New ethics rules for CPA firms.
Engaging outside auditors to perform internal audit activities is not a new phenomenon; smaller financial institutions and companies have been doing it for some time. Since the early 1990s, however, as many companies including larger entities reengineered themselves to focus on their core businesses, there has been a move to outsource various staff and support functions, including internal auditing. For CPAs, these engagements--referred to in the professional accounting literature as extended audit services--often include helping perform a client company's internal audit activities or audit services that extend beyond the requirements of generally accepted auditing standards.
Companies using outsourcing as a business strategy usually seek vendors whose expertise or "core competencies" in staff and support activities provide high-quality, cost-effective services for buyers that do not have, or desire to have, such expertise. While cost containment and efficiency often are the objectives, companies increasingly use strategic outsourcing as a way to enhance or improve a department, not just reduce its cost.
CPA firms have core audit skills and methods as well as technological tools that well suit them to serve clients that adopt such business strategies. Building on their knowledge of a client company and its industry and business processes, many firms are viewing this natural extension of services as an attractive growth area. Virtually all of the six largest international accounting firms, as well as some regional firms, offer some level of extended audit services, and many have added internal audit professionals to their staffs to bolster these capabilities.
NEW PROFESSIONAL GUIDANCE
The growth in the number of situations in which outside auditors perform both attest services and extended audit services for the same client has raised questions about the potential impact on auditor independence of the extended audit services. Previous professional guidance-ruling no. 97 under Rule 101--Independence of the American Institute of CPAs Code of Professional Conduct--was issued by the AICPA professional ethics executive committee in November 1993. It permitted an auditor who performed attest services for an entity, also to perform internal audit activities for the same entity when those activities were considered extensions of audit procedures normally performed during the annual external audit--provided the auditor did not perform management functions or make management decisions.
In May. in response to questions about whether extended audit services engagements for attest clients impair independence and to provide additional guidance, the ethics committee issued an interpretation, Extended Audit Services, and ruling nos. 103, 104 and 105 under rule 101. (See Official Releases, page 110, for the full text.) Ruling no. 97 was deleted.
The changes established more specific guidelines for planning and performing extended audit services for existing attest clients. Following the same basic premise as previous guidance, they effectively codified best practices, reaffirming that these services would not impair independence with respect to attest clients, provided the auditor does not act or appear to act "in a capacity equivalent to a member of client management or as an employee." The auditor also is precluded from
* Performing other monitoring or control activities that affect the execution of transactions. One example is performing the ongoing review of transaction documentation for completeness before closing transactions.
* Having custody of assets.
* Performing processes that are the equivalents of ongoing compliance or the quality- control function. An example of this is daily testing to establish error or reject rates.
The guidance applies equally to extended audit services performed for clients when all or part of an existing internal audit department is outsourced or for a newly created internal audit function.
ESTABLISHING AN INTERNAL AUDIT FUNCTION
A frequently encountered situation--using extended audit services to initiate an internal audit program for an attest client--is a good example to illustrate the new guidelines.
The traditional approach. In the past, a company establishing an internal audit function started from scratch and built the department entirely in-house. While this approach worked well for some, there were certain drawbacks. For example, there were significant start-up time and costs to recruit the staff as well as to develop an entire internal audit methodology, and related processes.
The nontraditional approach. Some companies today engage their outside auditors to perform extended audit services for them as a fast, efficient way to provide internal audit coverage. Often, top management does this to encourage the view that not all activities and personnel must be "owned" by the company.
Directors see value in avoiding the sometimes lengthy time lag of building internal audit in-house and instead may want the external auditors to help get the activity up and running faster. Timeliness is especially important when a company first issues securities to the public and directors are sensitive to their responsibilities to new public shareholders.
When starting from scratch, the nontraditional approach is attractive to a smaller, cost-sensitive company, because it can avoid adding expensive full-time employees-- and the related benefit costs. Such costs may have been a determining factor in management's previous decision not to form an internal audit department. The nontraditional approach also gives companies access to specialized audit personnel and state-of-the-art automated audit tools they might not have been able to afford themselves. The availability of specialized resources and tools may be the most compelling reason for smaller companies to use extended audit services.
A final point for many companies is that this approach allows management to accommodate growth and bring all or part of the function in-house at a later date. Flexibility may be important if a company plans significant growth (such as through acquisitions) but has not yet made any actual transactions at the point internal audit is being considered.
IMPLEMENTING AN EXTENDED AUDIT SERVICES ENGAGEMENT
For practitioners, implementing an extended audit services engagement often begins with educating executive management and directors on the value of internal audit. In many cases, management is not opposed but simply had not focused on it as an important element of the company's growth or had considered it too costly. The process should include an in-depth discussion of the potential benefits of and concerns about internal audit services. Of particular importance is an open discussion of the roles and responsibilities of the company's board of directors, audit committee and management as well as the outside auditor.
The discussion should touch not only on professional standards and independence issues but also on the business considerations involved. The ethics rulings reemphasize the requirement that responsibility for internal audit remain with a competent member of management. That person's duties should be carefully outlined. He or she must have sufficient understanding of the audit process and standing within the company to effectively fulfill the responsibility. However the engagement to provide extended audit services is structured, all parties must understand that internal audit remains management's responsibility. Of course, management also remains responsible for establishing and maintaining the overall internal control system.
Once an understanding is reached among management, the board, the audit committee and the auditor, an engagement letter should be prepared specifying each party's roles and responsibilities and indicating that the auditor may not perform management functions, make management decisions or act or appear to act in a capacity equivalent to an employee. Interpretation 101-13 under Rule of Conduct 101 (see Official Releases, page 111) says an engagement letter is "preferable," and experience supports the business rationale and need for a well-written letter. Along with documenting the understanding between the company and the auditor, it should establish the benchmarks management and the directors may use to assess whether the engagement is being performed to their expectations. This is especially important when the client has not previously had an internal audit program. As with most contractual arrangements, work done on the letter up front will reduce later misunderstandings or conflicts.
The next step in an extended audit services engagement usually involves preparing an overall risk analysis, which serves as the basis for formulating the company's internal audit plan. Here again, there must be a clear delineation of responsibilities. The auditor can assist with preparation of the preliminary risk analysis and audit plan and recommend audit priorities. However, the final determination and approval of both must be the responsibility of the management person in charge of internal audit. When implementing internal auditing, a company would naturally look to the auditor's experience and expertise for input, alternatives and recommendations. However, the auditor must take care to remain in an advisory capacity and not assume management's role in deciding the composition and scope of the final internal audit plan. This is a key requirement of the ethics interpretation and rulings.
Once management has approved the audit plan, the auditor becomes responsible for day-to-day performance of the audit procedures and reporting the results. The auditor provides the staff needed to execute the procedures and is responsible for the direction, supervision and review of their work. While performing these services, the auditor must avoid acting in a capacity equivalent to an employee or manager by, for example, instructing the client's operating personnel to change procedures because of the results of the audit testing. Also, the auditor should not permit himself or herself to be referred to as being in charge of internal audit or as the internal auditor.
The interpretation clarifies that the work performed must not include involvement in authorizing, executing or consummating transactions or performing activities that are part of the company's ongoing compliance or control system. Careful preliminary discussions and a well-written engagement letter should establish the function's limits and avoid any potential conflicts with those requirements. The management person responsible for internal audit should take an active role in positioning the function and the auditor's role in providing extended audit services. Additional examples of activities and their impact on auditor independence are included in the exhibit on page 63.
The results of the extended audit procedures should be reported in a format that allows the company executive in charge of internal audit to evaluate the adequacy of the audit procedures performed and the resulting findings. The reports may include recommendations for improvements in systems and controls. These reports should not be issued on the client's letterhead. There are significant differences in reporting formats used in internal auditing; the auditor and the company manager should decide on a format that fits the company. The auditor can rely on his or her experience with other internal audit activities to present alternative formats for management consideration.
THE ELUSIVE WIN-WIN SITUATION
While nontraditional audit approaches are not right for every company, the process described here can benefit both companies and their auditors. Extended audit services quickly deployed in a professional manner allow management to focus on other activities. Management retains not only overall direction and responsibility for the function, but also the flexibility to expand the engagement or begin bringing all or part of the process in-house. By following the new ethics interpretations and rulings, the auditor and management are assured the services can be performed for the auditor's attest clients without impairing independence.
[TABULAR DATA OMITTED]
* LARGE CORPORATIONS INCREASINGLY are outsourcing staff and support functions, including internal audit. For CPAs performing such engagements--called extended audit services in the professional accounting Literature--this often means helping with a company's internal audit functions or performing audit services that extend beyond generally accepted auditing standards.
* THE INCREASED NUMBER OF SITUATIONS in which outside auditors perform both attest and extended audit services for clients raised questions about the potential impact on auditor independence. To provide additional guidance, in May, the AICPA professional ethics executive committee issued an interpretation, Extended Audit Services, and ruling nos. 103, 104 and 105 under rule 101 of the Code of Professional Conduct.
* UNDER THE NEW GUIDANCE, AUDITORS would not impair independence with respect to attest clients provided they do not act or appear to act "in a capacity equivalent to a member of client management or as an employee". They also cannot (1) perform other monitoring or control activities that affect the execution of transactions, (2) have custody of client assets and (3) perform processes that are the equivalents of ongoing compliance or quality control functions.
* TRADITIONALLY, WHEN A COMPANY added an internal audit department, it hired an in-house staff. Some companies, however, are using a nontraditional approach by asking their outside auditors to perform extended audit services as a fast, efficient way to establish internal audit coverage. The new' guidance clarifies how these engagements can be performed without impairing auditor independence.
RICHARD J. ANDERSON, CPA, is a partner and national director of internal audit services at Ernst & Young LLP in Chicago.
|Printer friendly Cite/link Email Feedback|
|Author:||Anderson, Richard J.|
|Publication:||Journal of Accountancy|
|Date:||Aug 1, 1996|
|Previous Article:||How to hire Ms./Mr. right.|
|Next Article:||New standards alter quality control systems.|