Accounting & Tax

The Insiders

Do internal auditors have a bigger role to play in ensuring the integrity of financial reports?
David KatzSeptember 1, 2002

The latest rash of high-profile accounting scandals is adding fuel to the debate over reporting relationships in the finance department.

No longer satisfied with financial audits controlled exclusively by senior corporate executives and accounting firms, regulators and institutional investors are now insisting that publicly traded companies reorder some of those reporting relationships.

Under a recent proposal by a New York Stock Exchange (NYSE) committee, for example, board audit committees would have more power over external auditors. Among the audit-committee powers being championed: sole hiring and firing authority over a company’s independent auditor.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Internal auditors, who until recently have typically slaved away in anonymity, focusing mostly on broad corporate controls and risk-management programs, are also being asked to take on added responsibility. But in the wake of Enron, Xerox, and WorldCom, internal auditors at some large companies — JC Penney, for instance — have begun playing key roles in setting audit-committee agendas. “I write the agenda for the audit-committee meeting,” says Howard Johnson, senior vice president and director of auditing at Penney.

At other corporations, internal auditors have been asked to pore over financial statements, assuring the soundness of the numbers — or ferreting out mistakes. Indeed, management at WorldCom claims that internal auditor Cynthia Cooper uncovered the accounting ploys that ultimately forced the company to lower its stated earnings for 2001 by $3 billion.

Remarkably, WorldCom management says Cooper and Glyn Smith, another member of the internal audit staff, directly contacted the chairman of the board’s audit committee, Max Bobbitt, to discuss what they had found. Bobbitt later had Cooper and Smith interview David Myers, then WorldCom’s controller, about the company’s treatment of payments to third-party vendors as expenses.

Some finance chiefs see internal audits as something of a sniff test for overly sophisticated accounting schemes. “If a corporation is engaging in activities beyond the understanding of the internal audit department, that’s a warning sign,” says Richard Marsh, CFO of FirstEnergy Corp., an Akron-based utility holding company. “If there’s that kind of a disconnect, it really weakens the control function.”

Edison Discovers the Audit

To beef up the function, reform advocates (among them, William Bishop of the Institute of Internal Auditors; David Richards, director of FirstEnergy’s internal auditing department and immediate past chairman of the IIA; and Dorothy Heyl, senior trial counsel for the Securities and Exchange Commission) say internal auditors must have direct links to audit committees. That way, they can report concerns without fear of reprisal from their bosses.

Of course, some companies have always allowed the head of internal audit a private audience with the audit committee. Members of the NYSE’s corporate accountability and listing standards committee think that the practice should be universal. In a June 6 report to the exchange’s board, the committee said internal auditors should meet separately with the audit committee at least every quarter.

And the SEC is forcing those relationships on some companies. In a settlement this past May, the SEC ordered Edison Schools Inc., based in New York, to improve its financial controls by creating an internal audit department. Edison Schools also agreed to promptly hire an internal audit director, who would periodically report to the audit committee. In its order, the SEC found that Edison, a for-profit manager of public schools, violated federal record-keeping laws by, among other things, failing to properly accelerate its recognition of losses relating to agreements with certain school districts.

But the SEC also found that the company did not have “an adequate accounting system to bill [school] districts,” and that its inability to address the system’s weaknesses stemmed from its lack of an internal auditor. “We found the lack of an effective audit function to be a problem [at Edison],” says the SEC’s Heyl.

Edison does have a CFO, Adam Feild, as well as a fairly famous chairman, Benno Schmidt Jr., the former president of Yale University. But company management adhered to the SEC’s request to hire an internal audit director by June 14.

The company hired an Edison employee to direct the newly created internal audit department before the deadline, according to Adam Tucker, vice president of communications and advocacy for the company. “To maintain the independence of the internal auditing role, the Edison internal audit director reports directly to the audit committee of the board of directors of Edison Schools, and not to senior management,” says Tucker.

Function at the Junction

At most large public companies, however, the issue isn’t whether there is an internal auditor, but who the auditor’s boss should be. It’s one thing for regulators and investors to say the internal audit department should get its general marching orders from the board audit committee, but internal auditors usually report to the CFO.

The most popular solution, according to the IIA, is to provide auditing executives with two masters: the audit committee for policy-making and a senior corporate executive — usually the CEO — for more-routine work.

On “functional” matters (general direction and policy-making), about half of the internal audit executives report directly to audit committees, according to a recent survey conducted by the IIA. But in more than a quarter of the 42 companies that responded to the question, top internal auditors report to either the CEO or the CFO on functional matters.

When it comes to more-routine tasks, chief audit executives (CAEs) most often report to senior finance executives. At almost half of the 74 companies responding to another question on the IIA survey, the CFO (42 percent) or the controller (5 percent) signs off on the budget and performance of the CAE. Just 2 percent of the respondents said they report to the board on budget and performance matters.

Some reformers believe internal auditors should report to the board more often. They argue that otherwise CFOs and controllers can exert pressure on internal auditors to rubber-stamp finance-department numbers.

They Walk the Line

Then again, some internal auditing chiefs like reporting to CFOs, as long as they have complete, private access to the audit committee. For one thing, finance chiefs tend to be more accessible than CEOs. For another, they are generally more savvy about auditing minutiae, says David Richards.

Although Richards preaches the institute’s gospel of separation of finance and internal auditing at FirstEnergy, he reports to Richard Marsh, the company’s finance chief. Both Richards and Marsh say they have a collaborative relationship, working hand-in-hand to bring major internal audit issues to the audit committee.

Richards says he has easy access to FirstEnergy’s audit committee, which is responsible for hiring and firing the top internal audit executive and approving the department’s annual plan. Marsh and members of the audit committee have encouraged him to call committee members if anything questionable crops up, adds Richards.

A Waste of Resources?

Beyond a change in the reporting lines for CAEs, observers say a move to more-intense checking of company financials would be a substantial shift in duties for many audit teams. For years, those teams have focused just on keeping information systems and operations running smoothly, says the IIA’s Bishop.

After all, most internal auditors aren’t CPAs. Before the current accounting scandals, internal auditors largely steered clear of such complicated financial maneuverings as off-balance-sheet accounting, third-party investment vehicles, and derivatives accounting. Some internal auditing executives still feel they shouldn’t get involved in auditing those processes. “Should the internal auditing function be plowing the same ground [as independent auditors]?” asks Richards. “My own view is that it’s a waste of corporate resources.”


Still, internal audit teams at a number of big companies are working much more closely with their independent audit firms. In that regard, Howard Johnson, Penney’s chief internal auditing executive, took it as a vote of confidence when Allen Questrom, the company’s chairman, said at a meeting of the company’s senior managers early this year that the retailer was counting on its internal auditors to make sure its numbers are right.

Until recently, Penney’s internal auditors had given KPMG, the company’s external auditor, a wide berth. “We didn’t spend a lot of time with them,” grants Johnson. “We’re doing more of that now, however.”

One for-instance: Penney’s internal auditors are providing their external counterparts with timelier operations data than the accountants normally work with, says Johnson. His 80-member internal audit team now supplies KPMG with up-to-date figures on the markdown of company inventory as soon as it gets them.

“KPMG would have the prior history, but we are out there auditing the stores,” adds Johnson. Penney’s internal auditors are also taking a closer look at company disclosures of special-purpose entities and travel expenses.

Reporting on day-to-day department matters to Charles Lotter, Penney’s general counsel, secretary, and executive vice president, Johnson takes his general direction from the audit committee. But he also works for the committee itself, writing the agendas for its meetings after consulting with members and company officials. Although he says he has “a great relationship” with the company’s CFO, Robert Cavanaugh, Johnson notes that it is not a reporting relationship.

Then again, that’s just fine with the Penney internal audit chief. These days, he says, “being separate from the finance organization is a very good thing.”

David M. Katz is assistant managing editor at

WorldCom: The View from Inside

Ask Glyn Smith who internal audit should report to, and the answer is clear: the audit committee. “In the post-Enron, post-Andersen environment,” he says, “internal audit really needs to function independently of either the CEO or the CFO.”

Smith should know. As a senior manager in WorldCom’s internal audit department, he worked closely with Cynthia Cooper, the vice president of audit, in the investigation that unearthed an alleged fraud involving almost $4 billion in overstated revenues, later revised to $7.1 billion.

That internal audit team seems to have demonstrated why such a reporting setup may be preferable. According to sworn public documents filed by WorldCom, on June 11, after Cooper discussed her investigation with then-CFO Scott Sullivan, Sullivan asked for a delay in the review. The next day, however, Smith and Cooper called audit-committee chairman Max Bobbitt to discuss “questionable transfers” made during 2001 and the first quarter of 2002. Their concerns apparently centered on the company’s accounting for its line costs (payments for network services and the use of third-party facilities) as capital expenditures — and not as expenses. That treatment was out of whack with industry practice. It also didn’t jibe with generally accepted accounting principles.

WorldCom’s Securities and Exchange Commission filing indicates that, during the call to the audit-committee chairman, Smith himself told Bobbitt about the key points Sullivan made in his discussion with Cooper. The points included the CFO’s request for a delay of the audit review, and his claim that the capitalization issues would be cleared up in the second quarter of 2002.

On June 26, WorldCom management announced the discovery of the expense transfers, along with the firing of Sullivan and a pending restatement. All in all, the improper bookkeeping would trim nearly $3 billion from WorldCom’s previously reported earnings for 2001.

While Smith insists his internal audit recommendations do not stem from his experiences at WorldCom, he maintains that audit committees need to learn more about accounting. Toward that end, Smith believes committee members should take at least 32 hours of professional-education courses in auditing and corporate governance annually. In addition, he thinks audit-committee terms should be limited to about three years. Besides boosting alertness, regular audit-committee shake-ups would supply internal auditors with a changing group of bosses, he says.

Smith readily concedes that most chief audit executives get their policy direction from audit committees. But he says they tend to be managed and evaluated by CFOs. Such a setup, however, can cause an internal auditor to become too beholden to finance or operations.

To avoid conflicts, Smith thinks some firms will install a senior vice president of risk management or governance to oversee the audit department. But the real oversight should rest with the audit committee. They should be “driving the internal audit plan and giving direction to the internal audit department,” he says. —D.K.