Get the most out of your Inc. online experience by registering and joining the Inc. community today. Get access to all Inc.com content and priority invites to free Inc. networking events in your area.

Login using:


Or login directly through Inc.com

Audits, Internal

 

The Sarbanes-Oxley Act is a wide-reaching and complex law that imposes heavy reporting requirements on all publicly traded companies. Meeting the requirements of this law has increased the workload of auditing firms and increased the need for internal audits and controls in publicly held companies. In particular, Section 404 of the Sarbanes-Oxley Act requires that a company's annual report include an official write-up by management about the effectiveness of the company's internal controls. The section also requires that outside auditors attest to management's report on internal controls.

Private companies are not covered by the Sarbanes-Oxley Act. However, analysts suggest that even private firms should be aware of the law and how it may impact them under specific circumstances. For example, if a private company anticipates being acquired by a public company, it will need to comply with Sarbanes-Oxley's requirements on internal controls for several quarters before the acquisition date in order to reassure the acquiring company's CEO and CFO that they may certify the consolidated financials. In general, Sarbanes-Oxley has raised the bar in terms of expectations regarding internal controls and corporate governance.

INTERNAL AUDITING AND INTERNAL CONTROL

The manner in which internal auditing has evolved has linked it directly to the concepts and objectives of internal control. The IIA clearly advocates an internal control focus when it defines the scope of internal auditing: "The scope of internal auditing should encompass the examination and evaluation of the adequacy and effectiveness of the organization's system of internal control and the quality of performance in carrying out assigned responsibilities." At the most basic level, internal controls can be identified as individual preventive, detective, corrective, or directive actions that keep operations functioning as intended. These basic controls are aggregated to create whole networks and systems of control procedures which are known as the organization's overall system of internal control.

The IIA's Standards of Professional Practice outlines five key objectives for an organization's system of internal control: 1) reliability and integrity of information; 2) compliance with policies, plans, procedures, laws and regulations; 3) safeguarding of assets; 4) economical and efficient use of resources; and 5) accomplishment of established objectives and goals for operations or programs. It is these five internal control objectives that provide the internal auditing function with its conceptual foundation and focus for evaluating an organization's diverse operations and programs.

KEY ASSUMPTIONS ABOUT THE INTERNAL AUDIT FUNCTION

There are three important assumptions implicit in the definition, objectives, and scope of internal auditing: Independence, competence, and confidentiality.

Independence

Internal auditors have to be independent from the activities they audit so that they can evaluate them objectively. Internal auditing is an advisory function, not an operational one. Therefore, internal auditors should not be given responsibility or authority over any activities they audit. They should not be positioned in the organization where they would be subject to political or monetary pressures that could inhibit their audit process, sway their opinions, or compromise their recommendations. Independence and objectivity of internal auditors must exist in both appearance and in fact; otherwise the credibility of the internal auditing work product is jeopardized.

Related to independence is the assumption that internal auditors have unrestricted access to whatever they might need to complete an appraisal. That includes unrestricted access to plans, forecasts, people, data, products, facilities, and records necessary to perform their independent evaluations.

Competence

A business's internal auditors have to be people who possess the necessary education, experience, and proficiency to complete their work competently, in accordance with accepted internal auditing standards. An understanding of good business practices is essential for internal auditors. They must have the capability to apply broad knowledge to new situations, to recognize and evaluate the impact of actual or potential problems, and to perform adequate research as a basis for judgments. They must also be skilled communicators and be able to deal with people at various levels throughout the organization.

Confidentiality

Evaluations and conclusions contained in internal auditing reports are directed internally to management and the board, not to stockholders, regulators, or the public. Presumably, management and the board can resolve issues that have surfaced through internal auditing and implement solutions privately, before problems get out of hand. Management is expected to acknowledge facts as stated in reports, but has no obligation to agree with an internal auditor's evaluations, conclusions, or recommendations. After internal auditors report their conclusions, management and the board have responsibility for subsequent operating decisions—to act or not to act. If action is taken, management has the responsibility to ensure that satisfactory progress is made and internal auditors later can determine whether the actions taken have the desired results. If no action is taken, internal auditors have the responsibility to determine that management and the board understand and have assumed any risks of inaction. Under all circumstances, internal auditors have the direct responsibility to apprise management and the board of any significant developments that the auditors believe warrant ownership/management consideration or action.

It should be noted, however, that the "confidential" aspect of the internal audit function is not absolute. According to the Securities and Exchange Commission (SEC), internal audit reports must be made available for review in case of regulatory inquiries. Business owners dislike this state of affairs because of an understandable reluctance to divulge sensitive business information. But the SEC cites Section 21 of the Securities and Exchange Act, which grants the agency the power to subpoena financial records as part of investigations. The United States' major stock exchanges, NASDAQ and the New York Stock Exchange (NYSE), have adopted similar positions regarding their own inquiries into alleged misdeeds, seeing internal audits as key indicators of supervision, policies, and controls within the firm in question. These exchanges generally regard failure to produce internal audit reports or other records when demanded as violations of their basic tenets.

 PREV  1 | 2 | 3 | 4  NEXT