Top 10 Global Impacts of SOX on Internal Auditing

Back to Basics: Risk, Controls, Governance

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• Fostering Enterprise Risk Management
• Re-engaging Internal Controls
• Facilitating more effective corporate governance
#10: Incentive Compensation
Should internal auditing and, more specifically, the chief audit executive (CAE) participate in incentive compensation award systems based on performance of the organization’s bottom line?
#9: Access to Information
Is the CAE positioned within the organizational structure to have access to and involvement in emerging decisions by senior executives, and to have a “seat at the table” when key business strategies are being developed?
#8: Reporting Relationships
Does the internal audit activity properly report within the organization directly to the audit committee for oversight and to the CEO for organizational interface?
#7: Are MD&A Disclosures Accurate?
Does the internal audit department perform tests to ensure the accuracy, completeness, and appropriateness of the information contained in the management discussion and analysis (MD&A) portion of the annual report?
#6: Quality Assessment
The International Standards for the Professional Practice of Internal Auditing require an external quality assessment every five years, plus an ongoing quality program to ensure the outputs of the internal audit department are in accordance with expectations.
#5: Control Assessment
• Entity-wide assessment of key controls in business processes that feed the general ledger and hence the overall financial statements
• Process ownership
• Certification of internal control over financial reporting
• Linkage to COSO’s Internal Control Framework, including entity-wide control component assessment
#4: Fraud
• Awareness of potential fraud risks and appropriate responses
• Fraud prevention and detection program
• Forensic auditing during financial audits
• Increased fraud consideration in the internal audit department’s audits
#3: Governance
• Audit committee changes to charter and scope of work
• Audit committee financial expert
• Audit committee member independence and financial competency
• Oversight of fraud, risk, internal auditing, and external auditing
• Self-assessment
(Graphic: Effective Governance)
#2: Ethics
• Hotline operations
• Compliance programs
• Training
• Culture – encourage disclosures
• Investigative process coordination
• Handling complaints and documentation
• Whistleblower protection
#1: Risk
• ERM
• Risk model
• Risk event identification
• Risk assessment techniques
  – Probability
  – Impact
• Risk response
• Risk-based audit approaches
COSO’s ERM-Integrated Framework

Entity objectives: four categories
• Strategic
• Operations
• Reporting
• Compliance

ERM considers activities at all levels of the organization
• Enterprise-level
• Division or subsidiary
• Business unit processes
Source: COSO Enterprise Risk Management Framework
Today’s Top 10
• Risk
• Ethics
• Governance
• Fraud
• Control Assessment
• Quality
• Management Discussion & Analysis
• Reporting Relationships
• Access to Information
• Incentive Compensation
For more information
• Visit www.theiia.org
• Call +1-407-937-1111
• E-mail custserv@theiia.org