I am looking forward to the opportunity to debate this topic next week with Richard Chambers, President and CEO of IIA Global – to be made available later on IIA’s Audit Channel TV.
Here is a summary of my thinking, using an excerpt from my book: Minimize Costs & Increase the Value of your Sarbanes-Oxley 404 Program: Management’s Guide to Effect....
The main points are these:
I welcome your comments.
There is a sharp divide among internal audit professionals as to whether the internal audit activity should play a significant role in the Sarbanes-Oxley program. In the first few years of Sarbanes-Oxley, management more often than not looked to internal audit as internal control experts to lead the development and implementation of the Sarbanes-Oxley program.
For example, a KPMG study in 2005 showed that internal audit:
However, those internal audit activities were generally not given the resources necessary to perform the Sarbanes-Oxley work in addition to what they needed to meet their traditional and broader assurance responsibilities. As a result, internal audit groups became consumed by a narrow focus on Sarbanes-Oxley and cut back on audits of other risk areas. The PwC study referenced above reported that for 70 percent of companies in the first year of their Sarbanes-Oxley program, internal audit dedicated at least 50 percent of its resources to supporting the Sarbanes-Oxley program.
This caused concern among internal audit professionals, audit committees, the auditing firms, and a number of governance experts. They urged companies and their internal auditors to return to a more operational and traditional focus on risks and controls that extended beyond financial reporting.
PwC commented:
“Internal audit organizations have been so consumed by Sarbanes-Oxley [sic] that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That’s because a failure to address key strategic, operational, and compliance risk areas in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future.”
Today, the number of internal audit activities involved in these three areas is lower (although KPMG and other firms have not updated their surveys, less formal studies show about half of companies are still using internal audit to perform Sarbanes-Oxley testing) and efficiencies have brought the level of effort down as well. Certainly, larger firms are more likely to have established internal control activities (or similar) within the corporate finance function that are responsible for the Sarbanes-Oxley program. But the concern remains among a number of internal audit leaders.
While there is a risk, there are also significant benefits when internal audit makes a contribution to the Sarbanes-Oxley program. These include:
Each company should weigh the risks and benefits of internal audit involvement in Sarbanes-Oxley. These considerations should be given significant attention by management and the board:
Reference should also be made to guidance from The IIA in Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act, which was released on May 26, 2004. Key points addressed in the document related to assistance with testing include:
“It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization’s Sarbanes-Oxley project can be significant but also must be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts as the work is within the natural domain of expertise of internal auditing.” (Executive Summary)
“Activities that are included in the internal auditor’s recommended role in supporting the organization in meeting the requirements of Sections 302 and 404 include: