Common Questions About Internal Audit, New Regulatory Requirements
Internal audit has taken on new prominence now that New York Stock Exchange-listed companies are required to have an internal audit function. Public and private companies throughout the country are evaluating the benefits of internal audit to their operations.
Many organizations, in fact, have questions as to how an internal audit function can impact their businesses and what exactly the new NYSE listing standards require.
To address these issues, Protiviti Inc., a leading internal audit and business and technology risk consulting firm, has developed a list of frequently asked questions and responses to help companies assess their internal audit needs and, if applicable, their readiness to comply with the NYSE's internal audit requirement.
"Well-designed, properly staffed and correctly focused internal audit functions provide tremendous value to boards, executives and shareholders in the areas of risk management, internal controls, operational improvement and overall corporate governance," said Robert Hirth, managing director for Protiviti and head of the firm's internal audit practice. "Companies of all sizes, whether public or private, should consider internal audit solutions in a manner that creates an effective and value-added function rather than adopting a 'check-the-box' approach."
Protiviti has composed 10 common questions and answers that offer guidance on establishing a quality internal audit function and complying with the NYSE requirement:
- What companies are impacted by the U.S. Securities and Exchange Commission's approval of the new standards? Only NYSE-listed firms are affected. While the SEC also approved new listing standards for the Nasdaq, these did not include an internal audit requirement. "However," Hirth said, "we anticipate these regulations will raise awareness among boards, audit committees and senior management about the benefits of having an effective internal audit function, regardless of the stock exchange on which a company is listed." He added that many large private companies with diverse and complex operations may find that developing an effective internal audit function will assist them in maintaining, validating and improving internal controls; identifying opportunities to reduce costs and improve processes; and enhancing governance.
- Will NYSE-listed companies have to add new staff to meet the internal audit requirement? The new rule does not require companies to add internal audit personnel. Thus companies with adequately staffed internal audit departments likely won't need to institute changes. Still, those that lack a department or are understaffed may opt for a co-sourcing or outsourcing arrangement with a third-party service provider other than the external auditor, as permitted by the regulations. "Outsourcing could be an attractive option for many NYSE-listed companies that now find themselves needing to quickly establish an internal audit function to achieve compliance," said Hirth. "Outsourcing is a quick and cost-effective solution that provides immediate access to needed skills and resources that often provide a higher level of expertise, independence and objectivity."
- What is required if a company already has an internal audit function? Nothing new is specifically required, but Hirth noted that the final rule provides an impetus to review internal audit staffing. "Companies should ensure they possess the resources and skill requirements needed to respond to cyclical workloads, meet the challenges of this new regulatory environment and address new risks they now confront," he said.
- What is the proper internal audit staffing mix? Protiviti recommends that companies look to their individual risk profiles to drive staffing decisions. The firm points out that businesses facing a significant number of risks or particularly complex risks will require a range of specialists and expertise.
Most internal audit departments are headed by a chief audit executive and include layers of staff such as managers, senior auditors and auditors. Yet many companies also rely on other in-house professionals or tap into the specialized skill sets of outside providers.
- How much should a company spend on internal audit? "The amount invested should depend on the level and complexity of risks a company faces and the responsibilities given to the internal audit function," Hirth explained.
He added that a study by The Institute of Internal Auditors (IIA) identified a general range between 0.03 percent and 0.2 percent of revenues for an internal audit budget. "However, actual budgets vary widely today, and risk should be one of the key factors in determining the level of expenditures and resources required."
- What are the first steps in initiating an internal audit function? Initial steps should include clarifying expectations with senior management, the board and audit committee; considering the appropriate staffing model (e.g., in-house, co-sourced or outsourced); and formulating reporting responsibilities. Other key tasks involve developing an audit charter, identifying the "universe" of auditable entities, completing an initial risk assessment and developing an audit plan.
- What are the qualities of a strong internal audit function? The most salient qualities include an effective chief audit executive, a highly supportive audit committee and senior management team, a sound risk-assessment process, an identifiable and well-conceived audit methodology, and a focus on meeting customer needs. There must be an understanding that as a company changes, so do its risks. Also, every function should adhere to The IIA's International Standards for the Professional Practice of Internal Auditing.
- Should internal audit have a role in compliance with the Sarbanes-Oxley Act? Yes. Because internal auditors are well-versed in areas such as process documentation, internal control evaluation and testing, they can play a valuable role in any company's Sarbanes-Oxley compliance efforts.
- What are the most effective ways for management to use internal audit? "Perhaps the most effective way is for management to understand the key risks their company faces," said Hirth. "They should work with the internal audit department to determine how it can best help the organization address and mitigate those risks."
- Can a company use its external auditor to perform internal audit work? Although recent SEC regulations prohibit companies from outsourcing internal audit work to their external auditor, Protiviti notes there are certain exceptions where a limited amount of internal audit work can be performed by an external auditor. For example, internal audit work is permitted if it won't be relied on as part of the external audit.
The SEC approved the proposed NYSE listing standards in early November 2003. According to the NYSE, "Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control." Companies are expected to comply with the requirement by the first annual meeting after January 15, 2004, or by October 31, 2004, whichever is earlier.