Home > Risk > Should internal audit ‘do SOX’?

Should internal audit ‘do SOX’?

There is a sharp divide among internal audit professionals as to whether the internal audit function should play a significant role in the SOX program. In the first few years of SOX, management more often than not looked to internal audit as internal control experts to lead the development and implementation of the SOX program.

For example, a KPMG study in 2005 showed that internal audit:

  • was responsible for oversight of the SOX program at 15% of companies;
  • provided day-to-day project management at 31% of companies (it should be noted that several surveys on this topic produced very different results. A PwC study (State of the internal audit profession study: internal audit post Sarbanes-Oxley) in the same year reported that 56% of companies relied on internal audit for day-to-day project management); and
  • was involved in documentation and testing of key controls at 85% of companies

However, those internal audit functions were generally not given the resources necessary to perform the SOX work in addition to what they needed to meet their traditional assurance responsibilities. As result, internal audit departments found themselves consumed by a focus on SOX and cut back on audits of other risk areas. The PwC study referenced above reported that for 70% of companies in the first year of their SOX program, internal audit dedicated at least 50% of their resources to supporting the SOX program.

This rightly caused concern among internal audit professionals, the auditing firms, and a number of governance experts. They urged companies and their internal auditors to return to a more operational and traditional focus on risks and controls that extended beyond financial reporting. For example, Deloitte (Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era Second Edition, 2006) commented:

“The dramatic increase in the workload of internal audit attributable to Sarbanes-Oxley wasn’t always accompanied by an equal rise in resources, leading to a predictable outcome: The traditional work of the function—operational, systems, fraud investigations, and special project audit work—often took a back seat to the more pressing needs of regulatory compliance.

“For many internal audit departments, this shift toward Sarbanes-Oxley-related duties demands rebalancing. Meeting the requirements of the law is, obviously, important, but not to the detriment of other responsibilities. The function’s all-encompassing focus on Sarbanes-Oxley, adopted out of necessity in the early years, should diminish going forward, and in its stead should be a more rational and considered distribution of duties.

PwC (How to rebalance internal audit priorities in the Sarbanes-Oxley era, 2005) had even stronger language:

“Internal audit organizations have been so consumed by SarbanesOxley [sic] that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That’s because a failure to address key strategic, operational and compliance risk areas in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future.”

Today, the number of internal audit functions involved in these three areas is lower (although KPMG and other firms have not updated their surveys, less formal studies show about half of companies are still using internal audit to perform SOX testing) and efficiencies have brought the level of effort down as well. Certainly, larger firms are more likely to have established internal control functions (or similar) within the corporate finance function that are responsible for the SOX program. But, the concern remains among a number of internal audit leaders.

While there is a risk, as expressed above by Deloitte and PwC, there are also significant benefits when internal audit makes a contribution to the SOX program. These include:

  • Internal audit practitioners are experts in internal control and their experience and insights contribute to an efficient and effective SOX program.
  • When internal audit performs testing on behalf of management, it is more likely to be relied on by the external auditors, and this can result in significant savings on audit fees.
  • Internal audit can perform combined or integrated audits that include both SOX testing and non-SOX work. The total number of audits performed, each of which management has to support, is reduced.
  • When internal audit tests SOX key controls, they are more likely to be able to recommend process and control enhancements than if the testing is performed by management.
  • Internal audit is charged with providing assurance and consulting services on all major risks, including the risk of poor controls over financial reporting. They might be obliged to review and assess management’s testing if they don’t do it themselves, at greater cost to the company as a whole than if they did the testing.

Each company should weigh the risks and benefits of internal audit involvement in SOX. These considerations should be given significant attention by management and the board:

  1. It is critical that internal audit have the resources to meet their commitments as documented in their charter. Their ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that they cannot address issues of significance.
  2. Internal audit may not perform a management function. It must remain independent and objective, consistent with IIA’s International Standards for the Professional Practice of Internal Auditing.  It can, as a consulting service, facilitate the SOX program and provide day-to-day project management. It can also perform testing of key controls. However, the following are management functions that cannot be assigned to internal audit:
    • Responsibility for the SOX assessment and program. These typically rest with the CEO and CFO.
    • Making decisions relative to the SOX scope and program design. Internal audit may make recommendations but management should make the final decision in each case.
    • Assessing whether a deficiency will be considered, for the purposes of management’s assessment of ICFR, a material weakness. Internal audit should share its opinion, but the decision rests with management.
    • Assessing the overall adequacy of ICFR.
    • The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the need to points in (2) above. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both need to put the interests of the company first.

Reference should also be made to guidance from the IIA in Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act, which was released on May 26, 2004. Key points addressed in the document related to assistance with testing include:

“It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization’s Sarbanes-Oxley project can be significant, but also must be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts as the work is within the natural domain of expertise of internal auditing.” (Executive Summary)

“Activities that are included in the internal auditor’s recommended role in supporting the organization in meeting the requirements of Sections 302 and 404 include:

  • Project Oversight
  • Consulting and Project Support
  • Ongoing Monitoring and Testing
  • Project Audit”

(Recommended Role of Internal Audit)

Ongoing Monitoring and Testing

  • Advise management regarding the design, scope, and frequency of tests to be performed.
  • Independent assessor of management testing and assessment processes.
  • Perform tests of management’s basis for assertions.
  • Perform effectiveness testing (for highest reliance by external auditors).
  • Aid in identifying control gaps and review management plans for correcting control gaps.
  • Perform follow-up reviews to ascertain whether control gaps have been adequately addressed.
  • Act as coordinator between management and the external auditor as to discussions of scope and testing plans.
  • Participate in disclosure committee to ensure that results of ongoing internal audit activities and other examination activities, such as external regulatory examinations, are brought to the committee for disclosure consideration.”

(Recommended Role of Internal Audit)

Before leaving the subject, I want to address some concerns that internal auditors have expressed to me:

  1. SOX is a management function: yes, it is, but internal audit can add value to the company as a whole by helping with permitted roles.
  2. It damages our independence: not if the guidance above is followed.
  3. It interferes with our ability to do our core job: not if sufficient resources are given, and the guidance above is followed.
  4. You don’t need experienced internal auditors to perform SOX testing: you need people appropriate to the task. If you are only going to perform basic testing, you can use more junior staff – the same people that would otherwise be employed by management. But, you have the opportunity to (a) combine SOX work with other audit work and obtain efficiencies, and (b) go beyond SOX compliance and suggest improvements to processes and controls to manage all forms of business risk in the process.
  5. It hurts recruiting: why, when the company needs these people anyway, and it provides more experienced staff the opportunity to supervise and train.
  6. I don’t want to do it: tough!

So, should internal audit ‘do SOX’? I have done precisely that three times, and it worked very well. But is it right for every company – no. Each should determine what works best, but looking at what is best for the company as a whole rather than just what internal audit wants.

So what do you think?

  1. Premraj
    August 3, 2011 at 1:09 AM

    I also Agree with the approach of Performing SOX with the help of Internal Auditors ,I did that once with the help of Internal Controls considering the availability of enough resources.
    It was good .

  2. Rick Teubner
    August 3, 2011 at 6:41 AM

    I have to agree with Norman, that having IA perform SoX testing will work well for some companies but may not work well for others.

    First, you have to look at the level of internal control knowledge and sophistication that Finance Managers have and decide if they a) have sufficient knowledge to assess their own controls and b) have the integrity to admit to their own control failures. Many Finance Mangers that I’ve worked with have a very cynical view of SoX and treat it as a formality rather than an opportunity to self-assess. It’s fairly easy to simply report zero failures, quarter after quarter, without really taking an objective view of the process. If IA is involved, there is independent oversight that top management can rely on since control experts have some oversight of the process.

    There is also a significant risk, as Norman clearly points out, that an audit department will be consumed by SoX and let more significant risks go unaudited. SoX only deals with Financial Reporting risks, and there are clearly other risks, perhaps more significant, that could impact a company. One only has to look to the COSO model to realize that this is the case.

    My view is that IA should treat SoX as a priority, offering resources, coaching and consulting, but not abandon the audit plan in the process.

    August 3, 2011 at 2:46 PM

    You are the SOX expert Norman and so I can not talk much about it except to say that the more pressing regulatory needs of SOX was illusory. Strong heads of internal audit with good background in risk management needed to push back much harder but did not push back and as such spent all their time doing SOX when they needed to stay focused on risk as well. It does not help that they did not receive support from their management, from the external auditors and from the the IIA in the direction I am saying they should have focused on. Now they are playing catch up and there will be pain

    • Norman Marks
      August 4, 2011 at 6:41 AM

      Arnold, the IIA pushed back hard – I can say that because I was on the team that wrote the IIA responses to draft legislation and the to PCAOB and SEC rules. However, shouting loud is not going to work when the regulators don’t want to listen.

      There most definitely was a need to tighten controls around financial reporting. What else can you conclude when the CEO didn’t even read the 10Q and 10K?

      Controls at a majority of companies were not up to the task. Errors and even manipulation were higher RISKS than they should have been.

      Now was the SOX legislation OK? Yes, because it just required a management assessment and an external assessment of management’s assessment.

      Were the SEC rules OK? No, because they went beyond the legislation to require an audit of the controls over financial reporting by the external auditor, which was not required by SOX.

      Were the PCAOB standards OK? Well, AS/2 was not and had to be replaced by AS/5. Both fail to put sufficient attention on the root cause of most financial reporting errors: the Control Environment (COSO layer). That is not just the ‘tone at the top’, but the oversight by the audit committee, the hiring of competent professionals in financial reporting, and the ‘tone at the middle’: pressure to make the numbers.

  4. Frans Kersten
    August 3, 2011 at 11:10 PM

    SOx doesn’t use the right proces engineering principles. Processes itself should be “selftesting” and “selfcorrecting”. This can largely decrease the number of test to verify if processen are carried out the way they should be. We in the Netherlands have the curriculum “bestuurlijke informatieverzorging” (often translated as “accounting information systems” but this doesn’t cover the entire field) that covers such principles. Applying them will mean that IA has much less work to do. I once read that a Dutch company that has to be SOx-complaint came to the same insight and skipped unnecessairy tests.

  5. Norman Marks
    August 4, 2011 at 6:35 AM

    Frans, a well-designed business process will have these “self-testing” and “self-correcting” activities – they are the controls. The SOX program should identify the controls in place to manage the risk, then assess their design and test their operation to confirm they address the financial reporting risks.

  6. Choo-Lee Khor
    September 8, 2011 at 4:16 AM

    I have experienced intergrated audits as mentioned by Norman that can work well if developed as appropriate for the business to combine testing of Sox and non Sox work. This approach appears to make better use of limited resources, making best use of IA’s expertise and also provide value beyond compliance. However, in practice this approach has to take into consideration the skill sets of auditors required to be able to perform beyond ticking the box.

  7. ISO 9001
    October 19, 2011 at 2:20 AM

    Very good post, I was really searching for this topic, as I wanted this topic to understand completely and it is also very rare in internet, that is why it was very difficult to understand.

    Thank you for sharing this.

    ISO 9001

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: