T H E I N S T I T U T E O F I N T E R N A L A U D I T O R S
Professional
Development
Research
Foundation
Certified
Internal Auditor®
William G. Bishop III, CIA
President
September 5, 2000
Mr. Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, D.C. 20549-0609
Re: File No. S7-13-00
Revision of the Commission's Auditor Independence Requirements
Dear Mr. Katz:
The Institute of Internal Auditors (IIA) would like to offer comments on the Securities and Exchange Commission's proposed rule amendments regarding auditor independence.
Established in 1941, The IIA is an international professional association with world headquarters in Altamonte Springs, Florida. The IIA has over 70,000 members in internal auditing, governance, internal control, IT audit, education and security. With representation from more than 100 countries, the Institute is the acknowledged leader in standards, certification, education, research and technological guidance for the internal auditing profession.
The IIA has long been a proponent of improved corporate governance and commends the SEC's efforts to address important independence issues. We offer the following comments after extensive and careful consideration. We believe this is a balanced response that is representative of the opinions of our diverse membership.
The IIA has focused its response on the issue most directly related to the internal auditing profession: provision of non-audit services by the external auditor. We believe we are uniquely qualified to offer comments about certain independence issues related to extended services, in particular those related to the outsourcing of the internal audit function by an organization's external auditor. Accordingly, we have focused the majority of our response on this area.
Change does not always come easily and is not always welcomed. However, if investors' confidence in the financial reporting process can be improved, investors and all of the parties in the governance process will benefit. We applaud the SEC's noteworthy actions to improve the quality of the financial reporting process.
Sincerely,
249 Maitland Avenue
Altamonte Springs
Florida 32701-4201
U. S. A.
Tel 407-830-7600
Fax 407-831-5171
Email wbishop@theiia.org
William G. Bishop III
Enclosure
The Institute of Internal Auditors
The Securities and Exchange Commission (SEC) proposal to revise its auditor independence requirements raises the question of whether the SEC rules should limit or completely bar non-audit services to audit clients.1 Non-audit services have been a focus of independence concerns for years, as demonstrated by the Cohen Commission report in 19782, the Treadway report in 19873, the Advisory Panel on Auditor Independence's report to the Public Oversight Board in 19944, the GAO report on the public accounting profession in 19965, and other studies. The establishment of the Independence Standards Board also demonstrates public and professional concern regarding the independence of auditors.
The fact that the issue of non-audit services has been debated at such length leads The IIA to conclude that the issue has not been addressed adequately. The IIA agrees with the SEC that now is the time to address independence issues in a way that responds to public concerns. However, The IIA also believes that while action is necessary with regard to non-audit services, a total ban of all extended services is not required to offer significant relief.
We believe that, in general, extended services can be divided into two categories:
Services in the second category should be permitted so long as the total amount of their associated fees are not sufficient to bring into question the independence of the external auditor and so long as there are no other managerial or operating considerations that hinder independence. While many non-audit services raise potential independence issues, there are others for which the independent accountant may be well positioned to provide valuable non-audit services. The first step in achieving a solution is to obtain an understanding of what types of non-audit services are to be prohibited and what services are appropriate as long as the aggregate fees are not excessive.
Developing a set of guidelines for assessing non-audit services would provide auditors and directors with a basis for evaluating the degree or risk of impairment of independence. Criteria such as the relativity of fees for non-audit services to the audit fee, the materiality of the transaction to the financial statements, the extent of review and approval required to contract the non-audit service, and the oversight of the service are some of the factors to consider in the assessment. These guidelines should begin by specifying those non-audit services that simply are not appropriate for the external auditor to provide under any circumstances.
The IIA believes that the Independence Standards Board should be able to define and develop the list and keep it current as marketplace conditions change over time. The Independence Standards Board is the appropriate place for this definition, but it is not unreasonable for the SEC to enter this dialog should conditions warrant and should the investing public be deemed to be at risk.
The concept of "acting as management or an employee of an audit client" seems straightforward, but unambiguous guidance is needed in this area. While it is almost universally agreed that the auditor should not take on management functions, criteria are needed for determining when management functions have been assumed.
We suggest that the SEC should hold the Independence Standards Board accountable for devising clear criteria specifying the types of extended services that are allowable and not allowable for a firm's external auditor. In our opinion, this is within the Independence Standards Board's mission, but it has not yet been accomplished. Because of the continuing interest in this subject, the SEC should motivate the Independence Standards Board to expedite action on this issue.
We suggest that the issue of enforceability also needs to be addressed. For example, the AICPA's Code of Professional Conduct (Code) states that external auditors should not assume complete responsibility for the internal audit function6. Yet in many instances where the internal auditing function is outsourced, the expanded role of contemporary internal auditing presents challenges for auditors attempting to comply with the Code as they are called upon to participate in special management task forces, set the scope of auditing, or perform other managerial duties.
The AICPA and its member firms need a strong enforcement mechanism to ensure that external auditor extended services meet the interpretation of the Code. As discussed in the proposed rule amendments7 and in FRR No. 508, we believe that the SEC should charge the Independence Standards Board with evaluating the adequacy of enforcement mechanisms. As with other independence issues, it is not unreasonable for the SEC to take additional action if needed enforcement mechanisms are not forthcoming.
As noted above, we believe that the Independence Standards Board should have the primary responsibility for establishing criteria for permissible and non-permissible extended services. We believe, however, that the current composition of the Independence Standards Board is not optimal for performance of these responsibilities because of the lack of representative constituents on the board.
Three of the Independence Standards Board's eight members represent public accounting firms, and a fourth member is the president of the AICPA. Thus, the board does not have a majority of members from outside the profession and, therefore, is not by its very nature independent of the public accounting profession. It is difficult, therefore, for the board to view independence issues from an unbiased perspective. Although public accountants are viewed as lacking independence if they audit their own work, the board is put in the unenviable position of having to set criteria for their own independence and that of their firms. We agree with the Panel on Audit Effectiveness' opinion that the Independence Standards Board should reconstitute its membership.9
The presence of public accountants on the Independence Standards Board is vital to ensure that all viewpoints are considered and all constituencies are represented. But we believe that a clear majority of board members and board staff should be independent of the public accounting profession. Board composition should be balanced to include representatives of the public accounting firms, the clientele of the public accounting firms, the investing public, and regulators. We believe that this recommendation will enhance the board's ability to address independence issues proactively and in a way that addresses public concerns.
As pointed out in the SEC proposal, "Prohibiting only some non-audit services does not address the increasing vulnerability of auditors to their audit clients and the corresponding link between the financial health of auditors and their clients. These concerns do not turn on the nature of the non-audit service involved, but arise simply because of the growing interdependence of auditor and client."10
The IIA believes that it would be very difficult for any single central authority to establish individual organizational limits for non-audit services. There are simply far too many special circumstances that arise and create interpretive dilemmas that only serve to complicate business processes.
To overcome this difficulty, The IIA believes that the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees11 offers potential assistance on the question of how much non-audit service challenges independence. On page 31 of its report, the Committee recommended that audit committees assume the responsibility for: "...actively engaging in a dialogue with the auditor with respect to any disclosed relationships or services which may impact the objectivity and independence of the auditor and for taking, or recommending that the full board take, appropriate action to ensure the independence of the outside auditor."
In the spirit of this recommendation, audit committees could be required by charter to evaluate extended services contracted to the organization's external auditor and the fees associated with them. In this way, the organization and its board, the outside auditor, and the SEC could have some assurance that the issue is being addressed in each publicly held organization. Further, within guidelines, the control would be tailored to the circumstances of the organizations, and factors such as the relative sizes of the audit firm and the client corporation could enter the consideration of how much non-audit service could be acquired without the impairment of independence.
The SEC document points out that from 1978 to 1982, companies were required by the SEC to disclose in their proxy statements all non-audit services provided by their auditors. During this period, the SEC also required a statement of the percentage of the fees for all non-audit services compared to total audit fees, the percentage of the fee for each non-audit service compared to total audit fees. Finally, the Commission required a statement specifying whether each non-audit service was considered and approved by the audit committee of the board of directors or by the board itself. The SEC points out that its interpretive release was rescinded and the related disclosure requirements were discontinued in 1982 because, among other reasons, SEC review of proxy disclosures indicated that accounting firms were not providing extensive non-audit services to their audit clients.12
We agree with the SEC that reinstatement of the disclosure requirement would prove useful to investors. We also agree with the SEC that audit committees, as well as management, should engage in active discussions of independence issues with the outside auditors. We suggest that in addition to past services performed, required disclosures should include services under contract that will be performed in future periods.
Our view is that non-audit services can make valuable contributions, but that they can also diminish the perceived role of the independent auditor. By eliminating some questionable services and requiring entity-specific oversight of potential non-audit services, the answer can be a win-win situation.
The IIA is in general agreement with the four principles proposed by the SEC for governing a determination of whether an accountant is independent of its audit client, and we believe that these principles will prove valuable in determining what non-audit services can be provided without raising independence concerns. Specifically, these principles provide that an accountant is not independent whenever, during the audit and professional engagement period, the accountant: (1) has a mutual or conflicting interest with the audit client, (2) audits the accountant's own work, (3) functions as management or an employee of the audit client, or (4) acts as an advocate for the audit client.13
The SEC states that it believes performing an internal audit function results in the auditor assuming a management function and, during the financial audit, relying on a system that the auditor has helped to establish or maintain. Further, the SEC solicits comment on whether internal audit outsourcing would impair, or would appear to reasonable investors to impair, an auditor's independence.14 Using these principles, we conclude that total outsourcing of internal auditing violates the SEC's independence criteria.
The IIA believes that the total outsourcing of the internal auditing function by the organization's external auditing firm impairs that firm's independence.
Compounding the issue of outsourcing internal auditing is the fact that the continually changing business environment has created an expanded role for internal auditors and resulted in additional demands for extended internal auditing services. In 1999, following global public exposure and due process, The IIA's Board of Directors approved a new definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
This definition was based in part on two major research studies that indicated that internal auditing is playing an increasing role in the risk management, control, and governance activities of major corporations.15 As internal auditing becomes more and more involved in risk management and governance processes, internal auditing becomes less and less compatible with the role of the independent external auditor.
It is important that the external auditor remains independent of the client organization, and SAS 6516 correctly points out that internal auditing departments are not independent of the organization. Total outsourcing of the internal auditing function is inconsistent with independence because internal auditing, when performed according to the Standards for the Professional Practice of Internal Auditing, is integral to the operations of the organization. Internal auditing is an integral part of an organization's system of internal control, risk management, and governance processes. Thus, an external auditor performing a total, comprehensive program of internal audit as well as the attest function would be in the position of relying upon or auditing its own work.
We believe that when the internal auditing function is totally outsourced to the external auditor, there is a conflict with two of the SEC's criteria for evaluating independence. There is a conflict with: (a) provisions regarding acting as management or an employee of the audit client; and (b) provisions regarding auditing the accountant's own work.
In summary, The IIA recognizes that external auditors have been providing valuable augmentation of internal auditing capabilities. At the same time, The IIA is keenly aware that internal auditing, in its most advanced and useful practice, is moving ever closer to integration with the organization's risk management control processes. As a result, it is truer today than ever before that the total assumption of internal auditing is an improper role for an external, independent auditor.
The SEC document states, "Proposed rule 2-01(c)(4)(i)(E) provides that an auditor is not independent when the auditor performs certain internal audit services for an audit client or an affiliate. This does not include nonrecurring evaluations of discrete items or programs that are not in substance the outsourcing of the internal audit function. It also does not include operational internal audits unrelated to the internal accounting controls, financial systems, or financial statements." Additionally, the SEC proposal questions whether performing only operational audits that are unrelated to the internal controls, financial systems, or financial statements would impair independence.17
The IIA's principal interest is to promote internal auditing activities that provide the maximum overall effectiveness in achieving the organization's strategic objectives. The IIA believes internal auditing best addresses management's strategic objectives when internal audits are performed by competent professionals in accordance with the Standards for the Professional Practice of Internal Auditing.
The IIA believes that a fully resourced and professionally competent staff that is an integral part of the organization best performs the internal auditing function. The IIA also recognizes that many "partnering" arrangements with outside providers have been effective in helping internal auditing departments contribute to management's strategic objectives. Internal auditing practitioners have often used third-party providers, including their external auditors, to satisfy the need for special knowledge or to compensate for language or distance difficulties. Such engagements are usually conducted under the direction of the chief audit executive who approves the scope of work, reviews the quality of the work, and determines the nature, extent, and method for reporting the results of the work.
While we believe that total outsourcing of the internal auditing function to an organization's external auditors impairs independence, outsourcing individual audit projects or a well-defined portion of the internal auditing function, under the management and direction of the chief audit executive, does not necessarily impair independence.
Outsourcing a part of the internal auditing function should be viewed in the same way as performance of other permitted extended services. It should be included in audit committees' considerations regarding total extended services that can be provided by the external auditor.
We were somewhat surprised by the SEC's question whether independence would be impaired by performing only operational audits that are unrelated to the internal controls, financial systems, or financial statements.18 Modern internal control models such as COSO19 view financial and operational controls as a part of the same system of controls. Operational auditing is the comprehensive review of the varied functions within an enterprise to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.20
A major study by The Institute of Internal Auditors Research Foundation points out:
To us, the graver concern with having the external auditor provide outsourcing work comes with the potential "mutuality of concerns" arising from performing operational auditing, making recommendations, and then independently reporting on management's performance.21
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) stressed the importance of a concept of internal controls broader than internal accounting controls. Internal Control - Integrated Framework states:
"Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
The COSO definition of internal control clarifies that operational issues are included within the scope of internal controls. The IIA believes that the SEC's question "Would it impair the auditor's independence if the auditor performs only operational audits unrelated to internal controls, financial systems, or financial statements?" is inconsistent with the COSO definition of internal control. We believe that operational auditing should be subject to evaluation for independence conflicts using the same criteria employed to evaluate all other internal auditing services.
| 1 | Section II.C.2 (c, d, and e). |
| 2 | The Commission on Auditors' Responsibilities (Cohen Commission): Report, Conclusions, and Recommendations, 1977. |
| 3 | National Commission on Fraudulent Financial Reporting, Report of the National Commission on Fraudulent Financial Reporting, 1987. |
| 4 | Advisory Panel on Auditor Independence, Strengthening the Professionalism of the Independent Auditor, 1994. |
| 5 | GAO, The Accounting Profession, Major Issues: Progress and Concerns, U.S. General Accounting Office, Report GAO/AIMD-96-98, Washington, D.C., p. 37. |
| 6 | American Institute of Certified Public Accountants, Code of Professional Conduct, ET Section 101-13. |
| 7 | Section II.D. |
| 8 | Securities and Exchange Commission, Financial Reporting Release No. 50, 1998. |
| 9 | Panel on Audit Effectiveness, Report and Recommendations Exposure Draft, Paragraph 6.39, May 31, 2000. |
| 10 | Section II.C.2(e). |
| 11 | Report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, New York Stock Exchange, 1999. |
| 12 | Section II.C.4. |
| 13 | Section I (Executive Summary) and Section III.B. |
| 14 | Section III.D.1(b)(v). |
| 15 | The Institute of Internal Auditors, Competency Framework for Internal Auditing, 1999; and The Institute of Internal Auditors, A Vision for the Future: Professional Practices Framework for Internal Auditing, 1999. |
| 16 | American Institute of Certified Public Accountants, Statements on Auditing Standards, 2000. |
| 17 | Section III.D.1(b)(v). |
| 18 | Section III.D.1(b)(v). |
| 19 | Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, 1992. |
| 20 | Lawrence Sawyer, JD, CIA, PA, and Mortimer Dittenhofer, PhD, Sawyer's Internal Auditing, The Institute of Internal Auditors 1996. |
| 21 | Larry E. Rittenberg, PhD, CIA, CPA, and Mark A. Covaleski, PhD, CPA, The Outsourcing Dilemma: What's Best for Internal Auditing, page 63, The Institute of Internal Auditors Research Foundation, 1997. |
| 22 | Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework, 1992. |