With the advent of new financial reporting legislation and regulations—namely, the now-infamous Section 404 of Sarbanes-Oxley—companies may be calling more frequently on internal auditors to issue opinions on the adequacy of internal controls.
That's right: internal auditors.
While SOX 404 requires external auditors to sign off on management’s assessment of the effectiveness of their internal control over financial reporting, some companies are apparently turning to their internal auditors for such assurance. That's according to the Institute of Internal Auditors, a professional association that recently provided guidance on the topic.
Anderson
“With the advent 404 in the U.S., and other countries headed in that direction, what we’re seeing and hearing from our peers is that audit committees and management are asking internal auditors for their opinion on internal controls,” said Doug Anderson, director of corporate auditing at Dow Chemical and a member of the IIA committee that drafted the guidance. “Audit committees are asking, ‘Do you agree with the external auditors? Do you agree with management?’ Those are fair questions for the audit committee to ask.”
But for most internal auditors, rendering such an opinion might be new territory. In fact, until now, Anderson says internal auditors haven’t had a framework for expressing an opinion.
The IIA guidance intends to clarify what internal auditors need to be mindful of when issuing such opinions.
Mistakes Not Acceptable
The guidance itself, which is based on IIA’s standards for professional practice, isn’t new. But it represents the first written, detailed framework for internal auditors of the various considerations that factor in when issuing an opinion on internal controls, such as the scope of the audit and the nature and extent of audit work performed.
Richards
“We’re bringing together a lot of pieces that exist in other forms,” says Dave Richards, IIA president. The culmination of that effort is a discussion paper, Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control (see box above, right).
While Sarbanes-Oxley has made financial controls a major focus for domestic companies, Richards says the guidance applies to opinions for all aspects of internal controls, including those related to operations, which “is where the risk for most companies really is.”
Although 404 was one of the drivers behind the effort, Richards notes that it isn’t only U.S.-based companies that are grappling with control issues. “The whole subject of internal controls is on radar screens around the world,” says Richards. “Most major countries have legislation with an emphasis around the subject of controls pending or being implemented. There’s a need from management, audit committees and the general public for internal auditor to step up and do this.”
“We’re dealing with issues where a mistake is not acceptable," says Anderson at Dow Chemical. "If we give the wrong message to management or the audit committee, we’ve failed as internal auditors.” The issue, says Anderson, has less to do with liability than responsibility. “Getting it right is critically important—whether we have legal liability or not, we’re relied upon to give management comfort and assurance.”
The Same Page
The guidance points to the Committee of Sponsoring Organizations of the Treadway Commission model as the independent framework on which to render control opinions. Richards says the COSO model has become “more pertinent today because of SOX work.”
Harrington
“This is a great first step on an emerging issue,” says Larry Harrington, vice president of internal audit at Raytheon and a member of the committee that drafted the paper. Harrington says the paper is a sort of “dos and don’ts in issuing opinions.”
The paper provides a detailed look at the various types of positive and negative assurances, what each opinion means, and specific matters that internal auditors should consider when issuing them. It also stresses the importance of defining opinions appropriately for the reader, so that the members of management and the audit committees who read the opinions and rely on them understand what they mean.
“This puts everybody on the same page, so we’re all operating with the same understanding,” says Kirk Root, chief audit executive at Skyline Corp.
Harrington says the guidance is also meant to get internal auditors and audit committees talking. “It serves as a guide to for internal auditors to have a dialogue with the audit committee,” on issues such as the amount of work required to issue an opinion on the overall control environment.
Anderson notes that the guidance isn’t going to answer every question internal auditors might have. “This guidance deals with key topics so internal auditors didn’t go through this year giving opinions without thinking things through, issuing the wrong types of opinions or opinions that are not well supported,” he says.
“Some of the feedback we’ve gotten is that the guidance doesn’t go far enough because it doesn’t tell the auditor exactly how much evidence they need to give a positive assurance; that guidance has not been written yet,” adds Anderson. But it’s an area he says the IIA’s Professional Issues Committee is looking at. “We had a discussion at the most recent PIC committee meeting about a phase two of the opinions project. There’s more work to be done.”
The document is available from the box above, right.
No comments yet