Should internal audit ‘do SOX’?
There is a sharp divide among internal audit professionals as to whether the internal audit function should play a significant role in the SOX program. In the first few years of SOX, management more often than not looked to internal audit as internal control experts to lead the development and implementation of the SOX program.
For example, a KPMG study in 2005 showed that internal audit:
- was responsible for oversight of the SOX program at 15% of companies;
- provided day-to-day project management at 31% of companies (it should be noted that several surveys on this topic produced very different results. A PwC study (State of the internal audit profession study: internal audit post Sarbanes-Oxley) in the same year reported that 56% of companies relied on internal audit for day-to-day project management); and
- was involved in documentation and testing of key controls at 85% of companies.
However, those internal audit functions were generally not given the resources necessary to perform the SOX work in addition to what they needed to meet their traditional assurance responsibilities. As a result, internal audit departments found themselves consumed by a focus on SOX and cut back on audits of other risk areas. The PwC study referenced above reported that for 70% of companies in the first year of their SOX program, internal audit dedicated at least 50% of their resources to supporting the SOX program.
This rightly caused concern among internal audit professionals, the auditing firms, and a number of governance experts. They urged companies and their internal auditors to return to a more operational and traditional focus on risks and controls that extended beyond financial reporting. For example, Deloitte (Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era Second Edition, 2006) commented:
“The dramatic increase in the workload of internal audit attributable to Sarbanes-Oxley wasn’t always accompanied by an equal rise in resources, leading to a predictable outcome: The traditional work of the function—operational, systems, fraud investigations, and special project audit work—often took a back seat to the more pressing needs of regulatory compliance.
“For many internal audit departments, this shift toward Sarbanes-Oxley-related duties demands rebalancing. Meeting the requirements of the law is, obviously, important, but not to the detriment of other responsibilities. The function’s all-encompassing focus on Sarbanes-Oxley, adopted out of necessity in the early years, should diminish going forward, and in its stead should be a more rational and considered distribution of duties.”
PwC (How to rebalance internal audit priorities in the Sarbanes-Oxley era, 2005) had even stronger language:
“Internal audit organizations have been so consumed by SarbanesOxley [sic] that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That’s because a failure to address key strategic, operational and compliance risk areas in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future.”
Today, the number of internal audit functions involved in these three areas is lower (although KPMG and other firms have not updated their surveys, less formal studies show about half of companies are still using internal audit to perform SOX testing) and efficiencies have brought the level of effort down as well. Certainly, larger firms are more likely to have established internal control functions (or similar) within the corporate finance function that are responsible for the SOX program. But, the concern remains among a number of internal audit leaders.
While there is a risk, as expressed above by Deloitte and PwC, there are also significant benefits when internal audit makes a contribution to the SOX program. These include:
- Internal audit practitioners are experts in internal control and their experience and insights contribute to an efficient and effective SOX program.
- When internal audit performs testing on behalf of management, it is more likely to be relied on by the external auditors, and this can result in significant savings on audit fees.
- Internal audit can perform combined or integrated audits that include both SOX testing and non-SOX work. The total number of audits performed, each of which management has to support, is reduced.
- When internal audit tests SOX key controls, they are more likely to be able to recommend process and control enhancements than if the testing is performed by management.
- Internal audit is charged with providing assurance and consulting services on all major risks, including the risk of poor controls over financial reporting. They might be obliged to review and assess management’s testing if they don’t do it themselves, at greater cost to the company as a whole than if they did the testing.
Each company should weigh the risks and benefits of internal audit involvement in SOX. These considerations should be given significant attention by management and the board:
- It is critical that internal audit have the resources to meet their commitments as documented in their charter. Their ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that they cannot address issues of significance.
- Internal audit may not perform a management function. It must remain independent and objective, consistent with IIA’s International Standards for the Professional Practice of Internal Auditing. It can, as a consulting service, facilitate the SOX program and provide day-to-day project management. It can also perform testing of key controls. However, the following are management functions that cannot be assigned to internal audit:
  - Responsibility for the SOX assessment and program. These typically rest with the CEO and CFO.
  - Making decisions relative to the SOX scope and program design. Internal audit may make recommendations but management should make the final decision in each case.
  - Assessing whether a deficiency will be considered, for the purposes of management’s assessment of ICFR, a material weakness. Internal audit should share its opinion, but the decision rests with management.
  - Assessing the overall adequacy of ICFR.
- The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the points in (2) above. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both need to put the interests of the company first.
Reference should also be made to guidance from the IIA in Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act, which was released on May 26, 2004. Key points addressed in the document related to assistance with testing include:
“It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization’s Sarbanes-Oxley project can be significant, but also must be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts as the work is within the natural domain of expertise of internal auditing.” (Executive Summary)
“Activities that are included in the internal auditor’s recommended role in supporting the organization in meeting the requirements of Sections 302 and 404 include:
- Project Oversight
- Consulting and Project Support
- Ongoing Monitoring and Testing
- Project Audit”
(Recommended Role of Internal Audit)
“Ongoing Monitoring and Testing
- Advise management regarding the design, scope, and frequency of tests to be performed.
- Independent assessor of management testing and assessment processes.
- Perform tests of management’s basis for assertions.
- Perform effectiveness testing (for highest reliance by external auditors).
- Aid in identifying control gaps and review management plans for correcting control gaps.
- Perform follow-up reviews to ascertain whether control gaps have been adequately addressed.
- Act as coordinator between management and the external auditor as to discussions of scope and testing plans.
- Participate in disclosure committee to ensure that results of ongoing internal audit activities and other examination activities, such as external regulatory examinations, are brought to the committee for disclosure consideration.”
(Recommended Role of Internal Audit)
Before leaving the subject, I want to address some concerns that internal auditors have expressed to me:
- SOX is a management function: yes, it is, but internal audit can add value to the company as a whole by helping with permitted roles.
- It damages our independence: not if the guidance above is followed.
- It interferes with our ability to do our core job: not if sufficient resources are given, and the guidance above is followed.
- You don’t need experienced internal auditors to perform SOX testing: you need people appropriate to the task. If you are only going to perform basic testing, you can use more junior staff – the same people that would otherwise be employed by management. But, you have the opportunity to (a) combine SOX work with other audit work and obtain efficiencies, and (b) go beyond SOX compliance and suggest improvements to processes and controls to manage all forms of business risk in the process.
- It hurts recruiting: why, when the company needs these people anyway, and it provides more experienced staff the opportunity to supervise and train.
- I don’t want to do it: tough!
So, should internal audit ‘do SOX’? I have done precisely that three times, and it worked very well. But is it right for every company – no. Each should determine what works best, but looking at what is best for the company as a whole rather than just what internal audit wants.
So what do you think?