On the Frontlines: The Audit Implosion

Power provocatively adopted two seemingly contradictory terms, “explosion” and “implosion,” but he was simply identifying the coexistence of quantitative changes (in the explosion) and qualitative changes (in the implosion). In other words, auditing was expanding in volume while its center of gravity was increasingly relocating into the inner workings of organizations. I believe Power’s analysis was correct, and it was also prescient, as both trends have continued apace. In this blog, I shall focus on the significance of the “audit implosion” for internal auditors.  

I have witnessed the institutional internalization of auditing first-hand. At the beginning of my auditing career in 1990, as an external auditor with Price Waterhouse (a forerunner firm of PricewaterhouseCoopers), external auditing was by far the most prestigious specialty of auditing. In the late 20th century, internal auditors were generally perceived as the “poor cousins” of external auditors.

But the times were already changing. In the freewheeling external audit market of the 1990s, a tsunami of challenges traumatized the external auditing profession. Cut-throat competition frequently encouraged the large auditing firms to supply external audits at below cost in the hope of recuperating profits through lucrative consulting services. This resulted in a minefield of conflicts of interest, impaired objectivity, and tarnished reputations. More damagingly, the public tended to brush aside protestations of an “expectations gap” to accuse external auditors of negligence for not preventing or detecting their clients’ fraud. This period culminated in the demise in 2002 of Enron Corporation and its external auditor, Arthur Andersen.

External auditing’s difficulties were accompanied, from the 1990s, by the issuance of corporate governance codes like the British Cadbury Report (1992) and the series of South African King Reports on Corporate Governance (from 1994). These codes all had a commonality — they emphasized the importance of assurance on the ongoing reliability of internal controls. The relocation of the center of gravity of auditing to the inner workings of organizations had begun. The U.S. Sarbanes-Oxley Act of 2002 was a reaction to the Arthur Andersen debacle, and Sarbanes-Oxley Section 404 raised stakeholder interest in internal controls to new levels. Gradually but inexorably, the gaze of stakeholders was shifting from the external audit opinion on annual financial statements toward hitherto unexplored auditable spaces within organizations. Moreover, an increasing emphasis on the “riskification” of auditing and internal controls was leading to the embedding of risk frameworks inside organizations, and this created new auditing demands.  

The result of all these changes? A shift in the focus of auditing to an increasingly internal perspective. Of course, the external audit opinion on annual financial statements has maintained a crucial importance for stakeholder confidence — a modified opinion can have an earthquake-like effect among stakeholders. But the overall significance of the periodic external audit opinion has been eclipsed by demands for contemporaneous internal auditing and enterprise risk management. The external audit’s importance remains, but it has been diminished.

The implications of these trends? In the post-Sarbanes-Oxley era, the internal auditor is no longer the “poor cousin” of the external auditor but rather has moved to the forefront of institutional governance. Nonetheless, the shift of emphasis from external to internal auditing is still in progress and it has yet to be fully worked out. The inner, auditable spaces of organizations are sites of contestation and competition. Internal auditors jostle for space with other actors, including legal compliance specialists, risk management advisors, and quality management system engineers, all of whom are eager to gain a foothold in the new competitive space. The Institute of Internal Auditors has provided clarity to this volatile space through its Three Lines Model (first published in 2013): the model’s delineation of responsibilities provides a framework for ongoing conversations on matters like whether the second or third lines should take responsibility for the documentation of internal controls for Section 404 purposes.

The so-called audit implosion is more than just a technical issue. The internalization of auditing inside organizations is an ethical matter, closely linked to increasing stakeholder trust in this type of auditing. Having manifested their acceptance of the trustworthiness of internal auditing, stakeholders will surely continue to expect a reciprocal response, in the form of technically sound auditing that assists in setting the ethical tone of organizations. I believe the internal auditing profession is well poised to take on both the opportunities and the obligations arising from the evolving governance needs of our organizations’ auditable “inner spaces.”