Extracting energy from Sarbanes-Oxley: auditors at Chevron became internal consultants when management took responsibility for performing Sarbanes-Oxley compliance tests.
Organizations that fit in the latter category are not alone. Many companies did not see the opportunity that Sarbanes-Oxley afforded them to bolster controls, or they simply lacked the resources to convert this regulatory mandate into shareholder value.
For companies in both categories, the time is right to take a fresh look at Sarbanes-Oxley compliance with an eye toward elevating the role that internal auditing plays in influencing corporate risk management and compliance.
MIRED IN SARBANES-OXLEY
At many organizations, internal auditing bore the brunt of the initial Sarbanes-Oxley compliance work and often became mired in multiple phases of Sarbanes-Oxley, including flowcharting business processes, risk and control analysis, control design, and the most obvious response to Sarbanes-Oxley Section 404--extensive control testing on management's behalf. These are all necessary steps in the Sarbanes-Oxley process, but six years later, some audit shops are still performing management testing, much to their CAEs' chagrin. These audit executives can't wait to offload the burden of Sarbanes-Oxley and get back to their traditional duties, such as operational, systems, and special project audit work. Many hope to de-emphasize the impact that Sarbanes-Oxley has had on their audit plans and their department's discretionary time.
Yet those CAEs who look fondly at the past should pause for a moment and reconsider. Those organizations that look at Sarbanes-Oxley as an aberration and wish to get back to the "good old days" are missing a golden opportunity to have a positive and influential impact on the control environment. CAEs should be thinking about the opportunities that Sarbanes-Oxley can spark, even now, and should be considering how to make their audit function more effective, efficient, and valuable to the overall organization.
Of course, advice is one thing; implementation, quite another. How can internal audit departments springboard off Sarbanes-Oxley? How can a time and resource sink be converted into value-creating activity? For those seeking answers, these Sarbanes-Oxley lessons from Chevron Corp.'s internal audit experience may prove instructive.
THESE ARE THE GOOD OLD DAYS
Sarbanes-Oxley has raised the profile of the internal audit function as an in-house internal controls expert and, at some organizations, has given the CAE a seat in the executive suite. The value that internal auditing brings to the organization has been demonstrated clearly.
At Chevron, an international oil and gas company headquartered in San Ramon, Calif., the Internal Audit Department collaborated with management to design the company's approach to Sarbanes-Oxley and routinely participates in the oversight of the process through the Sarbanes-Oxley Steering Committee, which comprises finance heads and representatives of the core Sarbanes-Oxley team (today known as the Internal Controls Group). Internal auditing's perspective is sought by all levels of executive management and the audit committee.
TESTING BY MANAGEMENT
Today's internal audit departments are not pure compliance testing shops, solely dedicated to evaluating business units for conformance with company policies and procedures. Instead, modern auditors apply their accumulated knowledge to improving control efficiency and understand that internal audit clients look to them to add value through their assessments and consultations.
Internal auditors who help management recognize the value of Sarbanes-Oxley and deal with its requirements are appreciated. However, internal auditing brings less value when it assumes management's role as the tester, because it does not help business units build a controls mind-set or, most importantly, a sustainable process for ensuring that controls are in place, being performed, and working as intended--the underlying objectives of Sarbanes-Oxley regulations.
How many audit shops are equipped to review all key controls on an annual basis in their company? An audit department's risk-based and cyclically driven audit approach cannot match the impact of ownership, accountability, and real-time awareness achieved when management testing is performed by actual management.
Chevron concluded early on that the intent of Sarbanes-Oxley was for management to assume responsibility for internal control over financial reporting (ICFR). It further concluded that Sarbanes-Oxley testing by each Chevron reporting and business unit--rather than by internal auditing--would reinforce the controls mind-set and ownership that the company was trying to strengthen.
That didn't mean that internal auditing at Chevron was not involved. On the contrary, in year one, the department devoted extensive resources to Sarbanes-Oxley from a consulting perspective. Chevron also employed a third-party consultant to help interpret Sarbanes-Oxley guidelines and to help frame testing methodologies.
Internal auditing collaborated with the Sarbanes-Oxley core team, which was sponsored and staffed through the finance organization, and drew on the perspectives of the external auditor and third-party consultant. Together, the team defined and documented good testing practices for achieving "Sarbanes-Oxley readiness" for external testing. The team helped develop the generic risk control matrices and business process flowcharts that guided a re-evaluation of existing controls, drawing on a control self-assessment. Smaller teams were deployed throughout the company to meet with internal clients to develop the documentation and improve their understanding and know-how to take on their Sarbanes-Oxley responsibilities.
Still, there is a cost and downside to this approach. External audit firms are less able to rely on testing performed by management versus that performed by trained audit professionals. This point becomes even more relevant today with the introduction of the U.S. Public Company Accounting Oversight Board's (PCAOB's) Auditing Standard No. 5 (AS5), which instructs external audit firms to increase their reliance on management's testing.
So how does Chevron deal with this? Chevron accepts this downside, believing that the built-in accountability for the internal control environment is overwhelmingly enhanced through management ownership and testing. And Chevron believes its management testing is reliable and effective. Internal auditing plays a key role in arriving at this conclusion through its approach to Sarbanes-Oxley. The auditors review Sarbanes-Oxley processes and controls in virtually all of their routine audits. More importantly, in addition to concluding on the quality of key internal controls, they assess and conclude on the overall quality and completeness of Sarbanes-Oxley documentation and testing practices. This focus reinforces the existence and quality of a sustainable Sarbanes-Oxley "evergreen" process. With this evidence in hand, Chevron works continuously with its external auditor to reassess and expand reliance opportunities.
MAKING THE CHANGE
The good news is that it is never too late to migrate Sarbanes-Oxley testing and ownership of the process to management. There is no reason not to do it now.
The process starts with persuading management and the board of the merits of management testing if they are ever to wean themselves of their overreliance on internal auditing. To make their case, auditors can benchmark practices at other companies to demonstrate that management testing of key internal controls is an accepted and growing practice. They can also cite the recommendations of the U.S. Securities and Exchange Commission and the PCAOB regarding the role management should play. For example, AS5 allows management to consider ongoing supervisory and monitoring activities as providing evidence of control effectiveness, potentially reducing the amount of separate management testing required. Auditors can also illustrate the benefits that can be gained in terms of improved controls and decreased cost.
At the same time, internal auditing can develop a transition plan to gradually move testing over to management. However, companies shouldn't attempt to accomplish everything at once. The plan should include an educational component, so that managers are thoroughly versed in, and comfortable with, their new responsibilities. Moreover, the transition plan should include a strong management communication component, so that all parties understand that this move is endorsed at the highest levels of the company.
CREATING CONSULTING OPPORTUNITIES
At Chevron, Sarbanes-Oxley initially prompted a focused effort to document and build tools to help clients better understand the concepts of risk and control. Internal auditing helped with nearly every aspect of documenting compliance, especially those items that were needed on an accelerated time line basis, such as:
* Business process flowcharts (controls documentation). Internal auditing traditionally had created or updated this documentation at the start of cyclical audits.
* Inventories of applications and spreadsheets with control implications. This information, which internal auditing struggled to obtain for many years, helped improve risk assessment and audit scoping processes.
* Formalized risk/control matrices. These matrices provided an added benefit of educating those who perform control procedures about the reasons for those processes (e.g., internal controls are directly linked to risk exposures).
Today, these Sarbanes-Oxley work products are valuable to line management, finance and accounting employees, and auditors. Most notably, they provide more opportunities for internal auditing to hold risk-based dialogues with middle management, thus developing a more understanding relationship based on speaking the common language of controls. By mentoring middle management to develop control documentation, internal auditing builds a more trusting relationship with managers through a consulting role. In short, it demonstrates the value of internal auditing to the organization.
Once key controls are developed, they must be refined. Here again, internal auditing plays a key role through its appreciation of the bigger picture and understanding of which controls have a more significant overall impact. Refining key controls is a continuous process at Chevron, as is seeking opportunities to automate key controls to increase their reliability, minimize human error, and reduce testing requirements. Most companies should be able to emulate this approach by having internal auditing work closely with the core Sarbanes-Oxley team and key business unit representatives.
A RELIABLE TESTING HIERARCHY
Management testing has its downside in the reliance debate. However, monitoring and testing of controls by those that best understand the controls in the business unit places ownership and accountability in the right place. But some would question if the right level of independence exists.
At Chevron, the person who performs the control cannot test it for Section 404 compliance. Instead, a manager or supervisor who knows the business unit's processes and is at a higher level than the performer, or who is in an internal control coordination role for the business unit, is responsible for control testing and documentation. Afterward, an even higher-level person often reviews and confirms the test results. This hierarchy is aligned with an age-old maxim from the audit profession: You shouldn't audit your own work. The person who "owns" the control can't be the final arbiter of control effectiveness.
Chevron injects some added integrity in its process. Virtually all of Chevron's business units have internal control coordinators in place who play a key role in Sarbanes-Oxley testing and oversight. These coordinators tend to be experienced former internal auditors. As collocated and easily accessible consultants to the business units, they provide an added level of governance and oversight to ensure the quality of the documentation and testing processes.
ROTATION CREATES CONTROL KNOWLEDGE
Clearly, Sarbanes-Oxley instilled a sense of urgency and importance to understanding the role of internal controls in managing and mitigating risks. No longer could companies inadvertently confine that skill requirement to their internal audit department.
Chevron reinforces its controls awareness objectives by rotating potential finance leaders through the internal audit function as part of their development. Chevron's finance and internal audit leaders quickly realized that the success of one group is closely tied to the success of the other. Rotation serves to increase the finance leaders' knowledge of internal control design and assessment, further socializing the concept of strong internal control and providing a long-term benefit to the organization as these cross-trained employees move into new positions.
PROVIDE BALANCE IN GOVERNANCE
Once management is persuaded that it has primary responsibility for ICFR documentation and testing, internal auditing can assume its appropriate role: providing monitoring and advisory services. Ideally, internal auditing helps balance corporate governance by serving as one leg of the governance "stool," with management and the board making up the other two.
In Chevron's case, internal auditing assesses the quality of management testing as part of its cyclical, risk-based audits. Auditors determine whether management is adhering to standards and guidelines regarding tester qualifications, sample size, and testing frequency. They perform process control testing that combines re-performance and independent samples to substantiate management's testing conclusions. In addition, internal auditing provides assurance that the quality of management's testing is reliable. As a consultant, internal auditing commits to helping management be successful with Sarbanes-Oxley.
REFUEL THE AUDIT FUNCTION
CAEs shouldn't let Sarbanes-Oxley dominate their audit plan and limit internal auditing's ability to establish its worth in other areas. If the internal audit group is currently bogged down in Sarbanes-Oxley work, that doesn't mean it is doomed to a Sisyphean future, rolling the compliance boulder up the hill each year, only to watch it tumble back down, forcing auditors to start anew. Like at Chevron, CAEs can extract energy from Sarbanes-Oxley to fuel future success.
The rigor of Sarbanes-Oxley compliance improves the quality of controls, which should allow for better use of audit resources. If the organization's audit plan tilts heavily toward Sarbanes-Oxley compliance, now is the time to restore the equilibrium. By transitioning responsibility for documentation and testing to management, internal auditing can regain its ability to conduct reviews beyond Sarbanes-Oxley key controls and to take on projects to help further the company's other strategic objectives.
To comment on this article, e-mail the authors at email@example.com.
ILLUSTRATION BY DOUG ROSS
GENERAL MANAGER-INTERNAL AUDIT
MICHAEL REILING, CFE
AUDIT MANAGER-PLANNING AND DEVELOPMENT
PATRICIA MILLER, CIA, CISA, CPA
DELOITTE & TOUCHE LLP
|Title Annotation:||BEYOND SARBANES-OXLEY|
|Author:||Redmond, Gregory; Reiling, Michael; Miller, Patricia|
|Date:||Jun 1, 2008|