
How to rebalance internal audit priorities in the Sarbanes-Oxley era*


Table of Contents
Situation
Internal audit organizations have been so consumed by Sarbanes-
Oxley that other priorities are falling by the wayside. Simply put, the
legislation is diverting internal audit resources from risk-based
auditing, creating the potential for dire consequences. That’s because
a failure to address key strategic, operational and compliance risk
areas in an internal audit program undermines the effectiveness of
internal audit, diminishes its strategic value to key stakeholders, and
exposes the enterprise to greater operational and financial risks in
the future.

Our Perspective


As companies prepare for ongoing Sarbanes-Oxley compliance, they
need to clarify the role of their internal audit organizations. Equally
important, they must rebalance their internal audit resources to meet
evolving enterprise needs. This effort requires facilitating any short-
term tactical changes and long-term strategic plans that may be
necessary for an internal audit function to have the resources it
needs—not only to address Sarbanes-Oxley requirements, but to
account for operational risks as well.

Implications
Regardless of the extent to which internal audit organizations are
invested in Sarbanes-Oxley compliance, their ongoing success
depends greatly on achieving and maintaining alignment with stake-
holder expectations. And given the fluid nature of these expectations,
there’s a constant need to rebalance internal audit priorities and
resources in order to effectively address multiple risks. To this end,
we suggest a six-step framework to help organizations achieve a
successful balance between demands, priorities and resources, as
well as aligning their efforts with stakeholder expectations.

Situation

Internal audit organizations have been consumed by Sarbanes-Oxley

Upon the passing of the Sarbanes-Oxley Act in 2002, few observers
anticipated the extraordinary impact it would have on corporate
internal audit organizations. In the past two years, internal audit
organizations have been so consumed by Sarbanes-Oxley that other
priorities are suffering—a factor that’s wreaking havoc on carefully
crafted risk-based internal audit plans.

A recent PricewaterhouseCoopers survey of more than 270 internal
audit organizations reinforces this point, indicating that nearly 60
percent of reporting companies dedicated half or more of their
internal audit resources to support Sarbanes-Oxley compliance.1
In addition, nearly 25 percent of the reporting companies had
not—as of November 2004—determined the allocation of internal
audit resources to Sarbanes-Oxley compliance for 2005. Such
indicators raise significant issues with respect to the ongoing impact
of Sarbanes-Oxley on internal audit planning for 2005 and beyond.2

1 PricewaterhouseCoopers Internal Audit Alert Survey, November, 2004


2 To comply with Sections 404 & 302 of the Sarbanes-Oxley Act of 2002, U.S. companies are investing billions of dollars annually to
document, evaluate and test their internal controls over financial reporting. Section 404 of Sarbanes-Oxley requires a company’s
senior management to assess the design and operating effectiveness of the firm’s internal controls over financial reporting and to issue
an annual report that, in part, must address any material weaknesses in the company’s internal controls. Section 302 requires
the CEOs and CFOs of public companies to certify quarterly and annual reports.

Increased demand is falling heavily on the natural control experts

To a large measure, mounting demands on internal audit resources
reflect the high value that management is placing on solid internal
audit functions following the enactment of Sarbanes-Oxley. In many
ways, internal audit groups are being overwhelmed for doing their
jobs well, such as in establishing centers of excellence in the
documentation and assessment of internal controls.
Quite simply, internal auditors are the natural experts on control
within their organizations. This expertise, coupled with internal audit’s
emphasis on objectivity, has prompted management and boards of
directors to seek more help from internal audit in complying with the
many aspects of Sarbanes-Oxley. Further recognition of the value of
an effective internal audit function comes from the Public Company
Accounting Oversight Board (PCAOB), which, in its Auditing Standard
No. 2, stated:

“Internal auditors normally are expected to have greater
competence with regard to internal control over financial
reporting and objectivity than other company personnel.”

The resulting impact is new risks for internal audit

Some internal audit observers liken Sarbanes-Oxley to an all-consuming
“black hole” with an insatiable appetite for internal audit
resources. But as chief audit executives know all too well, the
resources of internal audit organizations are finite. As Sarbanes-Oxley
tasks consume a seemingly ever-expanding portion of internal audit
staff time, internal audit groups have limited available resources to
address areas of risk that fall outside of the Sarbanes-Oxley scope.
In fact, the most serious negative impact of Sarbanes-Oxley with
respect to the practice of internal audit is the extent to which it diverts
internal audit resources from risk-based auditing. As these resources
are channeled to Section 404 projects and other Sarbanes-Oxley
requirements, audits of high-risk, non-financial areas are being
deferred or cancelled.
In the near term, the lack of a risk-based internal audit program runs
counter to The Standards for the Professional Practice of Internal
Auditing (the Standards), as promulgated by the Institute of Internal
Auditors (IIA). Longer term, failure to address key strategic,
operational and compliance risk areas in an internal audit program
can lead to weak corporate governance, operational inefficiencies
and serious potential financial losses resulting from weak
internal controls.

The objective of risk-based auditing
is to ensure audit resources are
directed toward the highest risks.
However, when internal audit
resources are targeted exclusively
toward financial risks, many high
risk operational areas may be left
unaddressed.

Our Perspective

Be sure that you are more broadly safeguarding the enterprise

The current climate of compliance makes it clear that exclusive
emphasis on financial risks can fail to address potential high-risk
audit areas. Without internal audit coverage in these areas,
management and directors have less assurance about the
effectiveness of non-financial controls—and, by extension—less
confidence in the overall operational efficiency and effectiveness
of the enterprise.
A disproportionate emphasis on Sarbanes-Oxley by internal
auditors can also create a number of other undesirable consequences,
such as:

• The potential to impair objectivity in situations where
  internal audit has assumed an operational role on Section
  404 projects

• Reduced ability of external auditors to rely on the work of
  their internal counterparts who have assumed management
  responsibilities on Section 404 projects

• Inconsistency between the roles of internal audit
  organizations and their charters previously approved
  by the Board

In Year 2 of Sarbanes-Oxley compliance, internal audit groups need
to return to the core fundamentals of risk-based internal auditing if
they are to effectively support compliance while addressing the value
expectations of their key stakeholders.

Internal Audit organizations that
are extensively invested in
implementing Sarbanes-Oxley
risk failing to meet longer-term
stakeholder expectations.

How to rebalance internal audit in the short term

Organizations allocating 50 percent or more of their internal audit
resources to Year 1 Sarbanes-Oxley compliance should consider
immediate actions to rebalance their internal audit priorities for Year 2.

For example, an internal audit group should seek to:

• Identify imbalances in its current internal audit program
  due to the emphasis on Sarbanes-Oxley compliance activities

• Communicate the adverse consequences of an unbalanced
  internal audit plan and program to the audit committee and
  other key stakeholders

• Where appropriate, reallocate responsibility for
  Sarbanes-Oxley compliance

Recommendation I
Identify audit program imbalances

By taking an inventory of the current internal audit program—as
opposed to the most recent risk assessments—organizations
can identify risk areas that have been deferred or cancelled as
a result of Sarbanes-Oxley demands over the past year. In addition,
assessing areas of high or moderate risk that have not been audited
enables companies to gain the basis for communicating the
consequences of an unbalanced internal audit plan to key stakeholders.

Recommendation II
Communicate the consequences of
an unbalanced internal audit plan

Audit committees have shown a remarkable interest in internal
auditing since the enactment of Sarbanes-Oxley. Industry studies
show that more than 60 percent of the audit committees surveyed
have inquired specifically about the impact of Sarbanes-Oxley on their
particular internal audit programs. Audit committees have also been
supportive of increased internal audit resources, with more than 65
percent stating that internal audit staffing has increased over the
prior year.3
Clearly, audit committees at most companies are attuned to the
demands that Sarbanes-Oxley has placed on the internal audit
function and support adjustments to resource needs to address
the mounting demands of the new regulation. The responsibility for
informing the audit committee of the best internal audit approach
going forward falls squarely on the internal audit function itself. It is
therefore incumbent on the chief audit executive to inform the audit
committee about any resource imbalances and about any high-risk,
non-financial areas of risk that are not being addressed as a result of
the strong emphasis on Sarbanes-Oxley compliance.
To fully apprise senior management and the audit committee of the
consequences of any imbalance, we recommend, at a minimum:

• Articulating any current-period internal audit initiatives that
  have been deferred or cancelled due to the reallocation of
  resources to address Sarbanes-Oxley requirements

• Pinpointing areas of high and moderate risk which are
  included in the internal audit program but have not been
  addressed because of resource conflicts stemming from
  the priority on Sarbanes-Oxley projects

• Identifying new internal audit activities and responsibilities
  associated with Year 2 compliance with Sarbanes-Oxley

3 Institute of Internal Auditors, Flash Survey, “SOX Impact on the Audit Plan,” August 2004

• Identifying potential resource conflicts that could arise from
placing a high priority on achieving a risk-based internal audit
program, as well as providing sufficient internal audit resources
to address Sarbanes-Oxley procedures

• Identifying alternative solutions to achieving the risk-based
  internal audit plan and all Sarbanes-Oxley related tasks.
  Alternatives could include adding internal audit resources,
  streamlining internal audit processes to improve audit efficiency,
  improving technology leverage, or considering a strategic
  co-sourcing relationship with a third-party provider to address
  resource shortfalls.

• Communicating identified conflicts and potential alternative
  solutions to senior management and the audit committee

Ultimately, the audit committee may elect to continue focusing
internal audit resources on Sarbanes-Oxley compliance activities
and to forego a broader-based internal audit plan. In this event, the
internal audit charter should be revised accordingly to reflect internal
audit’s new focus and responsibilities.

Recommendation III
Reallocate Section 404 project work

While internal audit’s involvement in the Sarbanes-Oxley compliance
process will inevitably vary from company to company, management
is ultimately responsible for the organization’s compliance. It is
imperative for management to define the ongoing roles of all parties in the
compliance effort. As these roles become clearer during Year
2, tasks that had been performed by internal audit in the first year of
Sarbanes-Oxley implementation may be reallocated to other parties
on a long-term basis.
To help internal audit determine its most appropriate roles for
addressing the requirements of Sections 302 and 404 of Sarbanes-
Oxley, the Institute of Internal Auditors has developed the following
guidance4:

| Phase/Activity | Lead Responsibility | Recommended Internal Auditor Roles |
| --- | --- | --- |
| Planning | Project Team/Sponsor | Provide advice and participate on team |
| Execution | Management | Advise, assess, and assist |
| Reporting | Management and the External Auditors | Act as a facilitator or coordinator |
| Monitoring | Management | Perform periodic audits or follow-up reviews |

4 Internal Auditing’s Role in Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002, © 2004,
The Institute of Internal Auditors, Inc., Altamonte Springs, FL

In practice, internal audit groups at many organizations appear to
be assuming a much broader role than what was originally
envisioned by IIA Standards. Results of the November 2004
PricewaterhouseCoopers internal audit survey indicate that internal
audit functions in many organizations are, in fact, assuming
significant responsibilities beyond the objective monitoring role
foreseen for internal audit by the IIA Standards and related guidance.
According to the survey:

• More than 30 percent of the companies participating in
  the survey indicated that internal audit will assume overall
  responsibility for the management of Sarbanes-Oxley
  compliance efforts in Year 2

• Internal audit will assume primary responsibility for conducting
  management’s testing of Section 404 controls at 55 percent of
  the companies surveyed

• At 25 percent of reporting companies, internal audit will be
  assuming primary responsibility for updating Section 404
  internal control documentation

• Thirty-nine percent of the companies surveyed reported that
  internal audit will assume primary responsibility for monitoring
  the remediation of control deficiencies

This survey data suggests that internal audit groups in many
organizations may be asked to help manage Sarbanes-Oxley
compliance in Year 2. At first, chief audit executives may find such
requests to be flattering, tacit recognition of their managerial
prowess. But merely adding Sarbanes-Oxley management
responsibilities to their responsibilities without making
corresponding adjustments to their internal audit charter, program
and resources could easily result in an under-performing internal
audit function that is significantly challenged to achieve the
longer-term objectives of a solid risk-based internal audit program.

Implications

We recommend a six-step approach to long-term rebalancing of internal audit priorities

We suggest a six-step framework to help organizations achieve
a successful balance between demands, priorities and resources,
as well as aligning their efforts with stakeholder expectations.

Step I
Reevaluate the risk assessment

While preparing for the first year of the Sarbanes-Oxley reporting
cycle, many organizations have deferred important aspects of
traditional risk-based internal audit plans in order to provide the focus
and resources necessary to address immediate compliance needs.
Deferring significant audit-plan elements has led to an imbalance in
internal audit priorities and resources for many companies. In these
cases, the need to document and test financial reporting controls has
taken precedence over a more broad-based, multi-dimensional
approach to risk-based internal audit.

Because internal audit risk assessments and plans are
overly skewed toward traditional financial reporting controls,
organizations may be exposed to operational and compliance-related
risks that are unrelated to Sarbanes-Oxley requirements. To rebalance
an internal audit plan, an organization must revisit its internal audit risk
assessment and its stakeholder expectations—both of which have
likely changed dramatically in light of the Sarbanes-Oxley legislation.


Three important points emerge when reevaluating the overall
risk assessment:

• First, the completeness of the risk profile: Does the risk
  assessment consider the entire risk profile of the
  organization—or has the assessment been skewed to
  address risks related to financial reporting, instead of risks
  related to operations, strategy, information technology or
  compliance issues?

• Second, the ranking or prioritization of risk categories and the
  universe of internal audit topics: Has the prioritization of risk
  been overly skewed by the current emphasis on Sarbanes-Oxley
  while overlooking other significant risks that could
  threaten the well-being of the organization?

• Third, the transparency with stakeholders by involving senior
  management and the audit committee in the risk assessment
  process. It’s important to ask both groups to articulate the
  risks for which they’re ultimately responsible. It also should
  be explained how a better understanding of risk management
  contributes to the process. Through such efforts, internal audit
  can take a lead role in facilitating a common understanding of
  risk and establishing a framework to develop a comprehensive
  internal audit plan.

In reevaluating the risk assessment, chief audit executives
should consider:

• The need to focus attention on financial reporting risks and on
  internal audit’s role in providing objective assurance about the
  design and effectiveness of the controls to manage such risks

• The downsides to ignoring operational and strategic risks.
  Failure to carefully monitor non-financial risks may result in
  longer-term under-performance or inefficiencies that could
  impact the organization’s ability to deliver quality products,
  services and sustained shareholder value.

• The development of a risk-based internal audit plan based on
  an enterprise-wide risk assessment. While a newly developed
  assessment will, by definition, include some aspects of
  Sarbanes-Oxley compliance, the plan should focus on
  mitigating the organization’s overall risk profile.

• The identification of Sarbanes-Oxley-related demands that
  stem from the proposed internal audit plan.

Step II
Revalidate stakeholder expectations

The over-emphasis on financial reporting controls associated with
Sarbanes-Oxley compliance can also contribute to a gap between
stakeholder expectations for internal audit coverage and the narrower
scope of internal audit focus mandated by the practical demands of
the legislation. By revalidating stakeholder expectations, the
organization can better define and clarify the most appropriate role
for internal audit in Year 2 of Sarbanes-Oxley compliance.
Chief audit executives may find that their stakeholders are seeking a
broad range of internal audit services from value protection—where
the focus is on independent assurance about financial and
compliance controls—to value enhancement activities that are
intended to strengthen organizational efficiency and risk management
solutions. An internal audit plan can incorporate elements of both
providing they’re well defined in internal audit’s charter and
universally agreed to by stakeholders.
Our Internal Audit Continuum™ model demonstrates how all of these
elements work together to create a balanced whole.
Achieving the right mix of skill sets to address the strategic functional
focus demanded by stakeholders is key to the stakeholder
revalidation process.
The model points out that in the context of value protection, for
example, individuals with strong financial and compliance auditing
skills will be required to play the necessary assurance-based role.
Conversely, the value enhancement role may require people with
enterprise-wide risk management capabilities, as well as deep
product and business-process knowledge.
Just as stakeholder needs change over time, the functional focus
of an internal audit department is not static. A chief audit executive
should periodically revisit expectations—as well as the functional
focus of the department and corresponding skill-set needs—with key
stakeholder groups.


[Figure: Internal Audit Continuum™. The internal audit functional focus runs from Value Protection through Balanced to Value Enhancement. Focus areas along the continuum: Transactions, Internal Control Processes, Business Process Improvement, Risk Management. Coverage: Internal Control Assurance, Relative Risk Coverage, Risk Management Assurance. Skill sets: Financial Compliance Auditing, Operational Auditing, Product and Process Knowledge, Enterprise-wide Risk Management.]

Step III
Align the internal audit plan

When senior management and the audit committee are involved in
the risk assessment process, stakeholders develop a better grasp of
how the internal audit program fits into the broader risk-management
picture. The internal audit plan should be formally presented to the
audit committee, with care taken to spell out which areas of risk
are—and are not—addressed by the plan. This will provide a basis
for discussion of the internal audit strategies underlying the annual
internal audit plan and present a complete picture of the
organization’s risk profile.
The internal audit plan can also demonstrate the balance between
value-protection and value-enhancement projects, as well as illustrate
the alignment of the audit plan with the organization’s strategic and
operational objectives. This enables stakeholders to gain a clearer
view of the organization’s overall risk coverage, and how the internal
audit plan is aligned with their specific expectations.

Step IV
Align resources, budget, and staff skills

Even with a clearly defined audit plan and a firm grasp of stakeholder
expectations, Sarbanes-Oxley demands may constrain the ability of
internal audit resources to address changing organizational risk profiles
or to adjust their audit approach to meet new requirements. As part of
the rebalancing effort, internal audit organizations need to revisit the
budgets, skills and capabilities necessary to fulfill the new plan.
Once the risk assessment and audit plan are determined, it’s time to
conduct a skills inventory to identify gaps between current resources
and capabilities and those deemed necessary to carry out the plan.
In cases where shortfalls in resources, skill sets or capabilities exist,
it may be appropriate for internal audit to look at “capacity
multipliers” to enhance available skill sets and productivity. These
multipliers range from co-sourcing solutions to process enhancement
and technology applications:

Strategic co-sourcing: Enterprises can turn to strategic co-sourcing
to acquire specialized skill sets that are not resident in the internal
audit function. The flexibility gained from strategic co-sourcing
enables internal audit functions to respond better or initiate change,
while enhancing the value of their investments.

Streamlined processes: Process improvement allows an internal
audit group to combat inefficiencies in core internal audit activities
which can rob the group of its capacity to maximize audit coverage
with available resources. Excessive cycle time for completing internal
audit engagements can lead to outdated results, diminished value
and significant stakeholder dissatisfaction.
By revisiting and streamlining core internal audit processes, an
internal audit group can gain newfound efficiencies, as well as an
enhanced capacity to add value. Key internal audit processes to
target for potential streamlining include the risk assessment process,
audit planning, audit program design and development,
documentation and review, internal audit reporting, and the
monitoring and follow-up of internal audit findings.


Technology applications: The application of technology can greatly
improve the efficiency, quality and value of internal audit processes
while freeing up resources to address high-priority areas. Promising
technologies include data analysis software, internal audit
infrastructure software and best-practices knowledge bases.

The realignment of resource and staff budgets provides a good
opportunity to conduct a Quality Assurance Review, as required by
the IIA Standards. A well-designed review will help to identify
resource and skill-set gaps, identify opportunities to improve internal
audit processes and verify compliance with The Standards.
Other ways to achieve the capabilities needed to deliver on provisions
of the internal audit plan include:

• Extending the rotation times for departmental staff.
  This is particularly appropriate for organizations using internal
  audit to develop management talent. For example, if a typical
  rotation time for internal audit staff is 18 to 24 months, it might
  be wise to extend it to 36 months.

• Establishing a guest auditor program that recruits
  subject-matter experts from within the organization to conduct
  specific audits in their areas of expertise.

• Recruiting new staff personnel who possess the necessary
  skills to meet evolving requirements.

Step V
Rearticulate the internal audit charter

While internal audit may already have an approved charter, chief audit
executives should ensure it is current and aligned effectively with
stakeholder value drivers and expectations. In particular, the charter
should clearly outline the role of internal audit with respect to
complying with Sections 302 or 404 of Sarbanes-Oxley.
A revised internal audit charter adds a sense of permanency to the
rebalancing effort and helps create a general transparency and
awareness with respect to the internal audit function and its role
within the organization. An audit committee could use an updated
charter to measure internal audit’s effectiveness, while a chief audit
executive might find a revised charter helpful in managing
agreed-upon stakeholder expectations.

Step VI
Measure results

After approving and implementing a rebalanced program, internal
audit needs a new set of performance measures to monitor results
that are aligned with current stakeholder expectations.
Ideally, organizations should develop a comprehensive and
meaningful set of performance metrics to measure the effectiveness
and value of a better-balanced approach to addressing internal audit
priorities. We recommend developing a “balanced scorecard” for
measuring internal audit performance against agreed-upon
stakeholder expectations. While balanced scorecards were once
considered a best-practice goal, they are now commonly recognized
as effective tools for measuring internal audit performance and value.

Richard Chambers
Director
richard.f.chambers@us.pwc.com

Karen Moscrop
Managing Director
karen.moscrop@us.pwc.com

www.pwc.com/internalaudit

© 2005 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers”
refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the
context requires, other member firms of PricewaterhouseCoopers International Limited,
each of which is a separate and independent legal entity. *connectedthinking is a
trademark of PricewaterhouseCoopers LLP
