clearly. In addition, there were many opportunities to inter- sure what role the internal auditor played or whether the interact with executive management. I think that training has cer- nal auditor was effective.
tainly influenced my style. If management is disregarding the internal auditors’ con-
Because you asked me to choose one person who influenced clusions, it’s not only a test of the internal auditor’s integrity,
me, I chose Ed Lundy, however, I have to add that I took it’s also a test of his or her judgment. For example, if an inter-something away from someone in every position I’ve held. I’ve nal auditor uncovers something significant, takes it to senior
been fortunate to work with very good people along the way. management, and they make a reasoned decision to accept the
risk, does the internal auditor go forward? If so, how far? It’s
different if laws are being broken, but there’s plenty of room for
internal auditors to accept decisions they don’t necessarily agree
with, if those decisions are being made in an aboveboard manner. If an internal auditor had been in place at Enron when
its board of directors was deciding to waive the conflict-of-interest policy, it’s pretty clear what he or she should have done.
Is it the internal auditor’s job to question the process of how the
board reaches its decisions? I believe the answer is “yes.”
Do you think that using internal auditing to groom candidates
for other jobs in the corporation is a worthwhile practice?
The skills required in internal auditing extend far beyond
accounting; knowledge of the business is paramount. However,
because internal auditors shouldn’t audit the business units they
came from — at least for a year or two — pass-through is probably more effective in larger companies. In my career of forming internal audit departments, I have brought in people from
elsewhere in the business and people from disciplines broader
than accounting, such as information technology and financial
services. I also believe that internal audit departments need
anchor people — career auditors — who can make sure that
auditing is being done with the right techniques and that the
staff is getting the right training. It’s the chief auditor’s responsibility to ensure that the staff operates in an objective way.
What do you think about the quality of the people that internal
audit departments are able to attract?
Internal audit staffs have come a long way in attracting top-quality people. If you go back 20 or 30 years, internal auditing had the reputation in many companies of being a dumping
ground. There were people who couldn’t do anything else, so
they put them in internal auditing. Over the years, we’ve successfully weeded out those people and avoided taking on new
ones. I worked in a company where the byword was “don’t
pass the meatball” — that is, don’t pass off someone who’s
not capable. I talk regularly with executive search firms that
are looking for people to head internal audit departments, and
I can tell that they’re looking for top-notch people, just as they
would for any other executive position.
What changes have you observed in how audit committees go
about their work as a result of the accounting scandals?
You see changes in composition, because of the requirement to
have a financial expert. Because of the requirement for independence, audit committees are divesting themselves of some
people and bringing in others. Although the frequency with
which audit committees are meeting is being driven by what
they’re being asked to deal with, they have nevertheless increased.
The great majority of audit committees now meet quarterly, but
some are meeting monthly. As a result of all the disclosures that
are being required under Sarbanes-Oxley, audit committees are
getting more reports on the system of controls. They are also
moving toward a better understanding of risk management and
making sure that the organization has a risk-management process
in place. They’re not managing the risks themselves, but they
are looking to make sure that the risks are identified and understood and that there’s a system in place to deal with them.
Do you think internal auditors dodged a bullet during the
recent corporate scandals?
I don’t think we just skated through. Enron had outsourced
its internal auditing to Andersen. Cynthia Cooper, WorldCom’s internal auditor, found herself in the hot seat when she
discovered the things that were going on with the books. Unfortunately, she worked for the chief financial officer (CFO) —
the wrong reporting structure, by the way — and he tried to
suppress her report. She had the intestinal fortitude to go
around him to the audit committee, which told her to continue her investigation. There are other cases where we’re not
Do you see any “time bombs” in any of the new laws or
regulations that may not “explode” for a few more years?
Section 409 of the U.S. Sarbanes-Oxley Act of 2002 requires
companies to report any significant events that affect the financial viability of the company to the public as those events occur.
I haven’t seen anything on how that’s to be implemented, but
you could have companies required to go public with something when it’s not really known what the impact will be.
There’s a similar requirement under Section 404 to report
material or significant weaknesses, and in the last two months
I’ve started seeing such reports. In the past, these weaknesses
might have been routine audit findings that went to management and got corrected. Now, they may have to be reported
to the public. If the context is not known, there could be unintended consequences in terms of how investors react.
INTERNAL AUDITOR APRIL 2004