1 INTERNAL AUDIT OUTSOURCING: AN ANALYSIS OF SELF- REGULATION BY THE ACCOUNTING PROFESSION Dennis Caplan, Diane Janvrin and James Kurtenbach ABSTRACT This paper examines the accounting profession s self-regulation of internal audit outsourcing services. The question of whether public accountants compromise their independence when they provide internal audit services to their attest clients was debated within the accounting and regulatory communities throughout the 1990s, and resulted in a confrontation between the accounting profession and the Securities and Exchange Commission in Internal audit outsourcing was a factor in the public perception of Arthur Andersen s role in the collapse of Enron, and in lawmakers reaction to that event. It is specifically identified in the Sarbanes-Oxley Act of 2002 as a prohibited service that public accountants generally cannot provide to their public company external audit clients. Our purpose is to contribute an historical perspective to ongoing discussions about the efficacy of self-regulation by the public accounting profession. Self-regulation of internal audit outsourcing remains important because the Sarbanes-Oxley prohibition does not apply to auditors private company clients, and because the rules that the SEC issued to implement Sarbanes-Oxley seem to allow accounting firms to provide Research in Accounting Regulation, Volume 19, 3 34 Copyright r 2007 by Elsevier Ltd. All rights of reproduction in any form reserved ISSN: /doi: /S (06)
2 4 DENNIS CAPLAN ET AL. internal audit services to public company attest clients under a variety of circumstances that were not anticipated in the original legislation. Although accounting firms have not yet shown strong interest in testing the limits of the new rules, the firms may do so in the future. History is full of examples of how improper or ineffective self-regulation leads to government regulation. (Leonard Spacek, managing partner of Arthur Andersen, 1969) Self-regulation by the accounting profession is a bad joke. (Arthur Levitt, former chairman of the SEC, 2003, p. 135) 1. INTRODUCTION The Sarbanes-Oxley Act of 2002 significantly altered the regulatory landscape of the public accounting profession. It increased third-party oversight of a profession that had previously been largely self-regulated. This paper examines the efficacy of self-regulation by the accounting profession in the years leading up to the Act in the context of a single issue: the question of whether public accountants maintain independence when they provide internal audit services to their attest clients. The rapid growth of internal audit outsourcing during the 1990s prompted every important professional and regulatory body with responsibility for auditor independence to address this issue. It was debated within the accounting profession and the regulatory community, culminating in a confrontation in 2000 between the AICPA and three of the Big 5 firms on the one hand, and the Securities and Exchange Commission on the other. Internal audit outsourcing was a factor in the negative publicity incurred by Arthur Andersen following the collapse of Enron, and in lawmakers reaction to that event, because internal auditing was a consulting service that Andersen provided Enron. Hence, internal audit outsourcing was an important phenomenon in the events that led to Sarbanes-Oxley. The Sarbanes-Oxley Act prohibits accounting firms from providing internal audit services to their public company attest clients. Nevertheless, self-regulation of internal audit outsourcing remains important for two reasons. First, the Sarbanes-Oxley ban does not apply to private company audit clients. Second, the SEC issued rules in 2003 to implement Sarbanes- Oxley that still allow accounting firms to provide internal audit services to public company attest clients, if those services are unrelated to internal accounting controls, financial systems, and financial statements, or if the
3 Internal Audit Outsourcing 5 auditors will not be reviewing their own work during the audit, or if the services are nonrecurring evaluations of discrete items. Although accounting firms have not yet shown an interest in exploring the limits of these new rules, they may do so in the future. In Section 2 of the paper, we identify and describe significant events, pronouncements, and statements of position on internal audit outsourcing, as well as important antecedent events. In Section 3, we assess the extent of consensus within the accounting profession and regulatory communities, we summarize the role played by the AICPA, and we provide concluding remarks. 2. A CHRONOLOGY OF INTERNAL AUDIT OUTSOURCING Internal audit outsourcing evolved as the result of two broad trends. The first trend was the increasing importance of consulting services as a revenue source for accounting firms. Throughout the 1980s and 1990s, competitive forces in the public accounting profession led many practitioners to characterize attest services as a low-margin commodity product. In this environment, accounting firms increasingly turned to consulting services to increase revenues and profits. The second trend was the increasing visibility and importance of internal controls. Because the routine review of internal controls is an important internal audit activity in companies large enough to support an internal audit department, the increased focus by regulators, accountants, and managers on internal controls led to increased visibility for the internal audit function. An early milestone in this regard was the Foreign Corrupt Practices Act of 1977, which required large companies to maintain adequate systems of internal control. The Treadway Commission Report 1 of 1987 recommended that all public companies maintain an effective and objective internal audit function, and also recommended that management report annually on its assessment of the effectiveness of the company s internal controls. 2 Another milestone occurred when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its report Internal Control Integrated Framework (1992). The report became widely accepted as an industry standard for its definition of internal controls and the criteria for evaluating controls. Hence, at a time when public accounting firms were looking for new consulting opportunities, the demand for internal control reviews was on the rise. There was a natural fit between the training, education, and
4 6 DENNIS CAPLAN ET AL. professional competency of public accountants and the work involved in reviewing internal controls. Also in the 1980s, companies experimented with outsourcing many activities that historically had been performed internally. Even before 1990, some companies had outsourced internal audit activities to their public accountants for reasons that seemed compelling. For example, because accounting firms often had a physical presence in foreign locations, such as an affiliated local firm, the firms could often provide internal audit services in these locations more efficiently than the company s own internal auditors. During the 1990s, internal audit outsourcing grew rapidly. By the mid- 1990s, about percent of companies were outsourcing some or all of the internal audit function (Kralovetz, 1996; Renner & Tebbe, 1998). Often, the outsource provider was a public accounting firm, although internal audit outsourcing is not an attest service, and other consulting and service firms began offering these services. Two surveys provide evidence of the prevalence of internal audit outsourcing just prior to the passage of Sarbanes- Oxley. Serafini, Sumners, Apostolou, and Lafleur (2003) finds that by about 2001, among companies that had an internal audit function, 11 percent outsourced the entire function and another 54 percent outsourced some portion of it. Forty-three percent reported that they intended to outsource more internal auditing in the future. Carcello, Hermanson, and Raghunandan (2005) surveyed the internal audit budgets of 217 mid-sized U.S. public companies, and finds that for 2002, 15 percent of all internal audit work was performed by outsource providers. The Regulatory/Self-Regulatory Environment: During this period of rapid growth of internal audit outsourcing, the principal regulatory bodies with oversight responsibility for auditor independence were the SEC, the Federal Deposit Insurance Corporation (FDIC), the General Accounting Office (GAO), and the state boards of accountancy. The various state boards did not pursue this issue to any significant extent, so the important regulatory activities occurred at the federal level. Although the GAO and the FDIC were actively involved in the internal audit outsourcing independence question, the jurisdiction of the GAO is limited to government agencies, government contractors, and their auditors, and the jurisdiction of the FDIC is limited to financial service firms and their auditors. Since the jurisdiction of the SEC includes all U.S. public companies and their auditors, the SEC was the preeminent regulatory body concerned with the question of whether internal audit outsourcing compromises an auditor s independence. The SEC s approach to this issue, consistent with its
5 Internal Audit Outsourcing 7 longstanding approach toward the public accounting profession generally, was to allow the profession to self-regulate whenever possible, to use formal and informal communications to encourage the profession to act on issues of concern to the Commission, and to enact and enforce regulations objectionable to the profession only as a last resort. The two most important self-regulatory bodies with responsibility for auditor independence during this period were the Executive Committee of the Professional Ethics Division of the AICPA, and the Public Oversight Board (POB). The Executive Committee of the Professional Ethics Division promulgates ethics standards for members of the AICPA. The POB was established by the AICPA in 1977 as an independent, selfregulatory body to oversee the quality of public company audits. An important milestone in the self-regulation of consulting services occurred in 1979, when the POB issued its report Scope of Services by CPA Firms. One of the key conclusions in this report is that there is virtually no evidence that consulting services impair auditor independence. However, the report acknowledges that specific evidence of such impairment would probably not be available, even if it occurred. The remainder of this section describes important regulatory and selfregulatory events and pronouncements related to internal audit outsourcing, organized by year. Exhibit 1 provides a time line of key events. 1984: The SEC responds to an inquiry by a small public accounting firm regarding whether the firm can provide internal audit services to a small bank that is also an attest client. The SEC states that the auditor s performance of internal audit type duties would impair independence in appearance. The SEC reply also states that the nature of the internal auditor relationship appears to be close to that of an employee, and that the internal audit function generally would be part of the system of internal controls administered by employees of the client. However, the SEC letter also confirms that auditors can assist clients in the establishment of systems of internal control that would then be administered by client personnel : Congress passes the Federal Deposit Insurance Corporation Improvement Act (FDICIA). The Act requires large insured depository institutions to report annually on internal controls over financial reporting, and for the auditors to attest to this report. FDICIA appears to be an important impetus for internal audit outsourcing in the financial services industry. A worldwide survey of large financial institutions, conducted by Deloitte Touche Tohmatsu International (DTTI), found that about 25 percent of survey respondents were outsourcing some internal audit work by 1995 (DTTI, 1995).
6 8 DENNIS CAPLAN ET AL. Exhibit 1. Time Line of Key Events Related to Internal Audit Outsourcing. Year Event Description 1979 The Public Oversight Board (POB) issues its report Scope of Services by CPA Firms 1984 The SEC responds to an inquiry by an accounting firm 1993 The AICPA Professional Ethics Division issues ruling No. 97 under Rule of Conduct The Auditing Standards Division of the AICPA issues an Audit Risk Alert that includes the topic of internal audit outsourcing 1996 The AICPA Professional Ethics Division issues rulings 103, 104, 105, and interpretation , all under Rule of Conduct The SEC issues new rules on auditor independence 2000 The Panel on Audit Effectiveness issues its report The POB notes the lack of evidence that consulting services compromises auditor independence, but also observes that such evidence would probably not be available, even if independence were compromised. The SEC staff states that internal audit outsourcing would probably compromise auditor independence. The ruling applies existing standards to internal audit outsourcing, allowing firms to provide these services provided they do not perform management functions. The Audit Risk Alert references a speech by the SEC chief accountant, and urges practitioners to carefully consider the implications of internal audit outsourcing on independence. The rules generally allow auditors to provide internal audit services to their external audit clients, as long as the auditor does not act or appear to act in the capacity of management or as an employee. The new rules prohibit large companies from sourcing more than 40% of their internal audit function from their external auditors. The Panel reports disagreement among its members on the question of a general ban on nonaudit services. It is the only question on which the Panel does not achieve a consensus Enron declares bankruptcy Arthur Andersen incurs significant negative publicity, in part because the firm provided Enron extensive consulting services including internal auditing services Congress passes the Sarbanes Oxley Act The Act specifically prohibits accounting firms from providing internal audit services to their public company attest clients The SEC adopts rules to implement Title II of Sarbanes Oxley With respect to internal audit outsourcing, the SEC rules appear more permissive than the Sarbanes Oxley ban would seem to permit.
7 Internal Audit Outsourcing : In November, the Executive Committee of the Professional Ethics Division of the AICPA issues Ruling No. 97 under Rule of Conduct 101, responding to an inquiry by the auditor of a financial services firm. The inquiry concerned the auditor s ability to assist with the client s internal audit activities, or extend the accounting firm s audit services when the client did not maintain an internal audit function. The accounting firm asked about three types of services: (1) testing the system of internal controls, confirming accounts receivable, and analyzing fluctuations of income and expense accounts; (2) reviewing loan originations or similar activities as part of the client s approval process; and (3) reviewing the client s loan origination or other business processes for their functioning, efficiency or effectiveness, and providing recommendations to management. Ruling No. 97 states that the activities described in (1) would not impair independence, noting that these activities are similar to extensions of audit procedures performed in connection with the annual audit; the activities described in (2) would impair independence because the auditor would be performing a management function; and the activities described in (3) would not impair independence as long as the auditor did not perform management functions or make management decisions, even though these activities are not normally necessary for conducting the annual audit. The response to this last item applies existing standards for consulting services generally to internal audit outsourcing in particular. Ruling No. 97 remains in effect until : In September, the Institute of Internal Auditors (IIA) publishes Professional Issues Pamphlet 94-1: The IIA s Perspective on Outsourcing Internal Auditing: A Professional Briefing for Chief Audit Executives. The pamphlet notes that outsource providers are aggressively marketing internal audit services to companies around the world. The pamphlet summarizes the IIA s position: The IIA s perspective is that internal auditing is best performed by an independent entity that is an integral part of the management structure of an organization. The IIA states unequivocally that a competent internal auditing department that is properly organized with trained staff can perform the internal auditing function more efficiently and effectively than a contracted audit service. (IIA, 1994, p. 2, emphasis in the original) The pamphlet characterizes the rapid growth of outsourcing as being driven, in part, by outsource providers promises of lower cost and higher quality services, reduced fixed staff salaries, and improved access to specialization.
8 10 DENNIS CAPLAN ET AL. Also in September, the POB releases the report of the Advisory Panel on Auditor Independence, Strengthening the Professionalism of the Independent Auditor. The POB commissioned the report in response to a speech by SEC Chief Accountant Walter Schuetze criticizing the accounting profession for not standing up to clients on financial reporting issues. According to the report: The Panel finds worrisome the trend of accounting firms, in wanting to grow, to add or expand nonaudit services and thereby reduce their reliance on and the relative importance of auditing. y Growing reliance on nonaudit services has the potential to compromise the objectivity or independence of the auditor by diverting firm leadership away from the public responsibility associated with the independent audit function y. (Advisory Panel on Auditor Independence, 1994, p. 9) The report goes on to recommend that independent auditing firms need to focus on how the audit function can be enhanced and not submerged in large multi-line public accounting/management consulting firms (p. 9). In a speech to an AICPA banking conference in November, SEC Chief Accountant Schuetze expresses concern about the practice of total outsourcing of the internal audit function to the company s public accounting firm. Schuetze notes that AICPA Ethics Ruling No. 97 is very restrictive, and that because external auditors must be independent both in fact and in appearance, auditors attempting to fulfill the responsibilities of the external auditor and the responsibilities traditionally performed by internal auditors must exercise great care. Schuetze also observes that to the extent banking laws require internal auditors to be under the control of management, outsourcing the internal audit function to the bank s external auditors is fundamentally inconsistent with the auditor s independence (Schuetze, 1994). The Auditing Standards Division of the AICPA issues Audit Risk Alert 1994 (Auditing Standards Board, 1994). The Risk Alert states that companies are outsourcing internal audit activities to their public accountants with increasing frequency, and then notes the concerns that Schuetze expressed in his November speech. The Risk Alert advises auditors to carefully consider the implications of internal audit outsourcing arrangements on independence. 1995: In January, SEC Professional Accounting Fellow Tracey Barber gives a speech at an AICPA conference on SEC developments. Barber summarizes current regulatory and self-regulatory guidance on internal audit outsourcing (including AICPA Ethics Ruling No. 97) as providing very strict limitations (Barber, 1995, p. 3). The position of the SEC, as described by Barber, seems to be that any arrangement for outsourcing
9 Internal Audit Outsourcing 11 would either place the auditor under day-to-day control of management, or require the auditor to exercise management functions, neither of which is consistent with auditor independence. Barber conveys the staff s view that it is very difficult to devise internal audit outsourcing arrangements that both would overcome the prohibitions set forth by all of the guidance currently available, and simultaneously satisfy all of the needs of a client (pp. 3 4). Barber also indicates that the SEC staff s interpretation of the COSO internal control framework is that some internal audit activities constitute part of the internal control system. As such, the auditor who undertakes these activities would compromise independence. In February, the Wall Street Journal runs an article on Morrison Knudsen. The company reported a loss of $141 million for the fourthquarter of 1994, its worst quarterly loss in its 83-year history, and more than twice analysts expectations. Morrison Knudsen also announced that it was firing Deloitte & Touche as the company s internal auditor and hiring Arthur Andersen for these services. The Wall Street Journal staff reporter concludes that since last November, Deloitte & Touche has performed both Morrison s external and internal audits, effectively removing a layer of review that most companies consider crucial (Rigdon, 1995). 1996: In February, the Professional Ethics Division of the AICPA issues exposure drafts of new ethics rulings that would explicitly permit auditors to provide internal audit services to their attest clients as long as the auditor does not act or appear to act in a capacity equivalent to a member of client management or as an employee. Comment letters from practitioners align almost uniformly with their apparent economic interests: practicing CPAs support the proposed rules; internal auditors, including internal audit executives from Merrill Lynch and Texas Instruments, oppose the proposed rules. Most of the comment letters in opposition to the exposure draft question whether it is practically feasible for auditors to provide internal audit services without crossing the line that separates consultants from employees, or without engaging in activities that look like management functions. The Institute of Management Accountants (IMA) opposes the proposed rules, primarily due to concerns about independence in appearance when the same auditor provides both internal audit and attest services to the same client (IMA, 1996). Comment letters from the Board of Governors of the Federal Reserve System and the Director of the FDIC generally support the proposal, but object that the terms management and employee are used in a vague manner, and also object to the proposed interpretation that allows the
10 12 DENNIS CAPLAN ET AL. auditor to attest to management s report on internal controls when that same auditor provides internal audit services that serve as a basis for management s report (Board of Governors of the Federal Reserve System, 1996; FDIC, 1996). Because FDICIA requires large financial institutions to provide a management report on internal controls and for their auditors to attest to this report, these regulators focus on this issue is not surprising. The Professional Ethics Division appears to have responded to this concern, because the final ruling states that management cannot rely on the auditor s work as the primary basis for its assertion in its internal controls report J The Institute of Internal Auditors. The lead story in the March/April issue of IIA Today announces a significant shift from the IIA s 1994 position on internal audit outsourcing. 4 The article notes that the major accounting firms are pursuing internal audit outsourcing services and predicts that outsourcing is likely to grow. The article acknowledges that, as a matter of practice, internal auditing practitioners have long used third-party providers to satisfy the need for special knowledge or to compensate for language or distance difficulties (IIA, 1996, p. 1). The IIA also acknowledges that outsource providers might provide cost/effective internal audit services for companies too small to maintain their own internal audit staff, and that outsource providers might constitute an improvement over internal audit departments that are less than world class. The article goes on to reference the Standards for the Professional Practice of Internal Auditing promulgated by the Institute, and to urge all providers of internal auditing to conform to those standards. Hence, the Institute s new position is to try to bring outsource providers under the umbrella of the IIA, to expand its membership to include outsource providers, and to urge outsource providers to support and participate in the activities of the Institute. The IIA continues to express concern about public accountants providing internal audit services to their attest clients: The IIA has also gone on record with the SEC s Chief Accountant by expressing the view that total outsourcing of internal auditing to the organization s external auditor would impair the independence of the external auditor. The IIA most recently affirmed that view in a letter to the AICPA Professional Ethics Executive Committee. (IIA, 1996, p. 1) J New Ethics Rulings. In August, the Executive Committee of the Professional Ethics Division of the AICPA adopts new ethics pronouncements for internal audit outsourcing, superseding ruling
11 Internal Audit Outsourcing 13 No. 97, which had been in effect since The new pronouncements consist of ruling Nos. 103, 104 and 105, and Interpretation No , all under Rule of Conduct 101 (American Institute of Certified Public Accountants, Professional Ethics Executive Committee, 1996a, b, c, d). The pronouncements distinguish between activities that constitute ongoing monitoring of the internal control system, and separate reviews of the control system. Under the new rules, auditors are allowed to provide attest clients internal audit services as long as those services constitute separate reviews of the control system, and as long as the auditor does not act, or appear to act, in the capacity of an employee or management of the client. The new pronouncements list examples of activities that would compromise the auditor s independence. The client must designate one or more individuals, preferably from senior management, responsible for the internal audit function. The client must determine the scope, risk, and frequency of internal audit activities, and evaluate the findings and results arising from those activities. The accounting firm cannot determine which control recommendations should be implemented, report to the board of directors or audit committee on behalf of management, or be responsible for the overall internal audit work plan. The new pronouncements address the question of whether the auditor can render an opinion on management s report of the effectiveness of internal controls over financial reporting, if the auditor also provides internal audit services. The auditor is independent with respect to this attest service as long as management retains responsibility for establishing and maintaining internal controls, management does not rely on the auditor s work as the primary basis for its assertion in its internal controls report, and the auditor does not act or appear to act in a capacity equivalent to that of client management or as an employee. The new pronouncements allow auditors to conduct operational audits, such as reviewing the effectiveness or efficiency of business processes. Independence is not impaired provided that the auditor does not act or appear to act in a capacity equivalent to that of client management or as an employee. Also, the auditor s independence does not depend on the frequency of internal audit services provided to the client, provided that the auditor s activities constitute separate evaluations of the effectiveness of the ongoing control and monitoring activities and procedures built into the client s normal recurring activities. J Other Developments in In August, SEC Chief Accountant Michael Sutton discusses internal audit outsourcing in a speech to the American
12 14 DENNIS CAPLAN ET AL. Accounting Association (Sutton, 1996). Sutton notes that internal auditing traditionally has been a management responsibility that, in critical ways, has been integral to the system of internal control, and then questions whether independent auditors can perform the internal audit function and also provide an independent look at the system of internal control. The skillful balance sought by the drafters of the [AICPA ethics rulings] may, in the final analysis, run up against the wall of perception and credibility. Sutton states that both the investing public and the accounting profession would be better served if accounting firms only provided internal audit services to nonaudit clients, noting that such an arrangement would not affect the total market for these services. In September, the General Accounting Office issues its report The Accounting Profession Major Issues: Progress and Concerns. This report reviews developments and trends related to auditor independence, audit quality, auditors responsibilities for detecting fraud and reviewing internal controls, and financial reporting and auditing standard setting. The report states that concern over auditor independence is a longstanding and continuing problem for the accounting profession (U.S. General Accounting Office, 1996, p. 37). With respect to nonaudit services, the report references an earlier report, Failed Banks: Accounting and Auditing Reforms Urgently Needed (1991), in which the GAO considered but rejected a recommendation to limit the scope of nonaudit services that accounting firms can provide their clients. The current GAO report reiterates that position: GAO believes measures that would limit auditor services y are outweighed by the value of y traditional consulting services (p. 8). The report notes that the GAO favors addressing concerns about independence through improved corporate governance, but cautions the accounting profession that these concerns might increase as accounting firms become more heavily involved in nonaudit services. 1997: In June, the SEC, AICPA, and large public accounting firms agree to the formation of a new private regulatory body: the Independence Standards Board (ISB). The mission of the ISB is to establish independence standards for public company audits. The organizational structure of the ISB is similar to the POB. The eight-member ISB includes four members from outside the public accounting profession. The Board retains an executive director and a small staff, and is funded by contributions from the accounting profession. The ISB begins operations in October. 1999: In November, Earnscliffe Research and Communications issues the results of a study commissioned by the ISB. The report, Research into
13 Internal Audit Outsourcing 15 Perceptions of Auditor Independence and Objectivity, is based on 131 interviews of CEOs, CFOs, audit committee chairs, investment analysts, audit partners, and regulators. The study asked interviewees about internal audit outsourcing as well as other types of nonaudit services. The report concludes that internal audit outsourcing is one of the three areas where people felt pulled both ways, and considered the matters to be important (Earnscliffe Research and Communications, 1999, p. 24, emphasis in the original). The report summarizes that while most people felt internal audit outsourcing was in no way problematic, a notable minority took the position that this might lead to a lower standard of protection for the investor (p. 25). The study notes that as a group auditors were more homogeneous than any other except perhaps regulators (p. 39). Auditors were also insistent that there were no greater issues of independence today than there had been in the past (p. 39), and they bridled at the notion that they might have to consider altering their business model, simply to avoid a perception problem, when the reality was that there was no impairment (pp ). By contrast, regulators (most or all from the SEC) worried that the [accounting] profession had been moving too slowly to deal with the issues around nonaudit assignments (p. 43). Summarizing the views of each group, regulators exhibited moderate concern about whether independence in both fact and appearance is a real problem today, and serious concern about whether independence in both fact and appearance will be a real problem tomorrow. By contrast, the consensus response of auditors was none to the concern about independence in fact both today and tomorrow, and slight to the concern about independence in appearance both today and tomorrow. In summary, the Earnscliffe study documents a gulf between regulators and the public accounting profession. 2000: In June, the SEC proposes new auditor independence rules that include a provision prohibiting auditors from providing internal audit services to their attest clients (SEC, 2000a). The large accounting firms launch a no-holds-barred public relations and lobbying campaign against the proposal (Levitt, 2003, p. 137). The AICPA argues that the SEC had not proven a single instance in which an auditor had compromised independence in order to obtain or retain a consulting contract, or in which a lack of auditor independence had led to an audit failure. According to Levitt, the no-smoking-gun argument was very effective with Congress. Some commentators and regulators believe this argument is exaggerated and that a few instances have been identified (over many years) in which nonaudit services may have contributed to audit failures. 5
14 16 DENNIS CAPLAN ET AL. Within a month of issuing the proposed rules, Levitt receives negative letters from 46 members of Congress, including two-thirds of the SEC s oversight committee. Levitt believes that the public accounting profession s success in lobbying Congress was related to the profession s political campaign contributions. Levitt notes that the Big 5, their partners, and the AICPA contributed $14.5 million to the 2000 elections, and that each of the Big 5 was one of President Bush s top 20 contributors. The AICPA Board of Directors concludes that the proposed restrictions on nonaudit services were not in the public interest, as they would strip the profession of skills needed to meet its auditing responsibilities in the New Economy (AICPA, 2000). The AICPA reports: Putting the very future of the CPA profession on the line, the SEC in late June  proposed sweeping rules that, if enacted in their current form, would force a restructuring of the accounting profession. The most threatening rule would prohibit accounting firms performing audits for SEC registrants from providing most non-audit services for those clients y The SEC s new proposals are draconian and unwarranted y. (AICPA, 2000) The characterization of a ban on nonaudit services as draconian may have been taken from the POB s 1979 Scope of Services report, which used the same term in almost the same context J Testimony Provided to the SEC. The SEC holds hearings on the proposed rules in July and September. Thornton (2003) finds that among 39 representatives of the accounting profession, 27 oppose the proposed rules, 9 are in favor, and 3 are neutral; among 19 financial statement users, 18 favor the SEC proposal; and among 21 regulators, 11 favor the proposal, 3 are opposed, and 7 are neutral. The AICPA and leaders of three Big 5 firms oppose the proposed rules. Leaders from two Big 5 firms support the proposed rules contingent on modifications that include allowing limited internal audit outsourcing. The division among the Big 5 firms corresponds to whether the firm has sold or is in the process of selling its consulting practice. KPMG, Arthur Andersen and Deloitte & Touche oppose the proposal, while PricewaterhouseCoopers and Ernst & Young support the proposal. Four members of the Independence Standards Board testify: three support the proposed rules, one is neutral. The Institute of Internal Auditors opposes a blanket ban on outsourcing, but opposes permitting total outsourcing due to concerns about independence arising from auditors reviewing their own work and assuming managerial responsibilities. Former Senator Howard Metzenbaum and former Federal Reserve Board Chairman Paul Volcker support the proposed rules.
15 Internal Audit Outsourcing 17 KPMG partner Robert Elliott, then serving as chairman of the AICPA, testifies: We in the AICPA are disappointed in the rush to judgment manifest in the SEC s premature issuance of a hastily and poorly drafted rule proposal followed by an inadequate comment period. y There is no evidence that lack of auditor independence is even an infrequent problem, let alone a current crisis. (Elliott, September 13, 2000) 6 Elliott says this is not about how much accountants are paid. This is about our ability to provide the y same level of high-quality information for investors that has enabled the American economy to zoom ahead of the rest of the world (Elliott, September 13, 2000). Elliott s statement contrasts with the candor exhibited 20 years earlier by the POB: The Board has also considered and rejected the more extreme view, expressed in the [Metcalf Report], that auditors be prohibited from furnishing to audit clients any nonaudit services y Such a draconian measure would not only deprive audit clients of services that they obviously deem valuable but also would cause a substantial reduction in revenues for many CPA firms. (POB, 1979, p. 2) In reply to an SEC Commissioner who asked whether there is dissent in the AICPA about the proposal, AICPA president and CEO Barry Melancon states that clearly, the overwhelming response of our profession is of grave concern for the proposed rule (September 13, 2000). In contrast to the remarks by Elliott and Melancon, Jim Schiro, CEO of PricewaterhouseCoopers, testifies: We would support restrictions of the types of consulting services accounting firms provide, including internal audit outsourcing, because we believe that changing market forces are making it increasingly difficult for firms to provide these services alongside their assurance practices. (Schiro, September 20, 2000) Shiro explains that historically, consulting services had not presented an independence problem, but given the way consulting services were evolving, consulting and audit services cannot exist under one roof in the future. Phil Laskawy, chairman and CEO of Ernst & Young, testifies: I ve grown increasingly concerned during the past several years that the heightened scrutiny of auditor independence has had a negative impact in the marketplace. y I have, in other words, been concerned that the appearance that auditors lack independence could undermine our relationship with the investing public. (Laskawy, September 20, 2000) With regard to the AICPA position, Laskawy and Schiro testify: I do not agree with the approach taken by others in the profession, including the AICPA, in making harsh attacks against the Commission [the SEC] and in trying to stonewall the Commission s efforts. In fact, I am quite troubled that the AICPA,
16 18 DENNIS CAPLAN ET AL. which has an obligation to represent all of its members, would take sides in a fashion that can only weaken public confidence in the accounting profession. (Laskawy, September 20, 2000) y I am extremely disappointed that a group that is to represent the members does not solicit the views of all the members before promulgating a position. y I find that some of the actions of the leadership of that organization have not been representative y of our two firms and did not engage us as they were adopting this position. (Schiro, September 20, 2000) The former chairman of Deloitte & Touche, J. Michael Cook, supports the proposed rules, whereas the current chairman, James Copeland, Jr., opposes the proposed rules. Cook testifies: y this issue of independence and non-audit services has been highly visible, a matter of some concern to the profession, to the Commission and to many others for many years. y The profession has, I think, diligently and appropriately sought to address these concerns over these years. Unfortunately, the profession has not been able to resolve them, and today the profession is, apparently, quite deeply divided over this issue. y Regrettably, I conclude that y some action on the part of the Commission is probably the only practical and feasible way to deal with the issue. y Some believe and continue to suggest that SEC action is not warranted absent proof that independence, in fact, has been impaired by non-audit services. To accept this position, one, in my judgment, would have to ignore the importance of the appearance of independence, which has been a fundamental precept of our independence standards, our professional standards, for almost 70 years. (Cook, July 26, 2000) In contrast, Copeland testifies I firmly believe that the unintended consequences of this bright line limitation on services will be significant and far reaching, resulting in a lessening of audit quality and perhaps, ironically, independence (Copeland, September 20, 2000). On the question of independence, Copeland states While there is no empirical evidence to support the assertion that an auditor s independence is impaired when it provides non-audit services to its audit clients, clearly some do perceive this as an issue and I believe the position that the perception issue exists. y The appropriate response to the perception issue is to determine whether the perception represents reality. I thought the panel on audit effectiveness did a credible job looking into this issue. (Copeland, September 20, 2000) The testimonies of these two men indicate a significant difference of opinion, despite their similar backgrounds with the same firm. In 2005, Copeland characterized the Sarbanes-Oxley ban on nonaudit services as hasty and ultimately counterproductive (Copeland, 2005, p. 39). From the academic community, 10 professors testify before the SEC, offering diverse opinions. Yale professor Rick Antle addresses the
17 Internal Audit Outsourcing 19 potential synergy that occurs when the external auditors provide consulting services: The real question is not how much value can you add by consulting, but how much of that value is driven by a tie with auditing. y What are these economies of scope I m talking about? Well, they re the values of the synergies that are generated by bundling services. I ll tell you now that as far as I know there s no systematic evidence as to the magnitude of these economies, just none that I know of. (Antle, July 26, 2000) Antle goes on to say that his intuition is that these economies of scope are substantial, as evidenced by Arthur Andersen s ability to rebuild its consulting practice in just a few years, after Andersen Consulting had spun off, from almost nothing (excluding tax services) to revenues approximately equal to its audit practice. In October, the Financial Accounting Standards Committee of the American Accounting Association submits a comment letter to the SEC regarding the proposed rules (AAA, 2001). The committee summarizes approximately 30 empirical studies, about 20 of which examine nonaudit services and/or auditor independence. The Committee s summary includes the following: (1) auditors judgments can be influenced by incentives to retain audit clients, but the extent to which nonaudit services influence auditors beyond the desire to retain the audit itself is not clear; (2) auditors do not appear to use audits as a loss leader to obtain consulting services; (3) studies of users perceptions of whether consulting services impair auditor independence provide mixed results; and (4) the only study cited by the Committee that specifically focused on internal audit outsourcing (Lowe, Geiger, & Pany, 1999) found that loan officers perceive internal audit outsourcing to compromise auditor independence only when the same personnel are used for both internal audit and attest services. Although not cited by the Committee, Swanger and Chewning (2001) surveyed financial analysts and found results similar to Lowe et al. The Committee presents its views to the SEC as follows: (1) clientretention incentives that could impair independence exist in the absence of nonaudit services, so the incremental benefit of the proposed rules might be minimal; (2) the proposed rules do not give sufficient weight to institutional features that provide auditors incentives to maintain independence, including the risks of litigation and loss of reputation, selfregulatory features such as the POB and peer review, and oversight by client audit committees; (3) the proposed rules are likely to negatively affect auditor competency and audit quality due to the loss of expertise gained from consulting services and due to the inability to recruit
18 20 DENNIS CAPLAN ET AL. talented employees; (4) financial statement users are not generally concerned about the effect of nonaudit services on auditor independence when the accounting firm does not use the same professional staff for nonaudit services as for the attest engagement; and (5) the client audit committee, not financial statement users, might be the appropriate benchmark for assessing independence in appearance. J The SEC s New Independence Rules. The SEC negotiates a compromise with the leadership of the AICPA and the Big 5 firms. In November, the SEC adopts new independence rules that reflect this compromise. The rules allow auditors to provide up to 40 percent of an external audit client s internal audit function, and completely exempt audit clients that have less than $200 million in assets. These restrictions apply only to internal audit services that have potential financial reporting implications, which probably include most reviews of internal controls. Operational audits, for example, are not subject to these restrictions if the audits are unrelated to internal accounting controls, financial systems, or financial statements. Levitt (2003) asserts that internal audit outsourcing was one of the two biggest issues that the SEC attempted to address with the independence rules of 2000 (p. 146). The AICPA leadership reports to its members on the compromise: Our key issues included avoiding a blanket ban on y internal audit outsourcing services. y Considerable progress was made. y Shielding smaller firms from the potential crippling effect of the new rule was and is a high priority (Miller, 2000). The new rules also include disclosure requirements for companies to report the amount of nonaudit services purchased from their external auditors. These new disclosures facilitated empirical research on nonaudit services that had not been possible using publicly available data for U.S. companies. The results of this research are mixed. Frankel, Johnson, and Nelson (2002) find that nonaudit fees are positively associated with a proxy of earnings management. Kinney, Palmrose, and Scholz (2004) find that certain unspecified NAS (a subset of nonaudit services that excludes internal audit outsourcing and some other major categories of nonaudit services) are positively correlated with financial statement restatements. Three other papers (Ruddock, Taylor, & Taylor, 2006; Ashbaugh, LaFond, & Mayhew, 2003; Chung & Kallapur, 2003) do not find a significant correlation between nonaudit services and audit quality. J The Panel on Audit Effectiveness. The Panel on Audit Effectiveness issues its Report and Recommendations in August. The Panel had been
19 Internal Audit Outsourcing 21 appointed by the POB at the request of SEC Chairman Arthur Levitt, to examine the current audit model. The eight-member Panel was chaired by Shaun O Malley, former Price Waterhouse chairman. The Panel held public hearings and received input from regulators, industry, the legal profession, accounting faculty, and accounting firms. The Panel s report covers many issues including auditor independence. A ban on nonaudit services is the only question on which the Panel reports disagreement among Panel members. The report makes no recommendation regarding a ban, but includes separate statements by Panel proponents and opponents of a ban. The Panel members supporting a ban state that nonaudit services have the potential to compromise the auditor s independence in fact as well as in appearance. When auditors provide nonaudit services, they are serving two different sets of clients: management and shareholders. Neither the auditor, the audit firm, client management, nor the audit committee are likely to be able to adequately assess and address independence issues as they arise. The Panel members opposing a ban are persuaded by the lack of any specific link between audit failures and the rendering of nonaudit services (POB, 2000, p. 127). Although the growth of consulting services has highlighted the appearance problem (p. 127), the Panel identified no new issues related to consulting services (p. 127) since the POB s 1979 Scope of Services by CPA Firms report. The Panel members opposing a ban also reference the Panel s review of 37 audit engagements for clients that also purchased nonaudit services, and 67 peer reviews conducted in 1999, none of which reported that independence, objectivity, or audit effectiveness appears to have been impaired. Despite these opposing views, the Panel agreed on the following statement: The Panel is not aware of any instances of non-audit services having caused or contributed to an audit failure or the actual loss of auditor independence. However, as the POB noted in its study on scope of services, Specific evidence of loss of independence through [management advisory services], a so-called smoking gun, is not likely to be available even if there is such a loss. (POB, 2000, p. 110, emphasis added) 2001: In January, Richard Miller, AICPA General Counsel and Secretary, reports to the AICPA membership on the negotiated compromise with the SEC: The SEC initially proposed to completely prohibit firms from providing information technology and internal audit outsourcing services. y While this approach [the
20 22 DENNIS CAPLAN ET AL. negotiated compromise] is not what we were seeking, in that it departs from current AICPA standards, it is a vast improvement over the proposed blanket ban. Obviously, the SEC recognized, as a result of comment letters and testimony in its public hearings, that internal audit outsourcing is a very important service y (Miller, 2001, emphasis added) J The Independence Standards Board. The ISB had issued a discussion memorandum for public comment on a conceptual framework for auditor independence in February 2000, followed by an exposure draft in November. A final draft is issued in 2001, but soon thereafter, in July, the ISB votes to dissolve. According to Alan Glazer and Henry Jaenicke, who were directors of the conceptual framework project, the ISB lost support from both the SEC and the accounting profession soon after its formation, in part because the SEC and large accounting firms held irreconcilable positions on independence in appearance. The ISB initially sought middle ground, incorporating in the exposure draft the concept of independence in appearance, but avoiding the term itself. This compromise satisfied nobody, and the status and potential role of the ISB were undermined when the SEC issued its independence rules in 2000, preempting much of the ISB s agenda. Glazer and Jaenicke claim that a majority of the conceptual framework task force supported including independence in appearance as a central element of the framework, and the Board itself concurred. Independence in appearance probably would have been included in the final statement, had the ISB survived long enough to issue one (Glazer & Jaenicke, 2002). J Enron. Enron files for bankruptcy on December 2, In the ensuing months, Arthur Andersen comes under fire for, among other things, a potential lack of independence with respect to the audit because Arthur Andersen provided Enron significant consulting services, including internal audit services. Fifteen months prior to Enron s bankruptcy, Joe Berardino, then a managing partner of the firm, testified to the SEC on internal audit outsourcing: When this internal auditing is performed by the same firm that is hired to audit the financial statements, that firm significantly enhances its knowledge. Who benefits when the audit firm has this enhanced knowledge? I would suggest the investing public. y Some say that we are auditing our own numbers in doing what I just described. I disagree. What we feel we are doing is simply auditing more of the client s business. (Berardino, September 20, 2000) As reported by the PBS program Frontline, on the same day as Berardino s testimony, Enron chairman and CEO Kenneth Lay