Internal audit: Moving beyond Sarbanes-Oxley compliance

Similar documents
Third-party assurance optimization Value creation strategies for service providers

How quality assurance reviews can strengthen the strategic value of internal auditing*

Risk Considerations for Internal Audit

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

Human Capital Advantage for Business What is the Value of ADP ihcm for CEOs?

SHARED SERVICES OR OUTSOURCING?

How to achieve excellent enterprise risk management Why risk assessments fail

Internal audit value optimization for insurance organizations

the role of the head of internal audit in public service organisations 2010

Building HR Capabilities. Through the Employee Survey Process

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

HR Business Partnering A Custom Approach

Internal Auditing Guidelines

The Transformation of Tax Something Big is Happening Here

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

2015 Trends & Insights

Hedge fund launch considerations Reaching new boundaries. Investment Management

U.S. CFO Program The Four Faces of the CFO Deloitte Touche Tohmatsu

GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR NOAH GOTTESMAN

JSE Accredited to Audit JSE Listed Companies

Creating a Customer Advisory Board Overview and Checklist by Clearworks

Environment Sustainability and Highways

FASB s new qualitative goodwill impairment assessment Implications and opportunities

HKIHRM HR PROFESSIONAL STANDARDS MODEL

How can outsourcing assist your business in closing this gap and hit compliance measures with these recent regulations changes and training needs?

DEFINING OUR ROLE IN A CHANGING LANDSCAPE

The 360 Degree Feedback Advantage

Internal audit analytics: The journey to 2020 Insights-driven auditing

Cybersecurity The role of Internal Audit

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING

About ARMA International

National Association of State Comptrollers. Architecting a New State Operating Model for the Future. March 12, 2015

The eight attributes. Delivering internal audit excellence as stakeholders expect more

Learning Outcomes Implementation Guidance - Revised Staff Questions & Answers Document

COMPETENCY ACC LEVEL PCC LEVEL MCC LEVEL 1. Ethics and Standards

Human Capital Advantage for Business What is the value of ADP ihcm for HR Directors?

Self Assessment. Introduction and Purpose of the Self Assessment Welcome to the AdvancED Self Assessment.

Background. Audit Quality and Public Interest vs. Cost

Quality Assurance Checklist

Qualification in Internal Audit Leadership (QIAL ) Exam Syllabus

COSO 2013 Internal Control Integrated Framework FRED J. PETERSON, PARTNER MOSS ADAMS LLP

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of

Members respond to help identify what makes RNs unique and valuable to healthcare in Alberta.

Board Governance Principles Amended September 29, 2012 Tyco International Ltd.

The resurgence of corporate legal process outsourcing Leveraging a new and improved legal support business model

ICF CORE COMPETENCIES RATING LEVELS

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

Behaviors and Actions That Support Leadership and Team Effectiveness, by Organizational Level

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Current Trends & Challenges for IT Internal Audit Departments

IRS Oversight Board 2014 Taxpayer Attitude Survey DECEMBER 2014

The Benefits of PLM-based CAPA Software

Framing the future of corporate governance Deloitte Governance Framework

Communications Strategy

ERP Administrative Challenges Brian Jensen

GENDER DIVERSITY STRATEGY

The Role of Internal Audit in Risk Governance

FFIEC Cybersecurity Assessment Tool

PRIORITIZING CYBERSECURITY

Principles and Practices in Credit Portfolio Management Findings of the 2011 IACPM Survey.

Boosting Customer Loyalty and Bottom Line Results

2012 Deloitte-NASCIO Cybersecurity Study State Officials Questionnaire - Aggregate Results (NASACT)

4.1 Identify what is working well and what needs adjustment Outline broad strategies that will help to effect these adjustments.

Point of view* Shared Service Center - the 2nd Generation Taking the next step to reach a more efficient level of evolution.

September 2010 Report No

Human resources benchmark for insurance Overview

Cloud Marketing: Faces in the Cloud

How to stay competitive in a converging healthcare system kpmg.com

ISO 9001:2015 Your implementation guide

Community Partnerships Strategic Plan

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

Essentials to Building a Winning Business Case for Tax Technology

Power & Utilities Spotlight Risk at the Core of Strategic Value Creation

Healthcare Internal Audit: In a Time of Transition

An Overview of Nonprofit Governance David O. Renz, Ph.D. Midwest Center for Nonprofit Leadership at UMKC

2009 Talent Management Factbook

Deloitte: delivering richer, responsive online experiences to users worldwide.

Auto insurance telematics The three-minute guide

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

Internal Control over Financial Reporting Guidance for Smaller Public Companies

august09 tpp Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS

International Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015

Organizational Change: Managing the Human Side

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Making Strategic Planning Work

Tax data analytics A new era for tax planning and compliance

Mobility Trends. Deloitte Tax Management Consulting. December Todd Dannenfelser. Niketu Bhatt. Deloitte Tax LLP

6. Chief human resources officer

Work Together Tools Social Collaboration with Novell Vibe Cloud

PREMIER SERVICES MAXIMIZE PERFORMANCE AND REDUCE RISK

Impact of New Internal Control Frameworks

Process Management: Creating Supply Chain Value

A Closer Look The Dodd-Frank Wall Street Reform and Consumer Protection Act

How To Write An Impactful Audit Report

THE DALLAS IIA SOCIAL MEDIA POLICY

NamCode. The Corporate Governance Code for Namibia

Transcription:

Select a topic 2 Sarbanes-Oxley s impact on internal audit 3 Going beyond SOX requirements 3 Evaluating the internal audit function 4 The relationship between the audit committee and the chief audit executive 4 Multiple sources of assurance 5 Conclusion 5 Questions for the audit committee to consider in evaluating the internal audit function 6 Additional resources Internal audit: Moving beyond Sarbanes-Oxley compliance Is your internal audit group a compliance enforcer, a problem solver, a strategic adviser, or some combination of these? The answer to this question varies among companies, and sometimes even among different stakeholders in the same company. Among the most common expectations of internal audit is to gain assurance on financial controls, the reliable execution of audit plans, and coordination with the external auditor. But given the lack of specific guidelines or requirements regarding internal audit s responsibilities, there is a broad range of practice based on organizational needs, structure, and culture. Twelve years removed from the adoption of the Sarbanes-Oxley Act (SOX), some companies are leveraging the unique experience and insights of internal audit to provide value through advisory and consultative roles, much as they did before SOX dominated the agenda in the years following its adoption. Regardless of the scope of internal audit s work, audit committees can play an important role in confirming the whole organization is on the same page regarding the goals for internal audit, and in providing a strong avenue of communication for the chief audit executive to share concerns and perspectives. This issue of the focuses on the evolving role of the internal audit function, and provides considerations for how audit committees can effectively work with management and internal audit to maximize the value of the function in the context of a company s specific circumstances. 1

Sarbanes-Oxley s impact on internal audit In contrast to external audit, which is focused on financial reporting, internal audit has historically had a broader scope in considering company risks and conducting audits across the financial and operational activities of the organization. With the enactment of SOX in 2002, many internal audit groups were called on, out of necessity, to provide compliance support. In some cases, this caused the annual plans for internal audit to be abandoned in order to support SOX readiness projects. This frequently transformed into the function playing a key role in control testing on behalf of management as an annual program. In many instances, internal audit took ownership of the entire SOX compliance process. This resulted in a significant shift in internal audit focus to financial reporting activities and away from operational audits, and, by extension, away from some of the most significant risks. Today, compliance activities remain a significant part of most internal audit groups activities, and in some cases, they dominate that agenda. Information from the Institute of Internal Auditors (IIA) shows that 69 percent of Fortune 500 companies internal audit groups surveyed have some level of direct involvement in the SOX compliance process; the involvement ranges from a fairly minor role to ownership of the entire SOX process. 1 Our experience suggests that a substantial number of those companies spend more than half of their available resources on SOX-compliancerelated activities. Is there anything wrong with that approach? There are clear standards set by the IIA regarding the operation of the internal audit function, but there are no rules regarding the depth and breadth of internal audit activities. 1 February 15, 2014, The Institute of Internal Auditors 2013 GAIN Annual Benchmarking Study; covers fiscal year-ends from 12/31/2012 11/30/2013. The IIA defines internal audit as follows: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. There are two important aspects of this definition to highlight in relation to SOX compliance: Financial versus operational risks The IIA definition above refers to all operational activities, controls, and governance structures of the organization. Internal audit has always included an appropriate level of focus on financial processes within the audit universe. However, many key risks of a company are not directly, or solely, related to financial reporting. Examples include: a. Cyber threats b. Social media c. Mobile devices d. Cloud computing e. Foreign Corrupt Practices Act compliance f. End-user computer g. Third-party relationships h. Software asset management Effectiveness versus efficiency SOX compliance provides value through focusing on the effectiveness of controls, but does not directly address the efficiency of processes and potential operational improvements. The consulting element of internal audit work allows for the identification of areas where value can be gained, without undermining the fundamental safeguards the function is highly familiar with, based on more than a decade of experience in providing SOX services. 2

Going beyond SOX requirements An important first step in considering the scope of internal audit s role is for the audit committee and management to understand the nature and depth of the services currently being provided by internal audit, so that there is a clear understanding of what is being done and where there are opportunities to improve the business. Increasingly, internal audit groups are taking a more active role in emerging areas such as cloud computing and social media. More broadly, as discussed in Can Internal Audit Be a Command Center for Risk?, some companies are leveraging internal audit s cross-functional perspective to help combat risks. However, internal audit functions dominated by SOX compliance for more than a decade may not immediately have the requisite skills and mindset for effective operational auditing and the identification of opportunities for improvement in the organization. Similarly, the knowledge needed to assess risks in many areas, given technological advances, are such that a straightforward IT audit is often not sufficient. To address particularly complex issues, companies often opt to engage in outsourcing or co-sourcing arrangements with audit firms and other third parties. Internal audit may also benefit from using analytics and other emerging technologies to drive analyses and decision making. See Adding Insight to Audit: Transforming Internal Audit through Data Analytics for further discussion of this approach. The audit committee can consider inquiring with both management and internal audit regarding the appropriateness of adopting such tools. In addition, audit committees can evaluate the staffing of internal audit to confirm that the right people with the appropriate skills for the company and its industry are in place. If there are gaps, the approach to educating internal audit staff members or recruiting professionals with the needed skills can be considered. Evaluating the internal audit function The audit committee has an important role in molding the expectations of internal audit and measuring the function s success. Key performance indicators will vary based on the focus of the group, but it is important to set out both qualitative and quantitative factors. The audit committee and internal audit may benefit from regularly revisiting these expectations and working with management to explore how internal audit can best support the compliance, strategic, and operational objectives of the organization and provide enhanced value. There are two major categories of formal review of the internal audit function. The first is a quality review, which pertains to the quality of the work being completed, the effectiveness of the compliance activities, and other related matters. The second, and less common, type of review is a strategic assessment that focuses on what internal audit should be doing from the perspective of management and the audit committee. To inform this review, it may be helpful to conduct benchmarking studies of companies of similar size or industry; along these lines, the IIA does considerable work in gathering information about common practices across industries and other categories. It is also important to engage in communication among the audit committee, management, and internal audit regarding the most appropriate role for the internal audit function so that measures of success can be developed. Formal stakeholder interviews can be an effective means of confirming that everyone s voice is heard. 3

The relationship between the audit committee and the chief audit executive In order for there to be a healthy model of internal audit, it is important for there to be clearly articulated lines of communication and reporting among the audit committee, management, and the internal audit function. Among the most important relationships related to internal audit is that between the chief audit executive (CAE) and the audit committee chair. Communication can be improved if the CAE feels comfortable contacting the audit committee chair with any questions, comments, or findings that would be pertinent to the audit committee or significant to the company as a whole. It can be a leading practice to hold a pre-meeting between the CAE and the audit committee chair prior to audit committee meetings, as well as monthly check-in calls. Additionally, the CAE should be assertive in confirming that both management and the audit committee have full visibility into the function s activities, and be actively involved in organizational discussions related to the function s objectives, audit plan, and other activities. Audit committees should also confirm that the CAE has the boardroom presence and leadership skills to take an affirmative role and effect positive change in the organization. Ultimately, the audit committee plays a key role in confirming that the CAE has the clout, visibility, and platform to function as a senior executive of the company. Multiple sources of assurance In recent years, many companies have adopted specialized activities and approaches for providing assurance, in areas such as enterprise risk management, safety, environmental, insurance, regulatory, and six sigma. The assurance provided by these activities can, in certain circumstances, partly offset the retraction of internal audit to a more SOX-driven, financially focused role. However, this expansion raises the question of how all these forms of assurance can be understood as a whole to confirm there are no significant gaps or unnecessary duplication. It can be helpful to conduct assurance mapping to identify how these activities work together and how key risks are being addressed. The audit committee may wish to consider engaging internal audit to help evaluate and centralize these efforts. Internal audit s more holistic view could yield cost savings and provide an objective evaluation of whether, despite the multiplication of targeted assurance activities, certain areas of risk are insufficiently addressed. 4

Conclusion If the internal audit function is expected to perform an identical set of activities year in and year out, organizations may miss out on valuable insights into risks, operations, and governance. Accordingly, it can be beneficial to regularly revisit and evaluate internal audit s purpose, performance, and approach. As new risks for companies continue to emerge and evolving enterprise risk processes better illuminate these areas, audit committees are asking, Are we getting the right level of assurance over our management of the full range of risks, and where is it coming from? Many younger auditors who commenced their career less than a decade ago only know the audit world post-sox, potentially making a compliance-focused internal audit program an area of comfort and familiarity. It may be an opportune time for audit committees to assess the scope of internal audit s focus and contemplate a reset to provide the optimal assurance regarding the organization s risks. Ultimately, the audit committee can be an effective driver for the exploration of whether internal audit s responsibilities could be broadened. Questions for the audit committee to consider in evaluating the internal audit function To what extent do the audit committee and management understand where internal audit is allocating its time? Does internal audit have a well-articulated plan that is reviewed periodically and approved by the audit committee? Is the plan aligned to the key risks of the organization and other assurance activities? In delivering the internal audit plan, how flexible and dynamic is internal audit in addressing new risks and the needs of the audit committee and management? Does internal audit have a clear set of performance expectations that are aligned with the success measures of the audit committee, and are they reported to the audit committee? Is internal audit s risk assessment process appropriately linked to the company s enterprise risk management activities? What insights are being provided, outside of SOX requirements, from the current internal audit activity? Is internal audit addressing the most pressing business risks? Does internal audit have the skills and experience to address the significant risks of the company, and are there appropriate lines of communication to discuss how those risks can be addressed? Does the CAE feel comfortable communicating with the audit committee chair and empowered as a senior executive? Does the audit committee understand the map of assurance activities across different risks, and how various forms of assurance are linked? 5

Visit the Center for Corporate Governance at www.corpgov.deloitte. com for the latest information for boards of directors and their committees. Additional resources Will Risk Rain on Your Move to the Cloud? The Role of Internal Audit in the Digital Enterprise The Digital Grapevine: Social Media and the Role of Internal Audit Can Internal Audit Be a Command Center for Risk? Adding Insight to Audit: Transforming Internal Audit through Data Analytics ipad app available for download You can instantly access the Audit Committee Brief through a free, easy-to-use tablet app. New issues of the brief are made available for download each month and feature useful multimedia content not available in the print version. The application also includes an interactive edition of the popular Audit Committee Resource Guide. Click here or visit the itunes App Store and search for Deloitte Audit Committee Resources to download the application. To subscribe to the Audit Committee Brief and other Deloitte publications, go to https://deloitte.zettaneer. com/subscriptions. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte is not responsible for any loss sustained by any person who relies on this publication. As used in this document, Deloitte means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Member of Deloitte Touche Tohmatsu Limited 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information