What constitutes an (internal) auditor? - Internal audit: The Current State of Affairs

Chapter 2: Internal audit: The Current State of Affairs

2.3 What constitutes an (internal) auditor?

2.3 What constitutes an (internal) auditor?

Authority and professionalism

The word auditor originates from Latin and literally means listener. It was the task of the auditor to listen carefully and, based on his knowledge of the conditions, to evaluate if the farmers who had to account for their revenues did this in a manner that was consistent with both regulations and reality. (Most, 1969, 17)

Within the audit concept, authority is one of the most important starting points. Without authority little value will be attached to the opinion of the auditor - or anyone else, for that matter. But what is authority? Where does it comes from and what is it based on? And how does one obtain and retain it? Or, when things go horribly wrong, lose it?

Authority in the realm of auditors is intimately entwined with professionalism. But which comes first: authority or professionalism? Fasten your seat belts, because once again - and by no means accidentally - we find ourselves on the slippery slope of chicken and egg questions.

Some say that professionalism implies authority. This also implies that society should have confidence in the expertise and independence of any auditor: the basic elements of authority.

Without these two core concepts, auditors cannot fulfill their social function. These elements will be addressed separately.

Burns, Greenspan and Hartwell (1994) researched professionalism in internal auditing. Their view is that prior to 1977 internal auditing did not qualify as a true profession, because it failed to set professional standards. This changed in 1978 by the release of the "Standards for the Professional Practice of Internal Auditing of IIA Inc". The events that led to a significant elevation of professionalism were the enactment of the US Foreign Corrupt Practices Act in 1977, passed on Friday, December 9, 1977 in response to the scandal of Lockheed's bribing schemes in order to induce foreign countries, including Germany, to buy up very difficult to fly Starfighter jets.

Expertise requires knowledge and professionalism that the auditor should acquire from education, on the job training, and experience. Thus legislators set requirements that must be met before people are qualified and entitled to perform audits. The knowledge that an auditor should possess is not limited to financial knowledge. To form a professional judgment one should have knowledge of different disciplines. This knowledge is important to place issues in the proper context and perspective. Expertise is not only a requirement for an auditor to form a judgment on a certain subject. It is also the stone that the concept of reliability is built on.

Third parties will only accept the judgment if they believe that the auditor is knowledgeable of the business and also demonstrates this.

O'Connor (2004) would argue that this has to do with competence. Competence is the basic feature of any professional: primarily vested by education and training and demonstrated via licenses and "education permanente". A well known expert in psychology, Professor Wagenaar once said: "If we cannot solve a problem, we go for another problem that we think we can solve". This seems to be the case with defining professionalism, authority, expertise and competence - and, as we will see, objectivity and independence. If we cannot define the one properly, let us focus on the other and try to define that. Something along the lines of if two wrongs don't make a right, try three. It looks like an endless game of postponement.

Further, strict behavioural rules should apply to auditors. From the moment auditors started to become an independent profession, the most important professional ethical values were expertise, clearness in performance and expressions, trust, confidentiality, impartiality and independence. These are the core concepts of auditing ethics. Organizations such as the American Institute for Certified Public Accountants (AICPA) and The Netherlands' NIVRA tightly control and safeguard these behavioural rules, either in the form of standards for auditing, or in a professional code, and accompanying disciplinary powers.

According to Flint (1988, 64), the elementary characteristics of an auditor are "probity and strength of character". An auditor should approach an audit assignment without bias or any prejudice. This requires integrity and adherence to professional codes of conduct. Auditors should also not have personal involvement with the audit due to existing relations, financial or other interests, or interest regarding the outcome. One question is if these characteristics are the first thing that springs to mind when the public thinks "auditor".

Confidence is based on the belief in the presence of these characteristics. The auditor is an honorable man - he wouldn't lie - and, therefore, the fruits of his labor are worth more than the paper they are printed out on. In other words, an auditor's word is his bond, and reputation is key to both him and the profession as a whole. Society's trust in auditing is also dependent on the results of earlier audits, and to maintain that trust and the legitimacy to, the independent attitude of the auditor should appear from inviolable behavioural rules. An auditor who does not comply with the regulations is subject to the disciplinary law of the professional organization. As shown above from the Georg Simmel quote, faith and confidence have become increasingly important in modern society. Perhaps, in contrast with his assertion, this has always been so.

Independence and objectivity

Now let's look at the myriad of concepts used to make up for the characteristics of any auditor. Professionalism, authority, integrity, independence, probity and strength of character, trust, confidentiality, impartiality, objectivity, without prejudice, expertise, knowledge, and competence. All distinguished and lofty words that sound like they must mean a lot. But when push comes to shove, or even before, what exactly?

Let's try to nail down two of those highly debated and debatable terms: independence and objectivity. Independence, one of the main themes in the audit profession, both external and internal, has many aspects.¹¹ Arens and Loebbecke (1994) distinguish "independence in fact"

and "independence in appearance".¹² This distinction occurs more often. Factual independence has no value, as audit stakeholders do not see the objectivity of that. Therefore, it is important that auditors clearly indicate the extent and validity of their findings. Kocks expands the concept with two other aspects, namely independence "in mind" and "in behaviour".¹³ This subject was already touched on above. From that perspective, one would be inclined to regard this as more rhetoric than reality.

The authority of an audit and the degree of acceptance is partially based on an auditor's perceived, and actual, independence. In all cases where an audit is executed the audited party has accepted the underlying norms with regard to the reporting, duties, and other criteria. The audited persons have an interest in the research and are also in a position to influence results.

The objective of the audit is "to secure accountability" (Flint, 1988, 29). It is important for credibility and objectivity that the audit stands completely apart from the person whose behaviour is being evaluated. If this wasn't the case, the audit could be seriously compromised.

The audited party agrees to be audited because he basically has no choice. Do it or else. But he will continue to do his utmost to control damage. That is, not reveal any more than he absolutely has to. At the same time, the auditor needs unrestricted access to all relevant sources of information. What information is relevant can be determined only post facto. That is, after it has been scrutinized. Otherwise, the auditor's judgment about the value of, say, an annual report, could be seriously impaired. Based on his research, a report is written presenting findings and conclusions. This report should be published without further consequences for the auditor. The importance of this postulate is such that it forms a separate subject within auditing theory.

Defining independence and objectivity is a difficult task. That wouldn't overly concern us if the audit profession didn't lean so heavily on these concepts. One could even say, without exaggeration, that it is founded on them.

Independence is a subjective concept that connotes a willingness to bring a high degree of rigor and skeptical objectivity to the evaluation of company management and its plans and proposals. However, these studies (on independence of corporate boards in this case) have to use rough proxies for independence: the simple absence of a job with the company, a close family connection or (perhaps some regular stream of income from the company apart from directors' fees and dividends are all that it take to qualify. (Langevoort, 2000, 3)

The chairman of the dissolved Independence Standards Board (ISB) – an initiative of the SEC and the AICPA - Allen, delivered the 1997 Seymour Jones Lecture in Accounting at New York University's Stern School of Business.

11 Which is quite remarkable since both operate in different spheres. One outside the company and, therefore, supposedly more independent than the in-house player.

12Arens and Loebbecke (1994), p. 79. See also Flint pp. 54-61.

13H.C. Kocks (1997), "General principles of auditing", incorporated in reader postdoctoral education RO at Erasmus University Rotterdam, p. 10.

Our capital markets are the envy of the world and are an important component to the efficiency of our economy. The capital markets work on information, including financial statements audited by independent professionals. We believe that the attestation of a competent, independent auditor adds value. There is unanimous agreement that the independent judgment of expert auditors and the perception of that independence is a condition of the utility of the auditors' attestation. What does and should constitute independence in this context is not however always obvious.

Allen's contention is that independence and the lack thereof might in the end be related to the efficiency of pricing of securities in the market. In other words, independence has instrumental value. According to O'Connor (2004), the AICPA and SEC claim that independence has a value in and of itself.

O'Connor continues:

But if regulators are not clear on what the real purpose and value of independence is, then it is no wonder that the regulations they promulgate appear fragmented and lack cohesiveness. (2004, 42)

It is Allen's claim that independence is a proxy (it has no intrinsic value) of objectivity and integrity. In that respect he differed from the SEC and the AICPA and might have come up with fresh views. However, according to O'Connor, the ISB was influenced by the views of AICPA SEC because it allowing a number of CPA's to join. Before discontinuing the organization on July 31, 2001, ISB produced a number of Discussion Memorandums. One of them dealt with auditor independence and came up with four personal attributes: competence, diligence, integrity, and objectivity.

Competence is the ability of an auditor to perform the technical audit itself. Diligence, the new addition, is the useful notion that considers whether a competent auditor actually uses it in any given audit. Integrity is the capacity of the auditor to resist temptations to perform and report the audit with intentionally less than scrupulous adherence to presented facts.

Objectivity is the capacity of the auditor to perform and report the audit without intentional or unintentional biases.

Is this progress? O'Conner (2004) doubted it and concludes:

"Independence" per se is unnecessary or irrelevant in these examples [doctors and lawyers] for two reasons. First, a client or patient is unlikely to hire a professional whom he believes to have a strong alliance with an individual or organization whose interests are adverse to his own. Second, in the traditional professional services environment where doctors are simply doctors, lawyers simply lawyers, and accountants simply accountants, the "reputational capital" of the professional is based on the public's belief that the professional acts with objectivity and integrity.

Professionals who engage in reputation-depleting activities will likely find themselves with few clients over time, regardless of their "independence".… The solution [for auditors] is to institutionalize "objectivity" and "integrity" such that auditors who meet the criteria will generally act with objectivity and integrity even on behalf of the unknowable investing public. The result is "independence".

One might argue that this debate draws heavily on the notion of the external auditor. But the IIA Research Foundation (2001b) also produced a study on independence and objectivity. It notes that the focus of Standards and other literature regarding independence is mainly focused on "perceptions" of independence.

Our analysis of the literature indicates that independence and objectivity are often treated synonymously and often with a lack of clarity. Standards have invariably focused on independence and have paid only scant attention, if any, to the concept of objectivity. Standards have also variously discussed "independence in appearance", "independence in fact", "independence of mind", and "mental attitude". Little effort has been spent on defining those concepts, explaining the difference between these concepts and that of objectivity or on how they relate to an effective audit. (2001b, 13)

The report continues that "objectivity" should be the primary focus of attention. The rest follows as a result from enhanced objectivity. Objectivity is defined as a state of mind and as freedom from bias, expressing or involving the use of facts without distortions by personal feelings or prejudice. The stand of the IIA Inc is that the organizational position is a determinant factor for independence, which in turn fosters objectivity. Already in 1972 (Silvoso, 1972) the Committee on Basic Auditing Concepts declared freedom from bias as the main concern of audit. Again, from the perspective of the external auditor. This report stated that "the condition of 'conflict of interest' is the most important single determinant of the need for the audit function" (1972, 31). The issue was drawn into the core concerns of auditing and audits.

What have we learned thus far? Independence seems to be a result rather than an instrument.

If we focus on objectivity and integrity, independence will be the outcome. Okay. But does it bring us any closer to our goals? Probably not, because defining objectivity and integrity and putting it to work isn't any easier than independence itself. This much is obvious. While beating the drums of "independence" seems to be an essential part of the rhetorical rituals of the profession, it is essentially that. It might be best for internal auditors not to emphasize independence too much. Because if it is problematic for external auditors, it is doubly so for this sub-species. Internal auditors are by definition part of the organization and paid by management itself.

Organizational position

According to IIA Inc's Professional Standards (2001d), the organizational position is highly intertwined with independence and objectivity issues. In another report (2001b, 8), it takes the position that professionalism and objectivity make up for effective internal audit services. It is important to note that the IIA report points out that independence for internal auditors is more problematic than it is for the external auditors. The reasons for that are internal auditors are not only dependent on management, but also the increasing importance of internal audit activities conjoined with the growth in demand of IA consulting services leads to escalating concern and requires a response from the profession (2001b, 3).

Interestingly, the report continues, it is not appropriate to copy the SEC and AICPA approach by listing hundreds of pages of regulations to steer independence. Surely, that would add up to many more pages than there are for the external profession. The IIA tries to learn from the

"negative experience of the external audit profession with this approach over the past 70 years" (2001b, 4).

The report focuses on the objectivity subject as a process that can be managed. In a footnote it is stated: "The concept of managing conflicts of interests is important since one can never be totally free of conflicts that may impair objectivity." (2001b, 16) In a way it is just a matter of downsizing the problem as much as possible.

Professionalism in its turn is defined as integrity, competence and the use of due care (or diligence). Integrity is defined by the IIA Inc as "an uncompromising adherence to a code of moral values and the avoidance of deception, expediency, artificiality, or shallowness of any kind" (2001b, 9). How on earth will this be measured – if at all - and against what standards?

Competence is easier to understand. "Competence means having the intelligence, education, and training to be able to add value through performance." (2001b, 9) Surely, competence is acquired via education, training, intelligence, and a system of licensing and education permanente. On top of this there might be supporting systems, such as quality reviews and the possibility of disciplining by other professionals.

Due care has to do with the way internal auditors carry out audits. While elaborating on due care, the IIA Inc suggests to include "perspective compatibility" (2001b, 10), referring to an individual's view or perception of a given situation. Auditors should be aware of the interests of the stakeholders to whom they owe a duty. This is an extremely important point. First, because this means that the internal auditor has to readjust his focus and understand who his

"bosses" or "responsible parties" are, their interests, and how he should set about looking after them.

It is useful at this point to discuss the issue of the auditor's position within the organization. If there is more than one boss to serve, there surely will be different interests. Would it be fair to say to say that this needs to be part of his job description? Surely, that would make easier both his life and the ability to measure whether services were rendered as requested and demanded by his superiors. If there are differing, and even conflicting, interests, the implicit would become explicit by writing them down, and then they could be sorted out in terms of priorities. Otherwise, the poor auditor would be squeezed like a lemon. Or a stone. It would also demand making a case for make for why certain audits are required and who the auditor should report to. As long as the number of stakeholders is limited to one, these problems will not arise. But this is most certainly not the case. Interestingly, the IIA Inc study took stock and came up with the following 6 parties: management, employees, board of directors, audit committee, owners (shareholders), and the general public.

The study already acknowledged that, "Each of those parties will want, or at least will be perceived to want, different things from the audit, highlighting the importance of a consistent perspective across the audit team and function" (2001b, 10).

The IIA Inc (1994) agreed that the interests of constituents to whom an auditor owes a duty drive the auditor's obligations. But this does not necessarily require an explicit statement by a stakeholder. No. The auditor is often in a better position to understand what actions to take to act in the best interests of his constituents. The IIA Inc study calls this "perspective compatibility", between internal auditor, audit team, management, the board, and, if

In document Corporate Governance: the impact on role, position, and scope of IAF.pdf (Page 36-42)