
Page 1: IA role in Sox compliance.pdf

Internal Auditor’s role in SOX Compliance

Akhilesh Thakur

Page 2: IA role in Sox compliance.pdf

Definition of Internal Audit - IIA

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

© 2012 Protiviti Consulting Private Limited

CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Source : GAIN report on “Measuring Internal Audit Performance”

Page 3: IA role in Sox compliance.pdf

Major Sections of SOX with IA Impact

404(a): annual reports must include an internal control report in which management acknowledges its responsibility for implementing controls and evaluates the effectiveness of the internal controls in place.

404(b): the external auditors must attest to and report on the above management statement. The Act refers only to internal controls over financial reporting; as a consequence, internal controls over errors, fraud, waste and embezzlement that do not have a material impact on financial reporting can possibly be excluded from this clause.

302: the company officers (CEO and CFO) signing the SEC reports are responsible for what they sign, and attest that they have implemented the internal controls necessary to ensure that they are informed of anything with a material impact on financial reporting.


The effect of the Sarbanes–Oxley Act of 2002 (SOX) has been dramatic and global. SOX enhanced the regulatory framework for investor protection and confidence. Some of the points to be noted in relation to this effect are:

• SOX has required or encouraged a variety of best practices related to management accountability, auditor independence, audit committees, internal control reporting, risk management, and improvement of financial processes

• One of the important contributions of the regulatory guidance is the “top-down risk-based assessment,” a robust framework for identifying and assessing financial reporting risks

• Compliance approaches, benefits, and costs continue to evolve as practice and regulatory guidance change

Source: http://www.auditnet.org/articles/SOX&IA.htm

Page 4: IA role in Sox compliance.pdf

How is IA different from SOX?

SOX only covers internal control over financial reporting. It does not cover:

- Operational Efficiency

- Improvement Opportunity

- Benchmarking of best practices

- Wastages and inefficiencies

- Fraud which may not have material financial impact


Page 5: IA role in Sox compliance.pdf

Example 1: IA vs SOX

Internal Control: “The Finance Manager reviews, on a monthly basis, the accounts receivable outstanding for more than 180 days. Reasons for these outstanding balances are reviewed and approved by the Finance Controller.”

Evidence Available: The account statements are available and signed off by the Financial Controller. See attachment: Receivable > 180 Days


Question: What can be the treatment for this in SOX and IA?


Page 6: IA role in Sox compliance.pdf

Example 2: Inventory Review

Control: Old, slow and non-moving inventory is reviewed by the CFO and provisions are made for all inventory that is old, slow and non-moving in excess of 180 days.

Treatment in SOX: In SOX, you will see the evidence of review and whether adequate provision is made

Treatment in IA: ??????


Page 7: IA role in Sox compliance.pdf

Example 2: Inventory Review

Control: Old, slow and non-moving inventory is reviewed by the CFO and provisions are made for all inventory that is old, slow and non-moving in excess of 180 days.

Treatment in IA:

• Root cause analysis to identify why inventory became slow and non-moving

• Identify the method by which it can be avoided in future, e.g. define maximum inventory levels

• Use of FEFO (first expired, first out) to ensure that materials with a shelf life are not expired


• Suggest alternate ways to liquidate the materials:

‒ Use of materials by other locations in a multiple-plant environment

‒ Possibility to liquidate the materials if these are not customized products

‒ Reprocess the materials, e.g. plastic and metal can be extracted from residue

• Suggest keeping slow and non-moving materials separately, with regular reporting

Page 8: IA role in Sox compliance.pdf

Example 3: Sales

Description: Goods are not delivered in a timely manner to your customers, resulting in liquidated damages

Does it have any impact on SOX?


Page 9: IA role in Sox compliance.pdf

Example 3: Sales

Description: Goods are not delivered in a timely manner to your customers, resulting in liquidated damages

SOX Impact: NIL, as this is an operational efficiency matter which is not covered by SOX

IA: Analyze the reason (root cause) for the delays and suggest remedial action

Examples:

• Modify the agreement with the transporter for delayed delivery on their part and recover the liquidated damages from them


• Identify bottlenecks in the production process if the delay is due to delayed production

Page 10: IA role in Sox compliance.pdf

Internal Audit Survey Result

Page 11: IA role in Sox compliance.pdf

Role of IA and PMO in SOX Compliance

In most organizations, Internal Audit (IA) is primarily responsible for the Sarbanes-Oxley compliance process, followed by executive management and the audit committee.


Source : GAIN report on “Measuring Internal Audit Performance”


Page 12: IA role in Sox compliance.pdf

Post - SOX Responsibilities

Primary Responsibility for overseeing SOX work


• Since the advent of SOX, IA has been shouldering the primary responsibility for its compliance.

• Even though organizations are 8 years into the SOX compliance process, the results of the ‘SOX survey’ still reveal that the highest responsibility for overseeing SOX work in both large (27%) and small companies (29%) resides with internal auditors. While companies want to rebalance their internal audit departments, “lead responsibility” for SOX activities remains the most common role for internal audit to the present day.

Page 13: IA role in Sox compliance.pdf

Internal Audit Hours Dedicated to Each Year of SOX Compliance


The ‘Rebalance Survey’ sheds light on the relative level of consistency internal audit departments have achieved, or are in the process of achieving, with respect to internal audit hours dedicated to SOX compliance.

This indicates that the internal audit departments are planning or implementing rebalancing efforts rigorously to migrate to their core responsibilities of governance, risk and compliance.

Page 14: IA role in Sox compliance.pdf

Internal Audit Responsibilities


As seen, all SOX-related technical areas (27 to 28) fall in the second quadrant of the graph, indicating a higher level of competency and a lower need to improve. With the fast-changing risk and governance landscape and the critical role played by internal auditors in assisting management to mitigate these risks, the trend above highlights the transition of the internal audit function from traditional audits and SOX compliance to higher-quality, more specialised audits in newer areas such as GAIT, IFRS, XBRL, ISO 27000, and COBIT.

Page 15: IA role in Sox compliance.pdf

Internal Audit Rebalancing

After the enactment of Sarbanes-Oxley Act in July 2002 (SOX), internal audit functions became deeply entrenched in the process of guiding their management and audit committee, assessing the risks and controls over financial reporting and complying with the new internal control reporting requirements. Internal auditors were highly focused on helping their organizations establish, design and test financial reporting controls.

SOX survey and IA Rebalance Survey conducted by Protiviti establish that internal audit activity is moving away from SOX compliance functions towards a more strategic and critical role in meeting organizational goals effectively and efficiently.


Page 16: IA role in Sox compliance.pdf

Synergy between SOX and Internal Audit

Page 17: IA role in Sox compliance.pdf

Synergy between SOX and Internal Audit

[Diagram: cycle linking SOX testing and internal audit planning. The slide shows the following steps:]

• Define scope for internal audit

• Identify common areas with SOX testing

• Prepare list of controls to be tested for internal audit

• Identify controls and objectives which are common

• Define common documentation standards

• Document the result for IA and SOX

• Update the test result for SOX testing in the required format

• Planning for SOX and internal audit for next year

Page 18: IA role in Sox compliance.pdf

Internal Auditors’ Role in SOX

Page 19: IA role in Sox compliance.pdf

Impact of SOX on IA

The impact of SOX on IA is seen in the following areas:

• Enhancing Investors’ Perceptions - Corporate failures like Enron and WorldCom dramatically affected investors’ perceptions of public companies. Many provisions of SOX are directed toward rebuilding investors’ confidence in corporate America, including formation of the Public Company Accounting Oversight Board, increased management accountability and auditor independence, and stiffer criminal penalties. Despite being a primary goal of the act and being seen as highly important by respondents, the perceived impact on investor confidence was among the lowest in our study. Only 38 percent of respondents felt SOX has had a significant impact on strengthening investors’ perceptions of their companies

• Strengthening Internal Controls - Section 404, Management Assessment of Internal Controls, is one of the most significant provisions of Sarbanes-Oxley. This section requires management to issue a report stating their responsibility for internal control and provide an assessment of the effectiveness of internal control to which the auditor must attest


• Empowering Audit Committees - The provisions of Sarbanes-Oxley require the audit committee to directly oversee appointment, compensation and oversight of any public accounting firm employed by the issuer. The act also requires audit committee members to remain independent of the issuer and provides an incentive to employ a financial expert as a member of the committee

• Increasing Accountability - The provisions of Sarbanes-Oxley require CEOs and CFOs to prepare a statement and certify the appropriateness and fair presentation of the financial statements, to increase involvement and accountability in financial reporting

• Strengthening External Auditor Independence - Sarbanes-Oxley prohibits external auditors from performing certain non-audit services for audit clients. Moreover, external auditors must report directly to the audit committee and the lead and reviewing partners must rotate off an audit client every five years

Source: http://www.tscpa.com/journal/articles/sarbanes-oxley.pdf

Page 20: IA role in Sox compliance.pdf

Role of Audit Committees in SOX

Although Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 do not assign specific responsibilities to audit committees, Sections 301 and 407 establish broad standards for and disclosures regarding audit committees.

Section 301 establishes certain general standards with which audit committee members are required to comply. These standards are:

• Except for board of director fees, audit committee members may not accept consulting, advisory, or other compensatory fees from the issuer and its subsidiaries. Audit committee members must also not be an affiliated person of the issuer and its subsidiaries

• Audit committees must be directly responsible for the appointment, compensation, retention, and oversight of all registered public accounting firms that prepare or issue audit reports or perform other audit, review, or attest services for the issuer


Source: Internal Auditing’s Role In Sections 302 and 404 of The U.S. Sarbanes-Oxley Act Of 2002

• Audit committees must establish procedures for receiving, retaining, and addressing complaints received by the issuer related to accounting, internal controls, and auditing

• Audit committees must have the authority to engage independent counsel, as they deem necessary

• Issuers must provide the audit committee with appropriate funding to enable it to fulfill its responsibilities

Section 407 requires an issuer to disclose in its annual report whether it has at least one audit committee financial expert serving on its audit committee, and if so, whether the expert is independent of management. An issuer that does not have an audit committee financial expert must disclose this fact and explain why

Page 21: IA role in Sox compliance.pdf

SOX activities for IA

The following Sarbanes-Oxley-related activities were found to be allowable and appropriate for internal audit:

• consulting on internal control

• consulting on internal control in relation to enterprise-wide risk management

• assisting the organization in identifying, evaluating, and implementing risk and control assessment methodologies

• recommending controls to address related risks

• assisting with designing systems of internal control (however, designing is not the same as installing; see below)

• taking on the role of lead project manager for all or part of the efforts related to complying with section 404

• providing training and/or information on internal control identification and assessment, risk assessment, and test plan development

• providing information, training, and/or facilitating a control self-assessment

• drafting procedures for systems of internal control

• assisting with maintenance of the controls repository

• conducting effectiveness testing on behalf of management (but without concluding for management)

• aiding management in the design of tests for control effectiveness (however, in all cases, management should make the final decision on control design and operating effectiveness)

The following Sarbanes-Oxley-related activities were found to be inappropriate for an objective internal audit function:

• concluding on the effectiveness of internal controls on behalf of management

• making or directing key management decisions regarding internal controls, remediation activities, and Sarbanes-Oxley compliance

• installing systems of internal control

• performing control activities

Source: http://www.deloitte.com/assets/Dcom-Israel/Local%20Assets/Documents/Optimizing%20the%20role%20of%20internal%20audit%20in%20the%20sarbanes-oxley%20era%281%29.pdf

Page 22: IA role in Sox compliance.pdf

IA Role Using the Six Elements of Infrastructure

We can re-examine the internal auditor’s role in SOX using the six elements of infrastructure.

Key elements of infrastructure must be linked by design:

• Business Policies

• Business Processes

• People and Organization

• Management Reports

• Methodologies

• Systems and Data

Risk if element is deficient:

• People lack knowledge and experience to perform the process

• Reports do not provide information for effective management

• Methodologies do not adequately analyze data and information

• Information is not available for analysis and reporting

• Process does not carry out established policies or achieve the intended result

Page 23: IA role in Sox compliance.pdf

Business Policies:

• Internal Audit should gain policy support throughout the Company through joint development and execution of training related to new policies.

• Review and audit against new policies to validate operation and alignment with the future vision of the client’s SOX processes across the organization.

• Validate the acceptance and compliance of policies through Entity Level Control Review processes.

• Conduct an assessment of other elements of compliance risk throughout the organization to find opportunities to integrate SOX related activities.


Business Processes:

• Validate acceptance and compliance with the process through its involvement in the Operating Effectiveness phase (i.e. testing will reveal compliance with the change process).

• When business changes are contemplated, act as an internal consultant to management in analyzing the change events to determine their internal control impact.

• Assist management in defining the method to risk-rank processes and in defining the extent and timing of testing to be performed on controls in High risk, Medium risk and Low risk processes.

• Confirm that SOX documentation is appropriately updated to reflect business changes during the Operating Effectiveness phase.

• Confirm that test plans are updated to reflect documentation changes in a timely manner.

Page 24: IA role in Sox compliance.pdf

People and Organization:

• Develop a formal step in the department’s standard audit program to inquire about change events in the organization. A checklist of common change events that might have a SOX impact may be a useful tool to facilitate this step.

• Continue to act as a resource to management in evaluating the potential SOX impact of change events.

• Assist with developing the Company’s training program, utilizing its deep knowledge of risks, controls, COSO and SOX.

• Assist management in developing periodic communication regarding change recognition roles and responsibilities.

Management Reports:


• Assist Management in creating the reporting structure by conducting an information needs analysis to determine the requirements of the Corporate Controller’s Group, BU CFO’s, SOx Coordinators and SOx Process & Control Owners.

• Aid in the development and/or updating of existing reporting systems and structures to support additional required capabilities.

• Develop mitigating reporting strategies until information and reporting capabilities match requirements.

• Internal Audit reviews and provides a predetermined level of validation for information contained in management reports.

Page 25: IA role in Sox compliance.pdf

Methodologies:

• Assist with developing the SOX compliance methodology.

• Through the exercise of its responsibilities, validate that the organization is complying with and utilizing the SOX compliance methodology.

Systems and Data:

• Assist with conducting a needs analysis to determine system requirements for key SOX compliance activities.

• Review SOX component processes that may be systematically assisted. Compare these activities with ones currently being supported by Internal Audit resources for opportunities to reduce involvement.


• Aid in the development and/or updating of existing systems.

Page 26: IA role in Sox compliance.pdf

SOX Roles and Responsibilities

Roles:

• Internal Audit – IA

• SOx Coordinators – COOR

• Process Owners – PO

• Project Management Office – PMO

• Chief Risk/Internal Control Officer – CICO

• Certifying Officers – CO

• Business Unit CFO’s – BU

Degree of Responsibility & Accountability:

• Primary (P): This role is formally designated, with the duty to actively manage and authorize actions in the area of responsibility.

• Secondary (S): This role is contributory; this group acts in a “check and balance” or advisory capacity and also helps determine the practical implications for the respective area of responsibility.

SOX Components (columns: CO/BU, CICO, PMO, COOR, IA, PO; rows with fewer than six entries have blank cells whose positions were not recoverable from the slide):

Resetting the Foundation: S P S S S

Change Recognition: P P S S P P

Documentation: P S P S P

Design Effectiveness: S P S P

Operating Effectiveness: S S S P P P

Reporting & Validation of Results: P P S S P S

Six Elements of Infrastructure (same columns):

Business Policies: P P S S

Business Processes: P P S S

People & Organization: P P P P

Management Reports: P S S S

Methodology: P P

Systems & Data: P S

Page 27: IA role in Sox compliance.pdf

SOX Roles and Responsibilities

Various components of SOX are described below:

• Resetting the Foundation – Preliminary building blocks are established to define an overall project plan, communication plan, measures of success, financial statement & assertion identification and linkage, locations and deliverables. These items must be evaluated each year. Although many of these items were prepared in year 1, Internal Audit should influence these foundation elements and subsequently define the strategy for Internal Audit. The foundation-setting process should integrate SOX regulatory compliance with other business and strategic objectives in addressing infrastructure priorities.

• Change Recognition – Changes in business activities and M&A activity require a process for discovery and escalation to aid in proactive assessment of SOX compliance implications. Change recognition needs to be monitored not only from the top down but also from the bottom up. The appropriate information should be provided to both Corporate and BU-level personnel. Internal Audit must participate in this effort to adjust their risk-based audit plan and/or SOX testing approach.

• Documentation – Documentation standards for Narratives, Flowcharts, Risk & Control Matrices, etc. drive efficient controls evaluation. A methodology for consistently maintaining/updating the process documentation for changes in the business and their impact on the control environment enables the sharing of process ideas and the forming of best practices, as well as driving the Internal Audit plan.

• Design Effectiveness – Assessment of the design of controls to mitigate the financial reporting risks, including the method of reviewing, reporting and evaluating design effectiveness. Design effectiveness should be linked to change recognition activities to verify the completeness of the controls in the documentation.

• Operating Effectiveness – A standard process for managing the various components of operational effectiveness is executed consistently across the organization. There is a standard procedure for evaluating testing results and the aggregation of deficiencies to assess material weakness.

‒ Testing Procedures – Define the testing techniques, timing, resources, documentation of results and evaluation of results.

‒ Testing Scope – Define sample size, key controls, locations to test, etc.

‒ Self Assessment – Determine if, and how, process owners will self-validate control operating effectiveness.

‒ Validation Efforts – Define the process to validate the results of management’s testing. Often, Internal Audit is used to verify the results of management’s testing, regardless of the testing approach used by management (i.e. self-assessment or detail testing).

‒ Classification of Gaps – Evaluate testing failures to determine whether a deficiency exists. If a deficiency exists, determine its severity (e.g. deficiency, significant deficiency, material weakness).

‒ Remediation – Develop, assign and monitor action plans. Prioritize and schedule remediation as appropriate throughout the year.

‒ Refresh Testing – Develop and execute a plan to bring current the testing done throughout the year.

• Reporting & Verification of Results – A formal reporting process regarding the assessment process and results that will support the SOX certification process.

Page 28: IA role in Sox compliance.pdf

Example 4: Fraud

Description: Fraud in a company where there is theft of Rs 1,500,000 lakhs by the cashier

SOX Treatment: ensure that Fraud is detected, accounted as loss and reported in Financial Statement (if material)

IA Treatment:

• Identify the root cause of the fraud

• Understand if it is a process-related gap or an individual instance

• Understand if there is any Segregation of Duty issue

• Understand if there has been any collusion resulting in the fraud

Page 29: IA role in Sox compliance.pdf

Example 5: Procurement

Description: computers are purchased after appropriate approvals

SOX Treatment: ensure that approval of the PO is as per the DoA (delegation of authority)

IA Treatment:

• Review if the computer was required

• Understand if there were any unused computers in other departments which could have been used

• See if the computer purchased is of the configuration required for the work
