Internal Audit’s Journey from Compliance Cop to Risk Advisor

The passage of the Sarbanes-Oxley Act of 2002 (SoX) had profoundly positive impacts on many aspects of corporate governance, not the least of which was on the role of the internal audit department.

Although the costs and benefits of SoX have been widely debated, it is clear that one of the benefits of SoX is that internal audit now has a significantly expanded role in corporate governance and is increasingly being viewed as a key risk management resource by senior management and audit committees alike.

Prior to the passage of SoX, internal audit departments developed annual audit plans often focused in two areas: compliance auditing and cost reduction audits. While neither of these areas is inappropriate for an internal audit department to address, the insight that they provided stakeholders into the company’s ability to mitigate or avoid the impacts of existing or emerging business risks was limited.

Though management and the board were focused on looking ahead and positioning the company for growth, internal audit was typically focused on the past. It took SoX to reshape internal audit’s focus to more fully align with the orientation of its stakeholders.

SoX facilitated the redefinition of the internal audit department’s mission through several key factors.

Factor 1: Increased exposure of internal audit

Given their control knowledge and process documentation skills, many companies relied heavily on internal audit to drive their SoX implementation efforts. Because of the cost and regulatory implications of SoX implementation, chief audit executives commonly gained a significantly enhanced level of exposure to the audit committee and senior management.

Factor 2: Increased understanding of the importance of process controls

SoX greatly increased management’s and the audit committee’s appreciation for the importance of process controls. Historically, internal audit was focused on validating the accuracy of a previously reached conclusion. With the requirements of SoX, it was now being pushed to give confidence that processes were designed such that they would provide predictable and sustainable results. This focus on process durability and the importance of controls in consistently driving desired outcomes would later translate directly into operational audits and a desire to minimize disruptions to business processes regardless of whether there was a direct financial reporting impact.

Factor 3: Increased desire to understand management’s ability to not just deliver results, but to respond to unforeseen events

The economic shocks endured by the economy in general, and very established and mature companies in particular, increased the audit committee’s interest in understanding business risk and management’s ability to adequately anticipate and respond to rapidly changing conditions.

When combined, these three factors created a perfect environment for internal audit to sustainably elevate its role within a company’s governance structure and to gain better balance between its historical role of “auditing” past performance and its new charge of helping management and the audit committee look forward and prepare themselves to anticipate and address future challenges.

At the same time that this need for increased active risk management came about, internal audit departments found that they could effectively shift some of their historical activities to other functions within their company, thus providing the budgetary flexibility to meet this new demand. Specifically:

  • Compliance auditing of financial controls and process results was now being addressed, at least in part, through SoX compliance groups. In some environments, this role continues to reside within internal audit, but it is typically viewed as a component of the internal audit plan and not the primary focus (as had often been the case during SoX implementation).
  • Cost reduction/revenue enhancement projects were increasingly being addressed by Six Sigma programs that became popular beginning in the late 1990s.

Free of having primary responsibility for these two important objectives, internal audit departments were able to reposition themselves to meet the emerging demand for active risk management. Suddenly, chief audit executives were involved in helping companies drive enterprise risk management (ERM) efforts designed to help management identify, manage and monitor current and future business risks.

They further found themselves increasingly turned to for insight into whether existing business processes were exposing the company to unacceptable risk (particularly in light of significant staff reductions endured by many companies). Finally, their recognized expertise in process controls led to an increasing demand for internal audit to assess stable processes to identify opportunities to make alterations that help companies achieve greater or similar levels of predictability in a streamlined manner.

Although most chief audit executives had little ability to fully anticipate the impact that SoX would have on their departments, it turns out to have been the perfect catalyst to transform internal audit into a critical pillar of corporate governance. Internal audit’s role in helping stakeholders anticipate, monitor and assess business and operational risks far exceeds what most chief audit executives had dreamed possible just one decade ago.

By combining their process and control knowledge with an understanding of risk management practices, internal audit has assumed the enviable role of being an indispensable advisor to audit committees as they strive to obtain sufficient insight into management’s preparedness to address the business challenges of tomorrow.


About the Author

Rob Kastenschmidt is a national leader in risk advisory services with RSM McGladrey.