Nearly two-thirds of senior internal audit executives say managers at their companies still don’t take responsibility for internal controls governing financial reporting, while one-fifth worry that helping their companies develop compliance programs compromises the integrity of their audits, according to a new report.

Those are the conclusions of a survey of 858 corporate auditors conducted by software firm ACL Services Ltd. ACL painted a picture of internal auditors swamped by Sarbanes-Oxley’s compliance needs, devoting their time to helping their companies meet its many challenges while other audit projects languished.

Companies coping with requirements under Sarbanes-Oxley were particularly challenged in the past two years. As internal audit and management teams implemented programs to satisfy documentation required under Sarbanes-Oxley, they had to sort out who was responsible for certain processes and procedures.

“One of the things chief audit executives said they faced was their management’s lack of acceptance of responsibility for the internal controls, and for ensuring that the internal controls worked effectively,” says John Verver, vice president of professional services for ACL. “Internal auditors spent less time on some of the traditional operational risk activities. As a result of [SOX Section] 404, auditors were spending a lot of time on compliance.”

According to the ACL survey, 62 percent of respondents cited a lack of ownership for controls and related risk by management. 20 percent said they worried that their participation in shaping compliance programs—a widespread practice since the arrival of Sarbanes-Oxley—weakens their ability to audit those programs effectively. Another 61 percent, however, said they had no such worries. (More than half of the survey’s respondents were from large corporations with annual revenues of at least $1 billion.)

Donald Floyd, chief audit executive of Polycom, a $580 million provider of videoconferencing software and equipment, counts himself in the latter group. “I don’t believe that hinders our independence,” Floyd says. “All we’re doing is independent testing of the controls and feeding the results back to management. It’s up to management to act on that.”

Floyd does say management and internal auditors should establish a clear separation between who owns the controls and procedures and who tests them. When Polycom first waded into the process of meeting Section 404’s requirements, Floyd recalls, he received an initial list of objectives for the year—including the successful passing of a Section 404 audit.

“I made sure that was taken out of my objectives,” he says. “Compliance testing we do, and we may make recommendations to strengthen the control environment. I can’t take responsibility for whether the controls are effective or not.” Internal auditors’ involvement in compliance “doesn’t impact independence as long as you have a separation of ownership of controls.”

Robert Hirth, a managing director at risk management consulting firm Protiviti, agrees that while internal auditors should be involved in compliance efforts, the ownership of controls and the decision-making about them should be the responsibility of management. “Being too involved in compliance becomes a bad thing for internal auditors because it starts to impair their objectivity,” Hirth says. “Get too involved yourself and you become part of management. It’s a matter of degree.”

Auditors do need to be involved in compliance because part of the internal audit profession’s objectives is to add value and improve upon a company’s processes and procedures, Hirth says. Internal auditors can provide guidance and consultation on control design and operating effectiveness—but not go so far as to become the control owners, he says.

KEY FINDINGS

The key findings below are from "New Demands, New Priorities: The Evolving Role of Internal Audit," the Global Audit Executives Survey Report, published by ACL Services, June 2006:

One in five audit executives felt their department’s independence was compromised by their involvement in compliance programs.

Close to half believe that the focus on regulatory compliance has impacted their ability to complete thorough and timely financial, operational, and system audits.

A shortage of skilled internal audit staff was identified as the most critical challenge to fulfilling the internal audit mandate, closely followed by complexity of the IT environment.

The use of data analytics technology within audit departments is wide-ranging, with close to one-third of the departments having less than 20 percent of their audit staff using data analytics software; however, approximately one-fifth have over 80 percent of their staff using the technology.

Lack of qualified audit staff trained in the use of data analytics software and the dependency on IT for data access were cited most frequently as barriers to increasing the use of technology within audit activities.

A total of 36 percent of organizations have adopted a continuous auditing approach across either all or within select business processes. Overall 39 percent plan to implement continuous auditing in the near future.

91 percent of audit executives felt that management and business process owners should own the monitoring of internal controls for business processes, and 33 percent have the technology in place or are planning to implement this approach in the coming year.

Source: New Demands, New Priorities: The Evolving Role of Internal Audit (ACL Services, June 2006)

Under guidelines provided by the Committee of Sponsoring Organizations, internal controls are defined as a process designed to achieve objectives including the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. That definition, Hirth says, embodies compliance and compels participation by internal auditors.

Or as David Richards, president of the Institute of Internal Auditors, puts it: “Should internal auditors participate in a new system development project? Yes. It’s taking their knowledge and skill and organizational expertise and putting it on that new system, so that if there is a control that needs to be put in place, it’s being done while it’s being constructed since it’s expensive to retrofit.”

In the case of SOX-related compliance activities, companies should be clear that controls over financial reporting are coordinated and directed by management, primarily in the finance and controller divisions, Hirth says. Internal auditing should stick to validating that the controls are indeed working as intended.

One of the challenges of SOX compliance efforts is that most attention is focused on transactional processing, says John Fraser, chief risk officer and head of internal auditing at Hydro One, a government-owned electricity utility in Ontario.

“In Sarbanes-Oxley, think of a triangle. At the top you have entity controls; the next level is IT controls, and the bottom third is transactional processing,” Fraser explains. “Most problems have been found on the entity controls level. SOX resources seem to be spent where the least amount of the problems have been.”

For compliance matters related to internal control over financial reporting, Fraser’s team provides advisory services to the internal controls project team at Hydro One, and conducts quality assurance audits over the documentation of controls. External consultants provided the direction for the internal control project, and were the primary resource for documenting the systems and design of testing, he says.

“I didn’t want to take our eye off of the big projects in the company, and the areas of high risk in the company as required by my mandate, by diverting my resources to an area of relatively little added value,” he says.

ACL’s survey also found that the business challenges cited most frequently by senior audit executives were a shortage of competent internal audit staff (70 percent) and a complex IT infrastructure (60 percent). Both of these factors affected their ability to fulfill internal audit objectives, ACL said.

The ACL study and related resources can be found in the box above, right.