Will the number “5” signal greater self-reliance and less dependence on third parties for Sarbanes-Oxley compliance?
That number—symbolic of both the fifth anniversary of Sarbanes-Oxley and the release of the Public Company Accounting Oversight Board’s Auditing Standard No. 5—is certainly giving hope to companies that costs can be dropped and processes simplified through greater self-reliance during compliance testing.
One of the greatest sources of frustration and cost for companies regarding the internal control provisions of Sarbanes-Oxley—on top of the documentation and attestation costs—has been duplication of effort. It has not been uncommon, for example, for a company to pay for a “process walkthrough” with an internal auditing consultant, only to conduct another identical walkthrough (sometimes only days or weeks later) with the external auditor.
“When you’re paying two auditors—one internal, one external—I think there is a propensity for a lot of overlap,” says Randolph Beatty, dean of the Leventhal School of Accounting at the University of Southern California.
Now, while some companies continue to use a third party for assistance with internal audit work, others are ready to take the function in-house. “There are still benefits of having a readiness consultant,” Beatty says, “but some companies feel confident enough to cut out the middle man.”
Facilitating that confidence is AS5, which increases the ability of the auditor to rely on the work of others, eliminating walkthroughs and the requirement for auditors to obtain their own evidence in many cases.
With AS5 in its nascent stage and no current data available from field testing, estimating cost reductions for 404 is difficult right now. Regardless, the new standard is empowering many companies to move from greater reliance on annual assessments of controls toward internally driven self-assessments that make the external audit attestation less onerous.
According to a recent Institute of Internal Auditors survey of more than 9,300 internal auditors, most organizations are conducting their internal audits with in-house staff. And of those respondents at public companies, 95 percent of their internal audit work is being done in-house. Moreover, only one-third of the study’s participants will see an increase in their budgets for co-sourcing or outsourcing over the next three years.
Michael Higgins, compliance and revenue manager for RadiSys Corp., has recently started integrating self-assessments into his operation. “We’re moving from the check-the-box mentality to working directly with process owners to identify and mitigate risks,” he says. “I think AS5 is going to enable more companies to think like this.”
One way that Higgins approaches routine self-assurance is by analyzing critical inventory, revenue, and expenditure business cycles at his company, basing the audit approach on location of offices, importance of logistics, and degree of risk. He then submits his findings to the CEO and CFO on a quarterly basis. By doing so, process owners are kept informed about and are prepared for the ongoing reviews, and upper management can tailor its entity-level controls accordingly.
In fact, Higgins says, the self-assessment process has worked so well for RadiSys that management is renegotiating with the company’s external auditor, since the readiness process is now less tenuous.
Chris Carter, manager of audit services at the $11.9 billion gas company ONEOK, says that a company’s in-house internal audit staff must oversee the process “from start to finish.”
According to Carter, controls self-assessments can reduce compliance costs, lead to better information quality, and ultimately lift burdens on process owners. ONEOK handles the task by getting all the process owners in one conference room at the same time in a workshop atmosphere for the audit, rather than having internal audit staff come back and forth to their desks during the course of the review.
The Work of Others
Typically, the extent to which an outside auditor can rely on management’s assertion of internal controls’ effectiveness has centered around the clarity and completeness of work done internally. Under the PCAOB’s now-defunct Auditing Standard No. 2, the external audit firm used the “principal evidence” provision, meaning the outside auditor had to get independent confirmation.
Under AS5, companies can take back the reigns of the audit agenda. The new standard makes clear that auditors can now rely on company personnel other than those in the internal audit function, as well as outside consultants who are not CPAs. In addition, management and outside auditors no longer have to agree on the controls selected and tested, as long as management can justify the selections it makes. Management’s conclusions, the standard says, should be supported by the risk assessment, self-assessments, and the educated analysis of the financial statements and accounts.
“Just in the past few weeks, we have been asked by our external auditors to do more work, and they can rely on that work more, which I see as a positive,” says Dennis Stevens, director of internal audit at Alamo Group. “When you look at it from a cost standpoint, doing it in-house, you pay wholesale prices versus retail prices bringing a consultant in. There’s no question that wholesale is better.”
Stevens has been a vocal proponent of tailoring auditing methods to fit small business and decrease compliance cost burdens. And while he does say AS5 will “bring back management accountability,” he continues to echo the sentiments of a June 5 letter he wrote to Congress where he called the standard merely a “refinement” rather than “a substantive change.”
Still, the newly won freedom that AS5 provides doesn’t give businesses a license to cut corners on internal control reviews. Indeed, experts say it is now more important than ever that internal auditor teams—as well as corporate compliance heads—are qualified, unbiased, and knowledgeable about the most significant financial accounts, related processes, and key controls.
According to George Victor, partner in charge of quality control at audit consultancy Holtz, Rubenstein Reminick, companies need to assess both cost savings and risks when determining whether to outsource or internalize such assessments.
“It really depends on the size and commitment of the shop,” he says. “Using your in-house staff may be more cost-effective, but it is certainly still costly. You have to weigh how significant your cost savings will be against how significant your risk is in performing your own self-assessment and getting it wrong.”
Let the Business Do Business
Not surprisingly, Victor and others in the audit community contend that retaining an outside audit consultant for internal purposes is a hedge against numbers being out of place, or ineffective controls that could be uncovered by an external auditor.
“You do your own self-review, you’re essentially rolling the dice,” Victor says. As a result, he adds, the decision is as much political as it is financial. “Someone has to face the music, and there is less finger pointing internally if you turn it over to an IA co-sourcer or outsourcer,” he says. “Why not let them take the heat? That’s what you’re paying for.”
Alan McVay, director of control assurance at Rinker Materials, agrees with Victor, and isn’t prepared to make the “do-it-yourself” leap. He argues that one can recoup savings by being fully prepared, so that the external auditor has less work to do and fewer hours to bill.
“I don’t use self-assessment for SOX,” McVay says. “What some may call expensive [auditing consultants] have actually proven cheaper in the long run. Let’s let the business do business and increase external audit reliance, thus lowering fees.”
Either way, the Big 4 firms appear to be aware that AS5 may be changing attitudes at public companies. Robert Greene, a senior manager in PricewaterhouseCoopers, surmises that use of internal outsiders “will shift to other areas that will enhance, rationalize, and optimize their control structures.”
That may come in the form of advice on how to implement, deploy, and monitor automated controls, or evolving IT issues. “New technologies and the evolution of financial applications will also be an area where CPA IA practices will lend their expertise,” says Greene.
Phil Livingston, vice chairman of the auditing software company Approva Corp., agrees with Greene and predicts that automation of controls is the future for public companies and a paradigm that audit firms will push clients to adopt.
“With automation, you can set up rules [and] configuration settings based on your controls goals and test 100 percent of your underlying transactions instead of drawing samples for an audit,” Livingston says. “Now, mind you, you can’t automate everything, but from being out in the field, I can tell you that the sort of mechanized audit framework is here to stay and can go a long way in a self-assessment.”
Meanwhile, Del Monte Foods is moving its self-assessment process forward by investing in technology to address numerous SOX 404 processes, such as documentation, archiving, and automation of management approval.
Jonathan Wynn, Del Monte’s manager of advanced technology and collaborative services, has achieved this by storing information on Del Monte’s company intranet and allowing the related computer applications in place to create a real time audit trail, which has resulted in the elimination of paperwork and needless digging.
“When you run your SOX compliance program like this, you’re reclaiming your business and your responsibility,” says Wynn. “Ultimately this is a good thing.”