Happy New Year!
Well, here it is, another year already, 2013, wow!
To start the year with a challenge, perhaps consider this as one of your organization’s new year’s resolutions, addressing or correcting the threat of intimidation within reporting obligations inside your organization. What am I talking about? To illustrate, let’s say you’re the CEO, and you decide you want to improve quality at your organization by establishing a senior quality resource person, a chief quality officer, someone who you look forward to working with, however, that will be expected and able to freely report to the board.
I will submit to you another scenario, let’s say you’re part of the IT management team that reports to the CIO. If there is a senior quality resource person that works with your team (e.g., does quality audits of your projects, processes, data, information and technology to provide oversight, report on schedule concerns and risks, suggest improvements, ensure adherence to policies, procedures, standards, charters and so on); in addition to reporting information to you, they also freely report it beyond you, to your board, steering committee, and CIO.
The question and challenge in both scenarios, should you be able to edit the findings of that senior quality resource person before your boss and others (e.g., board, steering committee and CIO among others) read their quality audit reports? Thus, interfering in the audit process, and possibly intimidating the auditor or whoever has a reporting obligation in your company.
In an interesting 2012 discussion paper, according to the International Ethics Standards Board for Accountants (IESBA), an independent audit process comprises of independence of mind and appearance.
(a) Independence of mind
The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
(b) Independence in appearance
The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm’s, or a member of the audit team’s, integrity, objectivity or professional skepticism has been compromised.”
Furthermore, according to the paper, one of the threats to an auditor’s independence is apparently intimidation, and is explained as follows,
intimidation threat – when there is either a perception of, or an actual situation, that would intimidate auditors from adopting appropriate skepticism of management (e.g., company employing a former audit team member).”
According to this same paper,
Professional skepticism also includes the willingness to challenge management on the assertions and representations they make in preparing the financial statements.
Independence is seen as an important element for both the auditor to be objective in their evaluation of an entity’s financial statements and to allow the auditor to approach the audit with an appropriate degree of professional skepticism.
Auditor skepticism can be influenced by many factors in addition to independence, including: auditor education, training, supervision of staff and knowledge of a company’s business, the culture of the audit firm, and the audit firm’s relationship with client management and audit committees.
Independence at both the individual and institutional level may, in fact or appearance, have an impact on auditor skepticism and the resulting quality of the audit.”
The consensus is that auditor skepticism is an important driver of audit quality and independence.
The threat of intimidation in your independent audit process can be adequately addressed or corrected, for example, by ensuring that the quality resource person share their reports with you prior to sharing them beyond, so that your response (mitigation or corrective action plans, perhaps created in a collaborative way with the quality resource person) can be an integral part of the process and report, however, without changing any of the actual audit findings and auditor skepticism (e.g., the actual audit findings are left as is without any wording inserts, edits or deletion/omission of findings). In any case, here are a few links to information, tips and solutions by the CICA to ensure your audit process remains independent and valid and free from threats of intimidation.
And as always, comments are welcome.
As an aside, feel free to share whether you think a 4th edition of the Information Technology Control Guidelines may be in order and why… The aim of the guidelines is to provide a practical means of identifying, understanding, assessing and implementing information technology controls in all types of enterprises.
In my opinion, one does seem to be in order; the 3rd edition was written 14 years ago, there have been many developments since then (ITIL, COBIT, ITPolicyPro and so on), a fourth edition before 2015 may be a good idea.
Have a great 2013.
Ron Richard, I.S.P., ITCP/IP3P