The Role of Internal Audit in SOX Compliance

Ever since Congress passed the Sarbanes-Oxley Act in 2002—a response to major accounting scandals at such companies as Enron, WorldCom, Adelphia, Tyco, and others—internal auditors have been wringing their hands over their role in assuring compliance with the complex law.

SOX, as it has come to be known, created radical and comprehensive changes among publicly traded companies aimed at protect investors by improving the accuracy and reliability of financial disclosures, and by creating more stringent record-keeping requirements and criminal penalties for violating securities laws. A central provision of the rule, known as Section 404, requires companies to ensure that they have adequate internal controls over financial reporting and that those controls are documented, tested, and maintained to ensure their effectiveness. SOX also officially assigned the organization’s external auditor with responsibility for approving the assessments supporting management reports regarding internal controls over financial reporting.

While SOX obligated new practices for managers to test their own controls, internal audit, which had traditionally been the department focused on assessing risks and testing controls in the financial and operational activities of organizations, still had a major role to play. At many companies it was determined that internal auditors already possessed the required skills and experiences to contribute to the organization’s SOX efforts.

SOX and Internal Audit Oversight
Although testing the organization’s controls is something that is a core competency of internal audit, there is no legal requirement under SOX that forces organizations to have an internal audit function or to involve the existing function in SOX compliance projects. SOX defines the roles of management, the audit committee, and the external auditors, but it does not specifically address the internal auditors’ role or assign any specific responsibility to internal audit. There are, however, particular sections of the regulation that may be indirectly associated with internal audit.

Section 404 of SOX requires the organization’s independent auditor to attest to management’s own assessment of internal controls and procedures in accordance with standards established by the Public Company Accounting Oversight Board. In turn, the PCAOB gives place to internal audit in Audit Standard No. 5 with the statement of “Using the work of others” and assumes that external auditors may rely on the work of internal auditors.

In consideration of both SOX Section 404 and PCAOB Standard No. 5, we can conclude that existence of an internal audit function is an important facilitating factor for an independent auditor to attest to the management’s assessment of controls; however, it is not a prerequisite for the organization’s compliance with SOX. Still, it is important to note that some organizations may be required to have such an internal audit function depending on their sector, jurisdiction, or listed exchange. In the United States, for example, companies listed on the New York Stock Exchange are required to conduct internal audit activities, while those listed on Nasdaq have no such requirement.

Under the Section 409 of SOX, public companies must disclose to the public on a prompt and current basis when there is an additional information concerning material changes in the financial conditions or operations of the organization. When doing so, a disclosure committee is responsible for designing and implementing the organization’s disclosure procedures. Accordingly, the disclosure committee detects relevant disclosure problems and develops appropriate systems in order to make sure that material information is released to the steering committee (which should include the CEO and CFO) in a timely manner. When doing so, the disclosure committee is expected to review SEC filings, management’s quarterly and annual evaluations of internal controls over financial reporting, press releases, and internal audit reports.

Once again, the organization can be one move ahead if its management is able to benefit from existing internal auditors’ reports in relation to Section 409. As previously mentioned, however, it is not a prerequisite for compliance with SOX, though consideration is to be made for sector-specific and jurisdictional regulations and guidelines.

Ideal Positioning of Internal Audit in SOX Compliance
As explained above, the Section 404 of SOX requires management to make an annual assertion followed by an independent auditor’s attestation. Similarly, the Section 302 requires the management’s quarterly approval of financial reporting and disclosure controls and procedures.

After organizations had initiated efforts to reach compliance with the reporting requirements of both SOX sections, internal auditors raised many questions related to their actual role and involvement in SOX related activities (along with the limits of their involvement). Despite the fact that there is no direct legal requirement as detailed above, participation by the internal audit function in SOX compliance projects is perceived as a reasonable choice by organizations’ managements because of the fact that internal auditors are deemed to possess various skills and experiences in processes, operations and compliance procedures.

As SOX compliance evolved in the years after the regulation’s passing, this perception converted internal audit activity into a function playing a critical role in control testing on behalf of management as an annual program of SOX compliance. According to the IIA’s survey in 2013 by the Institute of Internal Auditors, 69 percent of Fortune 500 companies’ internal audit functions are involved in SOX compliance efforts, whereas the scope of involvement ranges from a minor role to ownership of the entire SOX process.

A new study finds that companies are increasingly putting internal audit in charge of SOX internal controls compliance, rather than departments such as financial reporting or legal.

The survey, conducted by the SOX & Internal Controls Professionals Group, finds that 46 percent of respondents report that internal audit is in charge of managing the SOX internal controls compliance function, a 5 percent increase from last year, and up from the 32 percent who said internal audit handled it in 2016. There is also an increase in the use of a dedicated SOX/IC compliance team. About a third of respondents say SOX is now headed by a dedicated team, up from 25 percent last year. According to another survey by consulting and advisory firm Proviti this year, the rate for involvement of internal audit in SOX compliance efforts was 82 percent.

While every organization is different, to be able to find an ideal position for the internal audit in SOX compliance, it is good to remember the role of internal audit function as per the IIA’s internal auditing standards. Based on the standards, the Chief Audit Executive (CAE) of the organization is required to establish a risk-based plan to determine the main concerns of the internal audit activity. For this purpose, internal auditors are required to consider a SOX non-compliance situation as a risk to the organization in their risk assessment process when preparing an internal audit plan and determining their focus.

Maintaining Objectivity and Independence
According to the IIA’s Attribute Standard No. 1100, internal audit activity must be independent and internal auditors must be objective in performing their work. Responsibilities for designing, installing, implementing, or drafting controls and procedures by internal audit may lead to the presumption that the internal auditor’s objectivity is impaired. In other words, the appearance of objectivity cannot be preserved when internal audit both designs, installs, implements, or drafts procedures and then audits them at the same time. As such, it is important to note that internal audit should be in a position that provides assurance and consultation without impairing its objectivity and independence, with consideration of the IIA’s above-mentioned standards.

Therefore, when determining internal audit’s role in SOX compliance, it is crucial that internal audit cannot be responsible for developing processes or procedures that ensure the organization’s compliance with SOX. As a natural consequence, internal audit should not be the owner of entire process so that they can refrain from assessing specific operations for which they also have responsibility.

In addition to that, in some cases management may request an internal auditor to manage a SOX project. A project manager is usually deemed as a responsible person for observing the level of progress of the project with consideration of a timeline and organizing appropriate communication of project consequences with relevant parties. If internal audit’s role is limited with such administrative duties, objectivity would not likely be impaired. However, if the project manager’s responsibilities includes designing, approving, or making decisions about controls and procedures, the internal auditor’s objectivity is impaired.

In addition, an internal audit function may assist management in the following tasks and roles as well:

• Internal audit may attend steering committee meetings, as they can provide recommendations to the SOX project team about general direction and progress of the project.
• Internal audit may act as facilitator and coordinator between external auditor and management.
• Internal audit may share existing internal audit documentation with responsible parties.
• Internal audit may make recommendations on documentation standards, tools, and testing strategies without impairment to its objectivity.
• Internal audit may participate in disclosure committee meetings in order to make sure that the committee members are aware of the ongoing results of internal audit activities in relation to SOX Section 409.
• Internal audit may provide training on internal controls, risk assessment, and planning of tests without impairment to their objectivity.
• Internal audit may execute the required tests in relation to SOX; however, it would be optimal that the management or a separate SOX advisor or project team has selected the controls to be tested because they ultimately need to be the responsible party.

Walking a Fine Line
SOX compliance is still one of the most important concerns for companies that fall under its requirements. When complying with SOX, it is certainly useful to have an engaged internal audit function, because not only may such a function assist management in assessment of internal controls but also external auditors are more likely to rely on internal audit’s work in their attestation.

It’s logical that company managements may want to benefit from internal audit’s significant expertise in relation to SOX compliance. However, internal audit’s support should be limited to making recommendations and a level of involvement that refrains from designing, installing, implementing, or drafting controls and procedures in order to protect the independence, objectivity, and integrity of the internal audit function when carrying out its usual role. In cases where there are different approaches or requests on the role of internal audit or instances where objectivity may be impaired, the CAE should discuss them with the audit committee.

An alternative to utilizing internal audit to play a central role in SOX compliance is to enlist support from public organizations, consulting firms, or other providers for testing assistance within the scope of Section 302 and 404. Such arrangements can make life easier because such a service provider may have a better understanding of the expectations of the external auditor as well as relevant authorities. In the meantime, internal audit can focus on its day-to-day responsibilities without potential threats to its independence.  

Mert Özbilgin is a senior risk advisor at a Big Four firm in Malta.