Should Internal Audit Perform SOX Testing?

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I am looking forward to the opportunity to debate this topic next week with Richard Chambers, President and CEO of IIA Global — to be made available later on IIA’s Audit Channel TV.

Here is a summary of my thinking, using an excerpt from my book: Minimize Costs & Increase the Value of your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls.

The main points are these:

  1. It is critical that internal audit have the resources to meet its commitments as documented in the charter. Its ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that it cannot address issues of significance. 

  2. The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the need to retain objectivity. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both must put the interests of the company first.

I welcome your comments.


There is a sharp divide among internal audit professionals as to whether the internal audit activity should play a significant role in the Sarbanes-Oxley program. In the first few years of Sarbanes-Oxley, management more often than not looked to internal audit as internal control experts to lead the development and implementation of the Sarbanes-Oxley program.

For example, a KPMG study in 2005 showed that internal audit:

  • Was responsible for oversight of the Sarbanes-Oxley program at 15 percent of companies.
  • Provided day-to-day project management at 31 percent of companies (it should be noted that several surveys on this topic produced very different results. A PricewaterhouseCoopers (PwC) study [written by Richard Chambers] in the same year reported that 56 percent of companies relied on internal audit for day-to-day project management).
  • Was involved in documentation and testing of key controls at 85 percent of companies. 

However, those internal audit activities were generally not given the resources necessary to perform the Sarbanes-Oxley work in addition to what they needed to meet their traditional and broader assurance responsibilities. As a result, internal audit groups became consumed by a narrow focus on Sarbanes-Oxley and cut back on audits of other risk areas. The PwC study referenced above reported that for 70 percent of companies in the first year of their Sarbanes-Oxley program, internal audit dedicated at least 50 percent of its resources to supporting the Sarbanes-Oxley program. 

This caused concern among internal audit professionals, audit committees, the auditing firms, and a number of governance experts. They urged companies and their internal auditors to return to a more operational and traditional focus on risks and controls that extended beyond financial reporting. 

PwC commented: 

“Internal audit organizations have been so consumed by Sarbanes-Oxley [sic] that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences. That’s because a failure to address key strategic, operational, and compliance risk areas in an internal audit program undermines the effectiveness of internal audit, diminishes its strategic value to key stakeholders, and exposes the enterprise to greater operational and financial risks in the future.” 

Today, the number of internal audit activities involved in these three areas is lower (although KPMG and other firms have not updated their surveys, less formal studies show about half of companies are still using internal audit to perform Sarbanes-Oxley testing) and efficiencies have brought the level of effort down as well. Certainly, larger firms are more likely to have established internal control activities (or similar) within the corporate finance function that are responsible for the Sarbanes-Oxley program. But the concern remains among a number of internal audit leaders. 

While there is a risk, there are also significant benefits when internal audit makes a contribution to the Sarbanes-Oxley program. These include: 

  • Internal audit practitioners are experts in internal control and their experience and insights contribute to an efficient and effective Sarbanes-Oxley program.
  • When internal audit performs testing on behalf of management, it is more likely to be relied on by the external auditors, and this can result in significant savings on audit fees.
  • Internal audit can perform combined or integrated audits that include both Sarbanes-Oxley testing and non-Sarbanes-Oxley work. The total number of audits performed, each of which management must support, is reduced.
  • When internal audit tests Sarbanes-Oxley key controls, they are more likely to be able to recommend process and control enhancements than if the testing is performed by management.
  • Internal audit is charged with providing assurance and consulting services on all major risks, including the risk of poor controls over financial reporting. They might be obliged to review and assess management’s testing if they don’t do it themselves, at greater cost to the company as a whole than if they did the testing. 

Each company should weigh the risks and benefits of internal audit involvement in Sarbanes-Oxley. These considerations should be given significant attention by management and the board: 

  1. It is critical that internal audit have the resources to meet its commitments as documented in the charter. Its ability to provide assurance and consulting services on the organization’s governance, risk management, and related control processes must not be impaired to the point that it cannot address issues of significance.

  2. Internal audit may not perform a management function. It must remain independent and objective, consistent with The IIA’s International Standards for the Professional Practice of Internal Auditing. It can, as a consulting service, facilitate the Sarbanes-Oxley program and provide day-to-day project management. It can also perform testing of key controls. However, the following are management functions that cannot be assigned to internal audit:
    a. Responsibility for the Sarbanes-Oxley assessment and program. These typically rest with the CEO and CFO.
    b. Making decisions relative to the Sarbanes-Oxley scope and program design. Internal audit may make recommendations, but management should make the final decision in each case.
    c. Assessing whether a deficiency will be considered, for the purposes of management’s assessment of ICFR, a material weakness. Internal audit should share its opinion, but the decision rests with management.
    d. Assessing the overall adequacy of ICFR.

  3. The decision should be based on what is best for the company as a whole, considering cost, risk, value, and the need to observe the points in (2) above. While most CFOs and corporate controllers are interested in assigning the work to internal audit, and internal audit professionals would prefer the work to be handled by finance staff, both must put the interests of the company first.

Reference should also be made to guidance from The IIA in Internal Auditing’s Role in Sections 302 and 404 of the Sarbanes-Oxley Act, which was released on May 26, 2004. Key points addressed in the document related to assistance with testing include: 

“It is management’s responsibility to ensure the organization is in compliance with the requirements of Sections 302 and 404 and other requirements of the Act, and this responsibility cannot be delegated or abdicated. Support for management in the discharge of these responsibilities is a legitimate role for internal auditors. The internal auditors’ role in their organization’s Sarbanes-Oxley project can be significant but also must be compatible with the overall mission and charter of the internal audit function. Regardless of the level and type of involvement selected, it should not impair the objectivity and capabilities of the internal audit function for covering the major risk areas of their organization. Internal auditors are frequently pressured to be extensively involved in the full compendium of Sarbanes-Oxley project efforts as the work is within the natural domain of expertise of internal auditing.” (Executive Summary) 

“Activities that are included in the internal auditor’s recommended role in supporting the organization in meeting the requirements of Sections 302 and 404 include: 

  • Project oversight.
  • Consulting and project support.
  • Ongoing monitoring and testing.
  • Project audit.
  • Advise management regarding the design, scope, and frequency of tests to be performed.
  • Independent assessor of management testing and assessment processes.
  • Perform tests of management’s basis for assertions.
  • Perform effectiveness testing (for highest reliance by external auditors).
  • Aid in identifying control gaps and review management plans for correcting control gaps.
  • Perform follow-up reviews to ascertain whether control gaps have been adequately addressed.
  • Act as coordinator between management and the external auditor as to discussions of scope and testing plans.
  • Participate in disclosure committee to ensure that results of ongoing internal audit activities and other examination activities, such as external regulatory examinations, are brought to the committee for disclosure consideration.”


Posted on Aug 15, 2012 by Norman Marks


  1. Internal Audit's role is in the testing of the effectiveness of Internal Control, therefore they should be testing that the SOX controls are functioning as specified. Surely the whole concept of SOX was about control awareness and the control operators being aware a) what controls were there and b) that it was their duty to apply the control effectively? To that extent it is management's role (at all levels) to be informed/ensure that the controls are operating. It is Internal Audit's role to check that management are doing their job! Yes, IA will test SOX controls, but it should be as part of their wider remit.

  1. Nice to know your views about SOX by the internal audit team. I am working as an internal auditor in HCL Technologies Ltd., which is not bound to comply with SOX. However, as part of good governance, we are involved in a SOX project.

    We have adopted a phased approach wherein, in year 2, we updated RCMs on management's behalf, performed design-level assessment of controls and performed testing of key controls. The scope was duly discussed with and approved by management. In year 3, we handed over the RCM update process to management and kept only TOD & TOE. When we reach a more mature stage, all the activity can be handed over to management.

    Regards

  1. Internal audit should do an independent assessment of management's testing of SOX controls. I used to work at a large Fortune 500 company where I was part of risk management. We were embedded within the business units as risk managers and internal control testers. We would perform quarterly SOX key controls testing. Internal audit would sometimes come in to do an independent assessment of our testing. I think this worked well. Risk management was embedded in the business units, while internal audit performed an independent assessment.

  1. Who should be the tester?

  1. I am a company supervisor and they told me that I am one of the testers. Is it mandatory? I don't have any idea about doing this internal audit.

  1. Francisco, management is responsible for assessing the controls, including the testing. They may ask internal audit to assist by performing the testing, or they may ask people like you to do it.
