FAQs About Internal Audit and New Regulatory Requirements
Issues Arising from the SEC’s Approval of NYSE Listing Standards

By Robert Hirth

E-mail Story
Print Story
MAY 2005 - The SEC approved updated New York Stock Exchange (NYSE) listing standards in November 2003. According to the NYSE, “Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.” Companies must comply with the requirement by the first annual meeting after January 15, 2004, or by October 31, 2004.

The internal audit function took on new prominence with this requirement. Many U.S. public and private companies have questions about how an internal audit function can affect them and what the new listing standards require.

Q: What companies are affected by the new standards?
Only NYSE-listed firms are affected. While the SEC also approved new listing standards for Nasdaq, these did not include an internal audit requirement. These regulations will probably raise awareness among boards, audit committees, and senior management about the benefits of having an effective internal audit function, regardless of a company’s listing. Many large private companies with diverse and complex operations may find that developing an effective internal audit function will help them to maintain, validate, and improve internal controls; to identify opportunities to reduce costs and improve processes; and to enhance governance.

Q: Do NYSE-listed companies have to add staff to meet the internal audit requirement?
Companies with adequately staffed internal audit departments likely will not need to institute changes. Still, those that lack a department, or are understaffed, may opt for a cosourcing or outsourcing arrangement with a third-party service provider other than the external auditor. Outsourcing could be an attractive option for many NYSE-listed companies that need to quickly establish an internal audit function to achieve compliance. Outsourcing is a quick, cost-effective solution that provides immediate access to needed skills and resources that can provide a higher level of expertise, independence, and objectivity.

Q: What is the proper internal audit staffing mix?
Businesses facing a significant number of risks or particularly complex risks will require a range of specialists and expertise. Most internal audit departments are headed by a chief audit executive and include layers of staff, such as managers, senior auditors, and auditors. Many companies also rely on other in-house professionals or tap into the specialized skill sets of outside providers.

Q: How much should a company spend on internal audit?
The amount invested should depend on the level and complexity of risks a company faces and the responsibilities given to the internal audit function. A study by the Institute of Internal Auditors (IIA) identified a wide range, between 0.03% and 0.2%, of revenues allocated to an internal audit budget. Actual budgets vary widely, and risk should be a key factor in determining the level of expenditures and resources required.

Q: What are the first steps in initiating an internal audit function?
Initial steps should include clarifying expectations with senior management, the board, and the audit committee; considering the appropriate staffing model (i.e., in-house, cosourced, or outsourced); and formulating reporting responsibilities. Other key tasks involve developing an audit charter; identifying the “universe” of auditable entities; completing an initial risk assessment; and developing an audit plan.

Q: What are the qualities of a strong internal audit function?
The most salient qualities include an effective chief audit executive, a supportive audit committee and senior management team, a sound risk-assessment process, an identifiable and well-conceived audit methodology, and a focus on meeting customer needs. The company must understand that as it changes, so do its risks. Also, every function should adhere to the IIA’s standards for internal auditing.

Q: Does internal auditing have a role in compliance with the Sarbanes-Oxley Act?
Yes. Because internal auditors are well versed in areas such as process documentation and internal control evaluation and testing, they can play a valuable role in any company’s SOA compliance efforts.

Q: What are the most effective ways for management to use the internal audit?
The most effective way may be for management to understand the key risks their company faces. They should work with the internal audit department to determine how it can best help the organization address and mitigate those risks.

Q: Can a company use its external auditor to perform internal audit work?
Although recent SEC regulations prohibit companies from outsourcing internal audit work to their external auditor, there are certain exceptions where a limited amount of internal audit work can be performed by an external auditor. For example, internal audit work is permitted if it will not be relied on as part of the external audit.

Robert Hirth is managing director and head of internal audit practice for Protiviti (www.protiviti.com), a provider of internal audit and business and technology risk consulting services.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices