Rebalancing Internal Audit in the Sarbanes-Oxley Era

NOVEMBER 2005 - As companies have sought to meet new compliance standards
under the Sarbanes-Oxley Act of 2002 (SOA), internal auditing
has provided companies with vital business process analysis,
control testing, risk management, and forensic accounting.
According to a new report, “Optimizing the Role of Internal
Audit in the Sarbanes-Oxley Era,” internal auditing
has the potential to deliver even further value to organizations,
but only if corporate management and boards readdress and
rebalance the roles and responsibilities of internal auditors.

The report, issued by Deloitte & Touche, concludes that
without the internal audit function’s involvement
in business process analysis, control testing, risk management,
and forensic accounting, there may have been significantly
more disclosures of material weaknesses and revelations
of noncompliance with SOA. Sacrifices were made, however.
Traditional internal audit work—operational and systems
audits, fraud investigation, and special project audit work—became
secondary. And, with their fortunes tied more closely to
internal audits, companies may need to react to realize
the full value of their internal audit function.

Key recommendations outlined in the report include reworking
the organizational structure of internal auditing so that
the function reports to the audit committee as opposed to
executive management. Keeping the internal audit function
separate from management helps reassure regulators concerned
with independence, external auditors seeking objectivity,
and stakeholders expecting strong corporate governance practices.

Moreover, such an organizational structure may foster better communications,
encourage more direct feedback, promote proper staffing
and budgeting, and better enable audit committees to exert
direct influence over the hiring, compensation, and firing
of the chief audit executive.

Recent trends indicate that direct audit-committee reporting is
more common. Several years ago, more than 90% of internal
audit departments reported to the CFO. According to a recent
survey by the Institute of Internal Auditors, however, only
about 40% to 50% currently do.

While the internal audit function ordinarily will continue to
play a role in Sarbanes-Oxley compliance, the report suggests
reestablishing a broader view to address the multiple needs
of stakeholders:
- Fraud detection. Internal auditing can help management
determine that reasonable control activities are in place
for preventing and detecting fraud and supporting company
antifraud programs.
- Risk management. The internal audit function
should play a prominent role in helping management with
a comprehensive risk-assessment process, which is critical
to judging whether internal control over financial reporting
is effective.
- Evaluating new business operations. New opportunities
bring new risks, and internal auditors should take part
in identifying, evaluating, and helping an organization
intelligently manage such risks.
- Managing information technology (IT). IT usually
presents significant risk-management challenges to a company,
regardless of the computer systems’ status.
- Contributing to corporate growth. When companies
expand into new regions, distribution channels, or customers,
internal audit plans and activities should reflect these
areas of focus and risk, to help build top-line revenue
growth.

Deloitte & Touche and the Institute of Internal Auditors recommend
that internal audit departments undergo regular quality
reviews to assess the effectiveness and efficiency of the
function. The report outlines three models: continuous quality
assurance, self-assessment, and external quality assessment.
It is available online at www.deloitte.com/us/IAPOV.