Internal audit and control functions have long been war-weary parts of Corporate America, bombarded by ever-more risks to monitor and disclosures to make. Two sessions at the Compliance Week 2012 conference explored how audit and compliance executives can rally for a counter-offensive.
All the changes of the last decade—the rise of new technologies, revisions to financial reporting rules, new standards in legal liability—have forced companies to take a close look at their audit functions and their control environments to see where updates and improvements are necessary.
Bill Spoehr, vice president for financial compliance at grocery retailer Safeway, said his company has cut its testing of key controls by 69 percent from the earliest days of Sarbanes-Oxley compliance eight years ago. Great news, but the $43 billion company still sees challenges arising from three major areas: changes in accounting standards, changes in the business, and changes in the external audit approach.
Just on accounting standards, Spoehr said Safeway can attest to the fatigue of disclosure overload. He cited a recent Big 4 study that said the volume of footnote disclosure has swelled 24 percent since 2004; at Safeway, disclosures for pension obligations alone have expanded from 2 to 12 pages. “No wonder our control count is going up,” he said. “This places challenges on our corporate accounting. Do we have the expertise, the time, and the systems to meet these requirements?”
Broadly speaking, most compliance and audit executives would answer that question with a “no.” Integrating controls more closely into business processes is one way to address that problem, and Mike Ellner, vice president of internal audit and global financial compliance at insurer ACE Group, said executives shouldn't be shy about using force to make such change happen.
At the same Compliance Week 2012 session Spoehr spoke at, Ellner asked for a show of hands: “Who believes that within your organization, your IT function and your business function are well-coordinated when it comes to consideration of controls?” Not a single hand went up. “Every company has this issue,” he said. “You have to force IT and business to sit down at the table—force the conversation—and there will be a lot of benefits.”
Ellner said many companies embrace the idea of integrating business and IT to improve operational audits, but pause at the idea of integrating business and IT controls. Yet there are efficiencies and operational improvements to be found if companies can force that conversation, he said. That discussion leads to a better picture of where application and business controls overlap, and can even allow the company to reduce its automation or business controls, he said. It also helps in understanding of the financial bite of control failures and produces some base-lining of automated application controls.
External auditors are, as usual, another source of tension. Spoehr said Safeway has seen some new approaches adopted by its auditor (Deloitte) after the Public Company Accounting Oversight Board adopted a suite of new standards aimed at risk. Companies need to know what their auditors consider to be the high-risk areas, so they can know where auditors will focus their testing. Safeway, Spoehr said, has found it important to prevent “audit fatigue” that allows internal audit and external audit to do unnecessary redundant testing.
The Modern Audit Function
At a separate session, Mark Monday, vice president of internal audit at Hasbro, said he has found a great deal of benefit in spending more time listening carefully to the audit committee—even reading between the lines when committee members ask questions to get a better idea of the concerns they are probing. “Many times the audit committee doesn't want to come out and bring a specific question right to the point,” he said. “So they'll dance around it with questions that suggest that they're thinking of something else or want to go a little deeper.”
“We're always struggling with ‘where do I put my effort?' Compliance is a piece of the puzzle but resources are stretched thin.”
—Sanjay Singh,
VP of Internal Audit,
Starbucks
For example, Monday said, questions from his audit committee members led him to suspect they weren't confident they could rely fully on management's self-testing of controls in the early days of Sarbanes-Oxley. Management had pushed the self- assessment out to the business units to be performed by the process owners; reports came back assessing thousands of controls with only a few problems, and with mitigating controls used to address those concerns.
“The audit committee started asking how much they could trust management reporting that was coming out of management self-assessment,” Monday said. “So we decided we needed to listen to the undercurrent of what they were asking.”
He dispatched his internal audit staff to begin reviewing the self-assessments and included that in the audit plan. Internal audit staff review the self-assessment results, the testing processes, and the supporting document to get a sense for their credibility. “Is it going to stand on its own two feet as to whether an independent individual could reach the same conclusions?” he said.
Mark Monday, VP-internal audit at Hasbro, talks to the audience about running the modern audit function, while Sarah Flanagan, senior antitrust compliance counsel for Intel, looks on.
Sanjay Singh, vice president of internal audit at Starbucks, said he struggles with allocating resources when internal audit's mandate has grown but resources have not. Starbucks is still a relatively young company, he said, and the company's audit committee has charged internal audit with providing not just traditional audit services but advisory services as well.
“We're always struggling with, ‘Where do I put my effort?'” he said. “Compliance is a piece of the puzzle, but resources are stretched thin.” Singh said compliance officers would be wise to help internal audit prioritize compliance-focused audits to be sure they don't fall to the bottom of the to-do-list. “Left to their own, [internal auditors] will struggle with the prioritization process, and where the corporate compliance ends up on the audit plan may or may not be what you want.”
Making the case for more resources to meet the demands has been tricky, Monday said. He recently presented a three-year plan that spelled out a “very legitimate argument for how we are falling short,” he said. His plans suggested that his resources grow 25 percent to meet the mandate placed on internal audit, yet the corporate annual operating budget has not been allowed to grow for the past two years. The internal audit staff has grown to accept a slim travel budget, and that's helped, he said, and the audit function has been forced by tight resources to focus more intently on prioritizing risks. “It's a challenge,” he said.
No comments yet