I am looking forward to the opportunity to debate this topic next week with Richard Chambers, President and CEO of IIA Global – to be made available later on IIA’s Audit Channel TV.

Here is a summary of my thinking, using an excerpt from my book: Minimize Costs & Increase the Value of your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls.

The main points are these:

  1. It is critical that internal audit have the resources to meet its commitments as documented in the charter. Its ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that it cannot address issues of significance.
  2. The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the need to retain objectivity. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both must put the interests of the company first.

I welcome your comments.

There is a sharp divide among internal audit professionals as to whether the internal audit activity should play a significant role in the Sarbanes-Oxley program. In the first few years of Sarbanes-Oxley, management more often than not looked to internal audit as internal control experts to lead the development and implementation of the Sarbanes-Oxley program.

For example, a KPMG study in 2005 showed that internal audit:

  • Was responsible for oversight of the Sarbanes-Oxley program at 15 percent of companies.
  • Provided day-to-day project management at 31 percent of companies (it should be noted that several surveys on this topic produced very different results. A PricewaterhouseCoopers (PwC) study [written by Richard Chambers] in the same year reported that 56 percent of companies relied on internal audit for day-to-day project management).
  • Was involved in documentation and testing of key controls at 85 percent of companies.

However, those internal audit activities were generally not given the resources necessary to perform the Sarbanes-Oxley work in addition to what they needed to meet their traditional and broader assurance responsibilities. As a result, internal audit groups became consumed by a narrow focus on Sarbanes-Oxley and cut back on audits of other risk areas. The PwC study referenced above reported that for 70 percent of companies in the first year of their Sarbanes-Oxley program, internal audit dedicated at least 50 percent of its resources to supporting the Sarbanes-Oxley program.

This caused concern among internal audit professionals, audit committees, the auditing firms, and a number of governance experts. They urged companies and their internal auditors to return to a more operational and traditional focus on risks and controls that extended beyond financial reporting.

PwC commented:

“Internal audit organizations have been so consumed by Sarbanes-Oxley [sic] that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That’s because a failure to address key strategic, operational, and compliance risk areas in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future.”

Today, the number of internal audit activities involved in these three areas is lower (although KPMG and other firms have not updated their surveys, less formal studies show about half of companies are still using internal audit to perform Sarbanes-Oxley testing) and efficiencies have brought the level of effort down as well. Certainly, larger firms are more likely to have established internal control activities (or similar) within the corporate finance function that are responsible for the Sarbanes-Oxley program. But the concern remains among a number of internal audit leaders.

While there is a risk, there are also significant benefits when internal audit makes a contribution to the Sarbanes-Oxley program. These include:

  • Internal audit practitioners are experts in internal control and their experience and insights contribute to an efficient and effective Sarbanes-Oxley program.
  • When internal audit performs testing on behalf of management, it is more likely to be relied on by the external auditors, and this can result in significant savings on audit fees.
  • Internal audit can perform combined or integrated audits that include both Sarbanes-Oxley testing and non-Sarbanes-Oxley work. The total number of audits performed, each of which management must support, is reduced.
  • When internal audit tests Sarbanes-Oxley key controls, they are more likely to be able to recommend process and control enhancements than if the testing is performed by management.
  • Internal audit is charged with providing assurance and consulting services on all major risks, including the risk of poor controls over financial reporting. They might be obliged to review and assess management’s testing if they don’t do it themselves, at greater cost to the company as a whole than if they did the testing.

Each company should weigh the risks and benefits of internal audit involvement in Sarbanes-Oxley. These considerations should be given significant attention by management and the board:

  1. It is critical that internal audit have the resources to meet its commitments as documented in the charter. Its ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that it cannot address issues of significance.
  2. Internal audit may not perform a management function. It must remain independent and objective, consistent with The IIA’s International Standards for the Professional Practice of Internal Auditing. It can, as a consulting service, facilitate the Sarbanes-Oxley program and provide day-to-day project management. It can also perform testing of key controls. However, the following are management functions that cannot be assigned to internal audit:
    1. Responsibility for the Sarbanes-Oxley assessment and program. These typically rest with the CEO and CFO.
    2. Making decisions relative to the Sarbanes-Oxley scope and program design. Internal audit may make recommendations, but management should make the final decision in each case.
    3. Assessing whether a deficiency will be considered, for the purposes of management’s assessment of ICFR, a material weakness. Internal audit should share its opinion, but the decision rests with management.
    4. Assessing the overall adequacy of ICFR.
  3. The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the points in (2) above. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both must put the interests of the company first.

Reference should also be made to guidance from The IIA in Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act, which was released on May 26, 2004. Key points addressed in the document related to assistance with testing include:

“It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization’s Sarbanes-Oxley project can be significant but also must be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts as the work is within the natural domain of expertise of internal auditing.” (Executive Summary)

“Activities that are included in the internal auditor’s recommended role in supporting the organization in meeting the requirements of Sections 302 and 404 include:

  • Project Oversight.
  • Consulting and Project Support.
  • Ongoing Monitoring and Testing.
  • Project Audit.”

“Ongoing Monitoring and Testing

  • Advise management regarding the design, scope, and frequency of tests to be performed.
  • Independent assessor of management testing and assessment processes.
  • Perform tests of management’s basis for assertions.
  • Perform effectiveness testing (for highest reliance by external auditors).
  • Aid in identifying control gaps and review management plans for correcting control gaps.
  • Perform follow-up reviews to ascertain whether control gaps have been adequately addressed.
  • Act as coordinator between management and the external auditor as to discussions of scope and testing plans.
  • Participate in disclosure committee to ensure that results of ongoing internal audit activities and other examination activities, such as external regulatory examinations, are brought to the committee for disclosure consideration.”
2 Comments

  1. Tridip Chakraborthy

    Hi Norman – loved the aspects of your blog. I have also done a lot of implementations and faced a lot of SAP Procurement audits, and have expressed myself in a couple of blogs on the topic of Sarbanes-Oxley for the procurement function (for SAP procurement solutions).

    Keep up the great work.

    Cheers

    Tridip
