IIA chief: Sarbanes-Oxley puts internal auditing 'in the limelight'.

In the post-Sarbanes-Oxley era, internal auditors are helping to steer the projects for complying with Section 404 for testing internal controls; they are also in the best position to alert senior management to potential deficiencies before they become bigger problems. A certified public accountant and certified internal auditor himself, the current President of The Institute of Internal Auditors, David A. Richards, recognizes the value internal auditors bring to their organizations and their link to corporate governance. In an exclusive interview with Executive Editor Ellen M. Heffes, Richards talks about the enhanced role of internal auditors. Since coming to his post at The IIA's global headquarters in 2004, Richards has seen the organization's membership surge 15 percent to 115,000 last year; 2006 growth expectations are set at 20 percent. What follows are excerpts of the interview; more can be found at www.fei.org/mag/articles/5-2006_fr.cfm.
Talk about internal auditing's role post-Sarbanes-Oxley.

Richards: It's certainly been a very hot topic with our members, and for quite some time now because internal auditors have been a very integral part in almost every case that I've come in contact with. The feedback we're getting from surveys we run is that internal auditors, at least in year one, were spending as much as 50 to 100 percent of their time on Sarbanes-Oxley-related control assessment work for their companies. Although we believe that has dropped somewhat in year two, it is by no means a minor part of the workload that has been heaped on the internal audit function to help management prepare for their sign-off.

So, Sarbanes-Oxley has elevated the importance of internal auditing?

Richards: It's certainly been in the limelight a lot more. When Sarbanes-Oxley was enacted, a high percentage of companies turned to their internal audit departments and said, "We need you to help the organization figure out how to do that." So internal auditors worked with a management team to help determine how to document the company's internal controls over financial reporting, which controls needed testing and how that testing should be performed; what should be done about controls found to be ineffective; and the preparation of the statement management would sign. The IIA has issued a position paper on what we believe the internal audit function should do relative to the 404 assessment.
We believe that the law, as enacted, is intended to result in management's testing and assertion of the internal controls of the business. If the internal auditor is doing that, then the managers who are responsible for those internal controls are not necessarily being held accountable for their effectiveness. That accountability is really the spirit of the Sarbanes-Oxley Act. In essence, you have to determine what business processes feed information to your financial records. Once you decide what those processes are, you identify who owns them, and that's not the internal auditor. That is determined by the organizational structure of the business. For most organizations, the person who owns that business process is being asked to sign and submit a statement to the CFO and CEO. Sub-certifications document on the record who the CFO and CEO are relying on prior to their certification signoff for the organization in general.

How has the relationship between a CFO and internal auditing changed?

Richards: CFOs are now looking to the internal audit function in a way that they haven't done in the past. They are much more interested in, let's say, the internal audit work scope and being able to rely on the internal auditors in preparation for their own signoff. What I have seen happening is a better understanding of the organization's system of internal control. The CFO is either much more knowledgeable, or wants to be more knowledgeable, about internal controls. And if there's a control that's not working as intended, [he or she is] very actively looking at remediation so as to avoid a negative opinion at the end of the year.
CFOs are very concerned about the timing of assessments throughout the year to identify and isolate any problems so that they can be fixed in sufficient time to avoid some sort of negative statement. [Also] more interactions and discussions are taking place with the internal auditor about internal control.

Talk about the IIA's focus on corporate governance and its link to internal auditing.

Richards: Corporate governance is all about three words: expectations, communications and accountability. It's the overall responsibility for organizations to set expectations by policies, procedures, practices and guidelines that essentially say, "This is what we expect you to do." Good governance puts in place the kinds of activities, policies and procedures that drive people to do the right kinds of things. Communication is about making sure that expectations get communicated throughout the organization, and that there is proper training so that people understand what we mean by, say, "conflict of interest," and how that applies to them on their job on a day-to-day basis. If that is not done, the governance of the organization is going to fail.
Accountability is being able to hold people accountable for meeting the expectations that have been set. You cannot hide under a rock or get away with something when there is an accountability and monitoring process in place. The internal audit function has roles in each one of these three aspects. From the expectation standpoint, the internal auditor should use his/her knowledge of the business and of good control to help put in practice the kinds of policies that are going to drive the right kinds of behaviors. Regarding communication, often the internal auditors assist in training about good internal control, risk assessment and ethical behavior. That means getting involved and helping to structure the training. The third piece, accountability, is where the auditor is involved as the independent, objective assessor of results, activities and processes.

For just about anything that the organization does, the internal auditor should be an excellent source of information to the audit committee and management. With the right kind of structure, staffing and workflow functioning correctly, the audit committee should be relying on the scope of work of the internal auditors to assess the organization and provide open, honest assessments. You need an internal audit function that is structurally reporting to the audit committee in a way that protects the chief audit executive from criticism for saying what needs to be said. That's the environment that should occur, and senior management needs to embrace and support the internal audit function by saying, "We have this group around because we want to define and identify errors, omissions and/or process failures before they get out of hand.
And we want to make sure that there's no area of the business that is exempted from some sort of independent assessment." The external auditor is going to look at materiality and processes that are financial statement-related; the internal auditors' scope of work gets into operational activities where the real risks to the business are. Financial risks are important, but operational risk and control processes that are not functioning right also can put you out of business.

So, internal auditing and corporate governance really go hand in hand.

Richards: We're not corporate governance; we're part of the process. It's important that the four parties to good corporate governance--the board of directors, executive management, the internal auditors and the external auditors--are working together to assess the risks. It is a never-ending task, ongoing process, not just a once-in-a-lifetime event. Most chief audit executives say they need more resources to accomplish all the work on their plates. It's always a question of alternatives and prioritizing. "If I only have 20 internal auditors in my organization, I can't look at everything every year; I'm going to have to make the decision about what I look at and where I spend my time." That is why we have been concerned that the internal auditors are spending so much of their time on Sarbanes-Oxley alone. What happens to all that other risk to the organization that also should be looked at?
That is where organizations are more at risk today than they have ever been--because we're focused on compliance to a particular law (that is neither unimportant, nor trivial). But, it's about getting balance into the internal audit department's focus so that the organization has this function back where it belongs, looking at the right kinds of risks.