Posted on 08/15/2004 9:52:19 AM PDT by wormsy
Internal Audit's Sarbox Role
Institute spells out the tasks internal auditors should perform in a corporation's compliance with Sections 404 and 302 of the act.
Stephen Taub, CFO.com August 06, 2004
The Institute of Internal Auditors (IIA) has trotted out a position paper recommending the role internal auditors should play in a corporation's compliance with Sections 302 and 404 of the Sarbanes-Oxley Act.
While Sarbox spells out the roles of management, audit committees, and external auditors, it's silent on the parts internal auditors must play, the trade group stresses.
The 13-page paper, available on the IIA's Web site, suggests that internal auditor involvement in compliance with the two section of the act should come in four areas: project oversight, consulting and project support, ongoing monitoring and testing, and project audit.
Section 404 requires top management to sign assess the quality of a company's internal controls over financial reporting and requires external auditors to attest to management's assessment of the controls. Section 302 requires chief executives and CFOs to personally certify the accuracy of their companies' financials.
The IIA proposes that management and the audit committee should depend on the internal auditor to:
Participate on project steering committees, providing advice and recommendations to the project team and monitoring the progress and direction of the project.
Be a "facilitator" between external auditors and top executives.
Provide existing internal audit documentation for processes being reported on.
Advise management on best practices in documentation standards, tools, and test strategies.
Provide line managers and executives with training on project, risk, and control awareness.
Perform a quality assessment of process documentation and key controls before financial information is handed off to the external auditor.
Advise management on the design, scope, and frequency of tests to be performed.
Be an independent assessor of management's testing and assessment processes.
Test management's basis for its assertions and then help identify control gaps and review management plans for correcting those gaps.
Put together discussions between management and external auditors on the scope and plans for testing auditing projects.
It's what my department's doing already.
What does this have to do with the purpose of FR?
Uhm, discussion about the effects of a recently enacted law probably fits within the purpose of FR? Maybe we should ask your permission before we post anything on FR?
But thanks for policing my posts.
You have FReedom to skip it if you don't like it. Sheesh.
BTW, my initial comment was merely a question. I was curious as to why someone would post that article here.
Be a "facilitator" between external auditors and top executives.
Provide existing internal audit documentation for processes being reported on.
Advise management on best practices in documentation standards, tools, and test strategies.
Provide line managers and executives with training on project, risk, and control awareness.
Perform a quality assessment of process documentation and key controls before financial information is handed off to the external auditor.
Advise management on the design, scope, and frequency of tests to be performed.
Be an independent assessor of management's testing and assessment processes.
Test management's basis for its assertions and then help identify control gaps and review management plans for correcting those gaps.
Put together discussions between management and external auditors on the scope and plans for testing auditing projects.
Actually, I found this quite interesting; internal audit is a very important part of corporate governance, and this is the business and economics section of Free Republic.
However I don't like the first two suggestions at all; both seem to move away from audit's natural independence and tend to make audit become part of the creative and production portion of the business, which is not good. I believe that audit should always preserve their third party nature, although of course one can argue that the strongest third party independence is preserved with external audit.
However, my experience is that you work far more with internal audit on resolving audit points than you do with external audit, which I find tends to just write a management report.
Having internal audit actively participating on steering committees as opposed to reviewing the work of a committee seems to me to be an unnecessary move away from independence. I don't think anyone can fairly and independently judge their own work, yet that is what this is asking the auditors to do.
Nor do I like the idea of internal audit being a facilitator between external audit and management; that's just a bad idea as far as I am concerned. While certainly external audit can work with internal audit to review outstanding audit points and audit methodology, external audit also needs direct input with management as far as I am concerned.
The other bits about using and preaching best practices, risk and control awareness training, and whatnot are motherhood and apple pie to me, and a responsible use of internal audit's time and efforts.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.