Internal Audit and Sarbanes-Oxley
In the early days of the Sarbanes-Oxley (SOX) Act, the internal audit played a crucial role in creating and managing SOX programs. Companies looked more often than not to internal audits as leaders in developing and implementing these initiatives. A KPMG study conducted shortly after the passage of SOX suggests that internal auditors were responsible for these programs at 15 percent of companies and day-to-day management in 56 percent of businesses.
However, this overemphasis on financial reporting can open companies to other risks. Financial reporting and monitoring can take a lot of time, and if internal audit teams are saddled with these responsibilities, they may lose focus on other areas of their jobs. A separate PricewaterhouseCoopers report found that in the years immediately after SOX was passed, internal audit departments spent approximately 50 percent of their resources supporting the SOX program.
Understandably, the overemphasis on SOX led to a number of concerns among established internal auditors. Industry groups urged both corporations and their internal auditors to balance their risk management strategies among a variety of risks, not specifically SOX. This shift in resources created a situation that fails to address key strategic, operational and compliance risks and undermines internal audits’ value to businesses.
“Sarbanes-Oxley has consumed internal audit organizations that other priorities are falling by the wayside. Simply put, the legislation is diverting internal audit resources from risk-based auditing, creating the potential for dire consequences,” PwC added.
While focusing too much on SOX can lead to unbalanced risk management programs, there are several noted benefits of involving internal auditors with SOX programs. As The Institute of Internal Auditors notes, internal audit practitioners are experts in internal control, and their insight and experience can contribute significantly to efficient and effective SOX initiatives.
“Internal audit is charged with providing assurance and consulting services on all major risks, including the risk of poor controls over financial reporting,” the IIA adds. “They might be obliged to review and assess management’s testing if they don’t do it themselves, at greater cost to the company as a whole than if they did the testing.”
The key is knowing how, when and where to prioritize specific elements of internal audit programs. One specific risk area should not completely override others, even if it is a priority.