The Internal Auditor's Role in Sarbanes-Oxley
By Christina Patilis, PricewaterhouseCoopers for CFOdirect
This article suggests that internal audit can play an important role in facilitating the implementation of Sarbanes-Oxley, and highlights four key steps to take.
The continuous stream of company collapses, highly publicized corporate scandals and the resulting Sarbanes-Oxley Act have dramatically changed the landscape of corporate America. A sound internal control environment and effective corporate governance process, which were once deemed to be best practices have now become mandated into laws and are a necessity to restore investors' confidence. However, many organizations are struggling with the most effective manner to set and to start the process that will meet regulatory and investors' expectations.
Enter the Internal Auditor. Internal audit has often been underutilized as a significant resource for sound corporate governance advice and invoking positive change in an organization's control environment. A value-added internal audit function offers a centralized and objective source of comprehensive information to management regarding whether an organization's control environment and governance process is operating effectively. This article suggests that internal audit can play an important role in facilitating the implementation of Sarbanes-Oxley provided that four key steps are taken.
The Four Step Approach
The following four key steps should be considered to ensure that internal audit plays an effective role.
- DISSEMINATE INTERNAL CONTROLS KNOWLEDGE.
Internal audit's mission has always involved identifying risks and ensuring that related controls exist and are operating effectively. Thus, senior management can significantly leverage internal audit's knowledge and documentation of an organization's risks, control weaknesses and outstanding recommendations for improvement. Furthermore, internal audit can educate management about the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework, which is the most accepted framework for internal control and has been incorporated into
U.S. auditing standards. Internal audit can provide internal controls and COSO training to management and serve as a subject matter expert for the organization.
- ENSURE THAT OBJECTIVITY IS MAINTAINED.
- CLARIFY EXPECTATIONS AND SECURE SUPPORT ACCORDINGLY.
- SECURE APPROPRIATE SKILL SETS AND RESOURCES TO ADAPT TO ACCOUNTING AND DISCLOSURE REQUIREMENTS AND TO MAINTAIN THE LEVEL OF INTERNAL AUDITING FOR NON-FINANCIAL REPORTING REVIEWS.
Internal audit often walks a tightrope between balancing its objectivity and providing value-added advisory guidance to management. Due to uncertainty and lack of solid internal controls savvy, management might be inclined to delegate certain internal control responsibilities to internal audit inappropriately.
Sarbanes-Oxley has further reiterated the importance of ensuring that senior management does not shy away from their responsibility for establishing and operating an effective internal control environment. Internal audit can review, document and recommend changes in the control environment as well as evaluate whether the changes made were effective. However, management remains accountable for performing and ensuring the effectiveness of control activities and deciding when it is essential for the control environment to be enhanced.
Under the COSO model, the role of internal audit falls in the "monitoring" dimension. That is, internal audit is a monitoring control and it is inappropriate for internal audit to act at any time to "become" the control. Thus, it is imperative that internal audit continues to guard its objectivity by drawing a clear line between auditing control processes and conducting and implementing them as a primary facet of the control environment. If internal audit does not tread carefully in this area, the accountability objective, as intended by Sarbanes-Oxley, will be defeated.
Internal audit should ensure that its scope of work and communication and reporting mechanisms are clarified with management and other relevant parties and approved by the Audit Committee. The internal audit charter can be a useful vehicle for documenting internal audit's responsibilities as it relates to Sarbanes-Oxley.
Under Sarbanes-Oxley Section 404, the external auditor must attest to management's assertions regarding the effectiveness of internal controls surrounding financial reporting. Internal audit can add value by participating in management's meetings with the external auditor to assist in identifying and meeting the internal control documentation and testing expectations. In this area particularly, internal audit should clarify and document their role thoroughly.
Internal audit's role also will be most effective when there is widespread organizational support. Senior management and the Audit Committee must elevate internal audit to a high level of importance and promote organizational awareness accordingly. This can be facilitated by including internal audit in all key management committees, requiring and enforcing timely management responses and action plans for all significant internal audit findings and creating a reporting hierarchy and culture whereby internal audit can present potential contentious issues without hesitation.
Internal audit typically has encountered challenges in developing and retaining solid auditing capabilities, industry knowledge, information technology skill sets, and other related expertise. Management buy-in on increasing head count has also proven difficult.
With Sarbanes-Oxley, internal audit will require even more resources, including those specifically attuned to financial reporting disclosures. Fortunately, this time internal audit is likely to encounter strong commitment by management in ensuring appropriate resources are allocated to evaluating the internal controls process. Thus, internal audit will need to determine the additional effort required by Sarbanes-Oxley responsibility and agree on these resource needs with management and the Audit Committee. However, coverage of the non-financial reporting related reviews should not be sacrificed. Furthermore, internal audit should consider accessing specialized skill sets in Sarbanes-Oxley externally. Although most organizations are just beginning to get a handle on Sarbanes-Oxley, others might be more ahead of the curve and can offer tremendous insight.
The corporate world has certainly changed. Organizations will need to adjust quickly and proactively to the new world of corporate reform or surely face grave consequences if appropriate actions are not taken.
Internal audit has a great opportunity to demonstrate its fullest potential. Management should tap into this resource extensively but still maintain appropriate accountability and responsibility.
For more information on internal audit's role in Sarbanes-Oxley, please contact Christina Patilis in New York at (646) 471-2013 or firstname.lastname@example.org