Tactics to rebalance your internal audit function
By John Champ and Chris Cebula, Protiviti
Now that the initial burden of Sarbanes-Oxley (SOX) compliance is lightening for many companies, chief audit executives (CAE) are feeling pressure from all sides to “rebalance” their internal audit activity.  Management continues to push for reduced time and money dedicated to SOX compliance.  Audit committees are demanding that auditors be attentive to other areas of the business, not just financial reporting risks. 

This recent hyper-focus on SOX compliance has prevented internal audit activities from addressing other important business risks.  In many companies, the processes and controls associated with these other business risks have not been audited in two years, since the inception of SOX.  Rebalancing the internal audit activity is not as simple as going back to what had been done before SOX. Like it or not, SOX will continue to be a large part of internal audit’s focus in the foreseeable future.

As documented in various articles, white papers and surveys on the topic, including Protiviti’s survey entitled Moving Internal Audit Back into Balance: a Post-SOX Survey, rebalancing efforts center on a few common goals:

  • More appropriate coverage of risk
  • Better ability (i.e., more time) to perform traditional audits
  • Lower SOX Section 302 and 404 compliance costs

While few will argue with these rebalancing goals on the surface, most internal audit groups find it challenging to translate these high-level objectives into tactical business plans.  Recognizing this, we have devoted the remainder of this article to highlighting steps that have been and can be implemented by companies to achieve each of the above rebalancing goals.    

More appropriate risk coverage

Internal auditors can increase their coverage of risk by performing consistent risk assessments, creating risk coverage metrics that match the risk assessment, and employing continuous auditing techniques.

  • Risk Assessments - The appropriate starting point for a risk assessment is to develop a common risk language across the organization.  Internal auditors should encourage the use of this common risk language for SOX, enterprise risk management, fraud, internal audit planning, and all other risk activities throughout the business. Using common terminology facilitates better coordination of risk management activities across the organization.
  • Risk Metrics - Internal auditors should develop and report on risk coverage metrics to validate their planned approach, which is focused on key company risks.  Risk coverage metrics can be used to link internal audit activities to the related risk by requirement (i.e., fraud risk mitigation, internal audit risk mitigation, SOX risk mitigation) or by risk (i.e., health and safety, cycle time, contract commitment). 
  • Continuous Auditing - This form of auditing has been around for many years.  Continuous auditing has evolved as IT systems have become more sophisticated and audit committees require thorough risk assessments and better information in response to recent regulatory requirements.  This technology-based approach allows internal auditors to provide greater coverage of certain risk areas than previously achieved through the sole use of traditional audit techniques.  For example, internal auditors can leverage technology to continuously audit accounts payable for items such as: duplicate vendors, vendors with unusual addresses, voided payments, unusual payment dates (e.g., holidays) or other control overrides.  Although continuous auditing is not a foolproof audit approach, nor should it replace full-scope audits, it is a valuable tool to internal auditors who use it effectively.
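The accounts payable tests named above, as an added illustration that is not from the article or from Protiviti: a small script runs each test over a constructed vendor master and payment ledger and returns the exceptions for reviewer follow-up. The vendor, employee-address, holiday and payment records are all invented sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not taken from the article: a tiny vendor master and AP ledger.
VENDORS = [
    {"id": "V100", "name": "Acme Supply Co.", "address": "12 Main St, Cleveland OH"},
    {"id": "V101", "name": "ACME SUPPLY CO", "address": "12 Main St., Cleveland, OH"},  # same vendor re-keyed
    {"id": "V102", "name": "Lakeside Tools", "address": "77 Elm Ave, Akron OH"},
]
EMPLOYEE_ADDRESSES = ["77 Elm Ave., Akron, OH"]            # constructed: collides with V102
HOLIDAYS = {date(2005, 7, 4), date(2005, 12, 26)}          # constructed holiday calendar
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 1200.00, "date": date(2005, 7, 1), "status": "paid"},
    {"id": "P2", "vendor": "V101", "amount": 1200.00, "date": date(2005, 7, 4), "status": "paid"},  # holiday
    {"id": "P3", "vendor": "V102", "amount": 350.00, "date": date(2005, 7, 9), "status": "void"},   # Saturday, voided
    {"id": "P4", "vendor": "V100", "amount": 80.00, "date": date(2005, 7, 12), "status": "paid"},
]

def normalize(text):
    """Fold case and drop punctuation so 'Acme Supply Co.' and 'ACME SUPPLY CO' compare equal."""
    return " ".join("".join(c for c in text.lower() if c.isalnum() or c.isspace()).split())

def duplicate_vendors(vendors):
    """Vendor ids sharing a normalized name or address: candidate duplicate master records."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("name", normalize(v["name"]))].add(v["id"])
        by_key[("addr", normalize(v["address"]))].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})

def unusual_addresses(vendors, employee_addresses):
    """Vendors whose address matches an employee address (a common fictitious-vendor indicator)."""
    emp = {normalize(a) for a in employee_addresses}
    return sorted(v["id"] for v in vendors if normalize(v["address"]) in emp)

def voided_payments(payments):
    """Voided payments, each of which should have a documented reason and approver."""
    return sorted(p["id"] for p in payments if p["status"] == "void")

def unusual_dates(payments, holidays):
    """Payments posted on a weekend or holiday, when normal processing should not run."""
    return sorted(p["id"] for p in payments if p["date"].weekday() >= 5 or p["date"] in holidays)

def run_ap_tests(vendors=VENDORS, payments=PAYMENTS):
    """Run every continuous-audit test and return the exceptions keyed by test name."""
    return {
        "duplicate_vendors": duplicate_vendors(vendors),
        "unusual_addresses": unusual_addresses(vendors, EMPLOYEE_ADDRESSES),
        "voided_payments": voided_payments(payments),
        "unusual_dates": unusual_dates(payments, HOLIDAYS),
    }

if __name__ == "__main__":
    for test, hits in run_ap_tests().items():
        print(f"{test}: {hits}")
```

In practice the same functions would be scheduled against a nightly extract of the ERP tables, with the exceptions routed to the process owner rather than printed.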

Increase ability to perform traditional audits

In many companies, internal audit is leading the transition from a project approach to a process approach for SOX compliance.  Internal auditors are helping define where to start on the “project-to-process journey” to maximize the benefits.  Moving from project to process involves transitioning from an ad-hoc, one-time project approach to a sustainable, cost-effective and value-added process over time.  This transition will not occur overnight, nor is there a single “starting point” that is appropriate for all companies.  Although controls optimization is the most common project-to-process activity, other activities of focus during this transition include implementing a change recognition process, integrating Section 302 and 404 processes, and re-evaluating the certification process. 

In other leading organizations, internal auditors are redefining their role as it relates to SOX compliance.  Certain tasks performed by internal audit in the first few years of compliance are now recognized to be more appropriately performed by management.  For example, in the early years of SOX compliance, many internal auditors were responsible for creating process documentation and developing and executing test plans.  In these leading companies, internal auditors are challenging the status quo by educating management that internal audit should be involved in validating management’s results but not maintaining process documentation (or in some cases, performing initial testing).  These internal audit groups are using the time previously spent on such SOX activities to complete “more traditional” audit work.

Reduce 302 and 404 compliance costs

To control SOX compliance costs, many companies moving beyond Year One are examining the scope of their efforts and rationalizing their control set.  In order to continue to reduce costs, companies are also implementing other tactics such as self-assessment techniques and optimizing the IT general control environment.

It is important to recognize that “self-assessment” means different things to different organizations.  Some companies use self-assessment techniques to facilitate a 302 “chain of certifications.”  Other, more progressive, companies are using self-assessment as an integral part of their 404-testing approach, some since the first year of compliance.  Regardless of how it is used, self-assessment offers several benefits that improve the control environment and reduce compliance costs, including:

  • Drives the “tone-at-the-top” down to process owners
  • Reinforces process owner accountability for critical controls
  • Integrates control and risk assessment activities into daily business practices
  • Ongoing assessments enable analysis across business units, reporting periods, business objectives or any other attributes incorporated in the assessment
  • Reduces costs by decreasing the scope of detailed controls testing or facilitating the roll-forward of “preliminary” testing to year-end

For companies that have not incorporated self-assessment into their compliance plan, keep in mind that implementing a self-assessment process requires careful planning.  A practical approach is to use self-assessment for lower-risk processes and continue to complete detail testing in higher-risk areas.  Medium-risk processes should employ self-assessment with the results “validated” by internal audit or another independent party.

  Process Risk    Level of Testing
  Low             Process Owner Self-Assessment
  Medium          Self-Assessment w/ Validation
  High            Full-Detail Testing

Another tactic companies are using to reduce compliance cost is increasing reliance on automated controls.  In Year One, most companies placed heavy reliance on manual controls due to a lack of understanding of the requirements or their systems.  Leading companies are now finding ways to place greater reliance on automated controls for two reasons: these controls tend to be more reliable and they are less costly to test.

Four areas to consider when increasing reliance on automated controls include:

  • Update pre-determined configurable IT controls.  Examples include data entry warning messages for duplicate records/transactions, invoice-to-purchase order tolerances, and user access privileges.
  • Automate fraud controls.
  • Create audit logs, exception reports, or system alerts to facilitate real-time monitoring of transactions.
  • Take advantage of workflow capabilities within ERP systems to facilitate automatic routing of reports and transactions or on-line reviews and approvals.

Even with all of these tactical approaches, rebalancing the internal audit activity will not happen overnight.  A well thought out approach is the key to a successful rebalancing effort.  Therefore, all CAEs should take a long-term view of their rebalancing objectives and prioritize the steps that will achieve those objectives.  This investment of time and resources will result in a more effective internal audit function and a higher level of stakeholder satisfaction, including the audit committee, management, and internal audit staff. 

John Champ is an associate director and Chris Cebula is a director in Protiviti’s Cleveland office.  

Article from Protiviti’s KnowledgeLeader – www.knowledgleader.com

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Copyright 2005 AuditNet. All rights reserved.

Revised: January 14, 2008