Implications
Regardless of the extent to which internal audit organizations are
invested in Sarbanes-Oxley compliance, their ongoing success
depends greatly on achieving and maintaining alignment with
stakeholder expectations. And given the fluid nature of these expectations,
there’s a constant need to rebalance internal audit priorities and
resources in order to effectively address multiple risks. To this end,
we suggest a six-step framework to help organizations achieve a
successful balance between demands, priorities and resources, and
to align their efforts with stakeholder expectations.
Situation
Internal audit organizations have been consumed by Sarbanes-Oxley
Upon the passing of the Sarbanes-Oxley Act in 2002, few observers
anticipated the extraordinary impact it would have on corporate
internal audit organizations. In the past two years, internal audit
organizations have been so consumed by Sarbanes-Oxley that other
priorities are suffering—a factor that’s wreaking havoc on carefully
crafted risk-based internal audit plans.
A recent PricewaterhouseCoopers survey of more than 270 internal
audit organizations reinforces this point, indicating that nearly 60
percent of reporting companies dedicated half or more of their
internal audit resources to support Sarbanes-Oxley compliance.1
In addition, nearly 25 percent of the reporting companies had
not—as of November 2004—determined the allocation of internal
audit resources to Sarbanes-Oxley compliance for 2005. Such
indicators raise significant issues with respect to the ongoing impact
of Sarbanes-Oxley on internal audit planning for 2005 and beyond.2
Increased demand is falling heavily on the natural control experts
The resulting impact is new risks for internal audit
Our Perspective
Be sure that you are more broadly safeguarding the enterprise
The current climate of compliance makes it clear that exclusive
emphasis on financial risks can fail to address potential high-risk
audit areas. Without internal audit coverage in these areas,
management and directors have less assurance about the
effectiveness of non-financial controls—and, by extension—less
confidence in the overall operational efficiency and effectiveness
of the enterprise.
A disproportionate emphasis on Sarbanes-Oxley by internal
auditors can also create a number of other undesirable consequences,
such as:
How to rebalance internal audit in the short term
Organizations allocating 50
percent or more of their internal
audit resources to Year 1
Sarbanes-Oxley compliance
should consider immediate actions
to rebalance their internal audit
priorities for Year 2.
Recommendation I
Identify audit program imbalances
Recommendation II
Communicate the consequences of
an unbalanced internal audit plan
3 Institute of Internal Auditors, Flash Survey, “SOX Impact on the Audit Plan,” August 2004
• Identifying potential resource conflicts that could arise from
placing a high priority on achieving a risk-based internal audit
program, as well as providing sufficient internal audit resources
to address Sarbanes-Oxley procedures
Recommendation III
Reallocate Section 404 project work
Phase/Activity | Lead Responsibility | Recommended Internal Auditor Roles
4 Internal Auditing’s Role in Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002, © 2004,
The Institute of Internal Auditors, Inc., Altamonte Springs, FL
In practice, internal audit groups at many organizations appear to
be assuming a much broader role than what was originally
envisioned by IIA Standards. Results of the November 2004
PricewaterhouseCoopers internal audit survey indicate that internal
audit functions in many organizations are, in fact, assuming
significant responsibilities beyond the objective monitoring role
foreseen for internal audit by the IIA Standards and related guidance.
According to the survey:
Implications
We recommend a six-step approach to long-term rebalancing of internal audit priorities
We suggest a six-step framework to help organizations achieve
a successful balance between demands, priorities and resources,
and to align their efforts with stakeholder expectations.
Step I
Reevaluate the risk assessment
In reevaluating the risk assessment, chief audit executives
should consider:
Step II
Revalidate stakeholder expectations
[Figure: Internal Audit Continuum™ (label: Internal Audit Functional Focus)]
Step III
Align the internal audit plan
Step IV
Align resources, budget, and staff skills
Even with a clearly defined audit plan and a firm grasp of stakeholder
expectations, Sarbanes-Oxley demands may constrain the ability of
internal audit resources to address changing organizational risk profiles
or to adjust their audit approach to meet new requirements. As part of
the rebalancing effort, internal audit organizations need to revisit the
budgets, skills and capabilities necessary to fulfill the new plan.
Once the risk assessment and audit plan are determined, it’s time to
conduct a skills inventory to identify gaps between current resources
and capabilities and those deemed necessary to carry out the plan.
In cases where shortfalls in resources, skill sets or capabilities exist,
it may be appropriate for internal audit to look at “capacity
multipliers” to enhance available skill sets and productivity. These
multipliers range from co-sourcing solutions to process enhancement
and technology applications:
Step V
Rearticulate the internal audit charter
While internal audit may already have an approved charter, chief audit
executives should ensure it is current and aligned effectively with
stakeholder value drivers and expectations. In particular, the charter
should clearly outline the role of internal audit with respect to
complying with Sections 302 or 404 of Sarbanes-Oxley.
A revised internal audit charter adds a sense of permanency to the
rebalancing effort and helps create a general transparency and
awareness with respect to the internal audit function and its role
within the organization. An audit committee could use an updated
charter to measure internal audit’s effectiveness, while a chief audit
executive might find a revised charter helpful in managing
agreed-upon stakeholder expectations.
Step VI
Measure results
Richard Chambers
Director
richard.f.chambers@us.pwc.com
Karen Moscrop
Managing Director
karen.moscrop@us.pwc.com
www.pwc.com/internalaudit