IIA urges bright line between internal auditing and mgmt.

Since Section 404 of the Sarbanes-Oxley Act went into effect, both external and internal auditors have been unsure exactly how to treat "the work of others," not to mention "each other." The Securities and Exchange Commission and the Public Company Accounting Oversight Board have made it clear that public auditors need to scrutinize companies more carefully, including their internal controls over financial reporting, but at a PCAOB roundtable discussion in April, auditors and corporate financial officers complained of the increased cost of these intensified audits.

One tempting way to minimize costs is to allow external auditors to use "the work of others," which can include work performed by people who work for the company that is being audited.

External auditors often use the work of others, of course, though certain rules apply. In meeting the requirements of SOX 404, however, they did not use the work of others, or at least not much, to limit the scope or testing - or cost - of their audits. As a result, the audits may have been substantially more expensive than they would otherwise have been.

The subsequent issuing of PCAOB Auditing Statement No. 2 made it clear that the work of others is permissible, but the situation can still be unclear. Confusion can occur when the work of internal auditors blends with the work of management.

And that's what gets Dominique Vincenti, chief advocacy officer of the Institute of Internal Auditors, wagging her finger at auditors, internal and external alike. "Internal auditing is not supposed to do management's job," Vincenti warned. "When we talk of using the work of others and the 'others' is internal auditing, we are not talking about internal audit having tested internal controls on behalf of management."

Vincenti said that the PCAOB roundtable discussion revealed that the lack of acceptance of the work of others led to much of the painful cost of these first 404 audits. "The SEC and PCAOB heard those complaints and told the business community that they were going to do something about it," Vincenti said. "What they immediately said was that external auditors should use better judgment in the planning of their work. They should use a risk-based approach, that a 100 percent test was not appropriate, and that they should reconsider their approach when assessing management attestation. SOX is very clear about who is responsible for what. The law clearly states that the assessment and testing and documentation of internal controls over finance and reporting is management's responsibility."

An internal audit department, as part of its internal audit plan, may independently audit some areas of financial reporting and accounting, Vincenti said, but that is not part of SOX 404's requirements. It's part of an independent audit plan agreed with management and the audit committee. Under that plan, internal audit may test internal controls - a responsibility that properly belongs to management, and if internal auditors perform the job, they are doing so as part of management, not as internal auditors.

Vincenti warned that, despite internal auditing's high degree of competence and reliability, an external auditor should not accept its work as that of an internal auditor if it has acted in a management capacity. "At the end of the day, the PCAOB is very clear," she said. "Internal audit has to test management's testing, but if that management testing was done by internal audit, there can be no reliance on it. Things need to be segregated, and roles and responsibilities have to be clearly stated."

The issue of using the work of others was discussed at length during a Webcast discussion by the IIA in early September. Vincenti and representatives from Big Four accounting firms KPMG and PricewaterhouseCoopers delved into the gray areas where the rules require judgment.

Those two firms, and others, have developed models that auditors can use to judge when it is appropriate to use the work of others and how much they can rely on it. The Webcast discussed some of those technicalities, but it also probed into the difficulties experienced in the first year of reporting under SOX 404.

"I think it's well recognized that in year one, full implementation [of 404], in the area of using the work of others, really did not occur," said Gary Stauffer, senior partner of the national risk and quality practice at PwC. "The problem was based around timing, most likely. At the SEC's April 15 roundtable on Sarbanes-Oxley Section 404, there was a clear acknowledgement by all that the external auditor did not fully implement this process."

The timing issue, Stauffer said, was so serious that at some companies, management was still working on the 404 requirements when the auditors - with their eyes on the filing deadline - began their work. In the subsequent rush, the theoretical division between management and auditing may not have been so well-defined.

Vincenti attributed some of the problems to management being uncomfortable with having to pay for the same activity being done by internal and external auditors.

Stauffer added that since 404 wasn't implemented very efficiently in its first year, the second year will be critical in seeing how well it works and how it could be improved.

KPMG partner Lisa Daniels, another participant in the Webcast, opined on the use of the work of internal auditors. "I think it fits in perfectly to have an external auditor review internal auditing that was done with competence and objectivity," she said. "This provides external auditors with additional comfort in this area. That's what they need to get to. The higher the comfort, the more the work that can be relied on, and certainly the more often we see those types of reviews of internal auditing departments, especially by third parties, the more comfort is provided to the external auditor."

Daniels recommended that internal and external auditors meet early in the audit process to identify areas where the external auditor can rely on the work of internal auditors.

"It's all about coordination," Stauffer added. "Early coordination."

Vincenti explained that she expects the relative roles of management and auditors to become more balanced. The cost issues will go away as auditors and managers realize that they can be held liable for their actions. Then, she said, "The costs will seem justified."
