
Internal audit can deliver more value: IA groups have the potential to shape Sarbanes-Oxley compliance into a sustainable process and to position their companies to better leverage the significant investment already made in those compliance efforts.


In most organizations, internal audit (IA) groups are focused solely on their role as an independent reviewer and critical appraiser of the effectiveness of internal controls and the company's overall financial health. Although IA still owns this responsibility, it has new opportunities under the Sarbanes-Oxley Act of 2002 to provide much greater value to the organization.

IA departments have played a significant role in meeting Sarbanes-Oxley Section 404 requirements. Now, they have the potential to shape Sarbanes-Oxley compliance into a sustainable process where business owners shoulder their full responsibility for ownership of business processes and associated controls. Also, IA groups have the opportunity to take on a more strategic role, to position their companies better to leverage the significant investment in compliance, delivering real value to shareholders and management.

Shifting Internal Audit to a Customer-Centric Model

IA departments need to take a customer-centric approach to delivering value. To implement this approach, IA must use some of the same methods that externally-oriented departments utilize, such as:

* Maintaining an open dialog with all business units starting with commencement of their annual strategic planning process and continuing throughout the year;

* Developing an obsession with exceeding and anticipating the needs of business units;

* Investing not only in developing better technology and audit skills for IA resources, but also working to build business understanding and industry specific knowledge; and

* Ensuring a pervasive customer orientation approach, as opposed to the traditional "rule-keeper" role, throughout IA's operations.

The Capability Maturity Model (CMM) in this article shows different components of a measurement model that IA can use to measure the value it delivers to the company. The eight capabilities represent different characteristics of IA's role, depending on its current state.

To better understand each state of capability within a company's IA group, read down through any of the columns in the CMM to get a picture of each capability for an enterprise in that stage. If there is a particular area of interest, read across any row and determine which of the stages your company's IA group is in for that capability.

For example, the Strategy capability under the Improvement Needed state indicates IA's role is not linked to business strategy with a sole focus on testing and field work. Conversely, the Best Practices state reflects more sophistication and additional value delivered, with IA taking on a role as a business partner with broad organizational consensus on this role. This state might also include a proactive IA group providing advice on emerging trends, including setting up a rotational system of bringing business unit-trained resources into the IA group to improve linkage with various business units.

An IA department might be at different states for different capabilities. Senior management can align this model with a charter for IA and a balanced scorecard to measure progress in each area.

Best Practice Supports Shift to Customer-Centric Model

Each of the eight capabilities in the model shows a progression from a state of needed improvement to best practice. This section details specific descriptors of the best practice state, from each capability, to discuss how it can be achieved and further highlight the value provided.

Strategy -- IA provides additional value when the business units internal to the company regard it as a key business partner. This broader role removes IA's historical limitation as a policing or fault-finding agent. These business units hold IA accountable for their successful execution of their strategy and deliver more company value. To achieve this best-practice state, IA needs frequent dialogs with the business units, beginning with strategic planning for the business unit in question.

Client Service -- To move to a best-practice state where business units own the processes, testing and documentation efforts require a change management process. The most effective method is often the creation of a risk/compliance council with direction from the top of the firm. As these individuals in the council take responsibility for various functions--standardization of documentation; developing a process for presentation of remediation plans to the audit committee; defining, identifying, quantifying, and managing risks; and selecting appropriate support tools--they quickly take ownership. As ownership takes hold, IA is free to focus on its critical value-add tasks of oversight and business process improvement suggestions.

Processes -- In a best-practice state, IA can bring benchmark data from industry or risk sources to business process owners. This approach provides value to business unit owners by providing goals and targets they can attempt to achieve. It also provides value to IA by giving it more overall knowledge of the business and setting the stage for process improvement suggestions that IA can make to business unit owners. These changes are critical in the effort to drive out cost and improve the control structure.

Technology -- Embedding controls into systems allows for continuous control monitoring. Advanced capabilities with instant messaging even allow for systems to send notification to key members of the business unit management team when leading indicators begin to turn negative. This improvement allows for immediate correction of the problem rather than waiting for lagging indicators, when the cost of correction is far higher.

Reporting and Communication -- A balanced scorecard for IA, with leading and lagging indicators, makes the performance of the group transparent. Reviewing the scorecard with business unit owners allows for course corrections and lets business unit owners feel that IA serves to achieve their goals. IA, in turn, can focus on value-added activities within the company and measuring the company against metrics within its industry.

Risk Agenda -- Enterprise risk management is on the agenda of IA when management achieves a best-practice state. Improved risk management is the next logical step beyond Sarbanes-Oxley compliance. It delivers value because: it minimizes the capital needed to cover risk when a portfolio view is developed; it leverages the investment of Section 404 documentation; and it helps business units recognize the opportunity side of risk.

Board Involvement -- An IA department working under a best-practice arrangement has tight linkage with the company's board. This partnership allows them to work together in the company's best interests, and helps educate the board on important issues as IA uncovers discrepancies or identifies potential improvements in business processes.

Learning -- Although IA should not perform the work of business unit owners in the best-practice state, it does add value when it shares its knowledge and educates business units on what needs to be done. One best practice here is the creation of webcasts by a Fortune 500 firm to better educate global resources on basic tasks such as account reconciliation and analysis. Results were evident immediately, and the need for adjusting entries decreased significantly.

In summary, to provide additional value, IA must move beyond the role of serving as a monitor for the organization's key controls and take a broader approach to provide assurance over the organization's risk management processes as Sarbanes-Oxley evolves. IA has to align with the business strategies of its stakeholders while delivering quantifiable results to the business.

Mary Campbell (mcampbell869@yahoo.com) and Gary W. Adams are independent consultants who assist companies with the implementation of strategic initiatives. David R. Campbell, CPA, is an FEI member and a Professor of Accounting and Department Head at Drexel University in Philadelphia. Michael P. Rose, CPA, CIA, CCSA, CISM, is a Senior Partner for GR Consulting LLC, with offices in Philadelphia and New York.

RELATED ARTICLE: takeaways

* Internal audit usually functions as an independent critic of internal controls and financial health, but under Sarbanes-Oxley, it can add more value.

* IA departments need to take a more customer-centric approach to delivering value and maintain a continuing dialog with the company's business units.

* An IA Capability Maturity Model offers a way to assess internal audit practices at any point in time and to align those with a balanced scorecard.

* One best-practice idea is the formation of a risk/compliance council with direction from the top. This can help free IA to concentrate on its oversight role.

Internal Audit Capability Maturity Model: Improvement Needed

Strategy
* IA strategy is program-oriented rather than enterprise continuous service model
* IA strategy is not aligned and linked to business strategy
* Communication is sporadic, lacking overall purpose or plan
* Focus on field work or testing
* No clear people strategy--inexperienced resources often used
* Templates are not uniformly applied or consistently used

Client Services
* Focus on audit tasks rather than relationship building and value delivery
* Work is not aligned with value delivery to business units

Processes
* Methodology not defined and processes employed are not consistent
* Knowledge management capability non-existent
* Disclosure and internal controls testing and documentation performed for SOX, etc.
* Cycle time improvements are not addressed
* Inconsistent procedures applied in cycle audits

Technology
* Technology is under-utilized in testing, documentation, risk assessment, etc.
* When technology is used, it tends to be one-off systems that are unable to aggregate or mine data

Reporting & Communication
* Limited reporting to business except for problems identified
* IA communication not tied to overall business communication plan targeted toward achievement of business strategic objectives

Risk Agenda
* If assessed, risk is managed in silos/divisions without much involvement from IA
* Some testing limited by risk assessment
* No proactive approach to other risks
* Impact of changes on internal controls is not anticipated

Board Involvement
* Little or no interaction with the board
* Board and senior management cannot articulate IA's value

Learning
* No formal training requirements
* Many resources are unprepared for their role
* No support for board or organization learning

Internal Audit Capability Maturity Model: Best Practices

Strategy
* Organizational consensus on the role of IA
* IA is a business partner throughout the organization
* Reliable supply of experienced resources for all company needs
* IA positions filled on a rotational basis for development or improved linkage with the business
* Advice provided on emerging trends
* Organizational independence and objectivity in work approach

Client Services
* Expertise of IA clearly sought by business units
* Client process improvements regularly suggested
* Proper balance of work between IA and business process owners; e.g., control self-assessments are used and business units own process controls
* Full-service group providing financial, operational, assurance, consultative, governance, computer and fraud-related services
* Follow-up with clients to ensure that expected results are achieved

Processes
* IA provides enterprise compliance strategy oversight
* Benchmark against proven best-in-class
* Q/A review employed
* Continuous operational excellence stressed
* Audit methodology meets all professional standards and personnel are trained in its use
* Focus on automated and key controls
* Groupware tool employed
* Knowledge management fully implemented
* Audit reports include control environment ratings

Technology
* SOX 404 tool is utilized throughout the organization
* ACL-like software is employed by IA
* Automated working paper system is in place
* Best practices in knowledge management
* Library of audit programs is available to all staff
* Continuous control monitoring is utilized
* Artificial intelligence

Reporting & Communication
* Balanced scorecard is fully implemented, using both leading and lagging indicators
* Regularly scheduled briefings with clients
* Regular meetings with the board
* Exception reporting and graphics are utilized
* Reports are distributed electronically
* Client satisfaction

Risk Agenda
* Supports business unit identification and quantification of risk and makes appropriate recommendations
* ERM is on the agenda of IA
* Formal risk assessment is in place, and IA checks to ensure that the process is followed
* Ensures that BU owners can defend their risk profiles
* IA presents the opportunity side of risk management
* Risk assessment is broad-based
* Residual risk is measured

Board Involvement
* IA plays a key role in development of the "tone from the top"
* Tight overall linkage with the board and its agenda
* Functional reporting to the audit committee with dotted-line reporting to the CEO
* Assists board with developing an audit committee charter

Learning
* Education provided to operations management on internal control responsibilities
* Educates the board on business, controls and IA's role
* Proactively communicates key issues to the board and management and suggests corrective action

COPYRIGHT 2006 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Author:Rose, Michael P.
Publication:Financial Executive
Geographic Code:1USA
Date:Jan 1, 2006