Summary of Intended Public Testimony re: S7-13-00
Urton Anderson, CIA, CCSA, Ph.D.
Clark W. Thompson, Jr. Professor of Accounting and Associate Dean, McCombs School of Business, The University of Texas at Austin
My perspective is that of an academic who has spent the past two decades studying the quality control and assurance of professional practices and work groups, particularly those systems used in providing external and internal audit services. I have been retained as a consultant by three firms (Arthur Andersen, Deloitte & Touche, and KPMG) as well as the AICPA to provide insight and guidance on the issue of audit independence.
My focus in this testimony will be on two issues: (1) the need to address the issue of independence from an organizational behavior and control systems perspective, and (2) the misperception that providing internal audit outsourcing to an audit client (one type of non-audit service), is an incompatible service.
The external audit of financial statements has long been a service delivered by people granted the status of professionals. This status arises from specific needs in the service relationship, in particular the potential conflict of interest between the consumer of the service and the provider. In such services this conflict of interest comes from the inability of the consumer to evaluate the quality of the service at the time of purchase or consumption. To allow markets for such services, mechanisms were developed to mitigate the conflict between provider and consumer. Such mechanisms are codes of professional ethics, licensing, apprenticeship requirements and other trappings we commonly associate with the practice of law, medicine and public accounting.
These mechanisms traditionally were designed for services provided by an individual practitioner. In recent years, however, there has been a dramatic change in the delivery of professional services. Professional services in fields such as medicine, auditing, and law are now not usually provided by sole-practitioners, but by professional work groups and even larger professional service organizations. Yet, the traditional model for addressing the potential conflicts of interest, focused on the individual practitioner, is still being applied. This has been particularly true of the public accounting profession and in the approach taken in the proposed SEC rules. What is needed is a more holistic approach that recognizes to a greater extent that these services are delivered by teams of professionals organized into professional service organizations and that the old individual practitioner approach is no longer necessarily adequate or appropriate.
Quality assurance and control in professional service organizations takes place at three levels: at the individual level, at the level of the work team or group, and at the level of the organization or practice as a whole. While issues of conflict of interest or judgment bias (such as the "self-serving" bias explicitly referenced in the Proposed Rule1 may arise at the individual practitioner level, they may be significantly mitigated at the group or organizational level through naturally occurring structures, specifically designed mechanisms, or a combination of both.
In terms of the "self-serving bias" specifically, since this appears to be one of the primary arguments the Proposed Rule makes against the external audit firm providing non-audit services, there are a number of contextual factors as well as specifically designed mechanisms that would mitigate the potential "self-serving bias" effect in the judgment of individual auditors. In 1997, an article by Bazerman et al. (1997) appeared in The Sloan Management Review (SMR), which argued "the impossibility of auditor independence" owing to the very human and rather unavoidable "self serving bias."2 At the time I had written a letter to the journal questioning whether the authors of this article might not have overstated their case.3 I will now proceed to set out the key points made in my letter countering some of the claims made in that SMR article.
Numerous factors would mitigate or neutralize the alleged effect of the "self-serving bias" in the context of real world auditing practice. The first factor is the system of legal liability in which auditors perform their task. In determining an auditor's self-interest, it is not just who pays the auditor and who hires and fires. Auditors, particularly audit engagement partners, are certainly aware that they are potentially liable for their decisions and that courts will hold them responsible. The specter of legal liability arising from poor quality audits or reckless disregard of professional standards, including independence standards, affects both the individual audit partner and also his or her firm. Given the size of typical judgments awarded and the costs of litigation borne by the firm, including potential adverse reputation effects for the partner and the firm, it seems unlikely that auditors would ignore these considerations in determining their initial self-interest.
A second factor is the role of the audit committee. While the effectiveness of this mechanism is less than perfect, it is clearly a part of the client relationship that the auditor must manage. A displeased audit committee can replace the auditor as easily as displeased management. Increasingly, newly adopted stock exchange rules dictate that it is the audit committee that is to be regarded as the client, with the authority to name or replace an auditor. An effective audit committee should have a significant balancing influence in shifting the auditor's "self-serving bias" back to the interest of shareholders and creditors.
A third factor is the audit firm's structure and quality control mechanisms. Audits are conducted by a team whose members may or may not have a collective "self-serving bias." Individual bias does not always translate into group irrationality, just as individual rationality does not always translate into group rationality. Assuming that it does is to commit the fallacy of composition (i.e., wrongly concluding that what is true of the parts is necessarily true of the whole). Individual auditors are accountable and can be asked to justify their judgments to others on the audit team. Further, most audit firms (as well as the AICPA's SEC Practice Section) require concurring partner review that is designed to specifically counter the self-interest of the audit engagement partner. Concurring partners typically discharge a quality assurance and a risk management role with respect to their review of work performed on SEC client engagements. Having the decisions reviewed by someone whose interest is not in retaining the particular engagement but in protecting the firm (and his or her own equity interest in the firm) from liability should provide at least a partial mitigation of any bias. Clearly, there is an "anticipation effect" at work here: the imposition of accountability mechanisms such as concurring partner or peer review strongly influences auditor behavior. Several research studies I have conducted with Professors Lisa Koonce and Garry Marchant4as well as other studies5have demonstrated the effect that holding accountable -- having them provide justification for judgments -- has on auditor judgment.
Even stronger support for my belief that Bazerman et al. (1997) have overstated the impact that the "self-serving bias" would have in actual audit practice comes from a recent study by Professor Ron King at Washington University.6 In an experiment designed specifically to examine the self-serving bias in a group setting, Professor King demonstrates that the bias can be neutralized when participants belong to groups that create social pressure to conform to group goals. The group affiliation that Professor King induces (simulates) in participants in the study is relatively weak, certainly much weaker than would exist within an audit team, yet it is able to effectively counter the self-interest bias induced through an economic incentive. Specifically, the effect of the bias is eliminated by simply having the participants interact during the instruction period and informing the subjects that the person with the "highest damages" at the end of the session will be identified to the group, the goal of the group being to minimize damages. I certainly agree with Professor King when he writes that "this finding calls into question the conclusion by Bazerman et al. (1997) that it is impossible for auditors to be independent because of self-serving biases."
As a second part of this testimony I would like to address the issue of the incompatibility of the external audit of the finance statements with one particular type of non-audit service, the outsourcing of internal audit services. Auditor independence is an indispensable condition for providing effective internal audit services as well as for providing effective external audit services. This is recognized in both the standards and regulations governing external audit practice (AICPA standards, the Independence Standards Board, and SEC regulations) and in the standards defining good internal audit practice (Standards for the Professional Practice of Internal Auditing, current and proposed revision, promulgated by The Institute of Internal Auditors7. If such independence is required of both, how can there be incompatibility?
Independence with regard to the external audit has a different connotation from that in the internal audit. In the external audit the primary customers (parties outside the organization being audited) are particularly concerned about the potential conflicts of interest that arise from the auditor having a financial interest in the organization. For the external audit to be useful to these customers, the judgments made by the audit team need to be objective (i.e., unbiased) or at least compatible with the users' perspective. In the internal audit the primary customers (senior management, the board, and audit committee) have a different perspective. They are not concerned about the auditor's financial interest in the organization, but rather that the auditors are free from interference in determining the scope of work and performing their work. This notion of independence becomes primarily an issue of organizational structure and channels of reporting. Both internal and external auditors are to be objective and, with the exception of the financial relationship, face identical threats to independence (personal relationships, auditing own work, etc.). While clearly the standard required of internal auditors is not sufficient for them to meet the independence required for external audit (they are employees and in many cases have an ownership interest), it does not imply that simply doing internal audit work in some way induces a bias and thus compromises objectivity.
Does providing internal audit services mean that the external auditor would be reviewing their own work? No, because if current internal audit standards are followed in doing the work, the providers of these services would not design or implement controls and systems, or perform the work of operating management. But the proposed SEC Independence Rule makes a more subtle distinction in that in general the external auditor will rely, at least to some extent, on the internal control system when conducting the audit of the financial statements. However, this seems to be more an issue of where a line is drawn than a substantive distinction. What is done when there is no internal audit? Or if the audit services are provided by another firm? The same procedures could be used.
The argument is also made that internal auditing is a monitoring function and monitoring is part of the system of internal control, i.e., a management function. Therefore, in providing internal auditing services the external audit firm would be functioning as management (or as an employee) of the audit client. I think this argument is flawed. Footnote 169 of the proposed Rule notes that monitoring consists of two parts (ongoing monitoring activities and separate evaluation) and that the first is a function of operating management and the second is not. This same distinction applies to the literature on current internal audit practice where ongoing monitoring (such as evaluating the adequacy of a loan loss reserve) should not be performed by the internal audit department.
I do not believe that there is any evidence that there are more problems when internal audit is outsourced to the external audit firm than to other providers. In my mind, the problems arise more from an implementation of the outsourcing engagement rather than from independence concerns. I believe that there is a limit to what parts of the internal audit function can be outsourced. In effect, senior management cannot outsource their core responsibilities including two key components of the internal audit function - risk assessment and follow-up. While an overall risk assessment model can be applied by the service provider, senior management, in making the decision of how much service to purchase and which risk to address, is ultimately performing the risk assessment themselves. Follow-up also must rest with senior management. Too often in the outsourced engagement these two elements are not addressed. The CAE (chief audit executive) model that is embodied in the proposed Standards for the Professional Practice of Internal Auditing provides a mechanism for addressing these issues by requiring that specific parts of the internal audit function be retained in the organization. In the traditional audit function this chief audit executive is the audit director; however, in outsourced functions this could be one individual who is specifically assigned responsibility to manage the outsourcing contract and, particularly in the case of smaller organizations, may have other responsibilities as well (e.g., the individual might also serve as the Chief Compliance or Ethics Officer, the Chief Risk Officer, the Chief Legal Officer or even as the Chief Administrative Officer). Specifically, the chief audit executive should effectively manage the internal auditing activity to add value to the organization; should establish a risk based plan to accomplish the objectives of the internal auditing activity consistent with the organization's goals; communicate the internal audit activity's plans and resource requirements to senior management and the board for review and approval; and ensure that internal auditing resources are appropriate, sufficient and effectively deployed. The chief audit executive should coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication. The chief audit executive should report periodically to the board and senior management on the internal auditing activity's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risks and control issues, corporate governance issues, and other matters needed or requested by the board and senior management. Finally, the chief audit executive should monitor whether appropriate management actions have been taken on significant reported risks or that senior management has accepted the risk of not taking action.
A final point I would like to address is the proposal of any sort of "firewall" or "Chinese wall" between the providers of external audit services and providers of outsourced internal audit services. The more complete the information flow between the internal audit activity and the external auditors, the less chance there is of an external audit failure. I am aware of no scenario in which I would not want information to pass from internal audit to the external auditor. In my opinion creation of such a wall would only serve to reduce external audit effectiveness. Indeed, I have some concerns that when the internal audit function is outsourced to other auditing firms, this communication is hampered. In these situations it is all the more critical that an executive in the organization be assigned the responsibilities of a chief audit executive. In fact, to the extent an external auditor relies on controls over financial reporting integrity, obtaining assurance from an integrated audit (i.e., performing both internal and external audit for the same client) can actually strengthen the external audit and make it more effective.
I would welcome the opportunity to respond to any comments or questions. I can be reached at Urton@mailutexas.edu or (512)471-9481.