Internal Audit and SOX. Lessons From the 2011 Protiviti SOX Compliance Survey

My thanks to Bob Hirth for sharing a copy of this survey. I remember his smile when he said that he knew I didn’t always agree with Protiviti’s views, and maybe he anticipated that my comments (in this blog) would not be entirely favorable. He would have been right.

First, some disclosures: I count both Bob Hirth and Jim DeLoach among my personal friends, people for whom I have great respect and with whom I always enjoy breaking bread. I have known Bob since he was a partner at Andersen, providing co-source services to my company. Jim and I shared a series of roundtables in 2009 on continuous auditing.

I want to split my discussion of the survey into two pieces. The first is around the role of internal audit when it comes to SOX, and then I want to talk about the survey in general.

Internal audit and SOX

The Protiviti survey has a section headed: “Internal Audit Has Primary Responsibility for Sarbanes-Oxley Work”. But the content of the section has a key statement that uses different language: “The internal audit function remains the primary owner of oversight responsibilities regarding compliance efforts in most organizations, followed by the audit committee and executive management”. I don’t know about you, but I find this confusing.

  1. Internal audit frequently is asked to perform tests of the SOX key controls. This is consistent with the heading, that internal audit has primary responsibility for the work.
  2. Internal audit is rarely (in my experience) responsible for oversight of the SOX compliance work. Oversight is typically an audit committee activity, not even an executive management responsibility. It is true that internal audit may audit the SOX testing as part of its assurance services. But that is not oversight, which remains an audit committee responsibility.
  3. The CAE often helps manage the program, with the scoping, the plan for testing, and the evaluation of any deficiencies. But management remains responsible for the system of internal controls over financial reporting. Internal audit may host a SOX program office (I did at a few companies) because of the opportunity to add value through our knowledge of internal controls, etc. But while this is fairly frequent, in my experience internal audit functions assist with testing far more often than running the SOX program.

So as the section is written, I am not sure what to make of it.

Maybe it means that internal audit is performing most of the testing. Certainly, that is what Francine McKenna understood when she commented on the survey in her fine blog, Re: The Auditors. She said: “The Protiviti report had a few surprises for me — well, maybe not — about who’s doing the work of Sarbanes-Oxley within companies. For the most part it’s still internal audit.”

Francine interviewed Richard Chambers for his opinion on internal audit performing SOX testing. She quotes him as saying:

“While nothing about that contravenes our professional standards, the best role for Internal Audit to play in Sarbanes-Oxley compliance initiatives is to provide overall assurance on the effectiveness of the organization’s documentation and testing of internal controls and Section 302 certification process, rather than to be down in the weeds doing the actual documentation and testing of controls instead of management.”

I disagree when it comes to SOX testing. Sorry, Richard.

If we can assume that internal audit will get the resources both to perform value-add SOX testing as a service to management and to meet its obligation to the board to provide assurance and consulting internal audit services, then why shouldn’t internal audit do both? Is it because:

  • It would be a violation of our independence as internal auditors? I don’t think so and Richard says it wouldn’t be contrary to IIA Standards.
  • It prevents us from doing ‘regular’ internal auditing? It doesn’t if internal audit is able to get the necessary resources. If management is willing to resource a separate SOX testing team, then they have already demonstrated they could fund that within internal audit.
  • It’s not a good use of internal auditors? Why not? The audit plan could combine SOX and other work in an area to obtain efficiencies. In addition, internal audit can not only identify a test failure, but make value-added recommendations for process and control improvement.

There are good reasons for having internal audit perform SOX testing:

  • Cost efficiencies can be obtained.
  • Internal audit can leverage their understanding to make value-add recommendations for process and control efficiencies.
  • Administration and coordination is easier when it’s all in the same house.
  • The CAE just understands this stuff – give it to the expert.

I recognize that some companies are large enough that it makes good business sense to set up a separate Internal Controls Compliance (or similar) function within Finance. But that doesn’t mean it’s best for every company.

So my answer to whether internal audit should perform the SOX testing is “it depends on what makes most sense for each company.” Sometimes, especially for smaller companies, it makes more sense to ask internal audit to perform the testing – as long as they are given the resources.

Richard mentions both testing and “SOX documentation”, which I assume to be documentation of the processes and controls. In my experience that is rarely done by internal audit and absolutely should be a management responsibility. I don’t see the value of internal audit doing it, and great value in requiring it be done by operating management.

The Rest of the Survey

Frankly, there are a lot of charts but not enough useful information for me in the report. For example, one key area for obtaining efficiency in management’s program is having the external auditor reduce fees by placing more reliance on management testing (whether performed by internal audit or another team). The chart (on page 27) seems to say that at 39% of companies, reliance is placed by the external auditors on internal audit testing of >75% of low risk key controls. But I am not sure I am reading the chart correctly.

Rather than continue to critique the survey for less than clear and usable information, I am going to use this post to ask questions for which I would like answers in the next Protiviti SOX survey.

  1. Key controls
     a. What is the average number of key controls for companies? (Mean, median, and how much do the numbers vary?)
     b. How does that vary by company size?
     c. How does that vary by industry?
     d. How does that vary depending on whether a single ERP is used?
     e. How does that vary when the majority of processes are performed by a shared service center?
     f. What are the trends?
     g. What percentage of key controls are automated controls? How many are hybrid? How many are at the entity level (corporate vs. regional vs. division)? How many are IT general controls?

  2. Cost
     a. What is the average total SOX program cost?
     b. How does that vary by company size?
     c. How does that vary by industry?
     d. How does that vary depending on whether a single ERP is used?
     e. How does that vary when the majority of processes are performed by a shared service center?
     f. What are the trends?
     g. What percentage of the cost relates to the testing of automated controls?
     h. What percentage of the cost relates to the testing of IT general controls?

  3. Reliance by external auditors
     a. What is the average level of reliance (in terms of percentage of key controls)?
     b. How does that vary for low risk and high risk controls?
     c. How does that vary by company size?
     d. How does that vary by industry?
     e. How does that vary by type of control (manual vs. automated vs. IT general controls)?
     f. How does that vary by audit firm?
     g. How does that vary when internal audit does the work rather than management, or rather than another independent testing group?

  4. Use of automation
     a. How much use is made of automation for:
        i. Program management, including scheduling, remediation management, and reporting.
        ii. Process and control documentation.
        iii. Documentation of testing.
        iv. Surveys and self-assessments.
        v. Automated testing of controls.
     b. How valuable is each of the above?

I am sure there are more questions to be asked. What do you want answered?

Posted on Jun 27, 2011 by Norman Marks


  1. A certain somebody (referenced in the post) Tweeted: "Is @normanmarks arguing that if internal audit gets more resources, it can take on any work - regardless of risks?" The answer is no. I am not. I see taking on SOX testing as a value-add service (like contract auditing, testing for duplicate payments, or running a fraud detection program) that is not core to internal audit (providing assurance and consulting regarding governance, risk management, and related controls). Is there a risk in taking on the work? I don't see anything I would consider of significance.

    Do you?

  1. Only the same risk as with any other work IA takes on: reduces resources available to deliver assurance; implies that providing assurance is NOT value-adding; and might get in the way if those responsible for governance ask IA for assurance on the whole SOX programme. If IA is the third line of defence, can it take on 1st or 2nd line function tasks? IA has to ask itself, is management asking IA to do this because they don't really think the task has any value so they are farming it out to IA so they can forget about it? If so, what does that say about the tone at the top and the real strength of the organisation's system of internal control? Your bank recs might get done but the whole organisation might be out of control!
  1. Jackie, thank you for the comment on risks. I stated that IA was getting the resources to do the SOX work without adversely affecting their ability to provide assurance - their core function. Otherwise, I would not support taking on the task.

    On your other points, in my experience when the CAE is asked to take on SOX testing by management and with the approval of the board it is a reflection of the CAE's reputation for quality work. It is a compliment and shows trust. The CAE has a more prominent seat at the table and greater influence with management and the board.

    This is an opportunity to contribute valued services that cut corporate costs and enable the CAE to not only test controls over financial reporting but recommend enhancements.

  1. The above-referenced Tweeter asked: "What if there are many high risk areas not being addressed? How does it look for IA to be doing tactical SOX testing?"

    This goes back to an earlier post of mine, because I agree with the intent of the question.

    Internal audit is failing (in my opinion) if it is doing any of these tactical value-added tasks but not addressing high risk areas such as a lack of risk management, poor quality and inconsistent information to make decisions, strategy-setting and/or capital decisions made without consideration of risk or compliance issues, etc:

    • SOX testing
    • Fraud detection
    • Contracts auditing
    • Duplicate payment testing
    • Healthcare provider audits
    • etc
  1. Norman, to start with I want to tell you how much I enjoy your blogs, which are very informative. While I am not an auditor, as a fraud investigator I work closely with them – often embedded on audit assignments. In my opinion I do believe there is an inherent and potentially significant risk in IA taking on this “value-added service”. What are the adequate resources necessary for the IA to successfully integrate these into their area of responsibility? It has to go further than just people and money.
    In my experience most IA do not have the skill set to adequately address these high risk areas – no insult intended. This is especially true in the operation of a fraud detection program; it can also be a problem in conducting adequate SOX testing, Healthcare Provider Audits, etc. Couple this with the fact that IA is generally expected to operate under specific time constraints (in an attempt to conduct as many audits as possible) and the result compounds to the detriment of adequate risk management.
  1. Matt, thank you for the nice words. With respect to the value-added services, the CAE has to ensure (just as she has to do for any internal audit work) that there are sufficient, skilled and experienced staff to perform them. I have hired specialists (ACFEs and former police detectives) to lead my fraud investigation group, my contracts audit group, my EH&S compliance auditing group, etc. I heartily agree that there is great risk in asking untrained people to perform investigations (whether those people are auditors, attorneys, HR specialists, or physical security personnel). The risk from a poorly performed investigation is very often greater than any loss from fraud.

  1. The discussion on Twitter as to whether IA should perform SOX testing continues. Arguments made include:

    - "We won't be able to hire staff". My reply: so who is doing the testing now? They can do it as part of IA

    - "I won't be able to retain staff". My reply: I tend to have junior staff perform the testing. As they develop, they can supervise the junior staff and progress their career as usual.

    - "Why have auditors do the testing? That's like having a surgeon remove a hangnail". My reply: one of our major problems is that SOX controls have been added to existing processes, making them inefficient. When auditors do the testing, they do more than leave a pass/fail behind; they leave behind suggestions for improvement. In addition, it is highly inefficient to have the same area audited by multiple groups.

    My challenge: give me a logical argument why the internal audit function should not perform the SOX testing. It cuts cost, provides an opportunity to improve processes, increases auditor reliance and reduces their fees, etc.

    I understand that this is not something that CAEs want to do. Tough. Do what is best for the organization.

  1. PS - please assume:

    1. The audit committee has approved IA doing the SOX testing

    2. IA has resources to meet its obligations under the charter as well as the SOX testing, and this will not detract from its abilities to address important risk areas

  1. An argument on Twitter: "SOX testing is a management function. Having professional internal auditors mired in the process is not their most valuable use"

    My reply was that fraud detection and investigation are also management functions, but internal auditors do them.

    A better answer would have been to point out that somebody is doing the testing. My experience is that the best trained and equipped people to test SOX controls are people who have a CIA or equivalent. They can be members of the staff of a controls compliance team in management, or part of the internal audit department.

    If internal audit doesn't do the testing, they also don't have the headcount to do other work.

    The choice is not whether auditors do the SOX testing and not something else. It's whether the people who do the SOX testing are within internal audit or not.

  1. After what happened to the economy in the last 15 years - does IA really still need to explain the value of independent assurance?

    IA in the trenches doing Management's long haul job to develop and test monitoring controls to effectively manage their business is like expecting NASA's final "go or no-go" compliance checker to be responsible to develop, monitor, escalate, self-test and monitor the fuel usage monitoring control indicator.

    Humans are self-blind to obvious design and monitoring process flaws; another person would see problems more easily.

    The right proactive and assurance value from IA is complex. Some things are easy. Independence provides trust that the NASA compliance checker gives a thumbs-up to launch our neighbors into space with a billion pounds of liquid nitrogen and hard-earned tax payer money, that you can trust their opinion.

    Responsible managers would take continuous monitoring programs developed by IA to manage risk better; not be comfortable outsourcing monitoring controls to IA.

    Getting the most value out of IA with the right mix of assurance and consulting and finding the fine line between facilitation and independence is complex; the easiest part of the formula is the value of an independent construct that allows for fresh eyes and competent minds to do their job properly without bias and undue influence.

    IA cares enough to tell you what no one wants to hear, before it's in the newspaper. When outside the organization they know before the organization knows that there are large problems - then you will also find a poorly constructed IA department lacking independence and/or resources to do their job in a capable manner to provide the value of good internal assurance.

  1. Great analysis - thanks for sharing. The Protiviti report, like many others I've read, has failed to provide usable/applicable statistics. I would recommend that the next writers of the Protiviti report spend some time conducting SOX or other compliance rationalizations and field the type and substance of questions from stakeholders and truly understand the drivers of cost/benefit. That would lead to more precise and valuable statistics for their readers. Just a note that I appreciate the content Protiviti provides and I do find much of the context useful in performing analysis for my own company.
  1. Based on some of my earlier clients, Internal Audit would do the control documentation and testing. This work was leveraged by the external auditors.

    Currently, for my organization, the compliance function sits in Finance and reports to the VP, Finance, who in turn reports to the CFO. IA, based on risk assessment, performs very little yearly evaluation of the work of the compliance function. The challenge is our external auditors are not relying on our internal work and the rationale put forth is independence of the compliance function. Any thought/feedback on this would be highly appreciated. The goal is to ensure external auditors start relying to some extent on our internal compliance work.

  1. Hi, I am happy to chat offline if you want to contact me at