The impact and effect of the Sarbanes Oxley Act on the internal audit profession: chief audit executives' perspectives.
Elson, Raymond J. ; Lynn, Michael
ABSTRACT
The Sarbanes Oxley Act of 2002 (specifically Section 404) requires management to assess the effectiveness of internal financial controls and instructs auditors to report on whether the controls are adequate or have material weaknesses. The Sarbanes Oxley Act ("SOX") has increased the focus on internal audit departments as a key partner in assisting management and the board of directors (especially audit committees) in fulfilling their corporate governance activities. Using a questionnaire, we conducted a study of chief audit executives (CAEs) within the insurance industry to obtain their perspectives on the impact and effect of SOX on their departments and profession. We were primarily interested in their involvement in the initial implementation and ongoing SOX compliance efforts, and any change in their departments' missions. We were also interested in the CAEs' opinions on the role of internal audit in the future, especially in light of SOX.
We received feedback from 35 (35.4 percent) CAEs representing organizations and audit departments of various sizes. The results showed that most internal audit departments were impacted by SOX in that they allocated significant resources to assist management in the initial Section 404 compliance efforts. The CAEs expected to expend similar efforts on future compliance efforts. Some departments also increased their mission to include corporate governance activities such as reviewing the company's ethics and business conduct and legal and regulatory compliance; areas not previously included in audit plans. CAEs could not fully articulate the future role of internal audit and no clear vision was provided. Responses received included expecting the function to remain unchanged, assisting management and the board of directors in corporate governance activities, and becoming more involved in enterprise risk management efforts.
Clearly internal audit departments were impacted by SOX and their missions continue to change to address emerging risks in the organization. However, the future role of internal audit was not clear perhaps because organizations continue to adjust to the new regulation. We recommend that researchers continue to focus on understanding changes in the internal audit function within organizations and its continuing evolution in response to SOX and other regulations.
INTRODUCTION
The Sarbanes Oxley Act of 2002 ("the Act" or "SOX") was enacted into law by the United States Congress because of a number of corporate failures which questioned the value of the financial statement audit. SOX applies to all Securities and Exchange registrants (i.e., public companies) and their external auditors. The key sections of the law include requirements for (a) the establishment of the Public Company Accounting Oversight Board or PCAOB, (b) Auditor Independence, (c) Corporate Responsibility, and (d) Enhanced Financial Disclosures.
The enhanced financial disclosures noted in Section 404 of the Act require companies to vouch for accounting controls over financial reporting and disclose weaknesses to shareholders. More specifically, Section 404 requires management to assess the effectiveness of internal financial controls and instructs auditors to report on whether the controls are adequate or have material weaknesses (Swartz, 2005). This is achieved through mandatory reports on internal control by management and independent auditors (Lin & Wu, 2006). Most businesses believe that the costs associated with complying with Section 404 are too high (O'Brien, 2006). However, 79% of financial executives included in one survey reported that complying with the Act has strengthened their internal controls (Swartz, 2005).
The Act has increased the focus on internal audit departments as a key partner in assisting management and the board of directors (especially audit committees) to fulfill their corporate governance activities. Essentially, management and the board of directors must ensure that their organizations are complying with SOX and especially with Section 404.
Carpenter, Fennema, Fretwell & Hillison (2004) surveyed corporate executives and noted that some are creating new internal audit departments, others are filling existing staffing needs, while others are ensuring that control issues are brought to the CEO and CFO's attention immediately in an attempt to fully utilize internal audit. The New York Stock Exchange (NYSE) supports this initiative since all listed companies are now required to maintain an internal audit function to provide management and the audit committee with ongoing assessment of the company's risk management processes and system of internal control (Harrington, 2004). NASDAQ does not have the same requirement but supports an internal audit function as a best practice.
Although its requirement is very clear, the NYSE has delegated the responsibility of determining what constitutes a properly structured internal audit department to each listed company. Corporate executives have some suggestions on how internal audit departments can become more proactive, especially as it relates to Section 404 compliance. Proposed actions include ceasing to use the department as a training ground, focusing more auditing resources on financial areas, having the internal audit executive report to the audit committee, and viewing the internal audit department as more critical to the company's success (Carpenter et al., 2004).
The regulators' and management's positions are very clear, but we were interested in what was actually happening in the internal audit departments. Specifically, how much were internal audit departments impacted by SOX, and how involved were they in Section 404 compliance efforts? As a result, we conducted a study of chief audit executives (CAEs) to obtain their perspectives on the impact and effect of SOX on their departments. We were primarily interested in their involvement with their organization's initial implementation and ongoing compliance efforts, and any change in their departments' missions. We were also interested in the CAEs' opinions on the role that internal audit might play in the future, especially in light of SOX.
THE STUDY
The Chief Audit Executives (CAEs) of Internal Audit Departments within the Insurance Internal Audit Group (IIAG), an industry group, were selected for this study. This is a specialized, focused group with a total population of 99 members. Contact was made with the group through a prior relationship with one of the researchers. Survey questions were developed to address the impact of SOX on the respective Internal Audit Departments (IADs). We were primarily interested in (a) their involvement in the initial implementation of SOX within the organizations, (b) any changes in their mission and/or operations as a result of SOX and (c) their views on the primary role the IAD might play within their organizations after the implementation of SOX.
The survey questions were pre-tested with other experienced internal audit personnel and the final document was emailed to the CAEs. Follow-up e-mails and/or phone calls were placed to the chief executives to enlist their participation in the study.
RESULTS AND ANALYSIS
Positive feedback was received from 35 CAEs for a 35.4% response rate. They represented companies of various sizes, but a slight majority (51%) worked at organizations with 1,001 to 5,000 employees, with 23% working at organizations with 10,000 or more employees. The CAEs are quite experienced, with a slight majority (54%) working in Internal Audit for 16 or more years. However, a large number of CAEs (46%) were new to their current organizations, having worked there for less than five years. The Internal Audit Departments in which the CAEs worked are relatively small, with most (86%) working in departments of less than 50 individuals. Eight CAEs (or 30%) worked in internal audit departments of less than 10 employees and one had more than 100 employees in the department.
In terms of educational achievement, the majority of CAEs (86%) earned at least a bachelor's degree, with an equal percentage (43%) obtaining at least a bachelor's or master's degree. Interestingly, 14% of the CAEs reported that they did not hold a formal college degree. Professional certification is quite important to these executives: most reported having at least one certification and a number had multiple certifications. The most important certifications in terms of total responses are the Certified Public Accountant (CPA), Certified Internal Auditor (CIA), Certified Financial Services Auditor (CFSA), Certified Information Systems Auditor (CISA) and Certified Fraud Examiner (CFE). Further information on the background of the chief executives who responded to the study can be viewed in Table 1.
SOX Implementation
Eight CAEs reported that they worked at mutual insurance companies and were not currently subject to SOX. As a result, no current resources were expended on SOX compliance. Most CAEs (69%) reported spending their audit resources on SOX compliance efforts in 2004 and expected to dedicate resources on 404 compliance in the future. Of those organizations that are subject to SOX, 12 organizations reported spending 21% or more of their audit resources on SOX related projects during 2002. Nine CAEs anticipated spending 21% or more of their future audit resources on SOX compliance efforts.
Not surprisingly, CAEs' audit and control backgrounds were critical to their organizations in the initial SOX implementation efforts and they or their audit departments were critically involved in such efforts. CAEs reported that their involvement included providing project leadership and project management skills, serving as members of the SOX steering committee, providing internal control training to management, and serving as advisor to business in gathering control documentation. In addition, some CAEs reported that their audit departments were the primary documenters of internal controls, performed quality assurance on documentation and test plans, and as subject matter experts reviewed management's control documentation, testing plans and results.
Although the Internal Audit Departments were involved in their organizations' initial 404 implementation efforts, CAEs reported that other departments would lead the maintenance and remediation efforts in the future. The responsible departments varied by organization but they were expected to include finance, controllers, operating areas with a centralized project management office, newly created internal control departments, and in limited instances, the internal audit department.
Section 404 of the Act only requires that key controls be identified, tested and remediated as necessary by management. As a result, other controls within business processes would not be subject to management testing. We were concerned about whether such controls would be included in the audit department's audit plans. Twenty-one CAEs reported that their audit plans would include such controls in the future.
Impact of SOX on department's mission
SOX has significantly affected the mission of most Internal Audit Departments, including those not currently subject to its regulations. In fact, 27 CAEs reported that their departments are currently involved in corporate activities. This is an area not traditionally included in most IADs' annual audit plans due to lack of expertise or reliance on the work of others such as the external auditor. For those organizations involved in or expanding their coverage of corporate governance activities, we requested that the CAEs indicate the top two areas in which resources would be allocated in the upcoming year. Top areas reported were ethics and business conduct, legal and regulatory compliance, and audit committee compliance with charter. One organization reported including the organization's whistle blower policy in its audit scope, while another was planning on examining the organization's conflict of interest policy.
CAEs reported that their organizations were expecting the internal audit department to lead control and risk training programs in the future. This finding is not surprising because of internal audit's greater understanding of risk and control issues.
Even with the increased audit work or perhaps the change in their missions, 20 CAEs reported that their departments had adequate resources to complete the audit plan. For those CAEs expecting a staff level increase over the next twelve months, the percentage increase ranged from 10% to 66%.
Future Role of the Internal Audit Department
SOX has forced organizations to examine the mission of their internal audit departments since management is now performing certain tasks that were typically performed by internal auditors. We asked the CAEs to define the future role of Internal Audit from their perspectives.
Clearly this is a question that the CAEs are struggling with since no clear consensus could be identified from the responses. Some expected no change in internal audit's role, others expected to assist management and the audit committee in performing their governance activities and some expected more involvement in enterprise risk management efforts. Some of the responses follow:
* We provide independent, objective risk assessment and evaluation of the effectiveness of risk management practices, internal control and corporate governance processes in all areas. We work with management in achieving business objectives by creating solutions to improve operations, while remaining objective and independent.
* Internal audit will support the audit committee of the Board of Directors in fulfilling their role by providing objective evaluations of management's internal control processes, Sarbanes-Oxley compliance efforts and enterprise risk management practices.
* I'm afraid that there will be significant pressure for us to become financial auditors with CPA designations due to SOX. I hope that soon there will be realization that there is a need for internal audit to provide a different track than the external auditors. It will be a sad day when operational and compliance audit takes a back seat to financial auditing, even though I understand the overlap. Our benefit to the company is far greater than tracing dollars through systems and feeding them into financial statements so our external auditors will feel comfortable with them.
* As role is better understood and valued, will be asked to do more of what most good departments have been doing all along, i.e., evaluate controls against a changing risk profile and through the process create positive change to the organization--more opportunities now exist to obtain added resources.
* I still see the value of Internal Audit in providing for independent, objective assurance and consulting activity designed to add value and improve an organization's operations. I just don't know if the paranoia of SOX will allow a quick return to these activities.
* Less consultative and more back to basics. Increased use of computer assisted audit techniques (CAAT)/continuous auditing/monitoring.
* Supporting Audit Committee and management governance responsibilities through audits, risk/control training and enterprise risk assessments.
SUMMARY AND CONCLUSIONS
The results of our study were based on responses received from insurance industry audit executives and may not represent the views of all CAEs. However, they do show that internal audit departments played an active role in their organizations' initial implementation of Section 404 of the Act and would continue to be involved in the future. As expected, CAEs played leadership roles in their organizations' implementation efforts. Clearly organizations were leveraging the knowledge of risk and control identification and remediation maintained by the CAEs.
The CAEs reported spending more of their resources on corporate governance activities such as reviewing ethics and business conduct and legal and regulatory compliance. This suggests that senior management and audit committees are relying more on their internal audit functions to assist them in their oversight responsibilities under SOX. Some organizations reported increasing audit resources by as much as 66 percent, which suggests support from senior management to fill either existing or new staff needs, thereby providing CAEs with adequate resources to fulfill their departments' missions.
The CAEs could not reach any consensus on the future role of Internal Audit, which suggests that this is an evolving role. SOX has been in effect for approximately four years and public companies have completed at least two reporting cycles of their Section 404 compliance efforts. Therefore, future research should continue to examine the role of the internal audit function within organizations and its continuing evolution.
REFERENCES
Carpenter, C., Fennema, M.G., Fretwell, P.Z., & Hillison, W. (2004, March). A changing corporate culture. Journal of Accountancy, 197(3), 57-63.
Harrington, C. (2004, September). Internal audit's new role. Journal of Accountancy, 198(3), 65-70.
Lin, H.H., & Wu, F.H. (2006, March). Limitations of Section 404 of the Sarbanes-Oxley Act. CPA Journal, LXXVI(3). Retrieved on August 27, 2006 from www.cpaj.com.
O'Brien, P. (2006, July). Reducing SOX Section 404 Compliance Costs. CPA Journal, LXXVI(7). Retrieved on August 27, 2006 from www.cpaj.com.
Swartz, N. (2005, July/August). Executives praise SOX but seek changes. The Information Management Journal, 22-25.
Raymond J Elson, Valdosta State University
Michael Lynn, AXA Technology

Table 1: Demographics

1. Number of years CAE worked in Internal Audit
   1-5 yrs: 4
   6-10 yrs: 8
   11-15 yrs: 4
   16+ yrs: 19

2. Number of years CAE worked in your current organization
   1-5 yrs: 16
   6-10 yrs: 5
   11-15 yrs: 7
   16+ yrs: 7

3. The total current staff size of CAE's audit department
   10 or less: 18
   11-50: 12
   51-100: 4
   101 or more: 1

4. The approximate number of employees in CAE's organization
   1,000 or less: 8
   1,001-5,000: 18
   5,001-10,000: 1
   10,001 or more: 8

5. Professional designations currently held by CAE
   CPA: 20
   CIA: 15
   CFSA: 8
   CISA: 8
   CFE: 5
   CMA: 1
   CBA: 1
   FLMI: 4
   CA: 1
   Certified Cash Manager: 1

6. Highest educational level attained by CAE
   No college degree: 5
   Bachelors: 15
   Masters: 15
   PhD/Doctorate: 0