The Sarbanes-Oxley Act may no longer be the overwhelming focus of internal auditors as it once was, but its spawn are still top of mind.

In particular, some internal auditors are now carefully examining how they handle potentially SOX-related issues that arise outside of their normal testing work. Before such worries emerge, experts say, companies must have a process already in place to address them.

An internal audit professional at a Fortune 500 company, who asked not to be named, says it’s an issue that his department has pondered as it goes about its work testing areas that might have been touched during SOX testing.

“We started thinking about this when we were thinking about how we could take our Year One SOX effort and make it more sustainable. We started thinking about what could come up in our regular audits,” he says. “We then added a SOX rating statement in our criteria we use to measure risk for an audit finding, and added a SOX impact section to every IA report.

“If [other internal auditors] haven’t addressed this issue, I’d be surprised. Internal auditors are guaranteed to be touching areas that they’re also doing SOX work on,” the auditor told Compliance Week. “We have—and most companies probably have—a standing committee that meets regularly to discuss SOX-related issues, comprised of the controller, the CFO, general counsel, et cetera. If an issue came up, we would bring it to that standing committee to determine whether it’s a material issue, and it would get escalated from there.”

Experts who spoke with Compliance Week agree that having a communication process in place is critical.


“This is a significant issue—and it should be,” says Matthew Herrington, partner in the Washington office of law firm Steptoe and Johnson. “No organization composed of human beings is perfect, and a vigorous internal audit effort should be expected to turn up the occasional anomalous result which requires further attention.”

The key, Herrington says, is that internal audit departments have “an ‘early warning’ relationship with the general counsel or a dedicated compliance office.” When a SOX issue exists, “who should make the determination, and who should be told at what point, are all matters addressed in advance, in a comprehensive compliance policy.”

Any activity that has a material effect on financial reporting, as well as any potential fraud, material or not, is typically within the purview of internal auditors. “This presents very difficult issues for internal auditors, especially if they find something material during an audit that may not be focused on the issue uncovered,” says Matthew Nolan, a corporate lawyer at Miller and Chevalier.

Exactly how issues are handled depends on the nature and extent of the issue in question, Nolan says. For example, internal auditors might refer issues to the general counsel for investigation, report the matter to senior management, hand the problem to the board’s audit committee, or involve outside auditors, depending upon the problem and the temperament of the company.

Companies are trying to craft formal policies for such decisions, Nolan says. “One approach is to have a ‘rapid response’ team that is multidisciplinary. If the company has a compliance committee of that sort in place already, it can serve double duty.” Any internal-audit concerns could flow to that team, which would determine the underlying issue and who should address it. Doing so “brings some centralization at the outset” to ensure consistency and transparency, and can also clarify what issues should go to the audit committee, he says.

Visibility Procedures


One challenge for audit groups is the need to provide “clear, timely, and concise visibility” to any issues that are identified, says Fred Umbach, a managing director at risk consulting firm Protiviti. “The need exists to understand the impact and likelihood of that issue across the business,” especially given the executive liabilities created by Sarbanes’ Section 302 attestations.

“As internal auditors have been driven to evaluate the gaps [in controls] that they see through SOX, they’re starting to treat their normal audit work the same way,” Umbach says. “Since the CEO and the CFOs have to certify the financial statements, if any open audit issues exist in the normal internal audit work or the SOX audit work, they want to immediately know the significance and the impact, and determine whether it’s necessary to disclose the issue.”

Umbach notes that under the Section 302 certifications, companies are required to have adequate procedures and processes in place to bring important issues to senior management’s attention. Echoing Nolan’s comments, Umbach says many companies achieve that end by establishing a disclosure or compliance committee of some kind, made up of senior executives who can decide how to proceed.

“We haven’t seen any difference in the way SOX issues versus non-SOX issues are treated. All internal audit issues identified—SOX or non-SOX related—are being treated the same way,” says Umbach.


Daniel Langer, solutions director of internal audit and controls at consulting firm Jefferson Wells, says normal audit communication practices “would be the approach most of the time that would seem to be appropriate… ‘When in doubt, disclose,’ has been a primary feature of SOX.”

Langer’s recommendation: issues uncovered in an audit should go to the chief executive and chief financial officers, and, depending on how the company is structured, either to the compliance committee or a separate compliance executive. What’s more, if the problem is in an area that external auditors have reviewed, they should be alerted as well. Then the internal auditor should document the issue, identify the response of the people responsible for addressing the matter, and follow up to see that it has been remediated.

Langer also warns that discovery of a SOX-related issue during an unrelated internal audit could indicate other problems. “It may be that more needs to be done at the top level to get the message down through the rest of the organization that [compliance] is everyone’s responsibility,” he says. “It may be a good opportunity to look at whether the organization needs to take a more enterprise-level approach to risk review.”