Smith left the small accountancy in 1997 to take an internal auditing job at giant SkyTel Communications. In 1999 SkyTel merged with what was then MCI WorldCom.
Smith readily concedes that most chief audit executives get their general marching orders and policy direction from board audit committees. But he says they tend to be managed on a day-to-day basis by CFOs. Typically, things like audit team budgets and auditor performance appraisals are handled by a company's finance department.
But the WorldCom internal auditor believes such a setup can lead to problems. He says in some cases, an internal auditor can become too beholden to finance or operations.
If that occurs, the definition of "administrative" can easily get blurred by politics and turf wars. At that point, an audit team may wind up as a de facto unit of the finance department, thus threatening the integrity of a company's internal financial controls.
Smith provides the hypothetical example of a vice president of internal audit whose bonus will be set by the CFO on April 1. In the course of a review he's completing before that date, however, the auditor concludes that the company's reserve for receivables is too low.
The auditor is then faced with a thorny decision: include the subject of receivable set-asides in his report and he risks incurring the wrath of the finance chief. But exclude the subject and he might betray his responsibility to board and the owners of the company.
Complicating the matter: Determining the proper reserve is almost always a judgment call. "When you estimate an allowance, it's not an objective decision," notes Smith. "It's not a black-and-white thing."
The small matter of the bonus only widens the gray zone. "What happens more often than not is that that administrative line is crossed," says Smith, "and there is a little more [operational] control in determining what can and can't be audited."
Hole-Poking
Not exactly an ideal scenario for sound risk management. But Smith is quick to point out that finance chiefs and CEOs should have some input in determining the scope of a company's internal accounting investigations.
But he goes on to warn that auditors often tread a fine line in deciding what to do with that input. "If you get to a point where you're giving their input more weight than anybody else's," argues Smith, "then I think you've impaired your objectivity and your independence."
To avoid conflicts, Smith predicts that some companies will begin to install a senior vice president of risk management or governance to oversee the audit department. Besides approving the work of internal auditors, such an executive could supervise areas like disaster recovery, commercial insurance buying, and ethics.
The real oversight power, however, should rest with the members of the audit committee. They should be "driving the internal audit plan and giving direction to the internal audit department," says Smith.
That's rarely the case, says the WorldCom internal auditor. What's more, board audit committees should be questioning their external auditors more closely than they do, he believes.
In that effort, audit committees may begin to look to inside auditors for help. "Maybe one of the things the audit committee does is to say, 'Hey, Mr. External Auditor, I would like you to sit down with our internal auditors and walk them through your work papers, your procedures on accounts receivable. Let them shoot holes through your procedures and see what you did.' "
Based on recent developments, it seems Smith and Cooper are pretty good at shooting holes through procedures.
Reader Comments» Post a comment