Scaling up the Internal Audit and SOX Compliance Programs for Growth

As organizations step up for high growth by launching new businesses, products, and services, and expand into newer geographies, they also need to upgrade their internal audit and SOX compliance programs to enhance risk coverage, ensure better governance and business performance at lower costs. With increasing scrutiny and expectations from external auditors, cost, and effort, organizations need to reexamine their current internal audit and internal control management programs to see if it is scalable to support organization’s growth and changing risk profile.

Organizations are seeing a huge impact on the overall cost of compliance programs, money paid to external auditors, time spent by internal teams and the effectiveness of the program itself due to the lack of a structured approach, decentralized internal controls function and not using the right technology and tools. Organizations that have automated their manual processes and controls have matured their SOX compliance and Internal Audit programs and have been able to drive continuous improvement of business processes, and financial growth as well.

Stepping up the SOX Compliance Process

According to the 2016 Sarbanes-Oxley Compliance Survey by Protiviti, the estimated internal cost (excluding external audit-related fees) for an organization is an average of $1.1 million and the hours spent on SOX compliance has increased by more than 10% compared to 2015. On an average organizations had 50 entity level controls and 96 process level controls, out of which 45 - 50% are classified as key controls. For each key control, organizations spent more than 42 hours including testing or re-testing for control operating effectiveness, testing management review controls, testing data produced by the entity to execute key controls, creating and updating control documentation, and evaluating and remediating control design. As the number of hours devoted to SOX compliance increases so does the cost.

Here are some of the focus areas or practices, companies are following now to improve the process effectiveness:

• Shifting from only managing internal controls and compliance tasks to a risk-based approach to rationalize controls. Organizations are identifying high-risk processes, adopting risk control matrix and ensuring better documentation of controls, deficiencies, and related processes
• Increase in testing of controls with enhanced control automation and standardization
• Managing SOX processes, risks, controls, and test details in a centralized framework with better linkages and visibility, instead of a fragmented approach
• Revisiting control design to improve risk coverage of international, regional, and remote locations
• Increased focus on segregation of duties analysis for systems
• Enhanced focus on evidence and documentation ensuring greater reliance on the internal controls team, thereby reducing overall auditing effort and cost
• Real-time tracking of management’s assessment of its internal controls, with reports and dashboards, to help auditors track the status of internal controls and tests.

Also, with increasing cyber security incidents, organizations are planning to have a relook at their IT controls, and decide on regular assessment and testing, disclosure and reporting mechanism

The Changing Face of Internal Audit

Internal auditors play an important role in helping organizations ensure effective compliance, manage existing and emerging risks, and improve business performance by providing timely, valuable, and meaningful risk insights. However, the board and executive management are asking internal auditors to do more and solidify their role as strategic partners.

According to a 2016 PwC’s study “State of the Internal Audit Profession,” about 62% of stakeholders expect more value from internal auditors, including half of those who already reported experiencing significant value.

• Business Model Changes - Mergers and acquisitions, changing regulatory requirements, new product lines, and delivery methods, partnerships etc. require new business operating and financial models as well as changes to the existing ones. While these are important to meet emerging business opportunities, auditors need to review the changes, transition plans, and validity of current control designs, scope and suggest changes. They should also assist in identification and documentation of key risks and controls to new models, check impact of regulatory compliance and reporting requirements
• Expansion of International Operations - While expanding, organizations need to enhance the visibility and oversight of their international operations as there have been instances when subsidiaries and local business units have had compliance violations impacting the parent organization. Auditor’s need to relook at the control design, effectiveness of controls in the context of local business practices and ensure compliance with corporate policies and regulations. As the trade rules change, organizations need to ensure controls are in place to ensure compliance with export laws and regulations, sanctions compliance etc. Also, with the increasing instances of bribery and corruption, organizations need to develop and enforce relevant controls, policies, communication aspects, compliance assessments to track international business practices, international employees, and partners and avoid potential anti-bribery and corruption issues among foreign entities or business partners
• Vendor Management Practices and Associated Risks - With increasing reliance on vendors, it is important to get a better visibility of vendor ecosystem and ensure risks are identified and mitigated. Internal auditors should ensure the effectiveness of third-party relationship management from initial screening, data collection, and documentation reviews to contract management and ongoing monitoring of third-party risk. Also, internal auditors should work with procurement and other groups to review the processes being followed and ensure appropriate controls are in place and evaluate whether risk management has sufficiently been integrated into the supply chain management
• Increased focus on Cyber Security Issues and IT Controls– With increasing data security breaches, organizations expect internal auditors to play an important role in assessing internal processes, adoption of industry standards or framework, implementation of revised security models and suggest improvements. As the adoption of cloud increases, organizations are expecting internal auditors to look at system controls and general IT controls even closer than before and be able to provide timely assurance on the adequacy of cyber security efforts, thereby helping the audit committee oversee cyber security.

Role of Internal audit in enhancing SOX compliance

In most organizations, internal auditors play a significant role in implementing SOX and studies have proved that organizations derive significant benefits when auditors contribute to the SOX program.

In its survey, Protiviti quoted organization as saying that their audit committee has primary responsibility for SOX compliance and this increased from 11 percent in 2013 to 35 percent in 2016.

• Integrating the auditing plan of the Internal Controls and IA function will help improve the internal control environment significantly.
• The partnership between internal auditors and SOX compliance groups will help with gap analyses and rationalize controls. It will also help identify red flags, inefficiencies, redundancies and areas for improvement before they become a problem.
• Internal auditors can offer a centralized source of information to management regarding the effectiveness of an organization’s control environment and governance process.
• Internal auditors can ensure an approved communication and reporting mechanisms with management and other relevant parties. This will help management review the effectiveness of controls and decide if the controls need to be enhanced and take real-time remediation measures.
• Internal auditors can add value to external audits by participating in meetings with the external auditor to assist in identifying and meeting the internal control design, documentation, and testing expectations. This will also help cut the cost of external audits.

Convergence with the internal audit function can be facilitated by including internal audit in all key management committees, requiring and enforcing timely management responses and action plans for all significant internal audit findings and creating a reporting hierarchy and culture whereby internal audit can present potential contentious issues without hesitation. Internal audit can provide internal controls and COSO training to management and serve as a subject matter expert for the organization.