The Sarbanes-Oxley Act has transformed how companies conduct business.
Companies can benefit from considering the effects of SOA on their internal audit function.
Some of my recent engagements have me thinking about the different ways internal audit functions interact with the rest of their organizations or more precisely, how the folks in internal audit view their role within their companies and their responsibilities to their companies. Unfortunately, I see an increasing trend in internal audit behavior that is costing my clients precious time and money while diminishing the function’s effectiveness among co-workers and external partners. Let me say at the outset that I’m very sympathetic to the people who do this important and increasingly demanding job. There was a time when an internal audit job was seen as an opportunity to learn the whole company and then springboard to almost any other position. Compliance has changed that. Internal audit is now viewed more narrowly as a means to an end. In this newsletter, I’ll discuss how compliance requirements have affected the potential and value of this critical function and how it can be rehabilitated while still meeting all regulatory oversight. In my view, the issues fall into two broad categories. The good news is that there are solutions for the taking. The first is what I’ll call the “self-image” issue. Some internal audit functions in a legitimate and sincere attempt to comply with Sarbanes-Oxley have taken the current Institute of Internal Auditors (IIA) definition of “an independent, objective assurance activity” to an extreme where they hold themselves apart from their company. These folks are overlooking other key parts of the IIA’s definition that describe internal audit as “designed to add value” and “help companies achieve their objectives.” Instead of seeing themselves as an unbiased and beneficial force focused on ensuring that their company’s internal control environment is effective, efficient and compliant, they position themselves as a detached wedge between their company and the audit firm. More than once I’ve watched this model make clients undergo in effect two audits. Here’s a quick example: When one of our U.S. clients acquired a foreign-based company, they also acquired an internal audit department that, in the name of independence, wasn’t forthcoming about the competency of the accounting function. Post-acquisition, the internal audit function assumed the role of corporate cop and shadow auditor prior to the external audit. From start to finish, the acquisition and integration processes were inefficient and costly to the acquiring company. The solution here resides with the audit committee, CEO and CFO who need to work together to make their internal audit function comfortable that they can be fully objective while also exerting a positive effect on the company’s processes and outcomes. Internal audit needs to see itself as a powerful tool that can help the CEO and CFO assess the company’s near- and long-term risks in a way that helps the company achieve its goals while also maintaining the highest governance and regulatory standards. And while it’s clearly the responsibility of finance and accounting to be SOX compliant, it’s internal audit’s responsibility to help them. It’s a complex balancing act to be sure. But when it’s done right, the company is more efficient on all fronts; and external auditors have access to solid information to complete their engagements quickly and accurately. The second issue is what I’ll call “SOX myopia,” and it affects companies in two ways. The first is in the area of expanding oversight. External firms are finding their audits increasingly scrutinized by the PCAOB at more and more granular levels – the evidence for which is dependent on more specific documentation at every point of sign-off within the company. To close this gap, it’s critical for internal audit to move beyond traditional SOX compliance to ensure their company’s controls and processes are on par with the PCAOB’s expanding requirements. This effort will also enable external auditors to do their jobs efficiently, effectively and in compliance with new and evolving standards. The second way “SOX myopia” affects companies is in how the function is perceived by the rest of the company. I’ve repeatedly seen internal audit departments so consumed with compliance that they become alienated from the rest of the company. In some of the worst cases that I’ve observed, internal audit is viewed as a “gotcha” organization that is simply a cost center and doesn’t contribute to the business. The solution here lies in changing internal audit’s modus operandi so that it approaches errors or omissions proactively. Suppose revenue recognition is the problem. Instead of looking for exceptions to report, internal audit can work with management to identify the source of the situation and help design processes to achieve maximum accuracy going forward. That’s a win-win-win – internal audit, affected department, company with everyone pushing in the same direction. To repeat, I’m very sympathetic to the people who staff internal audit departments and to how compliance has narrowed what was once an almost ombudsman-like position. They walk a fine line every day because there’s no wiggle room when it comes to compliance. It’s absolute. However, it is possible for internal audit to be totally objective and still be an integral contributor to the company’s success. It’s all embedded in the IIA’s definition: “… an independent, objective assurance consulting activity designed to add value and improve an organization’s operations … bringing a systematic and disciplined approach to evaluate… risk …” In closing, here are a few suggestions to mitigate against the effects of increased compliance and enable internal audit to realize its full potential.- Make sure internal audit sees itself as part of the company not a silo. And then make sure the rest of the company sees internal audit as part of the team. The CEO and CFO can play important roles here by clearly communicating to the rest of the company that they support the internal audit function as both insurers of the company’s processes/controls and critical contributors to its success.
- Populate internal audit with people who can communicate effectively with both the company and with external auditors as rules, laws and directives continue to be issued with greater frequency. In the changing regulatory landscape that’s become business-as-usual, keeping everyone current must be a key initiative.
- Ensure all internal audit staff have broad-based skills to help design leading-edge processes that improve the business. The tick-the-box staffer is yesterday’s employee.
To discuss this important topic further or if you’re looking for general accounting advice and counsel, contact marc@blytheglobal.com
Here’s a sample of recent and current engagements.
- Assisting a $200 million entity that was part of a multi-billion dollar company and is now owned by a private equity firm with a wide variety of activities, including closing the books on a monthly basis, U.S. GAAP and IFRS financial reporting, and ERP system implementation.
- Providing part-time controller/CFO services to several private equity- and venture capital-backed companies ranging from start-ups to $50 million businesses.
- Performing financial due diligence, quality of earnings analysis and deal structuring assistance for boutique private equity firms.
- Providing financial modeling assistance to a public company in connection with a new line of business.
- Providing financial reporting, XBRL and technical accounting support for several smaller public companies.
- Providing pre-audit support for several companies preparing for their first external audit.