Friday, November 12, 2010

Government Pensions are in Trouble

One of the most compelling reasons that talented individuals stay in government is the benefits and the stability. And in envy, I have attended a flurry of retirement parties this year. My colleagues have put in their time and are blissfully able to move on to second careers under the support of a state pension.

But these pensions are expensive and risky - and troubled. The City of Austin is no longer offering pensions to new hires, but instead is offering them a self-managed retirement savings plan. The State of Alaska moved from a defined benefit plan (which promises a stable monthly payment each month after retirement based on the last few years of wages) to a defined contribution plan (which promises to pay out only what you and your employer put in, plus earnings).

What happens when the financial markets take a hit as they did in 2008? The pension plans take a hit. And the governments who fund them must make up the difference.

The FASB has been pushing corporations to disclose pension obligations since the 1980s. The FASB requires corporations to own up to the true liability the pensions posed to their organizations. When confronted with the resulting terrible-looking balance sheet, most corporations decided to do away with their pension plans. The GASB is also pushing governments to recognize their true obligation when it comes to pensions and other post-employment benefits. The State of Texas disliked GASB 45 (subject matter: other post-employment benefits such as health care) so much, it passed a law allowing Texas governments to blow it off. See http://www.window.state.tx.us/newsinfo/columns/070611gasb.html for the Texas Comptroller's take on this issue.

California Public Employees Retirement System, or Calpers, is suing bond rating agencies for inaccurate ratings, causing the pension fund to lose at least $1 billion. See http://www.nytimes.com/2009/07/15/business/15calpers.html

The Pew Center on the States issued a sobering report earlier this year - stating "at the end of fiscal year 2008, there was a $1 trillion gap between the $2.35 trillion states and participating localities had set aside to pay for employees’ retirement benefits and the $3.35 trillion price tag of those promises." Trillions - not billions! http://downloads.pewcenteronthestates.org/The_Trillion_Dollar_Gap_final.pdf

And this pressure to continue to meet those enormous pension obligations appears to have driven one state - New Jersey - to fraudulent activities and they are now under investigation by the SEC. http://www.sec.gov/news/press/2010/2010-152.htm

So how long are pensions going to be part of the government compensation package? I wouldn't be surprised to see them disappear in the next decade. How about you?


Thursday, November 11, 2010

Comments on the 2010 Yellow Book - As Emailed to Michael Hrapsky at the GAO

Hi Michael –

I used the 2010 revision to teach with last week. So, I am going to take an initial stab at feedback about the new draft. Thanks for allowing me to do this informally- via email.

1. Independence: CPAs are still going to take the little bit of wiggle room you gave them and RUN with it. No one wants to give up drafting the financial statements as part of the audit and they are very busy justifying why their situation is different and they can still do what they have always done. I believe it would be better to prohibit it completely – with no professional judgment involved. It is wrong to create the subject matter that you opine on– period. And we are risking the integrity of the only service CPAs are actually licensed to provide – audits of financial statements. The AICPA is too lenient on their members on this subject and I would like to see the GAO do the right thing and flat out prohibit it.

2. Section 1.06. Auditors are still a bit confused on when the Yellow Book is applicable to their audit. They assume that if their client is a government – that the Yellow Book is automatically required. I’d like to see the language of 1.06 clarified and strengthened to say something to the effect of – “The Yellow Book is applicable to an engagement if it is required by law, policy, etc… Some organizations choose to voluntarily follow the yellow book. Just because the audited entity is a government or receives government funds, it does not mean that the government auditing standards are automatically required.” Yes, it is a bit redundant.

3. Section 1.07 – Some auditors erroneously believe that you have to be certified in order to be subject to the CPE requirements. 1.01a could be enhanced by adding “regardless of job title OR PROFESSIONAL CERTIFICATION.” Caps not necessary!

4. 3.53 – Professional judgment – This is my least favorite section of the yellow book. It is vague, redundant, and broad and I really struggle with teaching it. It is saying “turn your brain on” and then tells you when to turn your brain on. I wonder if you could merge 3.54 and 3.55 with evidence, 3.56 with competence, 3.57 with quality control, 3.58 with independence, 3.59 and 3.60 with planning, and get rid of 3.61 – which reads like an attorney’s fine print.

5. 3.84 human resources. Instead of doing a footnote back to the HR sentence in competence, I think it would be helpful to repeat the second sentence of 3.63 here… “Audit organizations should have a process for recruiting, hiring, developing, assigning, and evaluation staff to maintain a competent workforce.” Otherwise, I am afraid people are missing that because it is imbedded in another section, in the middle of a paragraph. Another solution would be to make the second sentence of 3.63 its own paragraph.

6. The appendix’s format is hard to decipher and it would be easier on the reader if you would indent the sub-topics. For instance on page 176 – c is a super topic, 1 is under c, and a is under 1. It is difficult to tell what is modifying what or what is listed under what. And this goes on for many pages.

7. 4.23 – why is abuse grouped with noncompliance? Shouldn’t it have its own number – number 4?

8. 4.22-4.30 – The 2 additional letters on internal control and compliance are out of date. So in 4.23 we find the list of all of the things that trigger a reportable condition. And then we write letters on only two of them - internal controls and compliance. And the language that is used in these letters – in reality – is obscure and only vaguely related to what this section requires. I remember asking Michael about the purpose of these letters and he explained that they enhance transparency for the user. After the AICPA gets a hold of them and creates a stream of legalistic and confusing language to satisfy this requirement – we are being anything but transparent. Auditors simply go to the AICPA for model reports and plug the name of the entity in the blank. Users don’t understand them or, I might argue, need them if there is nothing to report. I would like to see the GAO reconsider the purpose of these letters and ask whether these letters are the best way to serve this purpose. If the GAO decides to keep these letters – I would suggest updating them to include the requirements for the auditor’s responsibility for fraud and abuse. Could the GAO propose some standard language for a straight yellow book audit that is clear and straightforward – like the mandatory performance audit paragraph at 7.30 in the 2010 proposed revision?

Thanks for allowing me to say things significant and not-so-significant! You guys are the best!

Leita

Tuesday, November 9, 2010

The 2010 Revision's Impact on Internal Audit Independence

The GAO’s 2010 proposed revision to the Yellow Book isn’t saying much that is new. Instead it is saying the same stuff – just in a different way.

For instance, the section on independence regarding non-audit services caused plenty of heartburn in the 2007 revision. The GAO asked auditors to evaluate whether they were 1. Auditing their own work in performing the non-audit service or 2. Making management decisions when performing the non-audit services. Obviously, auditing your own work and making management decisions compromise an auditor’s independence because the auditor will not be motivated to admit that they messed up either the work or the decision if and when they do the audit.

One state audit organization I worked with said that they had, many years ago, become frustrated with the state agency responsible for calculating pension obligations. It seems that the auditor was constantly writing the agency up for not calculating it correctly, so the agency finally just said, “You know what? We don’t really know how to do it. Will you do it for us?” And unfortunately, the auditor decided that was a good idea.

So, one assistant state auditor made the calculation for a decade or so until he retired. When a new auditor took over the job, she quickly realized that the calculation had been wrong the whole time and that the state owed the pension plan major dinero. How embarrassing is that for the state auditor to admit!?!

And the state auditor didn’t want to admit it and was trying desperately to figure out a way to avoid admitting their mistake. The only thing I can think for the auditor to do to avoid accountability is to write the state a check for a few million out of your personal state salaried accounts. I am sure they can spare it.

This is the sort of dilemma that independence standards allow us to avoid. But at the same time, independence causes internal auditors a special brand of heartburn.

Let’s look at what the proposed new standards say:

Some 2010 Clauses Significant to Internal Auditors

The revision to the Yellow Book takes a different path, but ends up at the same place. It talks about ‘threats’ to independence – and the following sound like they were written with internal auditors in mind:

GAGAS 2010 3.10

b. Self-review threat - the threat that an auditor will not appropriately evaluate the results of a previous judgment made or service performed by the auditor, or the audit organization, on which the auditor will rely when forming a judgment significant to an audit;

d. Familiarity threat - the threat that due to a long or close relationship with management or personnel of an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work;

f. Management participation threat - the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit or attestation engagement;

And then goes on to expressly prohibit one common internal audit activity:

3.49 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing or maintaining monitoring procedures. Monitoring involves the use of ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created by an auditor performing ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level. On the other hand, nonaudit services providing separate evaluations often are performed by individuals who are not directly involved in the operation of the controls being monitored. As such, it is possible for an auditor to provide an objective analysis of control effectiveness by performing separate evaluations without creating a significant threat of management participation that would impair independence. However, in all such cases, the significance of the threat created by performing separate evaluations should be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Auditors should assess the frequency of the separate evaluations as well as the scope or extent of the controls (in relation to the scope of the audit performed) being tested in evaluating the significance of the threat.

This excerpt points out a significant thematic difference between the IIA’s Professional Practices Framework (the red book) and the yellow book. Members of the IIA like to be helpful to their employers, the GAO does not. The GAO standards are written as if the auditor is an “external” auditor – not an internal auditor. A gentleman at the GAO once told me that internal auditor is a troublesome term. How can you be internal and be an auditor? The Yellow Book discourages auditors from performing ‘consulting’ engagements and instead prefers that internal auditors concentrate on the “assurance” aspect of their work.

One of the ‘hot’ topics – if you can go as far as to call anything in auditing “HOT” – at the HOTlanta IIA International Conference last summer was continuous monitoring. Internal auditors are working themselves into a frenzy figuring out how to do it.

BUT – when working in Yellow Book land, continuous monitoring – unless used by the internal audit shop to do their audit risk assessments – compromises auditor independence.

In one of my recent courses, we were discussing the COSO model and were talking about controls that the auditee should have in place over a federal grant. An internal auditor in the audience said that one of the best controls over a federal grant possible would be a strong internal audit shop monitoring the grant. And I immediately went, “No, I am not writing that up on the board!” A sharp reaction to a simple idea.

I immediately regretted shutting him down so hard and wrote it up on the board because I didn’t want to dwell on auditor independence that particular afternoon because it was off topic. But in Yellow Book land, the internal auditor is not to perform management functions. An auditor is an objective third-party that can give an unbiased assessment of what is really going on. This participant was looking at things from the IIA perspective – where it is OK to help management.

If the auditor took on monitoring the federal grant and then later criticized compliance or operations for the same federal grant… they’d be in a bind, wouldn’t they? Because they were responsible for monitoring and thus for helping the client out. And unless the client is superhuman – they will usually come to depend on the auditor and assume (wrongly) that everything is OK and they have nothing to worry about. And then the auditor will have to write them a big fat check from his personal account for the questioned cost that they were complicit in generating. (I do realize that auditors won’t be writing any checks, by the way.)

If this discussion has made you a little hot under the collar – go to the 2010 Proposed Revision at http://www.gao.gov/new.items/d10853g.pdf and carefully read Sections 3.02-3.50. Yes, it is a lot to look over. But it is new and worth the time.

This is the time to let the GAO know what you think. Write to yellowbook@gao.gov by November 22 to have an impact on the next revision.

If you want to discuss the major differences between the Yellow Book and the Red Book – attend the 2010 Single Audit and Government Conference in Austin and catch Helen Young and me arguing over which standard is best. We had a huge laugh fest last week talking about our opposing views on the red book and yellow book. For more info, see: http://www.tscpa.org/Public/Catalog/CourseDetails.aspx?courseID=11CGC01

Sunday, November 7, 2010

The GAO's Proposed Independence Standard is a Rehash

The GAO issued a proposed revision of the Yellow Book a few weeks ago and most of the revision is less than noteworthy. The GAO is cleaning things up, reorganizing, and syncing up its language with the AICPA.

On first blush - I thought the revision to the independence standard was the biggest change and would have the biggest impact on CPAs in public practice. But today, I find that the GAO is simply repeating what the AICPA has been saying all along regarding independence in its Code of Professional Conduct... please see http://www.aicpa.org/Research/Standards/CodeofConduct/Pages/et_101.aspx#et_101

and compare and contrast that with the start of chapter 3 in the proposed Yellow Book revision at http://www.gao.gov/new.items/d10853g.pdf

I knew, from hearing Marcia Buchanan (GAO project manager for GAGAS... aka the Yellow Book) speak, that they had plucked the most difficult controversial quote directly from the AICPA standards. Here is a quote from the 2010 revision:

GAGAS 3.46 Management is responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework. Consequently an auditor’s acceptance of responsibility for the preparation and fair presentation of financial statements that the auditor will subsequently audit would impair the auditor’s independence. Auditors should determine that audited entity management taking responsibility for the preparation and fair presentation of the financial statements possesses suitable skill, knowledge, and/or experience to evaluate the adequacy of any services in this area provided by the auditor.

But this sounds so much like the AICPA, I am afraid it won't change anyone's actual behavior when it comes to both creating and auditing the financial statements.


AICPA CODE OF ETHICS .05 101-3—Performance of nonattest services.

General Requirements for Performing Nonattest Services

1. The member should not perform management functions or make management decisions for the attest client. However, the member may provide advice, research materials, and recommendations to assist the client's management in performing its functions and making decisions.

2. The client must agree to perform the following functions in connection with the engagement to perform nonattest services:

a. Make all management decisions and perform all management functions;

b. Designate an individual who possesses suitable skill, knowledge, and/or experience, preferably within senior management, to oversee the services;

c. Evaluate the adequacy and results of the services performed; and

d. Accept responsibility for the results of the services;

The member should be satisfied that the client will be able to meet all of these criteria and make an informed judgment on the results of the member's nonattest services. In assessing whether the designated individual possesses suitable skill, knowledge, and/or experience, the member should be satisfied that such individual understands the services to be performed sufficiently to oversee them. However, the individual is not required to possess the expertise to perform or re-perform the services.

In cases where the client is unable or unwilling to assume these responsibilities (for example, the client does not have an individual with suitable skill, knowledge, and/or experience to oversee the nonattest services provided, or is unwilling to perform such functions due to lack of time or desire), the member's provision of these services would impair independence.

See... very similar.

What does all of this mean, bottom line? Well, I guess we won't know for sure until the fat lady sings... or until the GAO finalizes the standard in February. I know that many CPAs really aren't interested in giving up their financial statement drafting gig and so will read the standard to their own advantage. And the GAO has left them some wiggle room.

If you have an opinion, now is the time to voice it. Write to yellowbook@gao.gov to give the folks at the GAO a piece of your mind... if you can spare it today, that is.


Friday, November 5, 2010

Observations From a Few Courses

At the end of August, I taught two days for a chapter of the Texas Society of CPAs. One topic was "Planning an Audit: Yellow Book Style." The other was, "Government Financial Statement Analysis."

1. In the audit planning course, I talk about how SAS 117 allows auditors to apply the risk assessment standards to the Single Audit. We now officially have the ability to use our professional judgment to reduce our effort on the low impact requirements and choose to spend more time on the more significant compliance requirements. During the class, I use a lame but useful analogy. My step-mother is a fabulous cook - Paula Deen style. Collard greens, black eyed peas, corn bread, cheese grits, Boston butt... southern culinary extravagance. And when I visit her, I COULD partake of everything she offers. But, since I am in my mid-40's - my Leita butt (not from Boston) doesn't look good if I eat everything. So, I have to make some hard choices. I can live without cheese grits, but I can't live without black eyed peas. I have a limited calorie intake - so I have to choose carefully. I have a spoonful of grits, but a bowl full of black eyed peas and cornbread. And am I happy? Heck yeah!

Auditors who work for CPA firms doing federal compliance audits face the same dilemma. They have bid a certain amount on the job and they need to work within those constraints or they will lose money. CPA firms can't cover every single federal requirement in great detail. Notice, please, that I did not include government (internal, state, or federal) auditors in this category. From my experience, few of them set limits on how long projects need to take and can get as `fat' as they want!

One participant in my course, an auditor at a CPA firm, who was auditing the Head-Start program at a daycare, was very excited by this revelation. He needed to cut back on his work, and the AICPA's risk assessment formula gave him justification for doing just that. Take that boring stuff off your plate! You can't afford the calories.

2. During the government financial statement analysis course, I asked the crowd five questions about government financial statements - such as "Which of these funds is a proprietary fund?" and the like. And guess what? Only a third of them knew the answers. One gentleman, who had been doing government audits for 20 years, missed every single question. WHAT? I hope he was just having a bad day or barely paying attention.

Many of the audience were newbies. And I am very glad to talk to them. Unfortunately, many CPA firms send green auditors out to do small municipalities and not-for-profits and reserve their more experienced staff for larger, riskier projects. Where does that leave the citizen in a small city? With inaccurate, uninterpreted financial statements. One city that we analyzed disclosed the same per capita income of $57,000 per citizen for the past 10 years. Unlikely.

Who else is going to hold these small governments and not-for-profits accountable, if not us? And since we both create and audit the financial statements (a practice that the GAO is doing its best to put a stop to) - who is truly watching the financial operations of a government? If we send our least experienced staff to the gig - to work with the CRAZILY complicated, post GASB-34 financial statements, who is going to catch these sort of errors? The GAO says in the 2007 version of the yellow book that "Auditing is essential to government accountability to the public." A pretty serious responsibility.

How easy it is for me to look at the game after it is all over and criticize. And - do not mistake me. I am not claiming to be Christ-like. As a matter of fact, I am quite a screw-up. But, on our journey to be the best professionals we can be, I think we can use a little redirecting occasionally. Compliance audits can and should be risk based and a newbie should not be sent out to take care of a government audit.

Proposed Yellow Book out as of 8/23/10

It's here! http://www.gao.gov/new.items/d10853g.pdf

The most significant proposed change is to independence. Otherwise, the standards have been reorganized and pared down. If the AICPA already says it - the GAO doesn't have to repeat it.

The GAO makes clear their disdain for both drafting and auditing financial statements. Hallelujah!

More later as I dissect it and teach it!

Sunday, October 31, 2010

Revision on its Way

Last Monday, I saw Marcia Buchanan, the project manager for the Yellow Book at the GAO. She was conducting a full day seminar for the Alaska Legislative Auditor and they let me sit in.

Marcia imagined that the proposed revision would be out by the 18th. Like NOW. I am watching for it every day. But, I was able to get a preview of what the proposed revision might include. Note that this is a proposed revision and it won’t be final until they get our comments and then issue the final version in the spring.

With that said, the main change to the Yellow Book will surround the general standard of independence. Independence has been a confusing, messed up section since the GAO started tweaking it earlier this decade. One thing that the GAO always allowed – somehow – was that auditors in public practice could both draft and audit the financial statements. The new standard refers to an AICPA Code of Conduct clause that makes this unacceptable. Interesting that the GAO is using the AICPA’s own writing against the members of the AICPA, in a way.

Marcia said that she shocked one of the members of the AICPA ethics board by calling forth his own standard prohibiting a CPA from working with a client that didn’t have the ability to create its own financials. He didn’t even know it was there. I have been very concerned about this practice for a long time. Blessing the financial statements that you just created goes against the basic premise of what auditors do.

We are supposed to be an objective third party that verifies that a subject matter is OK. If we create the subject matter, we are no longer objective.

More when the exposure is exposed! Redundancy is good in business writing!

Thursday, September 30, 2010

What Makes Internal Auditors Mad About the Yellow Book?

Today, I enjoyed working with internal auditors with the county, school district, transportation district, and community college in San Antonio. We were covering the Yellow Book standards.

Most internal auditors have a designation from the IIA - like a CIA or CGAP - and would prefer to follow the Red Book if given a chance. But sometimes, the choice is made for them. A rule, regulation, contract, or law calls the Yellow Book into play, and there is nothing they can do about it.

One of my previous managers at the Texas State Auditor's Office was instrumental in drafting the Internal Auditing Act in Texas that requires all internal audit directors of state agencies to be orange shops - in other words, cover both the IIA and GAO standards. But when I did a training for his group last year (he now works for a large university) he complained about his decision. He feels like the Yellow Book goes too far in a variety of areas. My audience today felt the same.

What are they annoyed with in the Yellow Book?

Independence. In general, the IIA encourages auditors to be helpful - to consult as well as provide assurance services. The GAO discourages 'consulting' work and calls this sort of work 'non-audit services.' The GAO strongly warns auditors that engaging in non-audit services could ruin their independence on audits.

The GAO also far exceeds the IIA's requirements on quality control and peer review. The GAO mimics the intense requirements of the AICPA. One onerous quality control requirement asks that auditors perform an annual monitoring inspection to ensure that the quality system is working. A peer review must be conducted every three years under GAO standards and every five years under IIA standards.

The GAO also goes into a lot more detail than the IIA regarding how to plan an audit. The IIA's Red Book is mostly focused on how to run an audit shop - not in how to conduct an audit. The GAO says very little about how to run an audit shop but goes into great detail regarding how to run an audit project - asking that auditors design their audit to detect fraud and noncompliance, describing the qualities of strong evidence, and laying out general principles for working paper documentation.

My participants today - like my old manager at the University - wish they hadn't gotten themselves into the strict land of GAO standards.

Friday, September 24, 2010

An Experienced Auditor's View on Independence

This morning, I wrote to the GAO and asked them when they would be publishing the proposed revision to the Yellow Book. Michael Hrapsky (the GAO answer man) thought they'd have something out by the end of August. I expect one of the major changes to surround independence. The GAO has been playing with that concept throughout this decade and I hope they can be clear about it this go round.

I published an article on peer review last week and heard back from a 65-year-old government auditor. I respect his opinion and this is what he had to say about independence - although he won't let me share his name with you... I'll share what he said:

"Being impartial, objective and fair are absolutes. Being independent is relative. In reality, no auditor is totally independent. We all are hired by, work for, paid by, and can be fired by someone. I have encountered auditors who have a maximum of independence (e.g., GAO staff) who did not remain impartial, and I have encountered auditors with little true independence who were fearlessly impartial and objective. The issue for me is not how independent I am, but how impartial, objective and fair I can be when auditing a particular subject and/or program."

From that viewpoint, no wonder the GAO is having a hard time with the issue of independence. If no one is independent - should that section of the Yellow Book be retitled 'objectivity'? What a sticky mess of a concept - a theoretical tar baby. When the GAO draws their new line in the sand - which historically has surpassed the AICPA's line in the sand - we can reassess our personal situation.

Thursday, September 23, 2010

Sensational Fraud Stories

OOOH – That’s bad

I fell for it again. I was attending a governmental conference and decided to stay for the general session where an FBI agent went into the gory details of a huge fraud case he worked on last year. He went as far as to share excerpts from phone conversations where they dropped the f bomb so much, it was like watching GoodFellas or something. He even went as far as to call one of the fraudsters “The Godfather.”
And the whole audience sat there riveted. “Oooh – that is bad.” “Wow, I can’t believe that.” The audience sounded like they were watching fireworks… Oooh. Ahhh. Wow….
When he started talking about how one of the fraudsters, who in addition to stealing massive amounts of money, also had child pornography on his computer, I got up and left.
Was I being edified by this information or just disgusted? I felt like I had just read something sordid in The National Enquirer about Britney Spears.
Auditors are so fascinated by the topic of fraud that we actually hire ex-fraudsters to speak to us at conferences. In an effort to ‘get in the heads’ of fraudsters, we reward those fallen from grace by paying them thousands, sometimes tens of thousands of dollars to tell their fascinating story. Who is getting ripped off now?
Yes, yes, I know fraud is real. Yes, yes, I know it is important. But do we have to talk about it all the time? At every conference?
Our addiction for sexy fraud stories has made the Certified Fraud Examiner designation super popular among auditors. And as far as I can tell, very few of us ever encounter fraud in our work lives. Some of us wish we would – that way we could act like those cool investigators on TV. Maybe like a CSI.
I hope we all realize that we are not on TV.
While we are lapping up this drivel over and over and over – we are failing to learn new auditing techniques. We aren’t sharing with each other the most effective way to sample. We don’t hear from the experts about what sort of things really hang clients up when it comes to federal grants… I could think of a dozen topics that I would find more useful. I went to one session at the conference about preparing for an orange (red book and yellow book combined) peer review and I learned a few wrinkles in the standards that I didn’t catch on first read. Now that is useful information.
And, although I have been told several times that I am wrong – and expect to hear it again – how can we have a professional designation without any standards? Why does the CFE refuse to tell its members what a fraud report should contain? Maybe that doesn’t matter.
What the CFE has shared with us is the fraud triangle and the fraud tree. Both are very useful and help identify what fraud looks like. That is great. I’ve got it. Seen both, know what they say.
Now it is time to move on to another topic - maybe something to do with IT. I feel like our lack of knowledge regarding this topic is really going to bite us in the butt down the road. IT will be the next big auditing scandal and we aren’t doing anything to prepare for it. Why? Maybe because we are wasting valuable conference time being distracted by sexy, redundant, stories of fraud.
I think we should stop expecting our conferences to be filled with tantalizing, firework-like fraud stories and instead use them as an opportunity to share what works and how to get better. I also would love it if we could drop the whole ‘facilitated panel’ idea…all that means is no one on the panel has to prepare… and it usually shows.

Monday, September 20, 2010

Why Doesn't Government run like a Corporation?

I have heard this lame question so often - I am beginning to get numb.

I am 6'3". Yep - I am extremely tall. Guess what question I get asked all of the time? Do you play basketball? I mean REALLY! My favorite response to that is, "No, but do you play miniature golf?"

I also feel like saying something smarmy back when people talk about the inefficiencies of government and ponder why government can't run like a corporation. First of all, having seen both sides of this - government and corporations - corporations have very little to brag about. Corporations can be dysfunctional, dark, and weird places. And corporations fail all of the time. The survival rate is very slim. Government can't fail. That is not an option unless you want everything - schools, electricity, commerce, emergency response, the mail! - to come to a grinding halt.

In the February 22, 2010 issue of Newsweek, an article called "America, Inc" by Andrew Romano and Michael Hirsh discussed the trend of corporate CEOs putting their hats in the political ring and reasoning that they could clean things up and run government like a great corporation. One ex-CEO turned governor, Jon Corzine, begged to differ with that statement. He, too, felt that his experience as CEO of Goldman Sachs would turn the State of New Jersey around. But he concludes that "The idea that you're accountable to a bottom line and to a payroll in managing a business - it gives voters the confidence that you have the right skills [to govern]. But it's 20,000 people versus 9 million. I don't think candidates get the scale and scope of what governing is. You don't have the flexibility you imagined. There's no exact translation."

Newsweek goes on to say "Very little that happens inside a corporate suite is like governing a state or a country. CEO's, like generals, can issue orders and expect them to be carried out. Jobs and budgets can be pared by fiat, with little public controversy. It's not nearly as simple for governors, or senators - even presidents. Their authority is never absolute. They are constrained by the separation of powers and forced to ride the tiger of public opinion. They must persuade, cajole, and arm-twist to get their way. As Harry Truman once said about his presidential successor, Dwight Eisenhower: 'He'll sit there all day saying do this, do that, and nothing will happen. Poor Ike - it won't be a bit like the Army.'"

What is the best a political leader can do - face the issues head on - begin the discussion - and then hang on for a rough ride. They can start the ball rolling, but they can hardly finish the job on their own. No, governments can't be run like corporations. And no, I don't play basketball.

Thursday, September 9, 2010

Silly Work

A few years ago, I worked with a school district in California. And this school district had a pool at every school that was run by subcontractors. Since we don't have pools at our schools in Texas, I was slightly jealous. And then I realized that this might be one reason why California is bankrupt and we are doing OK. When you build a pool - it costs money. It costs money to maintain and repair it. It costs money to regulate it and to audit it. The school district took on a world of expense and work when they took on pools!

The audit team I worked with was assigned the responsibility to monitor the pools (among other things). And the regulations over the pools were extensive. The four requirements I remember from the regulations were:

* the pool chairs must be ergonomically designed

* the pool sign height should be at child level (30 inches above the floor)

* the pool should be staffed by qualified lifeguards when children are swimming

* the pool water quality should be monitored three times a day

Unfortunately, the pool auditors did not do a risk assessment on these requirements and were checking everything. So they used a ruler to measure sign height and then wrote the contractors up if they were off by an inch. WHAT?!? What an embarrassing finding to present to management. What should they have been looking at? Lifeguards and water quality obviously.

They complained that each pool audit took them several days and most of the pools went without review. Of course it took several days when they looked at every silly requirement! Wouldn't it be better to cover more pools for the significant requirements rather than cover every silly requirement at only a few pools? You'd better say yes! :)

Today, I am teaching a group of monitors and auditors from various state agencies in Texas. Compliance auditors don't think they need to do risk assessment. Yes, they do if they don't want to waste time and the taxpayer's money.

SAS 117 made it clear that when auditors do a compliance audit, they must also follow the other SAS's. INCLUDING the risk assessment SASs. Unfortunately, many of the auditors and monitors in my class are making no effort to follow standards. But that is a subject for another blog post...

Wednesday, September 1, 2010

A Few Weeks Between Me and the IIA International Conference

A few weeks later, I’m not sure it was worth the $2000+ I spent to attend.
Why did I go? To network and to learn.
On the networking end, I did show my face and visited with some of my old buddies in the government arena. But as I told one of them – who was the best presenter during the whole conference – I could have done that right here in Austin. When there are almost 3000 folks in attendance, it is difficult to track down new folks.
I met one gentleman who knows his stuff about risk, a few other people who are also in the CPE business, and learned how Jim Kaplan started AuditNet. Maybe something will come from those interactions.
I was hoping to convince the Public Sector committee that I was worthy of appointment – but I understand from a friend of mine who works for a Big 4 – the committees don’t like vendors.
On the learning end, I was disappointed. Maybe I just didn’t pick the right stuff for my breakout sessions.
Ken Moray – the City of Austin Auditor – who was the best of the conference – did a great job putting IT professionals in their place. And he provided some great tools for assessing IT.
Joel Kramer – of MIS – was entertaining and insightful as usual. He had a list of the 25 things that stupid internal auditors do – and that was fun to laugh along with. It was funny and instructional.
I saw a woman from Britain who argued that auditors should not make recommendations – she reasoned that we should be change agents not dictators. Cool concept. I listened to the Capability Maturity Model study – which was interesting. Using it, I can decide where my clients are along a scale of audit shop maturity.
For one session – I moved four times and still didn’t find anything I was interested in.
Two keynoters were notable. The CEO of Home Depot made me proud to be a woman. When asked how she handles her busy life without passing out from stress – she said she worked at being present in each moment – meaning she doesn’t let the past or the future encroach on what she is supposed to be paying attention to now. It reminded me of a Buddhist teacher Tan Nicht Tran who wrote that when you are doing dishes – do dishes. Enjoy the dishes. He called it ‘mindfulness’. One sanctuary put bells at the top of each door so that the door would ring as you pass through it to snap your mind back to the current moment. Kinda’ cool to hear an executive talk about how mindfulness helps her day-to-day.
Another keynoter was key in exposing the Bernie Madoff fraud. It was interesting to hear how Bernie Madoff used the worst of human nature to feed off of the unsuspecting. For instance, he formed a mafia-like network of advisors who were interested in lining their own pockets and remained loyal to him out of fear and self interest. He also told several stories of audit failure and how many years ago, Bernie thought he was done for when the auditor finally asked some decent questions. Only problem was, the auditor didn’t follow through and he went on to live his lie for another decade. A pretty good cautionary tale – but our profession is full of them.
Overall, I think I’ll wait another four years for the conference to cycle back around to the United States – by then maybe they’ll be talking about something other than ERM (Enterprise Risk Management).

Tuesday, August 31, 2010

A Few Resources Regarding Risk

I had a very interesting phone conversation this morning with Brian Barnier of ValueBridge Advisors. I met him at the IIA conference in Atlanta, where he was on a panel discussing risk. I asked him for more help in defining inherent risk - as I struggle with teaching that concept. Experienced practitioners say that inherent risk is based on your gut. "Gut" is hard to teach.

The audit standards help us when it comes to control risk by providing the COSO model. But when it comes to inherent risk, they only say to 'consider magnitude and likelihood.' That is only mildly helpful. I asked Brian if he would point me to some risk resources that I could refer to in conducting my work and he said that there aren't any (ah ha... so I'm not crazy) but that he was writing one with the IIA. So now, we can wait the two years necessary for the IIA to come out with something to go off of.

In the interim - I'm not giving up my quest. And you might want to check out Brian on Risk TV. YES - Risk TV! at http://risk.mashnetworks.com/

Or check Brian out at
Brian Barnier
Envision - Align - Focus - Execute
ValueBridge Advisors
+1.203.295.0426 x703
AOL IM and Yahoo IM screen name BrianBarnier
News of "green shoots" and risk on www.twitter.com\Brian_Barnier
Team blog & videos: risktech.financetech.com

Monday, August 30, 2010

Multiple Certifications, Groups, Conferences!

I belong to three main groups – and have certifications from each of them. I belong to the Texas Society of Certified Public Accountants and am a CPA, the Institute of Internal Auditors through which I am a CGAP, and the Association of Government Accountants who grants my CGFM. But I am just scratching the surface of certification possibilities.

Right now, I am on my way to the IIA’s International Conference in Atlanta where my CGAP holds some weight. I will probably blog about the conference later.
What a cultural difference each of these groups exhibits. And although all have auditors as their members, the auditor’s makeup/perspective/profile is quite different between each group.
First the CPAs. CPAs can and do provide a wide variety of services. A typical CPA firm will do taxes, audits, bookkeeping, consulting, business valuation, estate planning, etc. etc. CPAs show up as Chief Financial Officers or budget officers in corporations and governments. In order to pass the CPA exam, you have to learn about all of those facets of work – and I believe it broadens your perspective. I know how taxes work – but don’t do my own because it takes a herculean effort to keep up with tax law. I know what keeping a general ledger entails but hire a bookkeeper to do my billings. Just because you know how it works, doesn’t mean you want to do it!
And for the portion of members who do audits – they can specialize in different industries and government types. CPA auditors at CPA firms follow the AICPA’s SASs (Statements on Auditing Standards) in conducting their work – which is primarily focused on financial statements and compliance. The AICPA’s SASs are the most complex and detailed auditing standards in existence (as far as I know!). Some auditors that audit public corporations must follow the PCAOB standards – which layer on top of the AICPA SASs.
CPAs are usually savvy businessmen and women at their core. They have a CPA firm to make money – and that shapes many of their decisions. In general, a CPA tries to spend as little time as possible on an audit project – because the faster they can do a project, the more money they make and it allows them to move on to other projects.
I am a CPA and started out with a public accounting firm. I then moved on to the Texas State Auditor’s Office where I worked on financial and compliance audits. However, it was my work as a ‘performance auditor’ at the Texas State Auditor’s Office that I liked the best. I felt it was more meaningful work and a lot more creative.
I have been to plenty of AICPA-sponsored conferences. I wouldn’t call them fun – nor the activities at night fun.
Internal Auditors are an entirely different crowd. They may have come from management and many never studied accounting. I joke that they wouldn’t know a financial statement if it came up and hugged them. Internal auditors are focused on making their employer’s operation more efficient, effective, and economical. They may also get involved in management committees and special projects. Their objectives usually sound like “Is HR complying with state hiring laws?” “Is the shipping department following corporate policies and procedures?” “Are employee benefit plans competitive in the industry?” They can, and do, look at anything and everything. Internal auditors are required by their standards to do an entity-wide risk assessment and audit plan so that they use their audit resources to make the biggest positive difference to their organization.
Internal auditors aren’t in competition with each other – as the CPA firms are – so they like to share and help each other get better at their jobs. The IIA’s motto is “Progress through sharing.” And, because of their unique position in the organization – they often have a lot of flexibility and can spend as much time on a project as they like – although good ones will spread their resources over as many risks as they can.
The standards that the internal auditors follow are loose and flexible also. Out of the three standards that I know and love – the AICPA SAS’s, the GAO’s Yellow Book, and the IIA’s red book – the IIA standards are the softest. The IIA says this is because they are working with an international community and trying to bring everyone up to a higher standard is difficult. HM. The work these folks CAN choose to do (not that they always do choose to do it) is cool and important. The IIA is very strong with research – and although they do not issue this research as standards, it is still very helpful to their members.
I recently passed the CGAP (Certified Government Audit Professional) which I passed without studying. I did buy the CGAP study manual – but thought it pulled from so many different sources, and contained so many bullet lists – it really didn’t sink in. The manual also says that you should refer to other documents living outside the manual – which I didn’t do. The exam was all over the place and was overly focused on internal auditing at the local government level – mainly municipalities. I don’t even know how you could effectively study for it. If you have any background in government, and you want another certification on your business card, I recommend it.
The CGAP was the IIA’s way to acknowledge their government auditor constituency – but it is a small part of their membership. The IIA members are primarily corporate internal auditors.
The IIA’s International Conference in Houston was a B.L.A.S.T.! The food was great (filet mignon, shrimp, crab), the venue was high class, and the party at night was rocking. The Atlanta conference wasn’t as suave or as fun… but fun none the same. At least it was better than the AICPA’s conferences because CPAs are too tight for all of that. Chicken, anyone?
The Association of Government Accountants offers the CGFM and gives the government accountant a place to hobnob. The Austin Chapter of this group is quite robust – but comprised of a diverse crowd. Most of them are not auditors – but accountants who work for the state or the city. They might be budget analysts, controllers, or consultants. Some are auditors and monitors.
I speak for the local chapter every year – and they draw quite a few auditors to the meeting. But I feel like this group suffers an identity crisis of sorts. They are such a broad umbrella, that anyone in government who is in finance, accounting, or auditing can fit in. I have never been to one of their conferences, although I understand they are HUGE and fun. I understand you can’t get an accounting or finance job in the federal government in Washington or surrounding towns without a CGFM. It holds a lot of weight up there. Not so much in other states. The AGA does not follow any standard – especially any auditing standard – because they aren’t all auditors.
Last month, I attended the ALGA (Association of Local Government Auditors) annual conference in San Antonio. I enjoyed seeing old friends and clients and I sponsored a booth for the first time. I don’t think that was a good use of my marketing budget… but with marketing it is hard to tell. ALGA does not offer any certifications. Most of the members are either CIAs (certified internal auditors), CGAPs, or CPAs. My favorite session at the conference was contrasting IIA and GAO standards. I am such a standard’s nerd!
I am considering joining the GFOA – Government Finance Officers Association. They shared the convention center in Atlanta with the IIA this week – but they didn’t have near the number of participants nor the international presence. I have spoken to that group a few times and have some affinity for them. However, for every certification – you have to pay annual dues… so I should probably experience an increase in earnings first.
Other popular certifications for this crowd are the CFE (Certified Fraud Examiner) and CISA (Certified Information System Auditor). Very nice to have under your belt - although the CFE folks worry me a bit. They don’t have any standards – although they did help write SAS 99 (the Fraud SAS). Their conferences are astronomically expensive, but I understand they are great.
You can also find organizations that cater to university auditors (ACUA), pension auditors, lottery auditors, state auditors, women (ASWA), Hispanics, etc., etc. You have a personal professional demographic? There is probably a group out there full of people much like you!
That would cost a fortune to be a member of all of the groups I mentioned. I did meet a man at the Houston IIA conference a few years back who had 10 certifications! His business card was so full, it was humorous. But, as you can imagine, he wasn’t a humorous guy. He was a very earnest and serious college professor. All his business card said to me is that he is very good at taking tests. Not necessarily that he knew what he was talking about.
The closing speaker at the IIA’s conference, Mark Sandborne, said that a professional is someone who worries more about you than you do. I like that definition quite a bit. Professionals endeavor to bring you to the next level and have your back. All groups strive to make their members more professional. You’d benefit from exploring all of the above possibilities. If you have a group you particularly like, please let me know.