Changing Internal Audit Practices in the New Paradigm

University of Waterloo
Symposium on Information Systems Assurance
CHANGING INTERNAL AUDIT PRACTICES IN THE NEW PARADIGM
Glen L. Gray, Ph.D., CPA
Professor
Department of Accounting & MIS
California State University
Northridge, CA 91328-1280
(818) 677-3948
(818) 677-2456 (FAX)
glen.gray@csun.edu
----- Working Paper -----
September 27, 2003
The research reported in this paper is part of a research project sponsored by The Institute of
Internal Auditors Research Foundation.
CHANGING INTERNAL AUDIT PRACTICES IN THE NEW PARADIGM
Glen L. Gray, Ph.D., CPA
California State University, Northridge
ABSTRACT
The Sarbanes-Oxley Act of 2002 (SOX) was the result of a harmonic convergence of several
events. The initial motivation for SOX was the Enron debacle. Over time, the public’s interest in
the Enron scandal was starting to die, but then the WorldCom scandal hit the news and it became
impossible for anybody in Washington to argue against stronger corporate governance laws. With
SOX, the internal audit profession has experienced a major paradigm shift.
The primary objective of this study was to explore how SOX has been impacting internal
auditors and their companies. This study included four focus groups that were conducted with
internal auditors from February to June, 2003. The groups indicated that the impact of SOX on
companies is systemic. Many boards have had to make adjustments in terms of composition,
frequency and duration of meetings, and the range of people they meet with. Recruiting new
board members has been challenging. CEOs and CFOs are facing their own challenges, particularly
in terms of section 302 certification responsibilities.
The impact of SOX on the internal audit function has been profound. Even though SOX
does not require an internal audit function, the board’s and senior management’s views of the
internal audit function seem to have been greatly elevated due to SOX. The CAE is now on the
audit committee’s agenda. Internal audit departments are frequently reporting directly to the
audit committee. Senior management is encouraging the department to hire more staff members,
to pay competitive salaries, to get more training, and to travel more.
These new responsibilities and encouragements have also created issues. One issue is the
potential reversal of the new image that audit has been trying to cultivate for the past decade.
Auditors wanted to move away from the image of the company’s police officers to an image as a
partner and a consultant. Because of SOX’s emphasis on financial reporting and auditing, the
pendulum is swinging back with the auditors doing auditing-related activities and less
operational and consulting activities.
Whatever the image, the work loads and responsibilities are increasing for internal
auditors. Management still expects the auditors to provide the services that they did in the past,
but they also want new SOX-related activities.
One thing is clear from the exploratory research: SOX is going to provide a rich domain
for more empirical and quantitative research on a wide variety of SOX-related issues.
INTRODUCTION & OBJECTIVES
A number of significant events have occurred impacting most companies’ regulatory,
governance, risk, and control environments that can ultimately affect the charter, structure,
planning, staffing, and procedures of internal audit departments. During the past decade, a wide
variety of both external and internal forces were exerting significant pressures on the internal
audit profession. As significant as those forces were, during 2002, the profession experienced a
major paradigm shift due to major financial debacles and corporate governance failures—such as
Enron, WorldCom, Tyco, and Adelphia—that eroded public trust in capital markets and
resulted in the Sarbanes-Oxley Act of 2002 (SOX) [SOX, 2002], as well as various
pronouncements from the NYSE, AMEX, and NASDAQ.
As a consequence there has been increasing focus on financial reporting and corporate
governance by legislators, regulators, security analysts, investors, and employees. Whether by
law or by voluntary actions, the roles of boards of directors, audit committees, corporate
management, and both external and internal auditors are going through major changes. For
example, SOX requires the establishment of an audit committee and the establishment of
whistle-blowing procedures, lists specific independence and composition guidelines for
membership on the audit committee, prohibits personal loans to directors, disallows any
compensation other than director’s compensation, spells out the relationship with external
auditors in terms of acceptable and prohibited services, requires that the CEO and CFO certify
each annual and quarterly report filed and makes them responsible for establishing and
maintaining internal controls, and specifies real-time reporting. The NYSE has proposed
requirements such as that companies must adopt and disclose corporate guidelines, urges
companies to establish an orientation program for new board members, indicates that the audit
committee will discuss risk assessment policies and risk management, and states that every listed
company must have an internal audit function.
The board and management are going to need guidance and assurance from internal audit
that the multitude of new SOX requirements is being met. CEOs and CFOs are going to want a
very high level of assurance before they, as required by SOX section 302, will certify the annual
and quarterly financial reports. As viewed by The IIA, internal audit is one of the four
cornerstones of the foundation on which effective corporate governance is built—the others
being the board of directors, management, and the external auditors.
The primary objective of the study reported in this paper was to explore how SOX and
other pronouncements have been impacting internal auditors and their companies. One of the
critical issues that the study also explored was how internal audit will balance these new
requirements and expectations with their historical mix of services. In the past, internal auditors
were expanding their services towards consulting and non-traditional assurance services to
become partners (instead of police officers) and to provide non-traditional value-added services.
Once internal auditors started offering these expanded services, it was implied that these services
would be available in the future. But, now, time and resources (e.g., training/orienting internal audit
staff to new regulations and organization policies and procedures) are going to be needed to
respond to the new rules, regulations and guidelines, which in turn are going to put pressure on
reducing or eliminating some existing services—or for internal audit to make a strong case to
management to allocate more resources to the internal audit department. This study was
conducted through a series of four focus groups that were conducted with internal auditors from
February to June, 2003.
The remainder of this paper is organized as follows. The next section gives an overview
of the broad impact of SOX on public companies, public auditing firms (both large and small
firms), private companies, and not-for-profit organizations. The subsequent section briefly describes the
research methodology. That section is followed by a summary of the focus group comments and
observations. The final section includes some conclusions and comments about additional
research activities.
BACKGROUND
SOX was the result of a harmonic convergence of several events and related timing. The
initial motivation for a law like SOX was the Enron debacle. After the public revelations of
major accounting irregularities, the company went bankrupt, the employees’ pension plan
became worthless, and eventually the accounting firm Arthur Andersen closed up its worldwide
operations. Many believe that the public’s interest in the Enron scandal was starting to die down
and so was the public’s demand for new corporate governance laws, but then the WorldCom
scandal hit the news. After that it became impossible for any House member, Senator, or
Presidential staff to argue against stronger corporate governance laws. And then, adding to the
motivation to pass the Sarbanes-Oxley Act as it moved through the House, the Senate, and the
White House, more scandals broke, such as Tyco, Adelphia, and Global Crossing.
On July 30, 2002, SOX became law with President Bush’s signature. As the following
paragraphs summarize, the impact of SOX has been wide and sweeping.
The major impact of SOX, of course, has been on public companies, which are the primary
focus of SOX. Because of independence issues, people have been asked to leave boards and
officers have been asked (required) to repay outstanding loans. SOX requires that one audit
committee member be a financial expert. Some companies have had difficulty designating a
current member or recruiting a “financial expert” for the audit committee. Because of the new
responsibilities imposed on the audit committee, audit committees meet more often and for
longer durations with more people on their meeting agenda (i.e., internal auditors).
Since external auditors are prohibited from providing a wide variety of services to their
audit clients, companies must find another accounting firm (or other firms) to conduct prohibited
services such as outsourced internal audit services or IT consulting services.
Companies have had to create new (or modify existing) organizations and infrastructure,
such as:
• Creating or expanding a Disclosure Committee (not required by SOX, but a popular
response to SOX)
• Creating or modifying a whistle-blower organization (sometimes outsourced to an accounting
firm or other third parties) to comply with Section 301
• Creating a SOX Steering Committee or SOX Compliance Organization
• Creating an audit committee if none existed (Sections 205 and 301)
• Creating an internal audit department if none existed (not mentioned in SOX, but more
companies now see an internal audit department as a necessity)
• Developing a code of ethics for senior officers (Section 406)
• IT departments modifying systems and procedures to comply with Sections 302, 404,
and 409 (Real-time Issuer Disclosure)
SOX Section 404, which focuses on internal control evaluation and documentation, has
been particularly challenging to companies. According to a survey of CFOs by CFO magazine
[Nyberg, 2003]:
• SEC estimated that 404 compliance would take 4 to 5 hours/filing
• 48% of companies in survey estimated that 404 compliance > $500K
• EMC estimate: 302 & 404 compliance > $1M
• Borland Software Corp estimate: compliance > $3M
• 40% of CFOs: SOX = “very little” or “no effect” on (improving) processes
• 30% of CFOs believe benefits > costs
The second focus of SOX is accounting firms that audit public companies. SOX lists
specific services that accounting firms are prohibited from providing to their audit clients,
including [SOX 2002, Sec. 201]:
(1) Bookkeeping and related services;
(2) Financial IS design or implementation;
(3) Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
(4) Actuarial services;
(5) Internal audit outsourcing services;
(6) Management functions or human resources;
(7) Broker or dealer, investment advisor, or investment banking services;
(8) Legal services and expert services unrelated to the audit; and
(9) Any other service that the Board [PCAOB] determines, by regulation, is
impermissible.
For those services not listed, the company’s audit committee must approve the service
before the audit firm can provide the proposed service.
Many of those prohibited services were very profitable to accounting firms. However,
because the scope of financial audits has expanded because of SOX, audit fees have been
increasing, which compensates for some of the other revenue losses. According to an article in
California CPA, a survey conducted by Foley & Lardner found that audit fees increased by 27%
last year for S&P 500 firms—about four times the typical annual increase [California CPA, 2003,
p 8].
Many of the smaller accounting firms have considered dropping their auditing services.
For example, New York’s Grassi & Co. dropped 40 audit clients and Los Angeles’ Good, Swartz,
Brown & Berns LLP dropped 12 clients. This means auditing will be even more concentrated
among the Big 4, which already perform 75% of audits in the U.S. One author believes that
there are currently about 850 firms that do audits, and that number may drop to 100 over the
next two years [Johnson, 2003].
There are a variety of reasons why these smaller firms are getting out of providing
auditing services, including:
• Too many limits on other services (e.g., the prohibited services)
• Perpetual impact of registering with the PCAOB (Apparently, once an accounting firm
registers with the PCAOB, there is no mechanism to unregister.)
• Opens the firm to inspections (every year if it audits more than 100 public companies, or every 3
years if fewer) [Note: 7 accounting firms > 100]
• Registration process and forms (e.g., How many misdemeanor and felony convictions?)
• The premium and deductible for liability insurance for audit services are increasing
significantly. (Some insurance carriers have stopped offering coverage for audit services.)
Of course those that continue to offer auditing services have the potential to pick up
additional audit clients (e.g., Marcum & Kliegman, LLP in New York picked up 40 new audit
clients last year). In addition, it may be short-sighted for firms to drop their audit services. The
staff will have difficulty maintaining technical skills. They may have trouble keeping clients
(e.g., clients who eventually go public). They may also have trouble attracting new hires—both
entry level and experienced. For example, since in some states an accountant cannot become a
CPA without audit experience, it will be almost impossible to attract top-level accounting
graduates.
Although SOX specifically applies to public companies, SOX is having an impact on
private companies. The most obvious impact would be on those companies that were
contemplating going public in the future. Being public would expose the company to even more
rules and regulations that have costs associated with them. In fact, it is interesting to note that
some public companies have gone private to avoid SOX. SOX has a potential impact on both
parties if a public company is contemplating acquiring a private company. The due diligence that
would be performed by the public company would have to be even more intense. It is also
possible that the federal government may start requiring SOX compliance as part of contracts
with private companies. It is also possible that insurance companies and lenders will require
SOX compliance.
Demonstrating the broad reach of SOX, even not-for-profit organizations are being
impacted by SOX. Boards of non-profits are typically business people and some of them believe
that SOX compliance might be good for non-profit organizations (e.g., big hospitals, museums,
etc.).
METHODOLOGY
Task 1: Compile Background Materials. First, a variety of pertinent literature
published by The IIA was reviewed, including International Standards for the Professional
Practice of Internal Auditing [IIA, 2001], Assessment Guide for U.S. Legislative, Regulatory,
and Listing Exchanges [IIA, 2003], and Recommendations for Improving Corporate Governance
[IIA, 2002] as well as other postings on the IIA Web site (www.TheIIA.org). Literature from other
professional and trade associations, standard setting bodies, and other parties impacting internal
auditing was also reviewed.1 The primary objective of this task was to identify the external and
internal standards, requirements, and issues related to internal audit services to broadly define the
contemporary internal audit environment. The review of the literature also identified issues to
explore in the focus groups.
Task 2: Focus Groups. Focus groups have proved to be a cost-efficient strategy for
gathering preliminary exploratory information. In this study, focus groups served several
purposes: (a) obtain a broad overview of internal auditors’ views regarding the new paradigm; (b)
obtain overviews of how companies are reacting to the new paradigm; and (c) determine
challenges that organizations and internal auditors are facing in implementing policies and
procedures regarding the new paradigm.
Four focus groups were conducted as part of this research project. The first focus group
was conducted in New York City as part of the chief internal auditors’ roundtable. Twenty
members of the New York IIA chapter attended that meeting. The second focus group was
conducted in Los Angeles and was hosted by the Los Angeles chapter of ISACA. The objective
of this focus group was to explore the impact of SOX on IT and IT auditing. The third focus
group was also in Los Angeles, but was hosted by the Los Angeles chapter of the IIA. The fourth
focus group was conducted at the annual IIA conference in Las Vegas.
1 In addition to the IIA Web site, each of the Big-4 accounting firms is a very good source for SOX materials.
CFODirect.com has a very robust collection of SOX-related materials. The PCAOB and SEC Web sites have all of
the “official” SOX materials. A Web site created by one of my prior co-authors, wwww.pcaob.com, has a wealth of
information—some of it collected from other sources and some of it new materials. Do not confuse this last Web site
with the official PCAOB Web site at www.pcaobus.org.
The focus groups were taped. The comments on the four tapes were blended together to
create the following summary.
FOCUS GROUPS
The first part of each focus group explored general corporate governance issues related to
SOX. The second part explored the changing relationships between corporate management and
the internal audit department. The discussions then moved to exploring how SOX had impacted
the internal operations of the internal audit department, including organization, staffing,
planning, and management changes. During the focus groups a variety of other discussions arose
that are also summarized in the following paragraphs.
Corporate Governance
This section summarizes some of the comments that were made regarding how SOX, in
general, was impacting corporate governance, including the board and audit committee changes,
plus new committees and/or task forces that have been created in response to SOX.
Board of Directors
Direct Impact. Most of the auditors mentioned that their boards were concerned about
the many SOX requirements directly applicable to boards and audit committees, such as specified
responsibilities and independence requirements. As a few auditors indicated, in the past, some
board members were picked for their prestige or image—not their business acumen—and they
did not show strong interest in the management activities of the business. Other auditors
indicated that even those board members with business backgrounds historically relied heavily on
input from senior management to make key decisions.
However, the board members now know they are more accountable and they want
to fully understand their risks in this new environment. The board members are asking more
questions—and they are asking the questions of more people (e.g., management, internal
auditors, financial officers, external auditors, inside and outside legal counsels, consultants, etc.).
Retention. Although a few auditors used the term “scared” when discussing their board’s
reaction to SOX, none of the auditors reported a board member leaving specifically because of
some fear of new SOX responsibilities. But that does not mean that some board members did not
leave (or will be leaving) for other SOX-related reasons. For example, some board members have
resigned from their boards because of SOX independence requirements. Also, to help accelerate
changes to the board composition (e.g., to add more business-oriented members), some existing
board members are being encouraged to retire early.
Family-Dominated Public Companies. One type of organization in which SOX seems
to be having a major impact is those companies that are public but still have a dominant family
ownership. In these types of companies it is not unusual for two or more family members to be
on the board of directors, including being members of the audit committee. In addition, board
members might include the family lawyer and other people who are very close to the family and
could have a conflict of interest trying to represent both the family’s interests and the company’s
interests. These arrangements would not be in compliance with the independence requirements
of SOX.
These family members recognize the need (requirement) for the changes in the board's
composition; however, they also recognized that there will be significant costs associated with
recruiting and compensating new board members. As such, some auditors indicated that it is
possible that in the future we might see a trend of these families purchasing more stock to either
take the company private or at least own more than 50% of the outstanding shares.
The auditors seemed to agree that, in general, the boards do recognize that they have
to make the required changes, but many board members feel that the benefits of these changes
have not been clearly defined or quantified.
Financial Expert. One of the big unknowns that the boards must deal with is the
concept of the financial expert who must be part of the audit committee (to comply with Section
407). As of the time of these focus groups, the definition of financial expert was not yet fully
formed. However, whatever the final definition becomes, it will be very limiting in terms of the
population from which to designate or recruit audit committee members.
One of the problems is that potential candidates are turning down offers to be on the
audit committee because they do not believe that they have the general and financial expertise to
be on an audit committee or, specifically, to be designated the financial expert. That is, if they
accept a position, then they are implying that they are a financial expert.
Even those who are on the board and could qualify as the financial expert do not want
that designation because of the added responsibility—and perceived potential increase in
liability.
Recruiting Board Members. Companies with board openings are finding it difficult to fill
those positions, even when the positions will not be part of the audit committee. Part of the
problem is finding candidates who are both suitable and willing to take on the responsibilities
and presumed liabilities of a director.
In general, potential board members are simply more cautious about joining a
board. For example, one auditor told the story of a potential candidate who came in and wanted
to do his own due diligence of the company. He spent several hours interviewing the controller,
asking a wide variety of questions including things like how reserves were determined.
D & O Insurance. In addition to having difficulty attracting new board members,
insurance for board members is becoming more expensive. Some insurance companies are not
writing new policies for directors and officers (D&O) insurance and others are raising their
deductibles and premiums. One auditor said their deductible increased 400% and their premium
went up 20%.
Board Efficiency. Some of the SOX rules regarding board membership reduce the
efficiency of corporate governance. For example, the board at one company recognized that it is
a violation of independence rules for members of the audit committee to also be members of the
audit committee of subsidiaries. So, a new audit committee had to be formed for each subsidiary.
As such, presentations and discussions that take place with one board then have to be repeated
for the board members of the subsidiaries since there is no overlap between the different boards.
Audit Committee and Management. The new legal exposure for the audit committee
because of SOX is putting more pressures on the audit committee to more carefully perform their
duties. Because the board and the audit committee must ultimately rely on the corporate
infrastructure and management, a great deal of pressure is, in turn, being applied to management.
As one auditor said, “…management is turning over every rock looking at processes and
procedures with renewed vigor and scrutiny.”
Educating the Board. Some companies have developed formal procedures to educate
their board members and, in some cases, board members are educating each other (e.g., the
financial expert providing education to other audit committee members).
Charter. A couple of auditors mentioned that their boards are rewriting their charters to
be in compliance with SOX audit committee rules.
Sentencing Guidelines. One auditor discussed how in today's world both the board and
management are being “hit with a double whammy.” First, SOX and other new regulations are
expanding and explicitly delineating the responsibilities of the board and management. Secondly,
the risk environment for which they have these responsibilities is becoming much more
complex in terms of such factors as globalization, technology, finance alternatives, etc. Part of
the unknown that goes with these responsibilities is something called the constructive knowledge
doctrine, which is discussed in the federal sentencing guidelines. In a sense, boards and
management are responsible for what they know and what they should know. As such, the board
essentially wants to know, “are we asking all the right questions?” This increases the board’s
interest in concepts such as enterprise-wide risk management and the importance of internal
controls.
New Committees, Task Forces, etc.
One of the “surprises” of SOX is the added bureaucracy that SOX is creating inside
companies. The following paragraphs summarize three of those, namely, a SOX Compliance
Group, a Disclosure Committee, and a Whistle-blower Office.
SOX Compliance Group. According to the auditors, some companies have established a
separate group (or subgroup, task force, steering committee, etc.) that has primary
responsibility to follow SOX pronouncements and interpretations to help ensure that their
company becomes and stays SOX compliant. Generally, this group is not part of internal audit.
At one company, it is housed in the Business Risk Services Group. The risk management
department had just started a SOX group in another company. One large company is training a
variety of people across the country, so that each major office will have a local SOX resource to
provide guidance and leadership.
At other organizations, SOX responsibilities are included in the disclosure committee’s
scope of responsibilities.
At one company, the controller leads the SOX Group and the group includes the head of
each business unit (5) with internal audit taking a “project management role” in terms of
collecting data regarding SOX and what the company is doing in regards to SOX.
At another company, the SOX committee had a tiered structure with seven operating
sectors and at corporate level with a steering committee headed by the controller (who also heads
the disclosure committee) and includes the deputy and all the sector CFOs, internal audit,
treasury, corporate secretary, and vice president of tax. In addition, they have a separate project
management team headed by the deputy, sector controllers and an outside audit firm.
Some companies do not have a specific group—monitoring SOX compliance is more ad
hoc. At one company the controller is the point person on SOX. At another company it is the
internal audit CAE.
In discussing the disclosure committee vs. the SOX group in terms of responsibilities, in
general, the disclosure committee is more narrowly focused on financial reporting—like 10Ks
and 10Qs—and the SOX group is a broader working group monitoring sections 302 and 404,
internal controls, etc. and other aspects of SOX.
Disclosure Committees. SOX does not require a disclosure committee, but it does
recommend one. As such, many companies have either established new disclosure committees,
increased the status of existing disclosure committees, and/or expanded existing disclosure
committees to include a broader representation of high-level executives (e.g., one organization
included, amongst others, the CFOs from every subsidiary) to help make sure financial reports
and footnotes have all the proper financial disclosures—and that the proper people (e.g., the
controller) have signed off on them.
For those companies that already had disclosure committees, SOX has increased their
importance. The committee might also review disclosure of non-financial activities or events that
could impact financial results in the future. In some organizations, the disclosure committee
might even be responsible for evaluating the internal control structure for compliance with SOX.
The composition of disclosure committees varied from company to company. Generally,
the disclosure committee is composed of a legal representative, financial and accounting
representative, and treasury representative. Some committees also included an operations
representative, a press- and/or investor-relations representative, and/or an internal audit
representative. At one company, an internal audit representative sat in on disclosure committee
meetings, but did not vote.
One company had a particularly robust disclosure committee that included senior vice
presidents from each major business, general counsel, internal audit, and treasury.
Whistle-blowing. Those companies that did not have whistle-blower or fraud-reporting
hotlines (or other reporting structure) were now in the process of establishing them to be
compliant with SOX. The exact whistle-blowing process varied from company to company. At
one company a fraud-reporting hotline went to internal audit and to the legal counsel. Ethical
questions would go directly to the legal counsel. One company had its hotline connected to an
outside company. At another company, the hotline went to the Business Conduct office that, in
turn, reports to the general counsel.
One auditor, whose company already had pre-existing hotlines, said that 90% of hotline
calls were actually human relations (HR) related or similar procedural type of questions. So, at
many companies, hotline calls were screened by the designated organization (e.g., legal counsel,
etc.) before they are passed on to the audit committee.
One company that already has an ethics and compliance hotline is modifying the recorded
message to first ask if the caller is reporting something that is financial reporting related. If it is,
then the call is automatically routed to the outsourced internal auditors. On a quarterly basis or
more frequently if warranted, the outsource organization provides call summary reports to the
board.
One company also uses the company’s intranet for whistleblowers. The messages that
come in via the intranet go directly to the chair of the audit committee.
Some of the auditors from companies that had pre-existing hotlines indicated that there is
a common unintended consequence of these hotlines, namely, if an employee thinks they may be
let go, they will blow the whistle on something since they know they cannot be fired or laid off
until the issue is resolved. According to one auditor, over many years in their company, all but
one whistleblower was under some kind of cloud of performance problem. However, there was
usually some truth to what was reported; thus these calls cannot be taken lightly.
Relationship between Board and External Audit
Boards are exercising increased scrutiny of external audit activities. For example, one
internal auditor said that in the past when the external auditor’s engagement letter was forwarded
to the audit committee, there was generally little response from the committee regarding the
letter. Now that the audit committee has explicit responsibility for appointing the external
auditors and eventually signing the engagement letter, they read every sentence and ask "...50
questions regarding the engagement letter." The audit committees are all asking hard questions
about the fees and the audit approach including such items as how the auditors will do their risk
assessment and evaluate internal controls.
Relationship between Board and Internal Audit
As a result of the requirements of SOX (particularly sections 302 and 404), boards are
showing a renewed interest in the internal control environment and what the internal auditors do.
As some auditors indicated, the boards also recognize that the existing internal audit department
may not have the expertise to fully meet the requirements of SOX and are encouraging the internal
audit department to recruit additional personnel. This is almost a 180-degree reversal of the
common trend in the 90’s to downsize the internal audit departments.
Several auditors indicated that in pre-SOX years internal auditors never formally met with
the audit committee, but now they are on the audit committee’s agenda. Internal auditors who
historically did meet with the audit committee are, generally, meeting with it more frequently
and for longer times. For example, one auditor said that meetings used to run one to
one-and-a-half hours, but now they generally run two to two-and-a-half hours. In addition, the
number of audit committee meetings in a year has increased from four to seven. Another
company said its meetings increased from quarterly to monthly—some of which are face-to-face and some are telephonic.
Reporting Responsibilities. Some internal audit groups report administratively to the
CEO, which is the recommendation of the IIA (see footnote 2), but, based on the auditors at the
focus groups, most still follow the more common practice of reporting administratively (a “dotted
line”) to the CFO. Whether reporting administratively to the CEO or CFO, the vast majority of
audit departments now functionally report (a “solid line”) to the audit committee. Most of the
focus group attendees indicated that internal audit would continue to report to the CFO instead
of the CEO because the CFO has a much clearer understanding of what internal audit does than
does the typical CEO.
One auditor said his group reported to the risk manager, who is part of the executive
committee, which in turn reports to the board.
Even where the reporting relationship has not changed, as was stated by one of the focus
group attendees, “…there is a heightened awareness...(to) what you [internal auditors] have to
say on the part of both of these parties.”
The reason for the popularity of reporting to the CFO is that the CFO’s background is a
closer match to what the internal audit department is doing and the issues it faces. One of the
reasons that the IIA and others suggest reporting to the CEO is to reduce the potential for the
CFO to pressure the auditors to change something. However, this concern may have
been reduced in the SOX environment. As one auditor stated, “There's a lot less negotiation on
issues than previously.”
More Interest/Closer Scrutiny. On the other hand, with this new interest in internal
audit activities by the board and management, the CAE and the audit department are receiving
more questions and are also coming under closer scrutiny. One auditor reported that he has been
sending out internal control questionnaires for many years to collect information, but, nowadays,
the questionnaires go to more layers in the company and the distribution of the results of those
questionnaires has a wider audience because management now wants to take a closer look at
those reports. Reports now also go to the disclosure committee.
[Footnote 2] See Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines [IIA, 2002a] and Practice Advisory
2060-2: Relationship with the Audit Committee [IIA, 2002b] for discussions on the IIA’s recommendations
regarding reporting responsibilities.
New Internal Audit Departments. Two of the focus group attendees said internal audit
departments were created in their companies specifically because of SOX, even though SOX is
silent on internal audit departments.
Inside the Internal Audit Organization
Hiring. According to several auditors, SOX makes it easier to convince management
that internal audit needs to hire new auditors. The auditors gave several examples of opening
new internal audit positions because of SOX. This was even true in some companies where there
were hiring and salary freezes for other departments in the company. Other auditors gave
examples where internal audit had less pressure to cut staff even if cuts were taking place in other
parts of the company. Also, traditionally, the CFO had the final say on compensation and raises
for the internal auditors. Now, in many organizations, the audit committee has that final
responsibility, even if the audit group reports to the CFO for administrative purposes.
Changing Skill Mix. In terms of skills, one auditor said they are moving away from
looking for auditors with operational auditing skills and moving to auditors with financial
auditing skills. Another auditor indicated that they were looking for auditors who have a more
corporate view vs. a detailed store-level view of the company.
Recruiting Environment. One auditor mentioned that the recruiters he normally used for
recruiting have said there has been a spike in demand for both regular auditors and IT auditors.
Unfortunately for CAEs, the flip side is also true, in that head hunters are calling audit staff
members every day trying to persuade auditors to leave for jobs elsewhere.
IT Auditors. Even though the Internet bubble has burst and put many IT workers
into the job market, finding IT auditors with the right mix of auditing and IT skills is still
difficult. As one auditor said, “Regular IT people are a dime a dozen, but finding IT auditors is
still very difficult.” One auditor mentioned that applications for IT auditing positions have
quadrupled, yet, finding the right mix of skills in these populations is still difficult. For example,
many applicants have experience with Internet and Web programs and technology, but what are
needed are auditors experienced with ERP applications such as SAP.
Salaries/Retention. In general, budgets for internal audit departments are increasing.
Management recognizes the need to staff up in response to SOX. In addition, it is easier to obtain
approval to pay competitive salaries to recruit new auditors. This, in turn, helps increase the
salaries of those already in internal audit. Also, the company may be a little more generous with
expenses. For example, one auditor mentioned that his company was going through a major belt
tightening and had greatly restricted travel; however, internal audit could travel whenever
needed. This would sometimes surprise the auditee. So far none of the auditors have sensed any
resentment on the part of other employees related to the additional financial support for audit.
Regarding travel, the flip side is also true in that since managers know that the auditors
can travel more freely, managers are making more requests for the auditors to do additional
projects for them.
The auditors indicated that it is also easier to convince management to pay a premium
needed to attract IT auditors, which had been a serious problem in the past. Fortunately, the
salaries for IT auditors and regular auditors are converging somewhat, so the premium is not as
great as it once was. This is partly due to the increased demand (and salaries) for regular auditors
due to SOX-related activities and the relative oversupply (and softening of salaries) of IT
professionals due to the bursting of the Internet bubble.
Internal Recruiting. Some companies encourage people from other business units to
work in internal audit for a period of time to help them obtain a broader understanding of the
whole company. Auditors reported that internal recruiting is now easier because of the increased
visibility and status of internal audit.
Shift in Roles. In the past internal auditors wanted to move from being viewed as the
company police officers and, instead, be seen as team players and partners. Partnering is still
important, but, as one auditor said, “Now it's back to the basics.” As another auditor indicated,
things are being done on a collaborative basis--not the old-fashioned "sneak up on people"
approach--but the emphasis is on helping to ensure that management understands the importance
of internal controls and related assurance activities.
One auditor did expect to see the shift back toward being the company police officers
because the CEO is going to want the internal auditors to be more aggressive in their audits
“…that will allow the CEO to sleep at night and not worry about going to jail.”
Another auditor said he is now actually receiving requests from management to conduct
audits—quite different than in the past when management wanted the shortest, non-disrupting
audit possible.
In addition to partnering, in the past, internal auditors wanted to provide more value-added
services, which resulted in internal auditors providing more consulting services. For some
companies, SOX is moving the pendulum away from that direction. Under SOX some auditors
see themselves as facilitators, which they believe “marries” aspects of consulting and auditing.
One auditor said he sees the auditor’s role more consultative in that one of internal audit’s
roles is to identify best practices—particularly as those practices relate to section 404 (and
eventually 302)—within the company and report those practices to management.
One auditor described how in the past his audit department was hiring more and more
consultants who had no audit background. Reports to management took on a different flavor
using consulting terminology instead of audit terminology such as attestation and internal
controls. But now with SOX, reports definitely take on more of an audit flavor.
One auditor observed that the focus of internal audits is moving away from reporting on
operational efficiency, but comments are still made in that area if efficiency problems are
discovered during a financial audit. Another auditor said his internal audit department had
become a profit center in the pre-SOX years. Although there is a renewed interest in control
assurance, the audit committee does not want the audit department to move away from this
profit-center approach.
The shift towards more financial and accounting cycle audits and less operational and
technical audits or consulting projects was mentioned by several auditors. Only one of the
auditors mentioned that his company was doing a formal study of how internal audit should be
restructured. Part of this was an evolution that started before SOX because financial operations
have become more centralized (e.g., in the past, each major operation had its own payroll, but
now it is centralized).
One auditor indicated that the downside to the shift back to the terms auditor or facilitator
as opposed to consultants is the connotations associated with those terms. One auditor said, “The
auditor was seen by auditees as somebody who could give them a negative review that could
impact their job and their group's cost of capital, therefore, the auditees were reluctant to give the
auditor important information that the auditor specifically requested. On the other hand, the
auditees saw a consultant as somebody who has been helpful to improve the auditees’ operations
and, therefore, were very forthcoming with information.” It is important to keep this in mind as
internal audit moves into the SOX world.
Increased Demands on Internal Audit. Whether it's called consulting or auditing,
because of SOX, there has been a significant increase in demands for audit department resources,
particularly for special projects or requests related to SOX requirements, such as internal controls
design, evaluation, and/or documentation.
Whistle-blower letters are given new emphasis, which takes resources to investigate.
Because of the renewed emphasis on internal controls, new titles are popping up in
companies such as director of internal controls.
Auditors are being invited to be involved in the front-end of planning new internal
controls as experts. However, the auditor must be careful not to be part of the implementation
of those controls; otherwise independence will be a problem for the auditor to subsequently audit
those controls. One auditor indicated that his company addresses this front-end involvement
issue by having a policy that the audit team that will evaluate the controls must be different than
the team that was involved in planning the controls.
Outsourcing. Some companies still look favorably on the outsourcing of the internal
audit function in the SOX environment. As one auditor indicated, as in the past, “…it is still up
to internal audit to show that they provide added value to the organization.”
One auditor mentioned that their department is outsourcing part of their internal audit
activities, namely, “…detailed store-level activities…” and the existing internal auditors will
focus on broader corporate issues.
Companies that provide outsourcing services are also being impacted in terms of
independence issues and the reporting paths within the companies. The external auditor can no
longer also be the internal auditor. For those companies where that was the situation, they have
contracted with a new outsourced internal auditing firm—usually another Big 4 accounting firm.
On the other hand, some auditors indicated that SOX probably also tends to strengthen the
relationship between management and the existing internal audit department, which, in turn,
reduces management interest in outsourcing the internal audit function. Management recognizes
the value of consistency related to an in-house internal audit department.
Many auditors seem to agree that the stature of the CAE also has increased in the eyes of
the board and management because of SOX.
SAS 70. Since SOX became law, some auditors have experienced a sharp increase in
SAS 70 requests generated by customers’ internal auditors or customers’ external auditors. At the
time of the focus groups, it is not clear how SAS 70 integrates with SOX requirements, so there
is a danger of duplicating activities. However, SAS 70 does provide at least some standard for
one company to request internal control information from another company.
One auditor, who has received many of these requests, hopes that SAS 70 would be
modified in the future to reflect SOX requirements. Another auditor expected that SAS 70 itself
would go away and be replaced by some form of more detailed 404 requirements. That is, as
more companies become compliant with section 404 requirements, internal control-related best
practices will emerge. Other auditors disagreed with this speculation because it is hard to imagine
that companies will share the results of their internal 404 compliance activities.
Tracking Audit Recommendations. Because there are more demands on the auditors,
the auditors indicated that it is important to improve the effectiveness and efficiency of the
audits. One auditor indicated that at his company they are establishing a system to track audit
recommendations to help ensure that no recommendation is missed and the same
recommendation does not appear in the following year’s list of recommendations.
CAATs. Because of the increased demands on auditors (and the tight auditor market),
auditors are turning more to technology, such as computer-aided audit tools (CAATs), to increase
their efficiencies. Some auditors indicated that they are using data analysis and data mining tools
to evaluate 100% (instead of some small sample) of the populations of interest. One auditor
mentioned using Benford’s Law to identify unusual transactions.
Some auditors indicated that this increase in data analysis and data mining is supported
by more companies creating company-wide data warehouses and/or data warehouses specifically
for internal audit use.
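The Benford’s Law test one auditor mentioned, run over a full population rather than a sample, as an added example that is not part of this paper or of any focus-group company’s tooling. It assumes a constructed ledger (the invoice ids, the vendor label and the $5,000 approval limit are invented for illustration), scores each leading digit against Benford’s expected share, and pulls the records behind a flagged digit for manual review.

```python
import math
from typing import Dict, List, Optional, Tuple

# Benford's Law: the expected share of leading digit d is log10(1 + 1/d),
# so about 30.1% of amounts start with 1 and only 4.6% start with 9.
BENFORD: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount: Optional[float]) -> Optional[int]:
    """First significant digit of an amount, sign ignored; None if undefined."""
    if amount is None or amount == 0 or not math.isfinite(amount):
        return None
    # Scientific notation puts the first significant digit up front: 4.52e-02
    return int(f"{abs(amount):e}"[0])


def first_digit_counts(amounts: List[float]) -> Tuple[Dict[int, int], int]:
    """Count leading digits over every amount supplied (100% of the population)."""
    counts = {d: 0 for d in range(1, 10)}
    n = 0
    for amount in amounts:
        d = leading_digit(amount)
        if d is not None:
            counts[d] += 1
            n += 1
    return counts, n


def benford_z_scores(amounts: List[float]) -> Dict[int, float]:
    """Z-score of each digit's observed count against its Benford expectation.

    z = (observed - n*p) / sqrt(n*p*(1-p)); positive means over-represented,
    negative means under-represented (e.g. records missing from the ledger).
    """
    counts, n = first_digit_counts(amounts)
    if n == 0:
        return {d: 0.0 for d in BENFORD}
    scores = {}
    for d, p in BENFORD.items():
        scores[d] = (counts[d] - n * p) / math.sqrt(n * p * (1 - p))
    return scores


def flag_digits(amounts: List[float], threshold: float = 3.0) -> Dict[int, float]:
    """Digits whose deviation is at least `threshold` standard deviations."""
    return {d: z for d, z in benford_z_scores(amounts).items() if abs(z) >= threshold}


def drill_down(ledger: List[dict], digit: int) -> List[dict]:
    """Every ledger record behind a flagged digit, for the auditor to review."""
    return [rec for rec in ledger if leading_digit(rec["amount"]) == digit]


def make_constructed_ledger() -> List[dict]:
    """Constructed test data, not real company records.

    The first 1,000 amounts are spaced evenly on a log scale between $100 and
    $1,000, which follows Benford's Law almost exactly. The 200 appended
    payments sit just under a hypothetical $5,000 approval limit, the kind of
    cluster the test surfaces when a whole population is examined.
    """
    ledger = [
        {"id": f"INV-{i:04d}", "vendor": "constructed",
         "amount": round(100 * 10 ** (i / 1000), 2)}
        for i in range(1000)
    ]
    ledger += [
        {"id": f"INV-{1000 + k:04d}", "vendor": "constructed",
         "amount": round(4950 + 0.25 * k, 2)}
        for k in range(200)
    ]
    return ledger


if __name__ == "__main__":
    ledger = make_constructed_ledger()
    amounts = [rec["amount"] for rec in ledger]
    for d, z in sorted(flag_digits(amounts).items()):
        print(f"digit {d}: z = {z:+.1f}, {len(drill_down(ledger, d))} records to review")
```

Because the injected cluster inflates digit 4, the other digits are diluted and digit 1 also shows a negative z-score, which is why the report lists both and leaves the judgement to the auditor reviewing the pulled records.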
Relationship between Internal and External Auditors
Some auditors indicated that SOX has generally improved the relationship between the
internal auditors and external auditors. One reason may be that the external auditing firm is no
longer also providing outsourced internal auditing services to their company, so the feeling of
competition between the external auditors and the internal auditors has been reduced. Secondly,
there are still many unknowns surrounding the implementation and subsequent attestation of
certain SOX requirements, so there is probably a certain level of synergy as these two
groups try to fully address the impact of SOX.
302 and 404 and Internal Controls
The sections of SOX that probably have the biggest impact—at least in terms of time and
resources—on internal auditors (and probably companies in general) are 302 (Corporate
Responsibilities for Financial Reports) and 404 (Management Assessment of Internal Controls),
which relate to internal controls (see footnote 3). As one auditor said when discussing 302, “The CEO wants to
look into the whites of everybody’s eyes [before he signs anything].” One of those people the
CEO is going to want to look in the eye is the CAE.
Since SOX is new—and still a work in process—according to some auditors, one of the
biggest challenges for companies is defining the scope of internal controls that must be covered
under section 404. Should the scope be narrow (financial controls only) or broad (include non-financial controls)? The auditors generally believed that the focus will probably be narrow, but
there is a big gray area between the two because it is hard to identify all the controls, processes,
and events that could eventually impact the financial statements.
Fortunately, for some companies, pre-SOX activities are making it easier to meet SOX
requirements. For example, one auditor described how his company had been conducting control self-assessment (CSA) to identify risks; each risk is then stored in a Lotus Notes database for
easy retrieval and reporting. The database also includes the inter-dependence of the risks across
the organizational structure. Every manager has access to their area of the database. Now, this
database will be part of the controls that each regional management will be required to include in
their own quarterly certifications as a precursor to the CEO and CFO doing their final
certifications.
One auditor indicated that his company is hiring 12 new people at $90,000 each to work
under the controllers to help people implement their monitoring and control processes. Internal
audit will review those processes and then external auditors do their own independent review.
Another auditor indicated that his company has a group that includes 3 auditors and 2
people from the controller’s department whose responsibility is to monitor what their peers in
their industry are doing regarding SOX. Besides monitoring other companies and trade
organizations, this group also monitors the Big 4’s Web sites because these firms are posting a
wide variety of applicable SOX-related information.
[Footnote 3] While these focus groups were being conducted in the first six months of 2003, one of the big concerns was timing
in terms of how quickly SOX-related activities had to be implemented because originally companies had to be SOX
compliant if they were closing their books after September 15, 2003. [Subsequent to the first two focus groups, on
May 27, 2003, the SEC extended the compliance date to June 30, 2004.]
Selecting a Framework. Part of the challenge of designing, implementing, and attesting
to the internal control infrastructure is that the infrastructure must be based on a recognized
internal control framework such as COSO, or Internal Control -- Integrated Framework,
published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
(USA); CoCo's Guidance on Control issued by the Criteria of Control (CoCo) Board at the
Canadian Institute of Chartered Accountants; The Cadbury Report, Code of Best Practices,
issued by the Cadbury Committee of the United Kingdom; The King Report from South Africa;
and The Vienot Report from France. Most companies are using COSO, which the focus group
attendees indicated can be very cumbersome to actually implement. One auditor indicated that
COSO is about how you run your business--it is not about controls. That is, its coverage
(COSO’s 3 objectives) is far broader than financial internal controls.
The consensus seems to be that it is very hard to take COSO's list of controls and
objectives and map them to a specific company’s environment. One auditor said he has never
heard of a company who was happy with a COSO implementation (in the pre-SOX world). He
knew of one company that spent $20 million on consultants to help implement an internal control
environment based on COSO and they were not satisfied with the results. This activity predates
SOX enactment.
Documentation. The 404-required documentation of all the related business processes
can be a Herculean task for large, global organizations. Documenting a COSO-based
environment can result in a tremendous number of pages. One company implemented COSO-based internal controls in 200 locations (subsidiaries, divisions, etc.) and ended up with 500-page
documents from each location. As one auditor indicated, the challenge does not end with creating
the documentation. “How do you maintain something that generates so many documents? How
can you tell if you are following your own procedures that are buried in so many pages of
documentation? How far do you drill down? Documentation could get too detailed.”
There seemed to be a general agreement among the auditors that once the internal control
framework is established, then the actual development and documentation of internal controls
should be more of a bottom-up approach. That is, those people closest to the action are in a better
position to develop and document the specific internal controls that impact their own operations.
These individual internal control documents can then be aggregated to develop department level,
division level, and, eventually, enterprise level internal control documentation. As one auditor
said, “It's critical that there's a thread that moves from the bottom to the top [of the organization]
and vice versa.”
One auditor said his company created and stored its internal control documents by
treating the individual controls as database elements and, thereby, created a database of internal
controls where the specific controls can be retrieved and reviewed on an as-needed basis.
IT’s Role. Since a large part of internal processes and controls are automated, IT’s role in
SOX compliance is critical—and, according to the auditors, the companies seem to recognize
that. One auditor gave an example of where in the past, 30 programmers might have had direct access
to the mainframe, and the auditors commented every year in their audit report that this number
was too high. Now, IT recognizes that this will be viewed negatively by top management as they go
through their 302 certification process and have, therefore, reduced the number of programmers
who have direct access to the mainframe.
Another auditor reported that at his company they are increasing the minimum
requirement for new IT hires, as well as IT audit hires, and, in some areas (e.g., security), they are
requiring master’s degrees and/or other recognized certificates.
External Auditors
Just like there are new pressures on the company’s board, managers, and internal auditors,
the focus group attendees recognized that there are also new pressures on the external auditors.
For example, the external auditors are going to have to have an opinion on the client's internal
control infrastructure as it relates to the underlying internal control framework (e.g., COSO).
Just as there are no specific rules on how to actually implement COSO-based internal controls,
there are likewise no specific rules on how to attest to the implementation of COSO. Because
the SOX requirements are new, the external auditors are going to be somewhat reluctant to give a
complete pass (clean opinion) but they are also going to be reluctant to give a failing grade
(qualified opinion). The external auditor has to keep in mind that if they give a qualified opinion
this time, then the question arises why the auditors did not say something during the prior years’
audits if the internal controls had weaknesses. Even though in the past the external auditors were
not required to specifically opine on the internal controls, they do evaluate internal controls as
part of the audit process. As such, there would be some question as to why the external auditors
did not discover the problems they are now raising in their SOX-related evaluation.
External Auditor Training. Historically, external audit used to take a closer look at
internal controls, but in recent (but pre-SOX) years the external auditors have moved away from
internal control evaluations. Now, with SOX they have to move back to specifically evaluating
internal controls. Although the more senior members of the audit firm (e.g., partners and
managers) will have internal control evaluation skills that they can recall, the newer auditors will
need new training to help them do internal control evaluations.
Cost/Benefit Concerns.
A common concern of the auditors was the general frustration of trying to determine what
the (measurable) benefits of all of the SOX compliance activities are. SOX is taking people, time,
and money away from other activities. At the time of the focus groups, many sections of SOX
had not been fully interpreted by the SEC. As such, at that time management was driven by a fear
that it may be doing too little which, in turn, results in the board and management moving
towards a broad-brush approach to their SOX activities, but this may mean that in the end the
companies may be doing too much.
As an example of the scope of SOX-related activities, one auditor said, "We now have a
program office devoted to Section 404 [of SOX] and this office currently has three members and
expects to grow to 18 members and to potentially even grow beyond that number.” Another
large company already has 80 people [not part of internal audit] in a similar office to, first,
document what the current infrastructure is and then to determine what needs to be done to
improve that structure. They carefully documented their activities so that there is an audit trail for
the complete process from beginning to end. The documents were then reviewed by the external
auditors. This SOX (non-audit) office is responsible for making sure that the infrastructure is in
place. The subsequent monitoring of (attesting to) the infrastructure then rests with the internal
auditors.
One auditor summed up this concern with the simple statement, “At the end of the day,
the value of SOX is questionable.”
Miscellaneous
During the focus groups, a variety of side issues came up. The following summarizes
those issues.
Control Self-Assessment. CSA has the potential to become more popular under SOX
because it is an important tool for identifying and assessing risks. However, the focus group
attendees recognized that CSA must be done properly to be valuable. A good facilitator is
critical. Deciding who (e.g., what level of staff) to include at CSA sessions is also critical.
Several auditors suggested that CSA can (and maybe should) be done by someone (some group)
outside of internal audit, which might make people more comfortable in identifying risks.
US vs. Non-US Companies. Because of the scope of SOX, non-US subsidiaries of US
companies must also comply, which has created some resentment on the part of the non-US
subsidiaries.
Banks. Banks in particular feel they have a leg up on SOX since they are already highly
regulated. The same is true of other companies that have provided services to government agencies
because these agencies have been asking for signed certifications from those companies long
before SOX.
Not-for-profit Organizations. One of the surprising findings of the focus groups was the
significant impact of SOX on not-for-profit organizations. Although SOX applies only to
public companies, not-for-profit organizations are also carefully scrutinizing SOX. One reason
for this interest is the fact that the boards of many not-for-profit organizations are composed of
prominent business people who, in turn, are promoting the idea that the requirements of SOX
should also apply to the not-for-profit organizations. For example, one of the not-for-profit
organizations in the focus groups was establishing a whistle-blower hotline specifically because
of SOX.
Future
One of the auditors suggested that the IIA should promote internal auditors as financial
experts for audit committees.
One auditor speculated that more detailed requirements will be coming out of the SEC as
companies try to comply with SOX, which means that adjustments will have to be made in the
future to those activities that the companies had already performed in terms of SOX compliance.
Because external auditors now, in a sense, have the government behind them, the quality
of external audits should improve. The external auditors will get less push back from the clients.
The accounting firms will not use audit as a loss-leader commodity.
Hopefully, there will be more convergence in the future as internal auditors and external
auditors develop and publicize their best practices, and then these best practices will become de
facto standards.
SOX2. At each of the focus groups, at least one auditor predicted a SOX2 would
eventually come along that will go deeper than just financial statement-related controls contained
in the current version of SOX.
One auditor predicted that as lawsuits start happening—and lawyers start asking for ALL
your documents as part of the discovery—restrictions and regulations in SOX will become even
more strictly interpreted. One auditor predicted that audit standard development will become
more transparent, but it will also become more political and will be subject to wide lobbying.
Rapid reporting. The SOX requirement for rapid reporting is going to put increased
pressures on IT departments.
Forensic accounting. There will be increased demand for forensic accounting to determine
what happened after the fact.
CONCLUDING COMMENTS
As the focus groups indicated, the impact of SOX on companies is systemic. Boards have
had to make adjustments—sometimes major adjustments in terms of encouraging early
retirement, expanding the frequency and duration of meetings, and expanding the range of people
they meet with. Companies needing to recruit new board members, particularly audit
committee members, are having some difficulties. CEOs and CFOs are facing their own
challenges, particularly in terms of section 302 certification responsibilities.
The impact of SOX on the internal audit function has been profound, which is somewhat
ironic since SOX does not even require an internal audit function. Even though SOX does not
require an internal audit function, the board’s and senior management’s view of the internal audit
function seems to have been greatly elevated due to SOX. The CAE is now on the audit
committee’s agenda. In many companies, the internal audit departments are now reporting
directly to the audit committee, instead of the tradition of reporting solely to the CFO. As
opposed to the pre-SOX world, senior management is encouraging the internal audit department
to hire more staff members, to pay competitive salaries, get more training, and to travel more.
These new responsibilities and encouragements have also created issues for the internal
audit department and the CAE. One issue is the potential reversal of the new image that internal
audit has been trying to cultivate for the past decade. Auditors wanted to move away from the
image of the company's police officers, whom company personnel dread to see, toward an image
as a partner and a consultant. Because of SOX's emphasis on financial reporting, financial controls,
and financial auditing, the pendulum is swinging back, with internal auditors doing more
auditing-related activities and fewer operational and consulting activities.
Whatever the image, the workloads and responsibilities are increasing for internal
auditors. Management still expects the auditors to provide the services (whether auditing or
consulting) that they did in the past, but it also wants more SOX-related reports, attendance at
audit committee meetings, and for internal audit to take the lead on several SOX-related activities
(e.g., in some cases, taking responsibility for the whistle-blowing processes).
How this will all play out, only time will tell. Internal auditors seem to enjoy their new
visibility and status. From senior management's perspective, the jury is still out regarding SOX.
Many seem to doubt whether the benefits of SOX will ever outweigh the costs
associated with it.
One thing is clear from this exploratory research: SOX is going to provide a rich domain
for more empirical and quantitative research on a wide variety of SOX-related issues.
REFERENCES
California CPA (2003) "Audit fees surge after SOX," July: p. 8.
IIA (2001) International Standards for the Professional Practice of Internal Auditing, IIA
Research Foundation, Altamonte Springs, FL.
IIA (2002) Recommendations for Improving Corporate Governance, IIA Research Foundation,
Altamonte Springs, FL, April 8.
IIA (2002a) Practice Advisory 1110-2: Chief Audit Executive (CAE) Reporting Lines, IIA
Research Foundation, Altamonte Springs, FL, December 3.
IIA (2002b) Practice Advisory 2060-2: Relationship with the Audit Committee, IIA Research
Foundation, Altamonte Springs, FL, December 3.
IIA (2003) Assessment Guide for U.S. Legislative, Regulatory, and Listing Exchanges, IIA
Research Foundation, Altamonte Springs, FL, April 17.
Johnson, C. (2003) "Small accounting firms exit auditing," The Washington Post, August 28
[www.smartpros.com/x40299.xml].
Nyberg, A. (2003) "Sticker Shock," CFO, September: 51-62.
SOX (2002) Sarbanes-Oxley Act of 2002, Public Law 107-204, 107th Congress.