Print


Rebalancing Internal Audit in the Sarbanes-Oxley Era

NOVEMBER 2005 - As companies have sought to meet new compliance standards under the Sarbanes-Oxley Act of 2002 (SOA), internal auditing has provided companies with vital business process analysis, control testing, risk management, and forensic accounting. According to a new report, “Optimizing the Role of Internal Audit in the Sarbanes-Oxley Era,” internal auditing has the potential to deliver even further value to organizations, but only if corporate management and boards readdress and rebalance the roles and responsibilities of internal auditors.

The report, issued by Deloitte & Touche, concludes that without the internal audit function’s involvement in business process analysis, control testing, risk management, and forensic accounting, there may have been significantly more disclosures of material weaknesses and revelations of noncompliance with SOA. Sacrifices were made, however. Traditional internal audit work—operational and systems audits, fraud investigation, and special project audit work—became secondary. And, with their fortunes tied more closely to internal audits, companies may need to react to realize the full value of their internal audit function.

Key recommendations outlined in the report include reworking the organizational structure of internal auditing so that the function reports to the audit committee as opposed to executive management. Keeping the internal audit function separate from management helps reassure regulators concerned with independence, external auditors seeking objectivity, and stakeholders expecting strong corporate governance practices.

Moreover, such an organizational structure may foster better communications, encourage more direct feedback, promote proper staffing and budgeting, and better enable audit committees to exert direct influence over the hiring, compensation, and firing of the chief audit executive.

Recent trends indicate that direct audit-committee reporting is more common. Several years ago, more than 90% of internal audit departments reported to the CFO. According to a recent survey by the Institute of Internal Auditors, however, only about 40% to 50% currently do.

While the internal audit function ordinarily will continue to play a role in Sarbanes-Oxley compliance, the report suggests reestablishing a broader view to address the multiple needs of stakeholders:

  • Fraud detection. Internal auditing can help management determine that reasonable control activities are in place for preventing and detecting fraud and supporting company antifraud programs.
  • Risk management. The internal audit function should play a prominent role in helping management with a comprehensive risk-assessment process, which is critical to judging whether internal control over financial reporting is effective.
  • Evaluating new business operations. New opportunities bring new risks, and internal auditors should take part in identifying, evaluating, and helping an organization intelligently manage such risks.
  • Managing information technology (IT). IT usually presents significant risk-management challenges to a company, regardless of the computer systems’ status.
  • Contributing to corporate growth. When companies expand into new regions, distribution channels, or customers, internal audit plans and activities should reflect these areas of focus and risk, to help build top-line revenue growth.

Deloitte & Touche and the Institute of Internal Auditors recommend that internal audit departments undergo regular quality reviews to assess the effectiveness and efficiency of the function. The report outlines three models: continuous quality assurance, self-assessment, and external quality assessment. It is available online at www.deloitte.com/us/IAPOV.

Close