About Internal Audit and New Regulatory Requirements
Issues Arising from the SEC’s Approval
of NYSE Listing Standards
2005 - The SEC approved updated New York Stock Exchange
(NYSE) listing standards in November 2003. According to
the NYSE, “Listed companies must maintain an internal
audit function to provide management and the audit committee
with ongoing assessments of the company’s risk management
processes and system of internal control.” Companies
must comply with the requirement by the first annual meeting
after January 15, 2004, or by October 31, 2004.
internal audit function took on new prominence with this
requirement. Many U.S. public and private companies have
questions about how an internal audit function can affect
them and what the new listing standards require.
What companies are affected by the new standards?
A: Only NYSE-listed firms are affected. While
the SEC also approved new listing standards for Nasdaq,
these did not include an internal audit requirement. These
regulations will probably raise awareness among boards,
audit committees, and senior management about the benefits
of having an effective internal audit function, regardless
of a company’s listing. Many large private companies
with diverse and complex operations may find that developing
an effective internal audit function will help them to maintain,
validate, and improve internal controls; to identify opportunities
to reduce costs and improve processes; and to enhance governance.
Do NYSE-listed companies have to add staff to meet the internal
A: Companies with adequately staffed internal
audit departments likely will not need to institute changes.
Still, those that lack a department, or are understaffed,
may opt for a cosourcing or outsourcing arrangement with
a third-party service provider other than the external auditor.
Outsourcing could be an attractive option for many NYSE-listed
companies that need to quickly establish an internal audit
function to achieve compliance. Outsourcing is a quick,
cost-effective solution that provides immediate access to
needed skills and resources that can provide a higher level
of expertise, independence, and objectivity.
What is the proper internal audit staffing mix?
A: Businesses facing a significant number
of risks or particularly complex risks will require a range
of specialists and expertise. Most internal audit departments
are headed by a chief audit executive and include layers
of staff, such as managers, senior auditors, and auditors.
Many companies also rely on other in-house professionals
or tap into the specialized skill sets of outside providers.
How much should a company spend on internal audit?
A: The amount invested should depend on the
level and complexity of risks a company faces and the responsibilities
given to the internal audit function. A study by the Institute
of Internal Auditors (IIA) identified a wide range, between
0.03% and 0.2%, of revenues allocated to an internal audit
budget. Actual budgets vary widely, and risk should be a
key factor in determining the level of expenditures and
What are the first steps in initiating an internal audit
A: Initial steps should include clarifying
expectations with senior management, the board, and the
audit committee; considering the appropriate staffing model
(i.e., in-house, cosourced, or outsourced); and formulating
reporting responsibilities. Other key tasks involve developing
an audit charter; identifying the “universe”
of auditable entities; completing an initial risk assessment;
and developing an audit plan.
What are the qualities of a strong internal audit function?
A: The most salient qualities include an effective
chief audit executive, a supportive audit committee and
senior management team, a sound risk-assessment process,
an identifiable and well-conceived audit methodology, and
a focus on meeting customer needs. The company must understand
that as it changes, so do its risks. Also, every function
should adhere to the IIA’s standards for internal
Does internal auditing have a role in compliance with the
A: Yes. Because internal auditors are well
versed in areas such as process documentation and internal
control evaluation and testing, they can play a valuable
role in any company’s SOA compliance efforts.
What are the most effective ways for management to use the
A: The most effective way may be for management
to understand the key risks their company faces. They should
work with the internal audit department to determine how
it can best help the organization address and mitigate those
Can a company use its external auditor to perform internal
A: Although recent SEC regulations prohibit
companies from outsourcing internal audit work to their
external auditor, there are certain exceptions where a limited
amount of internal audit work can be performed by an external
auditor. For example, internal audit work is permitted if
it will not be relied on as part of the external audit.
Hirth is managing director and head of internal audit
practice for Protiviti (www.protiviti.com),
a provider of internal audit and business and technology risk