2022 marks the 20th anniversary of the passing of the Sarbanes-Oxley Act (SOX).
In 2002, the SOX requirements brought Internal Audit to the forefront, as internal auditors were and are uniquely positioned to support management with SOX compliance given their expertise in financial reporting, internal controls, and independence.
However, one of the unintended consequences of SOX is that Internal Audit functions have become consumed by their focus on SOX.
Worse, Internal Audit is seen by some as purely “SOX auditors” as opposed to risk-informed professionals with broad business acumen who serve as trusted advisors to the most senior leaders in the organization.
Internal Audit's Critical Value
An effective Internal Audit function is essential to more than just SOX. It serves to:
- Protect company health.
- Promote sound corporate governance.
- Establish proactive risk management.
- Baseline strong compliance practices.
Internal Audit departments deliver value throughout the organization in evolving ways. For example, the graphic below illustrates how Internal Audit is answering critical questions from top stakeholders in the business:
If your Internal Audit function has been bogged down in the details of SOX – or if your department’s initial charge was to support management’s SOX program as the result of going public – here are three steps to help your Internal Audit team lift up, look out, and expand risk coverage.
1. Ask Stakeholders What Their Most Critical Priorities Are
For Internal Audit to maximize its value and impact on the organization, it needs input from its stakeholders so that it can best address unmet needs.
If “beauty is in the eye of the beholder,” then the value of Internal Audit is in the eye of its stakeholders. So ask them what they value and need.
Ask your stakeholders what is front of mind – what do they care about? What are their most critical priorities today?
While this process often happens during the Internal Audit Risk Assessment, don’t limit these conversations to predetermined risk assessment timeframes. Lead with continual, open lines of communication so Internal Audit can strengthen working relationships and provide insights that cannot be gained elsewhere.
2. Align With Opportunities and Address the Gaps
With insight into what stakeholders are focused on, consider:
- Where management is focusing yet could use an independent perspective to ensure strategic objectives are being met.
- Where management is not focusing and needs additional support.
Stakeholder concerns + current controls = Gaps to be addressed
These gaps are opportunities for Internal Audit to add value.
Where do controls and other risk mitigation strategies fall short of addressing the risk priority?
Can current controls be enhanced for greater coverage, or are new ones needed?
Is additional training and follow-through needed?
In addition to Internal Audit’s usual assurance activities, the IIA’s International Standards for the Professional Practice of Internal Auditing (“Standards”) specifically allow internal auditors to perform “consulting” activities through the Internal Audit function. This significantly increases the types of projects that Internal Audit can perform – and they don’t all have to be based in providing assurance.
Depending on the gaps identified, below are some value-add activities that Internal Audit can, and in many cases should, perform to address those gaps:
- Risk assessments.
- Policy and procedure reviews.
- Control gap assessments.
- Root cause analyses.
- Process efficiency reviews and benchmarking assessments.
- Cost-benefit analyses.
- Strategic initiative reviews – advisory input and postmortem assessment.
- Culture surveys.
- Internal investigations.
3. Iterate and Improve
After working to address the gaps, go back to your stakeholders and ask, “How did the plan and activities work?”
If you don’t receive constructive feedback – question that. Rarely is anything so perfect that no feedback can be offered.
One thing is constant – change. The priorities and gaps from last year – or even last month – have likely evolved. This is intel and feedback Internal Audit needs for a value-add, productive audit plan.
Twenty years later, SOX compliance remains critically important to the financial reporting integrity of public companies and should remain a top priority. However, to maximize Internal Audit’s value to the organization, it needs to expand its focus well beyond SOX, continually assess the broader risk landscape, and help the Board and C-Suite navigate the ever-evolving digital and global world in which we serve.
To fully capitalize on the value Internal Audit can bring to your organization, contact CrossCountry Consulting today.