Sarbanes-Oxley and Internal Audit in a Snapshot

by Jean-Louis Vergaert

The full Sarbanes-Oxley (SOX) Act is 66 pages long, and you will be surprised to hear that there is only one mention of “internal audit” in it: it is now a prohibited service for the public accounting firms. However, Internal Auditors know that their lives will be affected. Indeed, SOX significantly affects 2 of our working partners: our distinguished superiors (the Audit Committee and the Company Officers) and the public accounting companies, both of whom are understandably worried about their increased reporting responsibilities and the new criminal penalties.

This snapshot will not focus on the main core of SOX, e.g. the independence of the audit committee and public accounting companies, the conflict of interests, the corporate fraud and the increased penalties, and the whistle blowing procedures (see SOX sections 301 and 806). Instead, we will focus on the internal controls.

Internal controls appear in 3 sections of SOX: 404, 302 and 103.

404 a): by which annual reports will include an internal controls report in which Management recognizes its responsibility to implement controls and evaluates the effectiveness of the internal controls in place.

404 b): by which the external auditors will attest and report on the above Management statement.

The Act refers to internal controls for financial reporting only. As a consequence, internal controls over errors, fraud, waste and embezzlement which do not have a material impact on financial reporting can possibly be excluded from this clause, although this is a matter of interpretation which has not yet been clarified.

302: to summarize this clause, the company Officers (CEO and CFO) signing the SEC reports are now responsible for what they sign – and attest that they have implemented the necessary internal controls to ensure that they are informed of any material impact over financial reporting.

As with 404, the SOX reference to internal controls is not an all-encompassing definition of anything that can go wrong within the company. Instead, “Material facts”, “all material respects”, “material information”, “significant deficiencies”, “material weaknesses”, “significantly affect internal controls”, “significant deficiencies and material weaknesses” are the recurring SOX references in this clause.

From this interpretation, there is no reason to document all the internal controls within a company in a gigantic database, as is sometimes recommended by software consultants or enforced by confused Management.

The only exception to the “materiality principle” is 302 (a)(5)(B), stating that the signing Officers have disclosed to the issuer’s auditors and the audit committee any fraud, whether or not material, that involves Management or other employees who have a significant role in the issuer’s internal controls. This clause raises the level of probity expected of the company’s Management, and must be addressed by a serious whistle blowing procedure. This clause is also a good argument for Internal auditors to remember when subject to “friendly” pressure while investigating some delicate area concerning Management integrity.

103: this section sets the framework by which the SOX Board will define the auditing, attestation and quality control standards to be used by public accounting firms in the preparation and issuance of audit reports. Also, this section states that the standards will include the evaluation and documentation of the internal controls. However, the scope of this review remains limited to ensuring that transactions are fairly documented, comply with GAAP, and are approved by Management. The report must include a description of any material breach.

Although the external auditors have always performed some internal control reviews of large companies, they must now issue an official attestation over the systems of the audited company. As a consequence, they are likely to increase their fees (see PricewaterhouseCoopers Whitepaper “The Sarbanes-Oxley Act of 2002”, page 18).

An alternative is for the auditee to provide adequate information about the current status of their internal controls. Internal Audit remains the best channel to independently review the adequacy and effectiveness of internal controls, and to pass that information to the external auditors. Indeed, not only does Internal Audit ensure that controls are adequate, standardized across the company, and documented; it also performs periodic testing of these controls for effective design and operation, and recommends continuous improvement. Internal auditors are therefore the most suitable internal driver for improving and verifying internal controls. Following SOX, external auditors will only attest to a control if it is monitored and optimised. They will refuse unreliable or informal controls.

Internal audit programs include an overview of many controls which external auditors are now likely to review more extensively, as indicated above. Such controls include, but are not limited to, procurements and cash disbursements, sales and cash receipts, stock controls, financial reporting controls, fixed assets, project management, corporate governance and ethics. Local Management would also greatly benefit from not having to explain to the external auditors what they have just spent hours explaining to the internal auditors. Everyone would benefit from greater cooperation between internal and external auditors. However, although such cooperation exists at the Audit Committee level, in many companies it has not yet filtered down to the level of exchanging detailed information about specific controls.

Sarbanes-Oxley will indirectly require improved field-level cooperation between internal and external audit departments, and this will not be easy. Just as national security acts recommend improved cooperation between the intelligence agencies, such cooperation faces, in many cases, entrenched interests and a lack of trust and openness. Broadly speaking, internal audit is afraid to give too much information to external auditors who will not know how to use it, or will draw incorrect conclusions from it, or will request a level of control documentation to which internal audit is not accustomed. Internal audit does not want to be supervised by external audit, while external auditors do not wish to rely on internal audit information that is not up to their standards.

Technology cannot resolve such a problem, but it can help. Electronic internal audit programs can filter information and present only the level of detail which the user requires. In this case, internal and external auditors can agree on the controls to be reviewed and documented by internal audit. Such controls are usually part of internal audit programs. By implementing an automated filter, the internal auditor can easily produce an electronic paper which shows only their review of the audit points which are relevant for the external auditors.

Conclusion

Although internal audit is not part of SOX, it is in the interest of the profession that internal auditors take a proactive role, for the following reasons:

a)      To provide better assurance to the Audit Committee and the Company’s Officers who sign the annual reports, including their attest on the financial controls.

b)      To be able to claim resources commensurate with the internal audit duties, and to regain independence when facing pressure and entrenched interests.

c)      To avoid being subordinated to non-productive tasks, like documenting all internal controls in a repeated version of ISO 9002 or Control Assessment.

d)      To avoid an increased review of internal controls by the external auditors, who might duplicate the internal audit work, at significant cost for the company (increased audit fees and time spent by the company’s staff and Management explaining the business processes and controls to the external auditors).

a), c) and d) are challenges; b) is an opportunity. It all depends on how we act.

About the Author

Jean-Louis Vergaert is an internal auditor working for a major entertainment company. He covers 40 countries on the 5 continents. His focus is on practical audit work, fraud detection, and detailed investigation. “The challenge of the travel and the various cultural and linguistic environments is what spices up the work of internal audit”. He has developed a paperless audit software which is available on www.aafaudit.com.

Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan

Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/