Scope of Services - Internal audit: The Current State of Affairs

Chapter 2: Internal audit: The Current State of Affairs

2.6 Scope of Services

Scope of Services of the Internal Audit Function

This section will deal with the scope of services in general and the shift from financial to operational audit in particular. Traditionally, internal audits focused on finances, as should be more than abundantly clear by now. The Dutch roots lie in the era before World War II. The role of the internal auditor could be typified as an internal accountant. The annual account was certified internally, after which an external auditor, supported by the work of his internal colleague, could sign off on the annual report. There was a large overlap in the scope of services of internal and external audit.

Sinnott (1957, 28-29) presented his view about IA's tasks. Its main focus would be detecting and preventing theft, fraud or any other loss of a similar nature. But it would also detect and prevent other errors, and continuously appraise internal checks. It would detect and report non-compliance with financial regulations and accounting instructions. It would also make suggestions for improving systems and methods, presenting financial and statistical data, and increasing income.

Stokvis (1957, 48) provided a view from The Netherlands. The internal auditor should be commissioned to:

Give his expert opinion on the internal financial statements.

Judge the efficiency of the accounting system

Provide management with all information within the orbit of his specialized knowledge, which in his opinion could be of assistance in running the business, especially regarding planning and delegation the duties of subordinate executives and control over the performance of delegated tasks.

These views clearly mark the general perception of internal auditing 50 years ago. While it has definitely gone out of style in some businesses, it has continued in numerous nations and businesses in one form or another up until now. Sometimes overtly in the text of job descriptions and contracts, sometimes covertly in the subtext of un-stated, and perhaps not even consciously realized, expectations.

It is fair to say that IA's scope of services remained rather stable from 1957 onwards to in the 1980's. From then on, the shift from financial towards operational auditing was apparent. A 1991 NIVRA survey conducted among 87 internal auditors supported this view: 76% of the respondents had noticed a shift from financial to operational audit. Since at that time the scope of services dated back to 1985, NIVRA's findings didn't pick up on more recent developments or mass scale jumping on a fashionable bandwagon. Sixty two percent of the respondents indicated that certifying the annual account formed only a part of their scope of services. This is noteworthy, because 85% of the respondents considered a combination of financial and operational audit important. According to that survey, financial audit was still ahead of operational.

The already mentioned ICAS paper (1993) also addressed IA's scope of services and objectives. The paper made clear that IA should aim at reporting whether management information and internal control systems have been, one, established and maintained and, two, whether they are sufficiently reliable and contributing to:

Provide the true and fair information necessary for preparing financial statements.

Contribute to the information necessary for the board to be able to judge whether, given the environment in which the company is operating and expects to operate, adequate financial resources are available to enable it to remain a going concern for at least 12 months from the date the directors approve the financial statements.

Minimize opportunities for fraud and other illegal acts and maximize the likelihood that the directors will quickly detect any such irregularities.

According to this, the ICAS clearly envisions financial audit as the proper work terrain of IA, which in itself contradicted the developments already noticed in the late 80's and early 90's.

In the middle of the nineties a number of studies and publications emerged. According to Van Lieshout (1994), halfway through the 1980's there was in the US a shift from financial to operational audit. While he vaguely hinted that this trend had something to do with changes in international accounting practices, he didn't get any more specific than that. According to a study by Breedveld-Krans (1990), 90% of the organizations studied had their IA performing both operational and financial audits. Ekelschot (1993) and De Jaeger (1995) also noticed this trend towards operational auditing. Other organizations had fully outsourced the financial audit to external auditors. This often led to either axing IA or a deeper and broader focus on operational processes.

A number of surveys provided data supporting this trend. They are (NIVRA, 1991; IIA The Netherlands, 1998 and 2002) presented in the table below. A few significant differences, which are indicated, hinder comparison. The table includes the average time spent on any service.

Table 2-8: Time spend by the IAF

Financial audit

Operatio-nal audit Compliance audit Other

Average time spend 1991 46% 32% ** 22%*

Average time spend 1998*** 30% 51% 9% 10%

Average time spend 2000**** 22% 45% 9% 24%****

* IT accounted for 12%

** not specified

*** no IT included

**** IT accounted for 16%

The problem is that no reference was made to IT auditing, making a comparison very difficult. Although the percentage for operational audits went up significantly (from 32 to 51, falling slightly back to 45) and the percentage for financial audit decreased from 46 to 30 and then to 22, this might be due to the fact that EDP audit was categorized under operational auditing in the second study. Despite this shift, almost 80% of IA's still performed some financial audits and expected that this would still be the case 5 years hence. A total absence of financial audit is not to be expected.

The ground gained for operational audit assignments is obvious. This is further demonstrated by a VRO study (1998). Out of its 29 respondents, 7 indicated that they had started operational auditing activities in the 80's. The remaining 22 started in the 90's.

There may be two explanations for this development, both originating in the Anglo-Saxon world. One was the publication of the COSO report in 1992 and 1994. The other was the surge of the corporate governance debate in the 90's (to be discussed in more detail in Chapter 4).

The publication in 1992 of the COSO report highlighted the importance of internal controls, and went a long way towards nailing down what that means (see Van Lieshout above). As outlined above, the emphasis was initially placed on optimizing operational processes. After the COSO report was published this shifted, due to the broadening of the concept "internal control", towards statements of being "in control" and "risk management". McNamee (1997) published an article proposing a changing approach directed at COSO and with a primary focus on "business risk" instead of an internal control system. In his conclusion he stated that

"the differences between the old and the new paradigm may appear subtle; nevertheless, the risk-based audit process is broader and richer in information content." (1997, 27)

International literature also indicates that the audit increasingly takes shape as an internal control function. McCuaig (1998) indicates that the added value of an internal auditor lies primarily in assurance as intended in the COSO report and the corporate governance debate.

In The Netherlands the term operational audit is used to describe the differences in scope of services. Paape (1999)¹⁶ argued to change "operational auditing" into Management Control System Auditing (MCSA), because management considers it important to have a second opinion about how well the Management Control System (MCS) is functioning. This call was repeated in 2005 (Paape, De Korte, Otten). The call was backed up by explaining that the term "operational auditing" tends to cause confusion among users of IA, because it connotes operational processes. Further, the new term would better mark off the main area of focus.

That is, pay more attention to management control. For an auditor it means that he must be capable of studying management control systems and their components. This subject will be returned to in Chapter 3.

Paape, Scheffe and Snoep (2003) also surveyed IA's scope of services among the Chief Audit Executive's of the largest companies in the EU. They discovered that the predominant service was operational audits (97%), which is consistent with several other studies already discussed.

A high number (64%) was also found for consulting activities. The consultative service delivery is strongly linked to the desire to deliver added value to management. The IIA Inc developed its new Competency Framework in 1999 via – among others – a Delphi study and a survey among internal auditors globally. Out of that it became apparent that consultative services seemed to be valued more by superiors and, therefore, deserved a prominent place in the framework. Consulting has been pushed forward as a valuable and viable service, but not without debate.

Having read numerous IIA Inc publications (1999a, 1999b, 1999c, 2000, 2001a, 2001b, 2001c, 2002b, 2002c, 2002d, 2002e, 2002f, 2002g, 2002h, 2003a, 2003b, 2003c to name just a few) and IIA Nederland (2001) and research reports, I noticed that many of them contain reference to the added value dogma about consultative services. The image of a profession almost desperately searching to be heard and valued springs to mind. It isn't too far fetched to compare that mindset with what has been happening in the external audit profession. They have been criticized with regard to their "one stop shopping" concept and focus on consultancy services. It led regulators to impose a ban on certain services and led to the sale of many of the consultancy services by KPMG, Ernst & Young, PricewaterhouseCoopers and Deloitte. At first sight similarities are easily found and it may not be that surprising that the same was happening in the internal audit community. In this respect the framework provided by Matthyssens et al (1998) at the end of this section is certainly worth examining and pondering.

16 L. Paape (1999), "OA, MCSA?!?! Over de toekomst van OA", pp 293-304. Dissatisfactions with the term

"operational auditing" are aired. Included are the potentially limiting association with operational aspects; the too large emphasis on the control of the performance of the work by Anthony; and the definition of operational being too much influenced by ambiguities and the desire to expand the task of the auditor to opinion forming around MCS.

It is also worth noting the differences of opinion regarding the "legitimacy" of consultancy services (in relation to the independence issue). While more than half of the respondents in the study of Paape et al (61%) think it is allowed, 23% totally disagree with that contention.

The issue bothering the profession is the collusion problem. Will an auditor be able to be

"objective" about advice he gave when the results of the advice, especially when they are negative, turn up in the course of a subsequent audit? If so, he is a better man than I am. The Standards allow consulting services, but do acknowledge the possibility of it impairing independence and objectivity. They are allowed by the Standards if disclosed before an engagement.

Church and Schneider (1991) researched the "collusion" issue. Students in a university class, having no experience with internal audit, were presented a case and made decisions that suggested an impairment of objectivity. In other words, they were susceptible to the temptations of collusion. Then they presented the same case to experienced internal auditors, who did not make comparable decisions. They concluded that experienced internal auditors maintained their objectivity. This demonstrates that while the danger of collusion is real, experienced internal auditors know how to handle it. Results like this might help to demonstrate that experience is a sort of inoculation against the illness of collusion.

Consultancy services also appeared to be an issue in The Conference Board research. Asked about their expectations with regard to consulting services, The Chief Audit Executive's surveyed reported a marked increase in that area. The areas covered ranged from vulnerability assessments to executive compensation reviews and quality control functions. Unfortunately, the survey did not inquire about the time spent on consulting services.

The collusion issue is also connected to broadening the scope of services. In earlier stages of the profession's development the area of expertise was quite clearly financial audit. . An auditor's education had everything to do with accounting and finance. Consulting was okay, as long as it was restricted to these areas. It was like going into an ice cream shop and being told you could have whatever flavor you wanted, as long as it was plain vanilla. The spread of the service pallet, however, made expertise less obvious, and service expansionism - sometimes known as "empire building" - more seductive. If one wants to be perceived as a value adder, one may be enticed to promote the image of expertise in areas where wise men would fear to tread. In other words, the issue might be getting more complicated.

Van der Woerd (2003) advocates the need for adding consultancy to more traditional services.

His argument is that the two are necessary, and needn't be obstructive. He suggests that consultancy engagements should not be mixed up and reports about those engagements are solely provided only to the lower level managers, not to the Management Board. He also advocates a strict separation of staff and does not allow an auditor or consultant to be involved in a subsequent audit of a previous consulting engagement where he was involved.

De Korte (2003) and Paape et al (2005) tried to solve the issue of possible collusion between consulting and auditing activities. Their conclusion was that consulting should preferably take place at the beginning of any audit. In preparing the criteria to be used during the audit, the internal auditor is well placed to discuss with management the preferred set up of the internal control system. That is the time to demonstrate his knowledge and expertise and make it available for management. This will prevent uncomfortable surprises - "guess what we found?" - at the end of the audit and will also promote acceptance.

Another interesting topic is the question whether top management activities should be subject to internal audit. Stokvis (1957, 50), supporting the idea that IA should receive instructions only from top-management (see above), was clear on the subject.

He should, therefore, be allowed to take cognizance of all documents which reflect the decisions of management, e.g., minutes, budgets, etc. If his findings give rise to any comment on top-management's activities, he should be able to report directly to the CEO and to any or all of the managing directors, thus ensuring that his position has the greatest possible independence within the organization.

Sinnott (1957, 32) felt a bit more reluctant about this issue and would leave the matter to the discretion of management.

If on the other hand, the scope of his activities is restricted to exclude top management, he can quite properly leave this field to the external auditor, having made his own restricted position clear to that auditor and having proffered advice on the appropriate internal check.

Back then the issue of including top management activities in the scope of services was controversial. Nowadays, much is said about the "soft controls" and the "tone at the top".

Verschoor (1992) reported that 65% of Chief Audit Executive's submitted information concerning the results of monitoring the corporate code of conduct or ethics to the Audit Committee.

Jules Muis (2003) was quite clear. "For the internal audit profession to suggest that 360 degrees reviews of corporate governance dynamics is easily within its professional reach – including 'tone at the top auditing' – is a dangerous illusion." (2003, 48) The newly adjusted IIA Inc. Standards – which came into effect on January 1, 2004 – made a giant leap forward by including Standard 2130.A1. "The internal audit activity should evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs and activities." Although one might approach this from a systemic perspective and not bring the "tone at the top" under this umbrella, expectations are clearly rising.

But the clock might be turned back. While writing this thesis, the Sarbanes- Oxley Act came into effect, and the outcome with regard to the scope of services is becoming more and more apparent. Gray (2004) studied its impact on internal auditing. It may be significant. "Internal audit departments are shifting away from consulting and operational auditing and returning to their traditional financial auditing activities. In terms of status, they are now reporting directly to the audit committee and play a greater role in the audit committee's meeting agenda."

(2004, xvi) He continued: "In terms of reporting relationships, usually there is a 'solid line' from the internal audit department to the audit committee, reflecting a functional relationship, and a 'dotted line' to the CFO (sometimes the CEO), reflecting an administrative relationship."

(2004, page xx)

In conclusion, the shift from financial to operational audit is obvious. The increasing breadth of the scope of services is also visible, and consulting, prominent in the IIA Inc's definition of internal auditing, while still subject to debate, is on the rise. The tone at the top and codes of conduct have, via the revised Standards, recently been appointed an area to include in the Scope of Services.

There seems to be an underlying trend, which emerges when taking a bird's eye view of the data and having been around in the profession for a while. The internal audit profession has always been an instrument in the hands of management and sought for its approval and recognition. Since it has never been mandatory, it had an inherent need to deliver value for money to management. Either that, or be shown the door. Marketers can tell you all about creating first a desire for products and services, and then a need.

Starting off with its focus on financial audit, working closely with the external auditor and providing assurance on the financial data, it sought to expand its services to other areas. This trend can be explained using the framework provided by Matthyssens et al (1998). They presented the following model.

Total standard service package

Differentiated custom-made service package, focused on applications

Low Differentiation in supply of products and services

Superior logistic service; basic service amendable with options to be paid for

High High

Low Experience buyer

U nb un dli ng

In no va tio n

Figure 5: Matthyssens et al (1998, 33): Service and Market evolution

This scheme shows that from a standard package there will be a trend toward differentiation of services, which winds up in superior services, which, in turn, can become a new commodity, which requires innovation to adapt to the changing needs of customers. The convolutions of that sentence demonstrate the potential ongoingness of this process.

This development may be relevant to IA's scope of services. The financial audit became a commodity, which was also provided by the external auditor. This competitive force led IA along the path of differentiation and finding new services, such as operational audit, IT audit, compliance audit, and the like. Adding consulting services increased the service pallet even more. The question whether this trend could be called "push", whereby the profession started this trend, or "pull", whereby management demanded other services, might be difficult to answer. If one would were to plot the current status of the internal audit services in this

In document Corporate Governance: the impact on role, position, and scope of IAF.pdf (Page 58-71)