In the last year or more, chief audit executives and their staffs have stepped up to the plate Big Time in their company’s compliance with the requirements of The Sarbanes-Oxley Act of 2002; studies have shown that internal audit functions spent one-half or more of their resources dealing largely with the internal control requirements of Section 404.
This occurred, of course, because—with its knowledge, skills and experience—there’s typically no better group than internal audit to comprehend, document, and test the enterprise’s internal control over financial reporting, or to monitor remediation efforts. This assessment is reinforced by the auditing standard published by the Public Company Accounting Oversight Board, which points to internal audit’s competency and objectivity with respect to internal control over financial reporting.
Many positive side-effects have resulted from this situation, some of which we will review below. But there have been negative side effects, as well. It’s important to review those, too, before considering a path along which the CAE and the internal audit function can provide even greater long term value to the company.
Enhanced Stature And Positioning
Chief audit executives with whom I’ve recently dealt have found their group’s performance regarding Section 404 has received extremely high marks. Internal audit’s ability to quickly grasp the scope of the 404 initiative, mobilize staff, coordinate with others involved in the effort, and provide expert guidance in documenting and testing controls enabled many companies to meet deadlines with positive results, where otherwise that would not have been the case. Even in companies at which senior management and audit committee members already held internal audit in high esteem, there is a newfound appreciation of the chief audit executive’s ability to provide critical leadership under intense pressure.
One result of this has been greater attention—especially by audit committees—paid to internal audit’s role and responsibilities. Another has been greater attention paid to internal audit’s resources, so that the function is positioned to carry out its mission. Audit committees are looking more closely at the level and depth of internal audit’s staff. Budgets are being analyzed with a sharper focus—not to cut those budgets, but rather to ensure that sufficient credentialed and experienced resources are in place. Specialized IT and other expertise—along with sufficiently sophisticated audit-based technology and methodology—and appropriate levels of managerial capability are expected to ensure requisite high audit quality and efficiency. And audit committees are taking more time to consider internal audit plans, coverage, and reports.
Another result of the enhanced appreciation of the internal audit function is the fact that senior management has called upon the chief audit executive—and his or her team—to focus on areas of particular concern, such as compliance with laws and regulations and business process effectiveness and efficiency. Indeed, some chief audit executives have been called upon to continue to lead the effort on 404 going forward—recognition and “reward” for getting the job done well the first time around.
All of this indeed is positive; who wouldn’t want their team and efforts to receive applause from the highest levels of corporate leadership?
A Slippery Slope
However, these accolades come with associated pitfalls, each of which needs to be considered:
Diminished Objectivity—As noted, a number of chief audit executives are being asked to continue—or take on—the role of “chief internal control officer,” with lead responsibility for 404 compliance in Year Two and beyond. This, in reality, is a double-edged sword. Gaining additional responsibility typically is a good thing for any executive. And, indeed, the job might be doable, where a chief audit executive wearing both hats has one key lieutenant heading the internal audit function and another heading internal control, preferably with separate staffs. But even with such a configuration there can be difficulties: Where internal audit has responsibility for leading the 404 effort, there can be diminished objectivity when it comes to auditing the controls.
Neglected Responsibilities—Attention normally given to other important corporate activities can be diverted. Even when high-risk, priority operations are covered, less immediate but still-important areas might be neglected, especially those that are addressed on a cyclical basis. As more responsibility is accepted, unless there is a commensurate increase in resources, normally something has got to give.
Disappearing Staff—The more visibility and recognition achieved, the greater the likelihood that senior management or business unit leaders request internal audit to perform strategically focused special projects. The investigative and analytical skills can be used to achieve many business needs, and—if not careful to control those requests—staff needed for critical audit work can quickly dissipate. Similarly, as internal audit staff works with line and staff executives—and their capabilities become more widely known—there may be requests for internal transfers to work full time in other units.
Even in companies with healthy cultures in which units regularly assist one another to support the common corporate good—with all pulling in the same strategic direction—the reality is that business unit leaders look to fill special needs. Filling those needs must not be done at the expense of the internal audit function.
The Path Forward
For many chief audit executives, it’s time to take stock of priorities and resources. In addition to the current annual plan, it’s helpful to forecast needs for the next two to three years, considering audit and staffing requirements that reflect advancement and turnover. In many instances, there will be a significant and obvious shortfall in resources.
With respect to ongoing 404 work, serious consideration should be given to declining the opportunity to lead the effort, for the reasons outlined above; internal audit’s objectivity and ability to focus on higher risk areas are at stake. The internal audit function can and should continue to play an important role, but the time and resources needed to lead and coordinate all the players are significant. And while the amount of time needed for 404 in Year Two certainly should be less than in Year One, the amount of attention many companies are beginning to give to a related area—reporting on disclosure controls and procedures under Sarbanes-Oxley’s Section 302—is expanding.
Of utmost importance for chief audit executives is regular communication with whoever in top management their reporting relationship is with, as well as with the audit committee. In a number of companies, there has been a significant disconnect between what the internal audit function is currently doing and plans to do going forward—based on existing resources—and how those activities and plans are perceived by others. It is essential that the audit committee chair and top management fully understand normal audit coverage that has been deferred, including work related to the company’s strategic and operational objectives, and what is and is not encompassed in plans going forward. They need to know, for example, what business processes, foreign operations, and legal and regulatory compliance audits will or will not take place, what audit objectives will or won’t be achieved, and what will be the breadth and depth of coverage.
The chief audit executive does not want to find him- or herself in a situation characterized by expectations that are greater than can be achieved. And unless there is explicit and full communication, an expectation gap is likely to result.
Where expectations exceed available resources, there must be agreement on whether and how to enhance resources or modify audit scope. There may be opportunity to add staff, or to co-source where that makes business sense. As for deploying staff, decisions should be risk-based and consistent with internal audit’s charter and, as noted, with the demands and expectations of top management and the audit committee. Alignment is essential, or something will blow up—in all likelihood sooner than expected.
So for internal auditors who have been leading or heavily involved in Sarbanes-Oxley 404 initiatives, it’s time to define and stick with the day job—with clarity around what the job entails, what resources are needed, and with the full understanding and consensus of those with oversight responsibility.
The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
What did you think of this column? If you'd like to react or respond, we urge you to write a letter to the editor.
No comments yet