Transparent accountability is a prerequisite for informed oversight. The board accounts so that shareholders or other stakeholders can be in control. The audit is a necessary confirmation of the reliability of the accounting. Without audit, there is no accountability. Without accountability, there is no control. And if there is no control, where is the seat of power?
As more specific responsibilities of directors have been codified, there has been a corresponding expansion of their reporting obligations. And since boards now have overall responsibility for risk management and internal control, directors report publicly on how they exercise that responsibility.
But the audit profession has not been quick off the mark to develop new assurance services that correspond to the expansion of disclosure obligations. With some reluctance the profession took on the task of ‘reviewing’ directors’ assertions on just seven of the 19 provisions within the 1992 Cadbury Code – a ‘review’ is much less than an audit.
There cannot be many occupational groups who have been so reluctant to provide new services that should be within their capability. This is partly due to legitimate concerns that their unlimited liability makes the risk too great. In part, it is to do with the monopoly rights the profession enjoys to provide the traditional, mandatory audit service.
But it is also a symptom of a mature profession that has surrounded itself with over-complex concepts and rules that are hard to adapt except at the margins. There is also widespread reluctance across the profession to audit ‘soft’ matters.
After a decade of intricate debate, the audit of internal control – at least in the US – has finally arrived. The Sarbanes-Oxley Act has imposed an obligation on auditors to attest to the CEO’s and CFO’s certification of the effectiveness of internal control over financial reporting. It questions whether the CEO and CFO have followed a proper process, as set out in the SEC rule, and whether the external auditor agrees with the conclusions.
It is encouraging that auditors now audit internal control, but it is a concern that they have perceived the need for a surrogate of ‘objective verification’. But ‘box ticking’ that certain risk management steps have been followed and documented is a more mechanical audit process than to judge whether the principles set out in Turnbull have been applied.
It begs the question whether the auditor is really concluding that internal control is effective or merely stating that a recognised internal control framework has been used.
In time, the most far-reaching extension within the 2003 combined code will be the codified board responsibility to evaluate its own performance and that of individual directors, including the chairman, and of board committees. As we should expect, there is a matching reporting obligation.
It will not be until well into 2005, when most companies report their 2004 year-ends, that we will see the extent to which companies comply with the code in these respects. Doubtless, shareholder pressure will be effective in encouraging compliance. But without audit, what will be the value of board assertions on their performance evaluation?
As yet there is no recognised framework for such an evaluation, although a relevant annex from the Higgs report has survived intact into the 2003 combined code. In any case, neither the evaluation of board performance nor any audit of the board’s report should be a matter of ticking boxes on a checklist. It calls for a cerebral, thoughtful approach.
The auditing profession needs to take a leaf out of the environmental auditor’s book. While environmental auditors usually report on specific environmental statements, their audit reports are long and free form. Invariably they include sentiment along the lines that the company ‘could do better – and how’. The CSR accent is on continuous improvement.
As more and more soft narrative is relied upon by shareholders or other stakeholders, more of the total audit will move in this direction. Going forward, will the accounting profession prove to be competent only to audit financial statements, or will it jettison its sacred cows and seize new opportunities?
The indications have not been promising and others would be willing to fill the vacuum – but it is not too late.
Andrew Chambers is the Deloitte professor of internal auditing at London South Bank University. He delivered his inaugural lecture on Tuesday, 30 November.
Carolyn Brown appointed as the first head of client legal services practice RSM Legal
UK senior partner Phil Verity has been elected for a second term at Mazars
Tallat Mahmood appointed to corporate finance team of Top 20 firm
Top 25 firm HW Fisher & Co has acquired London firm Rhodes & Rhodes