Top 10 Global Impacts of SOX on Internal Auditing

Back to Basics: Risk, Controls, Governance

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• Fostering Enterprise Risk Management
• Re-engaging Internal Controls
• Facilitating more effective corporate governance

#10: Incentive Compensation

Should internal auditing, and more specifically the chief audit executive (CAE), participate in incentive compensation award systems based on the performance of the organization's bottom line?

#9: Access to Information

Is the CAE positioned within the organizational structure to have access to and involvement in emerging decisions by senior executives, and to have a "seat at the table" when key business strategies are being developed?

#8: Reporting Relationships

Does the internal audit activity properly report within the organization directly to the audit committee for oversight and to the CEO for organizational interface?

#7: Are MD&A Disclosures Accurate?

Does the internal audit department perform tests to ensure the accuracy, completeness, and appropriateness of the information contained in the management discussion and analysis (MD&A) portion of the annual report?

#6: Quality Assessment

The International Standards for the Professional Practice of Internal Auditing require an external quality assessment every five years, plus an ongoing quality program to ensure the outputs of the internal audit department are in accordance with expectations.

#5: Control Assessment

• Entity-wide assessment of key controls in business processes that feed the general ledger and hence the overall financial statements
• Process ownership
• Certification of internal control over financial reporting
• Linkage to COSO's Internal Control Framework, including entity-wide control component assessment

#4: Fraud

• Awareness of potential fraud risks and appropriate responses
• Fraud prevention and detection program
• Forensic auditing during financial audits
• Increased fraud consideration in the internal audit department's audits

#3: Governance

• Audit committee changes to charter and scope of work
• Audit committee financial expert
• Audit committee member independence and financial competency
• Oversight of fraud, risk, internal auditing, and external auditing
• Self-assessment

Effective Governance

#2: Ethics

• Hotline operations
• Compliance programs
• Training
• Culture – encourage disclosures
• Investigative process coordination
• Handling complaints and documentation
• Whistleblower protection

#1: Risk

• ERM
• Risk model
• Risk event identification
• Risk assessment techniques
  – Probability
  – Impact
• Risk response
• Risk-based audit approaches

COSO's ERM-Integrated Framework

Entity objectives: four categories
• Strategic
• Operations
• Reporting
• Compliance

ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes

Source: COSO Enterprise Risk Management Framework

Today's Top 10

• Risk
• Ethics
• Governance
• Fraud
• Control Assessment
• Quality
• Management Discussion & Analysis
• Reporting Relationships
• Access to Information
• Incentive Compensation

For more information

• Visit www.theiia.org
• Call +1-407-937-1111
• E-mail custserv@theiia.org