Corporate Governance, Audit Quality, and the Sarbanes‐Oxley Act: Evidence from Internal Audit Outsourcing PDF

Preview

Summary

Corporate Governance, Audit Quality and the Sarbanes-Oxley Act: Evidence from Internal Audit Outsourcing (Formerly: “The Relation Between Internal Audit Outsourcing Arrangements and Audit Committee Effectiveness: Implications for the Sarbanes-Oxley Act”) Abstract The objective of this study is to ex...

Description

Corporate Governance, Audit Quality and the Sarbanes-Oxley Act: Evidence from Internal Audit Outsourcing (Formerly: “The Relation Between Internal Audit Outsourcing Arrangements and Audit Committee Effectiveness: Implications for the Sarbanes-Oxley Act”)

Abstract The objective of this study is to extend the current literature related to non-audit services by investigating the area of internal audit outsourcing to the external auditor. We posit that certain types of internal audit outsourcing (i.e. those which are non-routine, and thus tend to be non-recurring in nature) are unlikely to lead to economic bonding, while offering significant potential for improvements in audit coverage and scope when provided by the external auditor. Alternatively, outsourcing routine internal audit tasks is more likely to lead to economic bonding, as well as creating disincentives for internal auditor independence. We obtain data from a survey of 219 Chief Internal Auditors and from relevant proxy statements in the year 2000, prior to the Sarbanes-Oxley Act. Our results are consistent with firms with strong audit committee governance being less likely to outsource routine internal auditing activities to the external auditor. The audit committee’s authority to dismiss the chief internal auditor enhances this effect. However, the outsourcing of non-routine internal audit activities such as special projects and EDP consulting are not negatively related to audit committee effectiveness. Additionally, outsourcing of either type of internal audit activity to an outside service provider other than the external auditor is not related to audit committee effectiveness. Collectively, we interpret these findings as supportive of an effective audit committee’s ability to monitor the sourcing of the firm’s total (i.e. internal and external) audit coverage, while simultaneously exhibiting concern for external auditor independence. Our findings call into question the need for the existing restrictions on some types of internal audit outsourcing to the external auditor, particularly in light of other corporate reporting environment changes enacted by the SOX.

1.

Introduction The Sarbanes-Oxley Act of 2002 (hereafter SOX) places severe restrictions on the

outsourcing of any internal audit (IA) functions to a client firm’s external auditor due to independence concerns (SOX 2002).1 The SOX restrictions on IA outsourcing represent an extension of the Auditor Independence Rules of 2000, which mandated a 40% ceiling on IA activities that could be outsourced to the external auditor (effective in 2001). However, the Institute of Internal Auditors (IIA 1996, 1994) and other financial reporting constituents argue that such outsourcing can be a beneficial and cost-effective means of improving internal and external audit quality. These diverse opinions may result from a scarcity of evidence concerning the different types of IA (internal audit) functions outsourced and the merits of outsourcing to various service providers. During the deliberations surrounding both SOX and the Auditor Independence Rules, two underlying assumptions were operative. First, all IA outsourcing to the external auditor was assumed to have equally deleterious effects on auditor independence and overall audit quality. The assumption that all non-audit services (NAS) impair audit quality, regardless of their nature, is one commonly found throughout much of prior NAS-audit quality research (Frankel et al. 2002; DeFond et al. 2002; Chung and Kallapur 2003). Re-examining NAS in more detail may improve our understanding of the mixed results of this research. Second, the IA outsourcing decision was assumed to be primarily the province of management, also a common assumption in prior IA outsourcing research (Caplan and Kirschenheiter 2000; Widener and Selto 1999; Krishnan and Zhou 1997).

1

SOX generally prohibits external auditors from providing to audit clients any outsourcing services that relate to the client’s internal controls, financial systems or financial statements. This essentially amounts to a prohibition on internal audit outsourcing (Caplan and Emby 2004).

1

However, this assumption has also been called into question by the growing stream of research focusing on the beneficial effects of independent, expert and active audit committees. In this paper we extend prior research by examining whether different types of IA activities outsourced to the external auditor are viewed differently by a key stakeholder in this decision: the audit committee. In particular, we categorize the specific types of outsourced IA activities as routine or non-routine, following the taxonomy of previous outsourcing studies (Pelfrey and Peacock 1995). We posit that outsourcing routine internal audit activities threatens external auditor independence, due to its recurring nature which may lead to economic bonding (Beck et al. 1988; Simunic 1984). Outsourcing routine internal audit activities may also impair internal audit independence by raising the specter of total internal audit outsourcing, and in the process threatening internal auditors’ job security. Internal auditors with uncertain job status may be less likely to disagree with management on internal control issues, reducing the likelihood that such issues would be communicated to the audit committee (Rittenberg et al. 1999; Quarles 1994; Kalbers and Fogarty 1993). As Caplan and Emby (2004) find negligible quality differences in routine tasks performed by internal and external auditors, outsourcing routine tasks appears to present significant risks to internal and external auditor independence without enhancing overall quality. Outsourcing non-routine tasks to the external auditor has a more complex impact on audit quality for three primary reasons. First, unlike routine activities, non-routine tasks are likely to be non-recurring, reducing the potential for economic bonding (Beck et al. 1988). Second, these outsourced non-routine tasks often require specialized

2

knowledge, such as EDP audit expertise, which may be difficult for internal auditors to obtain in-house. If these tasks are outsourced to the external auditor there may be significant financial statement audit synergies in both cost and audit scope (Smith 2002; Aldhizer and Cashell 1996; Simunic 1984). These may result in increased audit coverage. Third, using the external auditor to perform non-routine tasks may also be more efficient (versus using another outside service provider) due to the external auditor’s familiarity with the client and its IA function (Smith 2002; Krishnan and Zhou 1997). This familiarity also provides for a more seamless integration into the IA function’s coordination and training efforts (McDonald 2003; Smith 2002). Consequently, we argue that outsourcing non-routine tasks to the external auditor may provide significant advantages, without the potential independence impairment presented by the routine tasks. Whether the potential benefits outweigh the possibility of impaired independence in appearance is an empirical question. We also depart from the assumption that the management is the primary outsourcing decision-maker. Developments in regulation or best practices predating our sample period emphasize the audit committee’s role in the oversight of the internal and external audit functions (BRC 1999). Consistent with this regulatory focus, we expect effective audit committees (i.e. independent, informed and active committees) to be the primary gatekeepers in outsourcing decisions. We base our supposition on three premises. First, financial misstatements threaten the reputational capital developed by these independent audit committee directors (Srinivasan 2004; Abbott and Parker 2000; Beasley 1996). Consequently, a change in any component critical to the financial reporting process is of concern to an independent audit committee. Second, as the

3

Treadway Commission (1987) asserts, the IA function assists the audit committee in discharging its oversight responsibilities. Accordingly, an audit committee that is actively monitoring the IA function and understands its role in the internal control structure is likely to understand the impact of outsourcing (Raghunandan et al.2001). Finally, given their monitoring role, independent, active and expert audit committees are likely to be sensitive to actual or perceived independence problems of both the external and internal auditors (Abbott et al. 2003b; DeZoort 1997). Given the aforementioned risks to external and internal audit independence (without an commensurate increase in audit quality), we hypothesize that audit committees with strong governance characteristics are less likely to be associated with outsourcing of routine tasks to the external auditor. In addition, we argue that this effect will be heightened when the internal audit function reports directly to the audit committee. This is because under such reporting arrangements the audit committee is more informed about the outsourcing relationships. Due to the countervailing effects on audit quality, we do not provide a prediction of the association with respect to outsourcing of non-routine tasks. To test our hypotheses we obtained 219 survey responses from Fortune 1000 companies concerning the nature, extent and provider of IA outsourcing in 2000. Our sample period represents an ideal test setting as it precedes regulatory restrictions on outsourcing to the external auditor. The time period of our data is particularly important for two reasons: First, the year 2000 was a period in which relatively few external restrictions existed on the choice of outsourcing provider. Second, the mid 1990s had seen an acceleration of the growth in popularity of outsourcing (Rittenberg and Covaleski

4

2001; Weill 2001).2 Our survey was addressed to the Chief Internal Auditors (CIAs) of the sample firms, because we expect the CIAs to have the greatest authority in the outsourcing decision and the greatest knowledge of its benefits and costs (Serafini et al. 2003). We first test, using a logit regression, whether there is a relation between audit committees with strong governance characteristics and the outsourcing of any internal audit tasks to the external auditor. Our measure of effective audit committee governance is a composite variable (ACE) with the value 1 if the committee meets at least 4 times in the sample year, is entirely independent and includes at least one financial expert. We find that ACE is negatively associated with the use of the external auditor as an outsourcing provider. This effect is enhanced when the audit committee also has hiring and retention authority over the Chief Internal Auditor, as captured by the AUTHORITY variable. 3 We then use Tobit analysis to determine whether there is a differential relation between an effective audit committee and the type of internal audit tasks outsourced. As predicted by our hypotheses, we document a significant negative relation between ACE and the proportion of routine internal audit tasks outsourced to the external auditor. This effect is heightened when AUTHORITY and ACE are interacted. We find no significant relation between ACE and the proportion of non-routine outsourcing. This is consistent with audit committees with stronger governance differentiating between routine and non2

In particular, the AICPA released an Official Interpretation in May 1996 that concluded that outsourcing did not impair external auditor independence as long as a member of management remained in charge of the internal audit function. The consequence of this ‘green light’ was a dramatic growth in internal audit outsourcing through 2000 (Rittenberg and Covaleski 2001). Our sample data confirms the prediction of Rittenberg and Covaleski (2001) and suggests an increased economic impact of outsourcing than prior data. 3 Employment authority is indicative of higher institutional influence for the internal audit function and greater interest in internal audit by the committee (DeZoort 1997).

5

routine tasks when approving outsourcing arrangements. When we perform similar tests for the proportion of outsourcing of routine and non-routine tasks to other outside service providers (OSPs), we fail to document any relation between our test and dependent variables. Lastly, we examine only the subsample of firms which outsource to the external auditor. We find within this subsample that the significant negative relation between ACE and the proportion of routine tasks outsourced to the external auditor remains. This suggests that audit committee governance influences the type of outsourcing undertaken, after the initial decision to use the external auditor as the outsourcing provider has been made. Collectively, we interpret these findings as supportive of an effective audit committee’s ability to optimally monitor the sourcing of the firm’s total (i.e. internal and external) audit coverage, while simultaneously ensuring external and internal auditor independence. Our findings extend the current literature in audit quality and non-audit services, by differentiating between different types of NAS. More specifically, much of this prior research has typically assumed that all NAS have an equally negative impact on auditor independence (DeFond and Francis 2005). Unlike prior studies, our findings are consistent with different types of NAS potentially having differential effects on audit quality. In particular, there may be instances where a large NAS-audit fee ratio is not indicative of impaired auditor independence because of the nature of the NAS being provided. However, researchers are generally forced to treat NAS as equally independence-impairing due to the current regulatory disclosure regime that pools all

6

non-audit services into a single category. Consequently, our results also support calls for increased disclosure of the types of NAS fees (Gaynor et al. 2004; Liesman et al. 2002). Our paper also complements a growing stream of literature investigating the role of the audit committee in corporate governance. We provide evidence on the ability of effective audit committees to discriminate between NAS having differential impacts on audit quality. Our results suggest that effective audit committees are sophisticated consumers of non-audit services. Our findings are also consistent with those of Gaynor, McDaniels and Neal (2004) who find (in an experimental setting) that audit committee members prefer joint provision of audit services when such provision contributes to audit quality. Finally, our paper also contributes to the literature by providing initial, largescale empirical evidence on the amount, nature and providers of IA outsourcing activities. Our results have implications related to the SOX restrictions on internal audit outsourcing. As it stands, SOX prevents any audit quality improvements that may result from selectively outsourcing to the external auditor. It may be questionable whether the virtual moratorium on IA outsourcing is warranted, particularly in light of the other corporate governance changes enacted by the SOX (such as stricter audit committee requirements for independence and expertise). Furthermore, relaxing the restrictions might create future benefits from selective outsourcing. For example, the use of enterprise resource management and customer relations management systems by client firms continues to increase. The pervasiveness of these systems and others like them has heightened the demand for EDP-auditing related expertise in these areas (Serafini et al. 2003; McDonald 2003). Moreover, such systems also pose increased audit risks (Harkness and Green 2004; Lightle and Vallario

7

2003; Glover et al. 1999). The demand for EDP-auditing expertise is unlikely to diminish over time given the rapid pace of change in information technology. Hence, both the demand for EDP auditing expertise and the potential increase in audit quality resulting from knowledge spillovers gained from outsourcing EDP auditing has intensified and can be expected to continue. Additionally, smaller IA departments might benefit the most in terms of the expertise, cost savings and coordination ease afforded by the external auditor. This becomes a particularly salient issue when considering the recent NYSE listing requirement that all registrants have an internal audit department. Our results are consistent with the views expressed by Jacqueline Wagner, Chairman of the IIA, who stated during the Auditor Independence Rules hearings: “…We simply do not believe that it is possible for a single central authority in either the public or private sector to answer these (outsourcing and non-audit service related) questions for all publicly held organizations in the United States. There are too many permutations in sizes and relationships of both firms and their clients to make this feasible…the audit committee can best judge any potential impairment of independence based on the specific circumstances of the firm and its auditors.” (SEC 2000). The remainder of this paper is structured as follows: section two reviews prior literature, section three develops the hypotheses, section four discusses sample selection methodology, section five presents research design and results and section six concludes.

8

2. Previous Literature 2.1 Prior Internal Audit Outsourcing Research Previous research has identified several motivations for outsourcing internal audit activities. For example, Caplan and Kirschenheiter (2000) model outsourcing demand as a function of control risk. These authors also augment their model to control for potential losses resulting from internal control breakdowns. In addition to the factors described in Caplan and Kirschenheiter (2000), Petravik (1997) describes three factors important to outsourcers: the reduction of redundant audit work (resulting in external audit cost savings); the professional liability insurance of the external auditor; and the prestige of the external auditor. Pelfrey and Peacock (1995) posit that outsourcing internal audit projects may actually improve the quality of the audit because companies can employ external individuals with advanced degrees and technological specialization to provide the required services. Pelfrey and Peacock (1995) also document that when outsourcing takes place, the most likely arrangements include EDP auditing and/or operating systems design and utilize the external auditor. The most recent empirical outsourcing study of which we are aware is Widener and Selto (1999). Widener and Selto (1999) find statistically negative relations between the degree of outsourcing and proxies for asset specificity and frequency. However, consistent with prior empirical studies, Widener and Selto (1999) do not consider the role of the audit committee in their analyses, differentiate between outsourcing providers or distinguish between different outsourcing activities. In the following sections, we develop the role of an effective audit committee in the various facets of the IA outsourcing decision.

9

2.2 Audit Committee Effectiveness and External Audit Quality Abbott and Parker (2000) posit that outside, independent audit committee directors possess a two-factor audit quality demand function. The first factor is reputational capital enhancement/preservation. More specifically, outside audit committee directors may view the directorate as a means of enhancing their reputations as experts in decision control (Srinivasan 2004; Beasley 1996; Fama and Jensen 1983). Although audit committee service increases the reputational capital of these outside directors, it may also exacerbate the reputational damage should a financial misstatement occur.4 The second audit quality demand factor concerns director liability. In cases of financial misstatement, outside non-audit committee directors can potentially subrogate their director liability to audit committee members. This can be achieved by asserting reliance on the audit committee for issues such as the adequacy of th...