INTERNAL AUDIT DEPARTMENTS SHED SOME of their operations focus, they must evaluate existing staff to see who has the financial expertise the department needs to perform its new functions. Communication skills also will be important to internal auditors as they undertake their new responsibilities, especially building relationships with the board's audit committee.
Not since WorldCom whistle-blower whis·tle·blow·er or whis·tle-blow·er or whistle blower
One who reveals wrongdoing within an organization to the public or to those in positions of authority: "The Pentagon's most famous whistleblower is . . Cynthia Cooper There are two different public figures with the name Cynthia Cooper:
World's largest marketplace for securities. The exchange began as an informal meeting of 24 men in 1792 on what is now Wall Street in New York City. (NYSE NYSE
See: New York Stock Exchange ) now requires all companies listed there to "maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control"--and do it before October 31, 2004.
This rule will affect CPAs in many companies. While most of the 2,800 NYSE-listed companies already maintained internal audit departments, the fact that some did not prompted the exchange to require them. Experts estimate about half of NYSE companies, including some that already had internal audit departments, will need to take action to comply with the ruling. An Institute of Internal Auditors “IIA” redirects here. For IIA in decision theory, see Independence of irrelevant alternatives.
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 128,000 members with global headquarters in (IIA (1) (Information Industry Association, Washington, DC) In 1999, IIA merged with SPA (Software Publishers Association) to become the Software & Information Industry Association. See SIIA. ) survey in late 2003 showed 80% of the large companies included in the Fortune 1,000 already had an internal audit function. Even though the Nasdaq declined to require the same of the 3,400 companies trading there, it supports an internal audit function as a best practice.
Since the NYSE stopped far short of fully defining the role the now-required internal audit function must fulfill ful·fill also ful·fil
tr.v. ful·filled, ful·fill·ing, ful·fills also ful·fils
1. To bring into actuality; effect: fulfilled their promises.
2. , each company is left to determine on its oven what constitutes a properly structured internal audit department. CPAs who serve as internal auditors or as CFOs or controllers who oversee their employer's internal audit department will find themselves needing to decide what ongoing assessments might be necessary. New internal audit directors must determine the scope of work their group should address, the skills required, the cost of the task and what framework to follow. Companies that currently have internal audit departments can answer some of these questions. By reporting the experiences of some of these entities, this article will help CPAs introducing or expanding an internal audit function to better understand the task they face.
"The move to establish internal audit functions will spread because a properly structured internal audit department adds value" to any company, says Robert Hirth, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , a managing director of internal audit services at Protiviti Inc., a risk management and internal audit consultant in Menlo Park, California Menlo Park is a city in San Mateo County, California in the United States of America. It is located at latitude 37°29' North, longitude 122°9' East. Menlo Park had 30,785 inhabitants as of the 2000 U.S. Census. . "Audit committee members of NYSE companies who go through the internal audit process are likely to demand the same support at Nasdaq or private boards on which they serve." Any company that decides to add an internal audit function--required or not--should proceed carefully, however, to get the desired results.
CPAs should advise companies putting together a new internal audit function to proceed in a logical order.
* Begin the process of hiring the head of internal auditing first.
* Involve the board of directors' audit committee and human resources in the search.
* Hire a candidate with specific internal audit experience.
* Make certain the candidate understands the company's business.
First things First Things is a monthly ecumenical journal concerned with the creation of a "religiously informed public philosophy for the ordering of society" (First Things website). first is the advice from those experienced with internal audit. Hire the director and let him or her develop a plan for the audit function, says Norman D. Marks, vice-president of internal audit at Solectron Corp. in Milpitas, California Milpitas (IPA pronunciation: mɪlpitʌs; inhabitants are called 'Milpitans') is a city in Santa Clara County, California. It is located with San Jose to its south and Fremont to its north, at the eastern end of Highway 237 and generally between Interstate freeways 680 and . A NYSE-listed company, Solectron provides electronics manufacturing services Electronic manufacturing services (EMS) is term used for companies that design, test, manufacture, distribute and provide return/repair services for electronic component and assemblies for original equipment manufacturers (OEMs). to leading equipment manufacturers. "Give that person a flavor of the expected costs and ask him or her to come back with a plan."
Finding a new head of internal audit can be challenging. The demand for top candidates is high now and the supply limited. In addition to networking through their external auditors The examples and perspective in this article or section may not represent a worldwide view of the subject.
Please [ improve this article] or discuss the issue on the talk page. for possible candidates, companies also will find top recruiters to be a good resource. "Be sure the recruiter you work with has direct experience filling the job of bead bead
Small object, usually pierced for stringing. It may be made of virtually any material—wood, shell, bone, seed, nut, metal, stone, glass, or plastic—and is worn or affixed to another object for decorative or, in some cultures, magical purposes. of internal audit," says Marks. "If your regular contact at the search firm has that experience, ask for them to supplement the search team."
An exhaustive search is only the beginning. While the CFO may have screened candidates in the past, the new regulatory environment demands the participation of additional company personnel in filling the top spot. "It's important to involve not just the CFO but human resources and the board of directors as well," says Marks. At many companies the chairman of the audit committee interviews all prospective internal audit directors. In screening candidates the audit committee should assure itself that any potential new hire fully understands the importance of responding to the committee's requests for information in a timely manner.
Companies today want a broader range of skills for their new internal audit directors than previously. "Finance is still number one, so the ideal candidate should really understand financial controls," says Marks. "But you need somebody who also understands the bandwidth of the business."
The new head of internal audit control services at Cisco Systems “Cisco” redirects here. For other uses, see Cisco (disambiguation).
Cisco System,Inc. (NASDAQ: CSCO, HKSE: 4333 ) is an American multinational corporation with 54,000 employees and annual revenue of US $28.48 billion as of 2006. , a Nasdaq-traded company in San Jose, California San Jose (IPA: /ˌsænhoʊˈzeɪ/) is the third-largest city in California, and the tenth-largest in the United States. It is the county seat of Santa Clara County. , represents the qualities many companies are looking for Looking for
In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. today. When Cisco's management and audit committee sought to upgrade its internal audit oversight prior to the passage of the Sarbanes-Oxley Act See SOX. of 2002 and independent of the NYSE regulations, it targeted candidates who were professionally trained as internal auditors and finance experts with lots of operational experience. "Cisco's executives and audit committee were thinking ahead and were visionary about the need for effective internal audit," says Emily Kwong, CPA, who has filled her post as senior director of internal audit control services since 2003.
Kwong's background includes 25 years in public accounting as a Big Four senior audit partner specializing in high-tech clients in Silicon Valley and Asia. Her tours of duty gave her expertise in financial reporting, sensitivity to government reporting and international experience with her firm's overseas development arm. Kwong also gained operational and finance experience while in charge of some of her firm's service lines that provided controller functions to companies that had outsourced them.
MARCHING ORDERS Noun 1. marching order - equipage for marching; "the company was dressed in full marching order"
equipage, materiel - equipment and supplies of a military force
Once a company fills the top position, the real work begins. The answers to the questions of cost, size, required skills of internal audit staff and implementation plan lead back to what functions management will ask the internal audit department to perform. Because this issue is still uppermost on the minds of many company executives, CPAs both inside and outside an entity can be helpful in setting the scope of work. According to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. an IIA study, only one-third of companies have addressed the need to reallocate Verb 1. reallocate - allocate, distribute, or apportion anew; "Congressional seats are reapportioned on the basis of census data"
allocate, apportion - distribute according to a plan or set apart for a special purpose; "I am allocating a loaf of resources to respond to the expanded role of internal audit.
"At Cisco, we've added a couple of people but some of my peers are talking about adding 25% to 30% to their current staff to meet the requirements of Sarbanes Oxley," says Kwong. Cisco's internal audit staff is lean. Only 12 people serve the needs of the $20 billion global technology company. Kwong credits the company's decentralized approach to Sarbanes-Oxley compliance. Each business unit takes ownership of controls, processing and testing.
Even established internal audit departments face expense increases to comply with the new legislation, primarily section 404 of Sarbanes Oxley, which mandates that management evaluate its internal controls over financial reporting and file a report with its financial statements about the effectiveness of those controls. The companies themselves decide the depth of the documentation and how much of the work they expect internal audit to complete. Since established departments had a full workload prior to Sarbanes-Oxley, internal audit directors have had to make tough decisions about how to apportion ap·por·tion
tr.v. ap·por·tioned, ap·por·tion·ing, ap·por·tions
To divide and assign according to a plan; allot: "The tendency persists to apportion blame as suits the circumstances" staff time and focus. "In many cases, departments had been charged mostly with maximizing operational efficiencies," says Marks. "Now complying with section 404 has taken over the department's entire focus."
Marks sees this seismic shift in emphasis as a slippery slope 'slippery slope' Medical ethics An ethical continuum or 'slope,' the impact of which has been incompletely explored, and which itself raises moral questions that are even more on the ethical 'edge' than the original issue . In the unlikely event the audit department gives up all of its pre-404 tasks to stress compliance, the audit committee will question the need for a return to the previous focus on controls to improve operational processes. "The key to 404 is not simply to accomplish what it requires but to leverage the resulting knowledge," Marks says. "We want to look at how this legislation can help us to identify best practices that both standardize stan·dard·ize
1. To cause to conform to a standard.
2. To evaluate by comparing with a standard. processes and increase efficiencies and spread them throughout the company."
FirstEnergy Corp., based in Akron, Ohio Akron is a city in the U.S. state of Ohio and the county seat of Summit County.GR6 The municipality is located in northeastern Ohio on the Cuyahoga River between Cleveland to the north and Canton to the south, approximately 60 miles (96 km) west of , has been managing internal audit issues for 65 years. The nation's fifth largest investor-owned utility, FirstEnergy set out to integrate the new demands with its ongoing responsibilities (see "FirstEnergy: Integrating Internal Audit," page 67).
David A. Richards, CPA, CIA CIA: see Central Intelligence Agency.
(1) (Confidentiality Integrity Authentication) The three important concerns with regards to information security. Encryption is used to provide confidentiality (privacy, secrecy). , director of internal audit for FirstEnergy before his recent retirement, says "the first issue in setting up an internal audit shop is how to do it." He directs CPAs to the IIA as a source for materials to help set up a department. "The IIA is positioned to guide companies in setting up an infrastructure, provide access to people experienced in this process and help establish standards for what constitutes a good audit shop," says Richards, the 2001-02 chairman of the organization's board.
Not all companies want to do the set-up. Those outsourcing (1) Contracting with outside consultants, software houses or service bureaus to perform systems analysis, programming and datacenter operations. Contrast with insourcing. See netsourcing, ASP, SSP and facilities management. the process to a public accounting firm should first clarify the department's purpose. Protiviti's Hirth says his company "leads clients through a reasonable approach to setting up a department that begins with the audit committee developing and approving a charter. Then we help get a chief auditor in place, determine how risks will be assessed and develop an audit plan." (For guidance on drafting a charter, see "Developing an Audit Committee Charter" on page 69. Also see the AICPA AICPA
See American Institute of Certified Public Accountants (AICPA). Audit Committee Charter Matrix at www.aicpa.org/audcommctr/toolkits/01.htm.)
What does all this cost? Hirth points to an IIA study that says companies should expect to pony up between .03% and .2% of annual revenues for an effective internal audit function that meets Sarbanes-Oxley requirements. Companies that are highly regulated and decentralized with facilities spread across the globe will find themselves at the top end of the cost range. "Risk assessment drives the cost," says Hirth. "Well-managed companies, with few past problems, that narrowly define the audit function will spend less than those with opposite characteristics."
NEW ENVIRONMENT, NEW SKILLS
Even established internal audit departments will find they need to upgrade or add financial expertise to the operations focus that has dominated their responsibilities over the past decades. Hirth, for example, advises clients to look at the background of their current internal audit staff before adding new personnel--to determine where they came from and to evaluate each person's whole career. "Even if staff members have moved to an operations focus, they might still have the financial background that is so important today," he says.
In addition to beefing up the department's financial expertise, new internal auditors are being asked to expand their interpersonal skills "Interpersonal skills" refers to mental and communicative algorithms applied during social communications and interactions in order to reach certain effects or results. The term "interpersonal skills" is used often in business contexts to refer to the measure of a person's ability . Janet McKinley, chief corporate auditor at BellSouth Corp. in Atlanta, embodies the qualifications of an ideal internal audit director. Her background includes 25 years in audit and finance positions at BellSouth's various operating divisions. McKinley lists communication ability as a top requirement for herself and her staff: "Fulfilling all the requirements means developing personal relationships vs. sitting behind closed doors assessing everything from a distance."
At BellSouth the communication flow is formalized for·mal·ize
tr.v. for·mal·ized, for·mal·iz·ing, for·mal·iz·es
1. To give a definite form or shape to.
a. To make formal.
b. . Either McKinley or one of her staff attends the officers' staff meetings in each of the company's business units. They take an active role in the proceedings by reporting on internal controls and audit issues and seeking input from managers about the processes. "We also make ourselves available at any time," she says. "We want to establish the internal audit as an event not to be feared but almost welcomed."
CPAs will find managing the relationship with the board's audit committee occupies a considerable amount of the internal audit director's time. The responsibilities include formal activities such as delivering reports at board meetings and less formal ones such as responding to ongoing information requests and educating new board members. For internal audit, direct contact with the audit committee is a significant result of the new regulatory environment. While McKinley reports to the corporate secretary, she counts on the solid line to the audit committee to execute her duties. "It's important to have the full support of the board and upper management," she says. "And equally important is understanding the board's expectations over and above what the law says."
Auditor qualifications. McKinley says her employer was retooling its internal audit staff even before Sarbanes-Oxley and section 404. "We were looking for more accountants with Big Four audit experience, more with finance and accounting backgrounds as well as candidates with the certified See certification. internal auditor designation." A major focus at BellSouth also is on audit staffers with strong information technology skills, including hiring people who have the certified information systems auditor designation. For a comprehensive list of skills and expertise an internal auditor should have, see "Internal Audit Director/Staff Qualifications" on page 69.
MEETING A GROWING NEED
The big job for internal audit--satisfying section 404 requirements to establish, document and monitor controls--will be accomplished over the near term. Plans for the future vary greatly by company, and few CPAs know exactly what internal audit's ongoing workload will look like. They will understand better once the full annual cycle is complete and the external auditors' needs have been satisfied. "SEC standards are so tight that any weakness in a control will cause the external auditor to give a negative opinion," says Richards. "We're laying out an approach with our external auditor ahead of time to see if our testing will be sufficient for its needs."
Despite the uncertainty of the times, the internal audit profession is growing. And CPAs are filling many of the critical positions. Demand for auditors is up and internal audit staff have open career paths to management positions throughout bigger companies.
That's good news for the profession and cautionary news for companies just starting up internal audit functions. "Everybody is out pounding the pavement for good and experienced staff," McKinley says.
Internal Audit Growth Fortune 1,000 companies that already have internal audit departments 80% Companies that increased their staffs to comply with Sarbanes-Oxley 50% Businesses that have allocated increased resources to comply with Sarbanes-Oxley 33%
* Audit Committee Effectiveness Center, www.alcpa. org/audcommctr/homepage.htm. This Web site provides guidance and tools for audit committee best practices.
* The AICPA Audit Committee Toolkit (# 991001JA). A resource to help audit committees achieve best practices in managing their role within the company, including working with internal auditors.
* Managing the Audit Function: A Corporate Audit Department Procedures Guide (# W1281190P0200DJA DJA
See Dow Jones Averagesr (DJA). ). An updated manual that reflects the radical changes in the internal audit profession.
For more information or to place an order, go to www. cpa2biz biz
Noun 1. .com or call the AICPA at 888-777-7077.
* Converging con·verge
v. con·verged, con·verg·ing, con·verg·es
a. To tend toward or approach an intersecting point: lines that converge.
b. Roles: The Changing Role of Internal and External Auditors. Conference cosponsored by the Institute of Internal Auditors and the AICPA, November 7-9, 2004, Orlando. Visit the Institute of Internal Auditors Web site, www.theila.org, for more information and to register.
* Also visit the IIA Web site for an up-to-date list of resources including a variety of webcasts, seminars, conferences and publications.
FirstEnergy: integrating Internal Audit
Over 65 years Ohio utility holding company FirstEnergy perfected its internal audit function, but the new regulations forced the company to make changes despite its long-standing expertise. The group directly involved in documenting and testing controls to comply with Sarbanes-Oxley section 404 ballooned to 30 people. In prior years nobody at the company had been looking at controls to the extent required by section 404.
While internal audit still is a major player in the company-wide compliance effort, its tasks now are shared throughout the entity. The diverse team that leads the project reflects the breadth of the integration required to provide the new information. The team includes the company controller who oversees the project as well as the internal audit director, the chief legal officer, the chief risk officer, the head of IT and top managers from two business units. The team works in part as a steering committee steer·ing committee
A committee that sets agendas and schedules of business, as for a legislative body or other assemblage.
Noun that reports to the board through the audit director.
The company's now-retired audit director, David A. Richards, budgeted close to 15,000 hours of compliance time, with half spent by the end of 2003. His team defined 75 business processes throughout the company and then took apart the company's financial reports to see where the compliance risks were in their accounting and reporting methods. "Each process we identified was fairly elaborate," says Richards. "Fortunately we had just changed over our entire accounting software system in June 2003, so we were not faced with the more difficult task of documenting a legacy system."
The compliance future is quite unclear even for FirstEnergy. It hasn't yet been through the full cycle including an external audit. No one knows what's going to be needed on an ongoing basis. "We'll need to up date and go back and do maintenance" says Richards. "But what that will entail and how frequently we'll do it are still outstanding questions."
Internal Audit Director/Staff Qualifications
Here's what companies should look for when hiring a director of internal audit. While the ideal candidate may not have all of these qualifications, he or she should have as many as possible. Companies also can use this list when expanding their internal audit staffs below the director level by adjusting the training and job experience requirements accordingly.
* Undergraduate degree “First degree” redirects here. For the BBC television series, see First Degree.
An undergraduate degree (sometimes called a first degree or simply a degree in accounting or related field (MBA MBA
Master of Business Administration
Noun 1. MBA - a master's degree in business
Master in Business, Master in Business Administration preferred).
* CPA with Big Four audit experience as well as finance and accounting background.
* Five to 15 years in internal audit.
* Professional designation such as certified internal auditor (CIA), certified information systems auditor (CISA (Certified Information Systems Auditor) The award for successful completion of an examination in information systems audit, control and security from the Information Security Audit and Control Association. See ISACA. ), certified fraud examiner Certified Fraud Examiner (CFE) is a designation awarded by The Association of Certified Fraud Examiners (ACFE). The ACFE is a 41,000 member-based global association dedicated to providing anti-fraud education and training. (CFE CFE Conventional Forces in Europe (treaty)
CFE Cash Flow to Equity (finance/accounting)
CFE Comisión Federal de Electricidad (México)
CFE Certified Fraud Examiner ), certified management accountant This article or section needs copy editing for grammar, style, cohesion, tone and/or spelling.
You can assist by [ editing it] now. (CMA CMA - Concert Multithread Architecture from DEC. ) or certified financial manager (CFM (Cubic Feet per Minute) The measurement of air flow. Cooling fans are rated in CFM. ).
* Experience in handling internal controls and Sarbanes-Oxley.
* Strong computer skills including financial systems and databases. Proficiency pro·fi·cien·cy
n. pl. pro·fi·cien·cies
The state or quality of being proficient; competence.
Noun 1. proficiency - the quality of having great facility and competence in accounting and auditing computer software.
* Experience interacting with upper management and the board of directors and its audit committee.
* High level of personal and professional ethics professional ethics,
n the rules governing the conduct, transactions, and relationships within a profession and among its publics.
professional ethics liability,
n 1. .
* Ability to manage and motivate a staff of financial professionals.
* Solid analytical and problem-solving skills.
* Strong written and oral communication skills.
Developing an Audit Committee Charter
A strong internal audit function begins with a strong board of directors' audit committee, For committees that still don't have charters, here is some information CPAs can use to help them draft one.
* Define the purpose of the charter: to help the board of directors fulfill its oversight responsibilities.
* Detail the authority the audit committee will have: to conduct or authorize To empower another with the legal right to perform an action.
The Constitution authorizes Congress to regulate interstate commerce.
authorize v. to officially empower someone to act. (See: authority) investigations into any matters that are within its scope of responsibility.
* Define the expertise and number of people required on the committee: at least three and no more than six members of the company's board of directors. Each committee member will be both independent and financially literate.
* Specify the number of meetings the committee will hold and the scope of its responsibilities, which include the following:
* Perform financial statement review.
* Understand the company's internal controls.
* Review the internal audit plan, ensure compliance and effectiveness and meet with the chief audit executive regularly.
* Review the external audit plan, ensure the performance of the external auditors and meet separately with them.
* Review plan to comply with laws and regulations, and communicate required code of conduct to company personnel.
* Report to board of directors and shareholders and keep avenue of communication open between internal audit, external auditors and the board.
Source: Institute of Internal Auditors, www.theiia.org.
PRACTICAL TIPS TO REMEMBER
* CPAs should recommend a broad spectrum of company personnel participate in the search for an internal audit director, including human resources staff and the board of directors' audit committee, as well as the CFO.
* CPAs can offer their expertise to help companies determine the scope of work the internal audit department will take on and what resources in terms of both money and personnel the department will need to do the job.
* Before adding new internal audit personnel, companies should look at the background of existing audit staff members. Examining an employee's career might reveal he or she has the financial background that is so important in the refocused internal audit function. Companies then can add new employees with the appropriate expertise to fill in the gaps.
* A best practice CPAs can recommend is that the internal audit department outline to the company's external audit firm ahead of time the approach it will take in complying with SEC standards to make sure the company is conducting the appropriate tests to satisfy the auditors.
CYNTHIA HARRINGTON, CFA (Computer Fraud and Abuse Act of 1986) Signed into law in 1986, the CFA was a significant step forward in criminalizing unauthorized access to computer systems and networks. The Act applies to "federal interest computers" that include any system used by the U.S. , has been a money manager specializing in large-cap value stocks Value stocks
Stocks with low price/book ratios or price/earnings ratios. Historically, value stocks have enjoyed higher average returns than growth stocks (stocks with high price/book or P/E ratios) in a variety of countries. for high-net-worth individuals and small institutions. She's now a full-time journalist whose work has appeared in Bloomberg Wealth Manager, Plan Sponsor and CFA Magazine.