sing Role of Internal Audit in SoX

Date post: 09-Apr-2018
  • 8/8/2019 sing Role of Internal Audit in SoX

    1/16

    1

Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era

Although this publication contains information on compliance with Sarbanes-Oxley section 404, it is neither a comprehensive nor an exhaustive treatment of the topic. This publication contains general information only and should not be relied upon for accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect you or your business. Before making any decision or taking any action that may affect you or your business, you should consult a qualified professional advisor. The information contained in this publication likely will change in material respects; we are under no obligation to update such information. Neither Deloitte & Touche LLP, Deloitte Touche Tohmatsu nor any of their affiliates or related entities shall have any liability to any person or entity who relies on this publication.

Table of Contents

Overview 1
Defining Effectiveness 1
Organizational Structure 2
Role of Internal Audit in the Sarbanes-Oxley Era 3
Fraud Detection 4
The Pursuit of Quality 6
Deploying Technology 6
Third-Party Compliance 7
Risk Management 7
Beyond Sarbanes-Oxley 8
Peak Performance Indicators 8
Conclusion 8


    Overview

Few would dispute that the Sarbanes-Oxley Act of 2002[1] has profoundly changed the business environment for companies listed on the U.S. equities markets. The mandated emphasis on corporate governance and internal control has transformed procedures and responsibilities at almost every level of the organization, and the law will likely impact the manner in which business is conducted for decades to come. Whether the benefit will be commensurate with the cost remains an open question in some quarters, but scant argument can be raised against the intent of a law designed to reduce fraud and bring reliability to financial reporting, and to restore confidence to the public markets.

Particularly noteworthy (if not notorious), section 404 of the legislation requires public companies to determine financial reporting risks, identify or establish related controls, assess control effectiveness, fix deficiencies, and then re-test and re-document anew. The challenges posed by this section, and by the Act as a whole, have proven formidable, and the impact has been felt throughout organizations across the U.S. and the world.

Among the business functions most significantly affected by Sarbanes-Oxley section 404, internal audit certainly ranks high. Internal auditors, with their expertise in business process analysis; financial, operational, compliance, and information technology control testing; risk management; the COSO internal control framework[2]; and forensic accounting, faced unprecedented demand for their services during the first year of conformity with the law.

The profession rose to the task. Many internal auditors can claim, with only slight hyperbole, that they played a valiant role in year-one Sarbanes-Oxley compliance. Indeed, if not for the internal audit profession, the business landscape would likely be littered with significantly more disclosures of material weaknesses and revelations of noncompliance with the Act.

But success can carry risk along with reward. The dramatic increase in the workload of internal audit attributable to Sarbanes-Oxley wasn't always accompanied by an equal rise in resources, leading to a predictable outcome: The traditional work of the function (operational, systems, fraud investigations, and special project audit work) often took a back seat to the more pressing needs of regulatory compliance.

For many internal audit departments, this shift toward Sarbanes-Oxley-related duties demands rebalancing. Meeting the requirements of the law is, obviously, important, but not to the detriment of other responsibilities. The function's all-encompassing focus on Sarbanes-Oxley, adopted out of necessity in the first year, should diminish going forward, and in its stead should be a more rational and considered distribution of duties.

This reprioritizing should not be viewed as mere administrative tinkering. Today, more than ever, the fortunes of the company can be tied to internal audit. In fact, a properly structured internal audit function can bring tremendous value to an organization, impacting not just regulatory compliance but also operational excellence. Intelligently utilized, internal audit can help manage risk, prioritize goals and activities, eliminate complexity and redundancy, streamline operations, and drive down cost, which, in turn, can enhance competitiveness while protecting and enhancing shareholder value.

The business world has entered uncharted territory, and optimally structured and high-performing internal audit functions can help shepherd companies through this new terrain.

    Defining Effectiveness

In the new regulatory environment, responsibility and liability, both perceived and actual, are elevated to unprecedented levels. Never before have financial statements and disclosures been more carefully scrutinized. And never have the consequences of getting it wrong been more severe.[3]

Demand for heightened accountability resonates especially clearly with two parties: management, most notably CEOs and CFOs, who now must personally certify to the accuracy of the financial disclosures and the effectiveness of controls; and the audit committee, which is compelled to move beyond a reactive to a proactive role in financial reporting oversight. Each of these groups, in turn, relies heavily on an effective internal audit function for objective validation of the effectiveness of control processes and the reliability of financial reporting.

[1] For purposes of this document, the terms "Sarbanes-Oxley," "the Act," and "SOX" all refer to the Sarbanes-Oxley Act of 2002 in its entirety, including all sections of the law enacted by Congress, all associated rules promulgated by the Securities and Exchange Commission, and all related standards issued by the Public Company Accounting Oversight Board. The term "section 404" refers specifically to the "Management Assessment of Internal Controls" section of Sarbanes-Oxley and all the rules and standards that fall under that section.

[2] Committee of Sponsoring Organizations of the Treadway Commission. www.coso.org

[3] Sarbanes-Oxley Act of 2002; Section 906: "Corporate Responsibility for Financial Reports"; Subsection C: "Criminal Penalties": "Whoever certifies any statement ... [that] does not comport with all the requirements ... shall be fined not more than $1 million, or imprisoned not more than 10 years, or both; or willfully certifies any statement ... [that] does not comport with all the requirements ... shall be fined not more than $5 million, or imprisoned not more than 20 years, or both."


But what, exactly, characterizes an effective internal audit function? A baseline definition of internal auditing provides a starting point. The Institute of Internal Auditors (IIA) offers the following description:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."[4]

With this description forming a foundation, the essential characteristics of an effective internal audit function can be framed. Deloitte & Touche LLP sees the following elements as key. An effective internal audit function:

• operates from a clear, updated charter
• adapts its activities to the needs of the organization
• uses a risk-based approach
• reports directly to the audit committee
• enjoys full support of management and the audit committee
• maintains open communication with management and the audit committee
• has "clout" within the executive ranks
• engenders respect and integrity throughout the organization
• teams with other internal and external resources, as appropriate
• provides leadership on issues of internal control, fraud, financial reporting, risk management, and corporate governance
• leverages technology
• deploys best-available methodologies
• engages in continuous education and staff development
• consistently reevaluates its effectiveness
• provides support to the company's anti-fraud programs.

    Organizational Structure

In the days before the harsh light of scrutiny shone on internal audit, its organizational and reporting structure were topics of concern to relatively few. But today, with issues of competence, independence, and objectivity at the fore, many businesspeople are realizing that structure and reporting lines play a critical role in effectiveness.

Complicating the structural issue is the fact that the activities of internal audit serve the needs and/or interests of numerous parties, including:

• audit committee
• board of directors
• executive management
• line management
• shareholders
• analysts and shareholder rating services
• regulators
• external auditors

Of course, despite their vested interest, not all of these parties exert direct supervisory influence over the function. In most companies, lines of reporting usually lead to either of two groups: executive management or the audit committee.

In Deloitte & Touche's view, the latter choice offers clear superiority. When internal audit reports to the audit committee, the function is kept structurally separate from management, a distinction of importance to many, including regulators concerned with independence, external auditors seeking objectivity, and analysts looking for strong corporate governance practices. Such an alignment also encourages the free flow of communication regarding any issues or concerns; allows for direct feedback on the performance of the chief audit executive and the function; ensures that internal audit is staffed and budgeted properly; and permits the audit committee to exert direct influence over the hiring, compensation, and firing of the CAE.

Conversely, when internal audit reports to management (usually to the CFO), the effectiveness of the function can be diluted. If management hires and fires the chief audit executive, controls the budget, and sets the agenda, then the impact on objectivity and independence can be significant. Communication of concerns can become bottled up; the pressure to rationalize questionable practices or to issue favorable reports can intensify.

Although the advantages of reporting to the audit committee are clear-cut, one factor mars what might otherwise be an optimal reporting structure: The audit committee lacks a day-to-day presence in the organization, and therefore may be somewhat out of touch with the culture, issues, and personalities, and may also lack the ability to handle required human resource activities.

Trends are moving steadily toward audit committee oversight of internal audit. Several years ago, better than 90 percent of internal audit departments reported to the CFO. Today, according to surveys by the Institute of Internal Auditors, that number falls between 40 and 50 percent.[5]

While there are no easy answers, two points are unambiguous: The CAE must have a strong and direct reporting relationship to the audit committee; and the audit committee must take responsibility for certain supervisory activities, including approving internal audit's budget, risk assessment, and audit plan, and for hiring, evaluating, and, if necessary, firing the CAE. Having a dual reporting relationship to the CEO or perhaps general counsel can facilitate the required administrative activities associated with operating the function within the company.

[4] Institute of Internal Auditors, Defining Effectiveness, http://www.theiia.org/index.cfm?act=content.group&subcat_id=671

[5] Institute of Internal Auditors, Internal Audit Independence and Corporate Governance, 2003, http://www.theiia.org/iia/download.cfm?file=234.


    Role of Internal Audit in the Sarbanes-Oxley Era

While the upheaval of the last couple of years has surely roiled the profession, certain principles remain unaffected. Most notably:

The traditional role of internal audit (to assess controls, bring value, and improve operations) is as applicable today as it ever was.

However, as noted previously, the department's workload has dramatically increased with the advent of Sarbanes-Oxley.

Finding the right balance of activities will be key to future success, both for internal audit as a profession, and for the companies that internal audit serves.

Unfortunately, that balance cannot be neatly summarized in a few paragraphs. Each company presents unique circumstances and distinctive needs. Myriad factors complicate the equation and impact the result, including company size, industry, location(s), budget, profitability, IT infrastructure, competence of personnel, preferences of the board and management, and more.

Figure 1: Internal Audit Maturity Model (figure not reproduced; only its notes survive)

* Cumulative: The past practices of the internal audit function are absorbed into and become part of new, expanded practices.
* Evolutionary: The past practices of internal audit are discarded as new practices are adopted to take their place.


One way to parse the proper role of internal audit is through the use of a maturity model (see figure 1). The various activities of the department can be charted along a descriptive continuum that begins with "baseline," proceeds through "mainstream," and concludes with "leading edge."

In applying the maturity model to their own circumstances, companies will find variability to be the norm. Only the rare internal audit department will see all its data points plotted neatly under any one category. Rather, depending on goals, philosophy, and other factors listed above, the function may classify its risk management activities under, say, "leading edge" while its technology description falls under "mainstream." Virtually unlimited combinations are possible, with none necessarily being right or wrong. What works best and makes sense for one organization may be entirely inappropriate for another.

But regardless of how the data points fall on the maturity model, clearly the optimal role of internal audit extends far beyond internal control over financial reporting. The imperative to attain compliance in the first year distorted that perspective, but the time has come to reestablish a broader view.

Internal audit needs to play a role in Sarbanes-Oxley compliance (indeed, one of the most essential roles); however, that should not be its sole responsibility.

A more expansive view of internal audit's optimal role asks the question, What needs to be done to address stakeholders' needs? Some of those stakeholders and the issues they face are described in figure 2.

Figure 2: Is Internal Audit Addressing Stakeholders' Needs?

Board/Audit Committee: How are we managing business risks? How are we assured they are being managed appropriately? Are we dedicating enough resources to manage our risks?
CEO/COO: What unforeseen events might disrupt our strategy and prevent achievement of our goals?
CFO: What risks could materially impact our financial results?
General Counsel: What could we do to further minimize our legal and regulatory liabilities and ensure compliance with laws and regulations?
General Managers: How much risk am I allowed to take? What is our corporate risk appetite? What are my risk management responsibilities?
Risk Managers: How efficient is our current risk financing strategy? Does the current risk management strategy adequately capture the key risks?
Regulators: How comprehensively is the company addressing the interests of stakeholders?
Rating Agencies: How well does senior management understand risk? How great is management's risk awareness? What is their ability to manage risks as they emerge?

A fair amount of confusion exists within and outside the profession regarding the challenges posed by Sarbanes-Oxley. What are the proper parameters of involvement by internal audit? At what point does the function's independence and objectivity become impaired? To answer these and other questions, Deloitte & Touche convened a meeting of its leading practitioners to debate the issues and reach consensus. The following Sarbanes-Oxley-related activities were found to be allowable and appropriate for internal audit:

• consulting on internal control
• consulting on internal control in relation to enterprise-wide risk management (see page 7, "Risk Management," for more information on this topic)
• assisting the organization in identifying, evaluating, and implementing risk and control assessment methodologies
• recommending controls to address related risks
• assisting with designing systems of internal control (however, designing is not the same as installing; see below)
• drafting procedures for systems of internal control
• assisting with maintenance of the controls repository
• conducting effectiveness testing on behalf of management (but without concluding for management)
• aiding management in the design of tests for control effectiveness (however, in all cases, management should make the final decision on control design and operating effectiveness)
• taking on the role of lead project manager for all or part of the efforts related to complying with section 404
• providing training and/or information on internal control identification and assessment, risk assessment, and test plan development
• providing information, training, and/or facilitating a control self-assessment.

The following Sarbanes-Oxley-related activities were found to be inappropriate for an objective internal audit function:

• concluding on the effectiveness of internal controls on behalf of management
• making or directing key management decisions regarding internal controls, remediation activities, and Sarbanes-Oxley compliance
• installing systems of internal control
• performing control activities.

The overriding factor concerning appropriate activities hinges on decision-making and responsibility. Under the provisions of Sarbanes-Oxley, management is solely responsible for the system of internal control over financial reporting. Internal audit may serve management in many capacities, including advisory, testing, training, and development, so long as that work doesn't cross the line into a decision-making role. Vigilance by all parties can maintain this critical distinction.

    Fraud Detection

Financial statement fraud generates more attention than its prevalence might warrant; significantly more misstatements can be attributed to innocent mistakes and misjudgments. But perception often trumps reality, and sensational acts of fraud defined many of the recent corporate scandals, providing compelling news headlines and fodder for forceful political speeches. When carried out on a large scale, fraud can wipe out billions of dollars of investor wealth in a short timeframe. And, of course, financial statement fraud was the impetus behind the Sarbanes-Oxley Act itself.

Thus, given its prominence and potential magnitude, fraud (both financial statement fraud and the misappropriation of assets) needs to be on the radar screen of every internal audit function. Not that the function should become the sheriff of the organization; rather, internal audit ensures that reasonable activities are in place to help prevent and detect fraud and support company anti-fraud programs.

Indeed, given its unique skill-set, internal audit is often at the fore when it comes to rooting out fraud-related problems. Some cases are first uncovered by the function, and internal audit is frequently the primary option for investigating allegations of fraud.

That said, it must be noted that no company, no matter how vigilant, can eliminate fraud with 100 percent certainty. Determined and deceptive individuals, especially those acting in collusion, can sometimes subvert even the most carefully and conscientiously constructed anti-fraud program.

But the lack of ironclad assurance is no excuse for inaction. A number of activities and programs to combat financial statement fraud are recommended for every public company, not solely because their presence helps to minimize risk, but also because their absence may result in an adverse opinion on the effectiveness of internal control over financial reporting. Steps that address the misappropriation of assets, although not required under Sarbanes-Oxley, are also highly recommended.

A few of the essential elements of an effective antifraud program are noted below:

Control Environment: Strong antifraud activity, just like strong internal control itself, begins with the control environment. The executive management team should continuously demonstrate, through words and actions, that ethical and legal behavior is the only acceptable mode of conduct in the company. This principled "tone at the top" must diffuse itself through everything the organization says and does: in regular communications; company literature; codes of conduct and ethics; hiring, promotion, and termination practices; vendor and customer relations; and much more. Some internal control experts contend that establishing this culture of "doing the right thing" represents the most important component of effective internal control.

While the control environment does not necessarily lend itself to easy assessment, internal audit can gauge its strengths and weaknesses through a cultural survey given to employees throughout the organization. The survey measures hard-to-quantify components such as employee attitudes, corporate culture, communication practices, and more.

Whistleblower Hotlines: Perhaps the most critical piece of an effective antifraud program can be found in the whistleblower hotline, for two reasons: (1) such hotlines are required by section 301 of Sarbanes-Oxley; and (2) whistleblower hotlines uncover more verifiable cases of fraud than any other method, according to a study by the Association of Certified Fraud Examiners.[6]

An effective hotline should be anonymous and continuously available. A detailed procedure for the timely handling of reports should be developed and followed faithfully. Employees should receive guidance and encouragement on its use. And the hotline should be advertised widely, through posters, wallet cards, intranet sites, periodic communications, and other means.

Fraud Risk Assessment: Simply stated, any risk assessment process that doesn't include financial statement fraud considerations will be deemed ineffective by the company's independent auditor, and the consequences will be far-reaching. According to the Public Company Accounting Oversight Board, "if the risk assessment function is ineffective, this should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists."[7]

Thus, it clearly behooves companies to appropriately consider the risk of material misstatement due to fraud, and to subsequently design and implement appropriate programs and controls to prevent, detect, and deter relevant fraud risks and schemes.

Areas that deserve special attention during the fraud risk assessment process include management override of controls, revenue recognition, segregation of duties, significant and unusual journal entries, accounts involving judgment and estimates, and complex accounting procedures.

While internal audit has a significant role to play in fraud detection and prevention, the function should not be charged with sole responsibility in this area. The job is simply too large and too important to be left to a single business unit. Rather, the obligation should be shared by every facet of the organization, including executive management, employees, boards and committees, and augmented by oversight and assistance from the external auditor, regulatory agencies, and others.

[6] Association of Certified Fraud Examiners, "2002 Report to the Nation: Occupational Fraud and Abuse." http://www.cfenet.com/pdfs/2002RttN.pdf

[7] Institute of Internal Auditors, "The Role of Internal Auditing in Enterprise-wide Risk Management," Sept. 29, 2004.


    The Pursuit of Quality

With so much riding on internal audit (both from a regulatory and competitiveness standpoint), the optimal functioning of the department becomes a vital concern. Every stakeholder cited previously, but especially management and the audit committee, relies heavily on internal audit. How can these parties be sure that the function is up to the task?

The answer comes in the form of quality assessments, an examination of the effectiveness and efficiency of the function. Just as a person requires regular medical check-ups to remain in peak health, so too can internal audit benefit from a thorough evaluation.

Three models exist, two internal and one external; forward-thinking companies will utilize all of them:

1. continuous quality assurance: Built into the job descriptions and operating routines of the department should be continuous quality assurance activity. In some respects, this program could be considered internal audit's own set of controls that provide a window into work performed and quality of operations.

2. self-assessments: Conducted every two years, this process deploys internal staff to examine the operations of the function. Has the charter been updated to reflect current conditions? Does a comprehensive risk assessment serve as the basis for planning and execution? Are stakeholder needs met in a timely fashion?

3. external quality assessment: The Institute of Internal Auditors strongly encourages chief audit executives to subject their internal audit departments to independent scrutiny. The IIA's Standard 1312, issued in 2002, states that "...every internal audit department [must] have an external quality assessment at least once every five years by a qualified independent reviewer from outside the organization." In certain circumstances, such as rapid turnover of staff or a change in internal audit leadership, a more-frequent assessment schedule may be warranted.

Whether internal or external, a quality assessment reviewer will look at the function for certain characteristics and performance indicators, including the following:

• independent and objective
• dynamic and flexible
• proactive
• risk focused
• knowledgeable about company and industry
• innovative and consultative
• catalyst for change
• aligned with management and audit committee expectations
• aligned with corporate objectives
• leverages technology and leading practices
• communicates effectively
• maintains constructive relationships
• emphasizes continuous learning.

It should be acknowledged that quality assessments can be time-consuming and costly. Yet the rationale is compelling:

• As Sarbanes-Oxley-related activities become less of a fire drill and more part of standard operating procedure, realignment of internal audit's duties becomes essential. A quality assessment can help the function, audit committee, and management fully understand the needs of the business and how internal audit should be organized to meet these challenges.

• Yesterday's leading practices are today's outmoded methodologies. A qualified external quality assessment team that is continually exposed to the full spectrum of approaches and techniques can bring up-to-date knowledge to the function.

• Business moves at a breakneck pace, and to keep up, companies require continuous improvement, a fact that holds as true for internal audit as any other business function. A quality assessment can provide that edge. As an ongoing process, the quality assessment will result in a periodic list of improvement areas that the chief audit executive can include in his/her evaluation metrics to encourage continuous improvement.

    Deploying Technology

    While technology will never replace an intelligent, inquisitive,and well-trained internal auditor, certain tools can improveefficiency and enhance productivity. Two categories of toolspredominate: supporting technologies and enabling technolo-gies.

    The former category is fairly commonplace and not particularlyrevolutionary. For example, electronic spreadsheets serve as anaid in recordkeeping; automated work papers remove some ofthe drudgery from documentation.

    Significantly more valuable, however, are enabling technolo-gies, which allow internal auditors to attain new levels of test-

    ing assurance. For example, instead of developing samplingprocedures, internal audit can now, through technology, test ahigher percentage (or the entire population) of transactionsand processes. Additionally, the department can performexception-based and fraud-related procedures with far greaterlevels of reliability.

    Leading the way are a number of enhancements to enterprise resource planning (ERP) systems. This latest generation of software can acquire data from different repositories within the network, and can help validate whether internal controls are operating effectively.

    Just as a person requires regular medical check-ups to remain in peak health, so too can internal audit benefit from a thorough evaluation.


    Other examples of enabling technology include data acquisition, analysis, and monitoring tools; and administrative tools.

    In the modern internal audit environment, enabling technologies are no longer a luxury, but a necessity, as they promote continuous monitoring of risk in a cost-effective fashion. Chief audit executives can and should make a compelling case to include such tools in their budgets.

    Third-Party Compliance

    Outsourcing has become a mainstream practice in recent years, with companies large and small routinely ceding to third parties day-to-day responsibility for tasks such as payroll, benefits administration, order fulfillment, and more. But in the Sarbanes-Oxley era, if these activities impact the financials, the contracting company is responsible for assessing the effectiveness of internal control over financial reporting at the contractor company. Internal audit can assume a major role in this process: by assessing the validity and completeness of SAS 70 reports; by auditing contract compliance with customers, suppliers, and dealers; and by conducting audits at third-party sites. The expertise of the function can be deployed to identify specific monetary and non-monetary risks present in third-party relationships, and to recommend steps to mitigate those risks.

    Risk Management

    As noted in the early pages of this document, proper risk management lies at the heart of an effective internal audit function. The specific role the department assumes in regard to risk will depend on its placement in the maturity model cited previously (figure 1, page 3). A "baseline" approach may deal only with operational risk, while a "leading edge" practice may include a broad universe of enterprise risks. Many functions will fall in the middle of the two extremes, depending on philosophy, charter, goals, and other factors. Some departments may limit themselves to the identification of risk; others may participate in the mitigation of risk.

    Surprisingly, during first-year Sarbanes-Oxley compliance efforts, many companies failed to develop and deploy a comprehensive financial accounting risk assessment process, an outcome both unexpected, because risk assessment is an essential component of internal control over financial reporting, and unfortunate, because without proper risk assessment, some of the time and dollars devoted to documenting and testing controls may have been misspent. Clearly, this situation needs rectifying going forward. Internal audit should play a prominent role in helping management realize that without a comprehensive risk assessment process, internal control over financial reporting can never be considered effective.

    It should also be noted that if a company does not have an effective risk-assessment process in place, and many do not, the Institute of Internal Auditors standards require the internal audit function to prepare one.

    An aid to proper risk management may be found in a recent publication from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Entitled "Enterprise Risk Management – Integrated Framework," the document defines and discusses key enterprise risk management (ERM) principles, concepts, and components. Although not solely directed at the internal audit profession, the COSO ERM framework can provide a clear blueprint for anyone seeking more effective risk management. (Visit www.coso.org for ordering information.)

    Augmenting the COSO ERM document is guidance from the Institute of Internal Auditors, which reviewed the publication for applicability to the profession and deemed much of the information relevant and useful. According to the IIA, "Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively."[8]

    Thus, according to the IIA, a risk-focused internal audit function will engage in the following basic activities:

    • providing assurance on risk management processes
    • providing assurance that risks are correctly evaluated
    • evaluating risk management processes
    • evaluating the reporting of key risks
    • reviewing the management of key risks.

    Some companies may wish to have their internal audit department take on a more active role regarding risk management. In such cases, the IIA considers the following roles permissible:

    • facilitating identification and evaluation of risks
    • coaching management in responding to risks
    • coordinating ERM activities
    • consolidating the reporting on risks
    • maintaining and developing the ERM framework
    • championing establishment of ERM
    • developing risk management strategy for board approval.

    While participation in risk management activities is clearly a desirable role for internal audit, care should be taken to maintain independence and objectivity. The board of directors and the management team should retain full responsibility for risk management; internal audit should diligently strive to limit itself to an advisory role.

    [8] Institute of Internal Auditors, The Role of Internal Auditing in Enterprise-wide Risk Management, Sept. 29, 2004.


    Beyond Sarbanes-Oxley

    Pre-Sarbanes-Oxley, internal audit faced no shortage of worthy projects. Today, it's time to place many of them back on the agenda. Here are a few that merit consideration:

    Evaluating New Business Initiatives: Dynamic companies constantly seek out new opportunities; those that don't may soon find their fortunes lagging. However, each new opportunity also brings new risk, and internal audit should take a significant part in identifying and helping the company control that exposure. Obviously, anything as monumental as a merger or acquisition requires due diligence on the part of internal audit. However, less weighty initiatives, such as a new product design or new services, could also benefit from internal audit's wisdom and guidance.

    Managing Information Technology (IT): IT usually presents significant risk management challenges to an organization, whether the computer systems are static, undergoing an incremental upgrade, or in the midst of a complete migration. Section 404 compliance has also inspired many companies to consolidate disparate IT systems to bring more efficiency and reliability to internal control; in such cases, management should be drawing heavily on internal audit expertise.

    Contributing to Corporate Growth: Bringing value to the organization has always been a prime concern of internal audit, and building top line revenue growth certainly falls under that rubric. Specific activities in support of the growth objective will vary by company. If corporate growth is attained through acquisition, then the function should participate in due diligence. When organic growth defines the strategy, either through expansion into new regions, distribution channels, or customers, internal audit should be involved in all the "auditable" processes. In other words, internal audit plans and activities should be skewed towards the company's areas of focus and risk. If the company is thinking about "betting the farm" in a particular area, internal audit should be calculating the odds.

    Other Activities: Certain other areas are prime for internal audit involvement:

    • research and development effectiveness
    • decision-making processes
    • inventory management
    • ethics compliance.

    Peak Performance Indicators

    How does internal audit measure success? The particular method employed is less important than the act itself. Performance of the function should be constantly monitored and rated. Here are some critical performance indicators:

    • recommendations adopted
    • recommendations implemented within a certain time period
    • stakeholder surveys
    • reports issued on time
    • staff training and certifications
    • cost-saving opportunities and actual cost recoveries
    • internal audit turnover
    • internal audit transfers (with employees moving to other units within the business considered a positive outcome)
    • internal audit employee survey measuring professional staff satisfaction
    • internal audit staff utilization
    • hours of training.

    Conclusion

    For companies listed on the U.S. equities markets, the regulatory environment stands in a state of unprecedented flux. Internal audit can and should take a leading role in restoring equilibrium.

    But before it takes on that enterprise-wide challenge, the department must first be sure its own house is in order. The distortion caused by the first year of Sarbanes-Oxley compliance must be clarified. Charters and job descriptions should be updated. Traditional roles must be reconciled with new responsibilities. Audit work should be judiciously balanced between financial, operational, strategic, compliance, and information technology. Risk must be carefully weighed. And the needs of stakeholders should figure prominently in the action plan.

    Moving forward, Sarbanes-Oxley-related work should become a visible and permanent part of internal audit's job description. Helping to sustain compliance with section 404 of the Act will remain a critical responsibility. Providing objective assurance to the board and management on the effectiveness of the company's enterprise risk management activities will deliver significant value to the organization. But the organizational structure and specific activities of any particular internal audit department will vary considerably by company.

    Adaptability and flexibility will stand out as key characteristics of successful internal audit functions. "One size fits all" was probably never an accurate description of an ideally structured department, but it certainly doesn't apply today. Rather, an optimized internal audit function will tailor its activities to areas of greatest risk and opportunities for greatest value. Their companies will reap the benefits of sustainable compliance and enhanced competitiveness.


    Member of Deloitte Touche Tohmatsu. Copyright 2005 Deloitte Development LLC. All rights reserved.

    About Deloitte

    Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

    Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu. In the U.S., services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP.
