A call by members of Parliament in the UK for accountancy firms to be banned from providing expensive IT systems to companies they audit could have far-reaching implications for IT managers.
The all-party House of Commons Trade and Industry Committee said last week that while there should be no general statutory prohibition on the provision of non-audit work by firms to organisations they audit, there was a particular problem with computer networks, especially financial control systems.
“We are aware that particular concerns have been expressed about the supply of expensive IT systems, especially financial control systems, and it seems to us to be obvious on first principles that external auditors should not be involved in the provision of internal audit systems,” the MPs said. “We would therefore recommend a strengthening of the requirements in this area.”
The committee backed a tighter general self-regulation system, but warned of new laws if this failed. They were reporting on restoring confidence in corporate governance after the high-profile bankruptcies of Enron and WorldCom rocked the financial world last year.
Deloitte & Touche is the only one of the “Big Four” accountancy firms not to have spun off its consultancy arm from its audit practice. However, a significant proportion of the advice audit firms now give is in such areas as risk management for financial systems, in which IT security is a key consideration.
There is mounting concern that when accountancy firms adopt this dual role, it could create a conflict of interest and undermine the independence of the auditor. The debate raises thorny corporate governance issues for IT directors and their boards, in addition to more immediate concerns about supplier management.
UK guidelines on the provision of non-audit services to clients are reasonably clear. According to the Institute of Chartered Accountants in England and Wales, an auditor should not provide advice or install systems that generate information for the client's accounts, such as accounting software or stock valuation systems.
The guidelines, published in November last year, also warn auditors against offering a “turn-key” service – defined as a project that consists of software design, hardware configuration and/or system implementation of both – unless the client gives permission for such a service.
They also recommend that an audit firm should not receive more than 15% of its total revenue from a client not listed on the stock exchange, and 10% from a listed client.
But there are grey areas in the audit/IT split, particularly concerning advice on risk management, which relies increasingly on sophisticated technology to pinpoint the internal and external risks facing an organisation.
“A lot of risk management is IT consultancy, systems and organisational design,” said one consultancy veteran. “Some of the large corporates have decided not to receive these services as they could undermine the independence of the audit firms.”
So what measures should companies take to ensure they are in line with industry best practice?
Financial services firm Legal & General tackled the issue nearly 10 years ago when it decided not to accept any IT services from its internal auditor PricewaterhouseCoopers. “The decision was taken to avoid a conflict of interest,” said Margaret Smith, director of business technology and delivery at Legal & General. “It has not hindered us and I think most IT directors are now aware of good practice.”
Others in the IT industry agree, arguing that there is an inherent conflict of interest posed by firms offering audit and IT services to the same client.
“The professional firms will assure you without doubt that there are safeguards in place and no cross-fertilisation of audit and IT in the same firm,” said Colin Beveridge, an IT industry expert and former interim IT manager for a string of blue chip companies. “But you can never be 100% certain the audit function is completely impartial as long as the auditor is also a supplier. Who is guarding the guards?”
Although the audit and IT services split is more likely to be on the in-tray of general management, any perception of conflict of interest could force IT managers to change their suppliers, Beveridge said.
But others in the industry have claimed that the drive to separate consultancy and audit practices has resulted in a more disjointed service for users.
Some argue that when audit and consultancy practices were under the same roof, the audit team could spot any gaps in the company's financial information, which could then be remedied by modifying the accounting software or buying a new system.
The audit team passes this tip on to their consultancy practice, which informs the IT director, who in turn pitches the idea to the finance director. It is joined-up working in action and everyone is happy.
“I think it's harder for the IT director of a big company to put the right case for an IT project to the finance director using a third-party systems integrator than an integrated consultancy and assurance division,” said a consultant from one of the big accountancy firms who asked to remain anonymous. He added that the potential conflict between audit and tax advice was a more pressing concern. “This is where the real conflict of interest lies,” he said.
MPs are currently pressing for tighter controls on the provision of IT services from audit firms. IT managers may have little choice but to change one of their key suppliers now before being pushed by the regulator.
Guidance by the Institute of Chartered Accountants in England and Wales issued late last year outlines how audit and IT services can be provided to a client while safeguarding auditor independence.
The basic independence requirements are that auditors must evaluate whether there are threats to independence in providing any non-audit service to audit clients. The auditor should provide that service only where safeguards can be implemented to reduce such threats to an acceptable level.
The guidance warns that there is a potential conflict of interest if an audit firm is advising or installing systems that generate information for the client's accounts, for example, accounting software or a stock valuation system.
It also recommends that audit firms should not offer a “turn-key” service, defined as a project consisting of software design, hardware configuration and/or system implementation of both, unless the client gives permission for such a service.
The guidance also recommends that an audit firm should not receive more than 15% of its total revenue from a client not listed on the stock exchange and 10% from a listed client.