• No results found

Moving Internal Audit Back into Balance

N/A
N/A
Protected

Academic year: 2021

Share "Moving Internal Audit Back into Balance"

Copied!
41
0
0

Loading.... (view fulltext now)

Full text

(1)

Moving Internal Audit Back into Balance

A Post-Sarbanes-Oxley Survey

Fourth Edition

(2)

Table of Contents

IntroductIon... 1

ExEcutIvE Summary ... 2

ovErvIEw of rEbalancIng InItIatIvES ... 4

current Status of Sarbanes-oxley compliance ... 4

State of rebalancing ... 5

making Progress ... 6

Primary benefits ... 7

Key activities by organizations Seeking to rebalance ... 8

addressing It audits ... 9

Sarbanes-oxley compliance Strategies as Part of rebalancing Efforts ... 10

addressing It audits ... 12

Primary ownership ... 13

ImPact of SEc’S IntErPrEtIvE guIdancE and Pcaob aS5 ... 14

rebalancing Efforts ... 14

changes in Efforts/Hours ... 15

Quantity and Scope of Processes and controls ... 20

ImPact of rEbalancIng InItIatIvES ... 22

Internal audit responsibilities in Sarbanes-oxley compliance ... 22

allocating Internal audit Efforts for coSo Internal control objectives ... 23

rebalancing the Skills gap ... 24

Internal audit Staffing, Hours and budget allocations ... 25

Impact of SEc’s and Pcaob’s guidance ... 26

outsourcing Sarbanes-oxley compliance activities... 27

External Quality assessments ... 28

cHangIng landScaPE dEmandS ongoIng rEbalancIng ... 30

mEtHodology ... 31

SurvEy dEmograPHIcS ... 32

about ProtIvItI Inc. ... 34

(3)

1

Moving Internal Audit Back into Balance

Introduction

“Unless commitment is made, there are only promises and hopes ... but no plans.”

– Peter drucker

without question, much has changed in the seven years since the u.S. Sarbanes-oxley act became law. we conducted our first Internal audit rebalancing study in 2005 to assess how organizations were relying on their internal audit departments for Sarbanes-oxley compliance-related activities while seeking to “rebalance” these functions to also address more traditional internal auditing responsibilities. (for the purposes of this survey,

“rebalancing” is defined as the process of moving activities away from Sarbanes-oxley compliance to a broader coverage of business objectives as defined by the coSo framework.)

In subsequent years of the study, we noted how the landscape continued to change, with organizations becoming more familiar with the Sarbanes-oxley compliance process and thus streamlining their efforts. Perhaps most nota- bly, in 2007, a potential paradigm shift was introduced with the u.S. Securities and Exchange commission’s (SEc) interpretive guidance to management on implementing Section 404 of Sarbanes-oxley, along with a new standard, auditing Standard no. 5 (aS5), from the Public company accounting oversight board (Pcaob). both of these were intended, in part, to alleviate some of the time and cost burdens associated with the compliance process. the results of our 2008 rebalancing survey suggested that both the SEc’s interpretive guidance and Pcaob aS5 were having their intended effect.

In our 2009 rebalancing survey, one of the more interesting trends emerging from our analysis of the data is an apparent drop among organizations in activities and perceived benefits relating to these regulatory pronounce- ments. both were designed to ease compliance burdens among companies and facilitate a more efficient and streamlined attestation by external auditors of internal control over financial reporting. there could be several reasons behind this trend. certainly there is a heightened regulatory environment in the wake of the many well-publicized bank and corporate failures worldwide. there also could be a general aura of “compliance conservatism” because of the global financial crisis that is impacting virtually every organization around the world. It also could be that the rate of changes being implemented by companies has slowed since it has now been two years since the SEc’s and Pcaob’s announcements. we explore these and other themes further throughout this report.

this year’s survey, which was modified slightly from previous years, consisted of questions grouped into two divi- sions: “rebalancing Strategy” and “Internal audit organization and focus.” more than 600 respondents – a major- ity of whom are chief audit executives, audit directors and audit managers – took part by completing the survey in person or online. we would like to extend our appreciation to all of the chief audit executives and internal audit professionals who participated in our 2009 rebalancing survey. we also want to recognize the Institute of Internal auditors for its continued leadership and guidance for the profession.

we are very appreciative of the continued positive feedback on this study that we receive from chief executive offi- cers, chief financial officers, board members and other executives, as well as internal audit leaders. we are certain our 2009 report will again be of interest to any organization assessing how to balance ongoing Sarbanes-oxley compliance with traditional internal auditing responsibilities.

Protiviti June 2009

(4)

3

2

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 3

2

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Executive Summary

Impact of the SEC’s Interpretive Guidance and PCAOB Auditing Standard No. 5

while approximately half of survey participants reported the SEc’s guidance and Pcaob aS5 are enabling them

to increase rebalancing efforts significantly or moderately, the response was down from 2008.

Hours for external audit, internal company and other external resources have decreased, but not as much as

reported last year.

a majority of respondents reported decreases in the number of key controls and total controls documented

and tested.

one of the more notable trends in this year’s results is an apparent lessening in the positive effects of the SEc’s interpretive guidance and Pcaob aS5, with a general across-the-board decrease in their respective impact.

this could be a result of many factors, including the global economic crisis, heightened regulatory environment, continued significant reliance on manual processes and controls, growing conservatism among companies in order to “maintain the status quo,” or a belief among organizations that they already have implemented changes in response to these regulatory rulings and are not planning further adjustments.

Primary Benefits of Rebalancing

“Internal audit being able to perform more traditional audits” and “more appropriate coverage of risk” rank as

the top benefits.

“reduced Section 404 and 302 compliance costs” is the third-highest ranked benefit, yet the response was

down 7 percent from 2008.

after 2005 (the first year of the survey), there is a clear trend showing more traditional audits to be a top benefit of rebalancing, which is understandable given the interest in shifting internal audit away from a Sarbanes-oxley-only emphasis. Such a shift enables organizations to achieve more appropriate coverage of their risks.

Sarbanes-Oxley Compliance: Current Status

most respondents are in or beyond their fourth year of Sarbanes-oxley compliance, generally mirroring the

compliance timeline since the act went into effect for large accelerated filers.

these results are similar to those from the 2008 rebalancing study. of note, there was a year-over-year increase in the number of organizations identifying themselves as in either the “first year” or “pre-first year” of compliance.

this is the result of the pending deadline for smaller companies to comply with the auditor attestation requirement of Section 404 (beginning for fiscal years ending on or after december 15, 2009).

Rebalancing Status: One Year Ago Versus Today

nearly three out of four organizations have achieved or moved beyond rebalancing, or have rebalancing under-

way or in the planning stages.

this is very consistent with results from the 2008 and 2007 rebalancing surveys. these results clearly show that even with the ongoing requirements for Sarbanes-oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks.

(5)

3

2

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 3

2

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Strategies: Current Versus Planned

as in 2008, reducing the number of key controls and using a risk-based testing approach were the top two

strategies, but percentages for both were down year-over-year.

“reduction in number of key controls” leads the strategies that organizations are currently employing, followed by

“use of a risk-based testing approach,” “greater reliance on internal auditors by external auditors” and “reduction in total population of controls.” However, when comparing this year’s results to those from 2008, there was a consistent decrease in the percentage of responses for each category. this may be a signal that some companies believe they have completed making adjustments in response to the SEc’s and Pcaob’s pronouncements, or be further indication of an apparent hesitancy among organizations to fully implement practices based on the SEc’s interpretive guidance and Pcaob aS5. It also could mean that some organizations believe they have applied a top-down, risk-based approach, consistent with the SEc’s guidance. based on our experience, we believe many organizations with this point of view continue to rely heavily on manual financial reporting processes and controls.

Activities as Part of Rebalancing

risk-based testing and rescoping workloads are the top rebalancing activities.

“Implement risk-based testing,” added to the rebalancing survey this year, ranked as the top activity, with two out of three organizations including this as part of their rebalancing efforts. “rescope workloads” has ranked first or second in the past three studies. also of note, just one in five respondents cited “add additional resources” this year, continuing a downward trend from 2005 (62 percent).

(6)

5

4

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 5

4

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Overview of Rebalancing Initiatives

Current Status of Sarbanes-Oxley Compliance: Most in their Fourth Year or Beyond

A majority of respondents are in or beyond their fourth year of Sarbanes-Oxley compliance, generally mirroring the compliance timeline since the act went into effect for large accelerated filers.

Similar to the results from the 2008 rebalancing study, among all respondents, a majority are at least in their fourth year of Sarbanes-oxley compliance, and 40 percent are beyond the fourth year. of note, there was a year- over-year increase in the number of organizations identifying themselves as in either the “first year” or “pre-first year” of compliance (22 percent this year versus 16 percent in 2008). this could be the result of the pending deadline that smaller companies – or nonaccelerated filers, as defined by the SEc – must comply with the auditor attestation requirement of Section 404 beginning in fiscal years ending on or after december 15, 2009. this group of companies includes those that underwent initial public offerings in 2007.

Year of Sarbanes-Oxley Compliance (Base: All Respondents)

40%

Beyond 4th year of compliance

20%

4th year of compliance

16%

Pre-1st year of compliance

2nd year of 7%

compliance 1st year of 6%

compliance

11%

3rd year of compliance Year of Sarbanes-Oxley Compliance

(Base: All Respondents)

(7)

5

4

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 5

4

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

State of Rebalancing

Most organizations recognize the importance of rebalancing their internal audit departments to focus more on traditional responsibilities.

respondents were asked the following two questions:

one year ago, how would you have described your organization’s efforts to rebalance internal audit priorities

away from Sarbanes-oxley compliance projects?

today, how would you describe your organization’s efforts to rebalance internal audit priorities away from

Sarbanes-oxley compliance projects?

nearly three out of four organizations today – 73 percent – have achieved or moved beyond rebalancing, or have rebalancing underway or in the planning stages. this is very consistent with results from the 2008 and 2007 rebalanc- ing surveys. these results clearly show that even with the ongoing requirements for Sarbanes-oxley compliance, most companies view rebalancing the internal audit department as a key priority to ensure the long-term effectiveness of the internal audit function in helping management and the board identify, manage, mitigate and monitor key risks.

Doesn’t apply – not yet under first

year of S-O Act compliance Beyond

rebalancing Haven’t started

planning, but intend to rebalance Rebalancing

achieved Rebalancing underway

Rebalancing

planned Not intending

to rebalance 0%

10%

20%

30%

40%

6%

13%

State of Rebalancing (Base: All Respondents)

One year ago Today

12%

15%

21%

27%

32%

8%

15%

13%

7%

17%

7% 7%

State of Rebalancing

(Base: All Respondents)

(8)

7

6

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 7

6

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Making Progress

Most organizations consistently report “moderate” progress in their rebalancing efforts.

over the past three years of the rebalancing study, results on the progress of rebalancing efforts have been very consistent, with 71 percent to 73 percent of respondents reporting their rebalancing projects are making signifi- cant or moderate progress. results related to expectations also have been consistent, with a growing number of respondents noting progress has met or exceeded them. these trends show that once an organization initiates rebalancing efforts, it is likely to achieve significant or moderate progress toward its goals – in other words, there is a strong chance of success.

0%

10%

20%

40%

30%

50%

60%

Rebalancing Progress Made So Far (Base: Rebalancing Underway)

2009 2008 2007

Significant 14%

17% 18%

Moderate 59%

56% 53%

Minimal 27% 26% 26%

None

0% 1% 3%

Rebalancing Progress Made So Far: Three-Year Comparison

(Base: Rebalancing Underway)

0%

10%

20%

40%

30%

50%

60%

Expectations of Rebalancing Progress to Date (Base: Rebalancing Underway)

2009 2008 2007

Much less than expected 5% 5% 5%

Somewhat less than expected 24%

36%

29%

About the same as expected 59%

48%

54%

Much more than expected

1% 1% 1%

Somewhat more than expected 11% 11% 10%

Expectations of Rebalancing Progress to Date: Three-Year Comparison

(Base: Rebalancing Underway)

Overview of Rebalancing Initiatives

(cont.)

(9)

7

6

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 7

6

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Primary Benefits

Consistent with previous years’ results, the top two benefits of rebalancing are having internal audit perform more traditional audits and achieving more appropriate coverage of risk.

the top responses for 2009 – “internal audit being able to perform more traditional audits” and “more appropriate coverage of risk” – have been relatively consistent over the four years of the rebalancing study. However, one notable change this year was a drop in the benefit of having reduced Section 404 and 302 compliance costs. while this may be unexpected to some given that the SEc’s interpretive guidance and Pcaob aS5 were intended to facilitate a reduction in efforts and costs for reporting companies, some organizations were of the view that they were already applying a top-down, risk-based approach when the 2007 guidance was issued, while other companies may have the view that they have completed their implementation of the new guidance and standard. again, significant reliance on manual financial reporting processes and controls can limit the potential benefits from implementing the SEc interpretive guidance and Pcaob aS5.

Internal audit able to perform more traditional (operational and nonfinancial reporting-related) audits

More appropriate coverage of risk

Reduced Section 404 and 302 compliance costs

Increased reliance by external auditors on work of internal audit (PCAOB AS5)

Increased effectiveness and efficiency of operations

Increased objectivity of the internal audit department

Other

No benefit

Primary Benefit of Rebalancing: 4-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing)

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

25%

15%

29%

1%

3%

19%

15%

18%

3%

1%

12%

7%

2%

4%

47%

35%

18%

2009 2008 2007 2005 36%

25%

12%

8%

12%

13%

8%

7%

3%

3%

9%

3%

5%

2%

0%

Primary Benefit of Rebalancing: Four-Year Comparison

(Base: All respondents except those not engaged in or planning rebalancing)

(10)

9

8

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 9

8

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Key Activities by Organizations Seeking to Rebalance

Risk-based testing and rescoping workloads stand out as the top rebalancing activities.

“Implement risk-based testing” was added to the rebalancing survey this year and ranked as the top activity, with two out of three organizations including it as part of their rebalancing efforts. “rescope workloads” has ranked first or second in the past three studies. both “application of (Pcaob) aS5 by the company’s external auditors” and

“increase testing and reliance on monitoring controls” were cited by half of respondents. of note, the latter activity coincides with the recent release of the new coSo monitoring guidance, which further indicates the higher priority being placed on the monitoring of controls.

notable four-year trends in the findings for this category include the following:

nearly two out of three respondents – 62 percent – cited “add additional resources” in 2005, but just 22 percent

did so in 2009, continuing a four-year decline for this rebalancing activity.

“reallocate existing resources” received approximately half of the response in 2005 and 2007, but just 32 percent

in 2009.

“rescope workload” has increased over the past four years as a rebalancing activity, from 41 percent in 2005

to 65 percent this year.

Implement risk-based testing***

Rescope workload

Increase testing and reliance on monitoring controls***

Application of AS5 (vs. AS2) by the company’s external auditors*

Conduct an enterprisewide risk assessment

Automating more controls (moving more controls from manual to automated)***

Increased ownership by process owners**

Utilize more self-assessment and self-audits by process owners and executives Reallocate existing resources

Company’s effort in applying the SEC’s interpretive guidance*

Add additional resources

Use third parties to complete certain work to assist in the rebalancing effort Create a separate risk and controls function to focus primarily on Section 404

Other

Key Rebalancing Activities

(Base: all respondents except those not engaged in or planning rebalancing)

0% 10% 20% 30% 40% 50% 60% 70%

41%

66%

50%

65%

26%

22%

45%

49%

39%

32%

34%

18%

21%

2%

Key Rebalancing Activities

(Base: All respondents except those not engaged in or planning rebalancing)

* not applicable in 2005 and 2007 surveys

** not included in 2005 survey

*** not included in previous surveys

Overview of Rebalancing Initiatives

(cont.)

(11)

9

8

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 9

8

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Addressing IT Audits

respondents specifically were asked how It audits not related to Sarbanes-oxley compliance were being ad- dressed as part of their rebalancing efforts. consistent with last year, the most common response was “no change.” However, collectively over half of all respondents reported they are increasing It audits when it comes to rebalancing efforts.

this year’s results show that technology remains an important part of the rebalancing process. now that or- ganizations have more experience with Sarbanes-oxley, It audit efforts might be shifting toward maintaining compliance efforts while also working to lower compliance costs and improve the balance of audit coverage for other areas of risk.

Protiviti’s 2009 Internal Audit Capabilities and Needs Survey supports the continued importance of technology as a critical enabler of virtually all business processes and helping organizations achieve objectives and address risks.1 In this study, technology skills hold a prominent place in the “need to improve” category of general technical knowledge.

the recent changes to the IIa Standards also corroborate the importance of technology audits. for example, IIa Standard 2110.a2 now includes the word “must” when providing guidance to internal audit in its role related to as- sessing It governance. as organizations adopt the new and revised Standards as of January 1, 2009, we will moni- tor whether It audits continue to hold an important role in rebalancing efforts, and it is quite possible the survey results for this category will change next year.

1 for more information, read Protiviti’s 2009 Internal Audit Capabilities and Needs Survey, available at www.protiviti.com.

0%

10%

20%

30%

40%

50%

IT (IT audits not related to Sarbanes-Oxley) Assessed as Part of Rebalancing: Four-Year Comparison (Base: All respondents except those not engaged in or planning rebalancing)

2009 2008 2007 2005

Increase(d) It audits >25%

25%

14% 13%

12%

26% 26%

20%

Increase(d) It audits 10-25%

25%

15%

20% 20%

Increase(d) It audits <10%

15%

31%

37%

41%

no change 44%

5% 4% 3%

decrease(d) It audits 4%

IT (IT audits not related to Sarbanes-Oxley) Assessed as Part of Rebalancing:

Four-Year Comparison

(Base: All respondents except those not engaged in or planning rebalancing)

(12)

11

10

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 11

10

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Sarbanes-Oxley Compliance Strategies as Part of Rebalancing Efforts

As in 2008, reducing the number of key controls and using a risk-based testing approach were the top two strategies, but percentages for both were down year-over-year.

Similar to last year, “reduction in number of key controls” leads the strategies organizations are currently employing, followed by “use of a risk-based testing approach,” “greater reliance on internal auditors by external auditors” and

“reduction in total population of controls.” for each of these strategies, there also was a significant increase compared to the percentage of respondents who reported in 2008 that they were planning to employ it in the coming year. this shows that, in one sense, the SEc’s interpretive guidance and Pcaob aS5 are having their intended effect.

However, when comparing the current results with the prior year, there was a consistent decrease in the percentage of responses for each category in 2009. In last year’s survey, for example, 47 percent of respondents reported they were “currently” reducing the number of key controls, versus 33 percent this year. for “use of a risk-based testing approach,” the 2008 “currently” response was 45 percent versus 30 percent this year, and for “reduction in total population of controls” the numbers were 43 percent versus 26 percent. these findings could be a further indica- tion that some organizations have already taken steps to reduce their control populations, and thus no longer see a need to incorporate these specific strategies as part of their rebalancing efforts. However, it is also possible that some organizations have an apparent hesitancy in 2009 to implement practices based on the SEc’s interpretive guidance as well as Pcaob aS5. this could be attributed to a more conservative approach in order to preserve the status quo.

also of note, “increase in number of automated controls” leads the strategies organizations are planning to employ in 2009, followed by “use of data mining and analytics to better understand process performance,” “reduction in manual controls,” “increase in number of monitoring controls” and “consolidation of redundant It platforms and systems.” these strategies are key because, for many organizations, they represent the “last frontier” for improving the cost-effectiveness of financial reporting controls, reducing financial reporting risks and streamlining Sarbanes-oxley compliance. the notable increase in focus on these strategies indicates that some organizations understand their importance in this regard.

Overview of Rebalancing Initiatives

(cont.)

(13)

11

10

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 11

10

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

reduction in number of key controls use of a risk-based testing approach*

greater reliance on internal auditing by external auditors reduction in total population of controls

tightening of “overall scope”

centralization of common processes and functions Increase in testing within key risk areas reduction in number of in-scope locations**

consolidation of redundant It platforms and systems Increase in number of monitoring controls accelerate timing of selected control tests**

Increase in number of automated controls

reduction in manual controls

use of self-assessment techniques Improvement in quality and compression of time in business processes affecting financial reporting reduction of independent tests of controls use of data mining and analytics to increase understanding of process performance other**

no specific strategies considered or employed**

don't know**

Strategies: Current vs. Planned (Base: All Respondents)

currently Employing 2009 Planning to Employ 2009 Planning to Employ 2008

0% 5% 10% 15% 20% 25% 30% 35%

21%

14% 25%

12%14%

13%

9% 30%

13%

12% 26%

14%

14%16%

16%

11% 27%

14%

10% 33%

14%

18% 23%

14%

16%

12% 18%

15% 18%

26%

13%13%

18%

11% 18%

13%

13%15% 21%

27%

12% 19%

14% 20%

29%

18%

0% 9%

11% 14%

0%

2%

0%2%

4%4%

0%

0%

9%10%

Strategies: Current vs. Planned

(Base: All Respondents)

* not included in 2007 survey

** not included in 2007 and 2008 surveys

(14)

13

12

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 13

12

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Addressing IT Audits

when asked what percentage of It audits were related to Sarbanes-oxley for each year of compliance, respondents re- ported that most It auditing activity occurs in years two and four. organizations continue to express that these audits do not have a prominent role in the first year of Sarbanes-oxley compliance, even though their importance increases significantly in year one when compared to the precompliance period.

as organizations become more experienced with Sarbanes-oxley, they come to realize the important role It plays in managing related risks and processes. more than 60 percent of respondents whose organizations are beyond year four reported that they spend at least 20 percent of their time on It audits. this is consistent with the 2008 study.

over the years, organizations have acknowledged the benefits of automating internal controls: increased reli- ability, lower error rates, and less time and effort required to test compared to manual controls. the bottom line is that technology, when used appropriately, improves risk coverage and test results, leading to an improved internal control environment and effective compliance strategy. this is in line with the intention of the SEc’s interpretive guidance and Pcaob aS5.

as noted earlier (see page 9), changes this year to IIa Standard 2110.a2, which states that internal audit functions must assess It governance, reinforce the importance of technology audits. In next year’s rebalancing survey, there may be notable changes in the results for this category.

0% 10% 20% 30% 40% 50% 60%

Beyond 4th year of compliance

4th year of compliance

3rd year of compliance

2nd year of compliance

1st year of compliance

Pre-1st year of compliance

IT Audits Related to SOX Compliance (Base: All Respondents)

0%

4%

5% 9%

25% 52%

9%

18%

13%13%

13% 17%

17%

13%

35%

9% 26%

4% 13%

0%

13%

29%

9% 18%

6% 16%

9%

12%

35%

5% 23%

3% 13%

9%

13%

21%

18% 23%

4% 11%

10%

5%

Don’t know None

<10%

10-19%

20-49%

50-75%

>75%

Percentage of IT Audits Related to Sarbanes-Oxley Compliance

(Base: All Respondents)

Overview of Rebalancing Initiatives

(cont.)

(15)

13

12

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 13

12

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Primary Ownership

Internal audit owns the rebalancing process in most organizations.

a review of rebalancing survey results over the past three years shows that internal audit departments consistently have primary ownership of rebalancing activities in their organizations. this year, in fact, there was an even larger gap between internal audit and other business owners in the organization.

respondents also were asked to indicate, in terms of rebalancing efforts, the level of involvement of different groups and individuals in the organization. more than half reported that executive management, the audit committee, management and/or process owners, and the external auditor are involved to a “significant” or “moderate” extent.

Internal audit staff

Management Other

Executive management

Audit committee No one

primary owner

Don’t know

Primary Ownership of Rebalancing

(Base: Beyond Rebalancing, Rebalancing Achieved, Underway, Planned and Intended) 70%

60%

50%

40%

30%

20%

10%

0%

2009 2008 2007 67%69%

49%

7% 10% 10%

7% 5%

14%

6% 3%

9% 6% 8%

12%

4% 5% 3% 3% 0% 3%

Primary Ownership for Rebalancing: Three-Year Comparison

(Base: Beyond Rebalancing, Rebalancing Achieved, Underway, Planned and Intended)

(16)

15

14

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 15

14

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Similar to results from the 2008 rebalancing study, this year’s response shows a continued positive impact as a result of Pcaob aS5 and the SEc’s interpretive guidance for Section 404. However, across all sections in this category of the study, there is a noticeable decrease in the “positive impact” responses compared to 2008.

these findings are interesting given that guidance from both organizations was intended to increase the emphasis on applying a top-down, risk-based approach and enable organizations to reduce the time and costs required for compliance. It also would be expected that rebalancing efforts would be sustained.

Rebalancing Efforts

Efforts have decreased, but less so than in 2008.

while nearly 40 percent of respondents reported that the impact of the SEc’s interpretive guidance is enabling them to increase rebalancing efforts significantly or moderately, the cumulative “increase” figures dropped from 60 percent in 2008. Similarly, while 56 percent of respondents last year said that, as a result of Pcaob aS5, they were increasing rebalancing activities significantly or moderately, the response dropped to 44 percent this year.

Impact of SEC’s Interpretive Guidance and PCAOB AS5

Significantly increased rebalancing efforts

Moderately increased

rebalancing efforts Moderately decreased

rebalancing efforts No change

9% 14%

35%

42% 40%

4% 4%

Impact of PCAOB AS5 (vs. AS2) on Rebalancing (Base: All Respondents)

0%

10%

20%

40%

30%

50%

60%

52%

2009 2008

*Significantly decreased rebalancing efforts

1%

Impact of PCAOB AS5 (vs. AS2) on Rebalancing: Two-Year Comparison

(Base: All Respondents) Significantly increased

rebalancing efforts

Moderately increased

rebalancing efforts Moderately decreased

rebalancing efforts No change

6%

14%

32%

46%

37%

1% 3%

Impact of SEC’s Interpretive Guidance on Rebalancing (Base: All Respondents)

0%

10%

20%

40%

30%

50%

60%

70%

61% 2009

2008

Impact of SEC’s Interpretive Guidance on Rebalancing: Two-Year Comparison

(Base: All Respondents)

(17)

15

14

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 15

14

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

0%

10%

20%

30%

40%

Decreased

>25%

4% 6%

SEC’s Interpretive Guidance:

Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

16% 18% 20%

5%

50%

26%

49%

1%

Decreased

10-25% Decreased

<10%

No change Increased

2009 2008 60%

55%

SEC’s Interpretive Guidance – Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

Changes in Efforts/Hours

Organizations are being more conservative in reducing hours and activities.

a large percentage of respondents reported that as a result of the SEc’s interpretive guidance and Pcaob aS5, external audit hours have decreased, as have the hours required of other external and internal resources. However, these charts do illustrate slight drops in the percentages of decrease in all three categories. for example, this year a combined 40 percent of respondents reported a decrease in external audit hours as a result of the SEc’s guidance, whereas 50 percent reported such a decrease in 2008. Similar changes are evident in the other two categories.

we will continue to monitor these trends and determine why these changes might be occurring.

Changes in Efforts/Hours – SEC’s Interpretive Guidance

(18)

17

16

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 17

16

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

0%

10%

20%

30%

40%

Decreased

>25%

5%

10%

SEC’s Interpretive Guidance:

Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

15% 17% 17%

14%

50%

18%

44%

11%

Decreased

10-25% Decreased

<10%

No change Increased

2009 2008 60%

49%

SEC’s Interpretive Guidance – Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

0%

10%

20%

30%

40%

Decreased

>25%

8%

12%

SEC’s Interpretive Guidance:

Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

8%

14%

10%

4%

50%

10%

4%

Decreased 10-25%

Decreased

<10% No change Increased

60%

70%

80%

2009 60% 2008

70%

SEC’s Interpretive Guidance – Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

Impact of SEC’s Interpretive Guidance and PCAOB AS5

(cont.)

(19)

17

16

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 17

16

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

ARE COMPANIES FAIlING TO TAKE Full AdVANTAGE OF REVISEd REGulATIONS?

This year’s findings that suggest a diminished positive impact of PCAOB AS5 and the SEC’s interpretive guidance on Section 404 are worth further commentary. Both of these standards relaxed previously stringent guidelines for companies and external auditors with regard to establishing and attesting to internal control over financial reporting, as mandated by Section 404.

Among the new guidance from each of these regulatory bodies were opportunities to rely more heavily on the “work of others,” such as the internal audit function. For example, as detailed in Protiviti’s Guide to Internal Audit: Frequently Asked Questions About Developing an Effective Internal Audit Function:

The PCAOB encourages greater use of the work of others in AS5 by requiring auditors to (1) understand the relevant activities of others and determine how the results of that work may affect his or her audit, and (2) evaluate whether and how to use their work to reduce audit testing. There is no reason why the external auditor should not do this, particularly if an effectively functioning internal audit function is in place. AS5 emphasizes the importance of assessing the competency and objectivity “of the persons who the (external) auditor plans to use to determine the extent to which the (external) auditor may use their work. The higher degree of competence and objectivity, the greater use the (external) auditor may make of the work.”

The guidance included in AS5 applies the principles in Au 322 to focus the auditor’s use of the work of others more specifically on altering the nature, timing and extent of the external auditor’s work than otherwise would have been performed to test the operating effectiveness of controls as part of an integrated audit of the financial statements and internal control over financial reporting (ICFR). The basic premise of AS5 is that the external auditor may use work performed by, or receive assistance from, internal auditors, other company personnel (in addition to internal auditors) and third parties working under the direction of management or the audit committee that provides evidence about ICFR effectiveness.

In assessing the results from this year’s Rebalancing study, it is possible that some companies are being too conservative.

There could be a variety of reasons at play to explain why, among them:

• “If it isn’t broken, don’t fix it” – Without question, achieving Sarbanes-Oxley compliance was an engrossing and time-consuming process for most reporting companies. Many failed to plan properly or begin their compliance efforts early enough, resulting in organizational “fire drills.” It is possible that as a result of these trials and tribula- tions, some companies may have little appetite to rescope workloads or otherwise change processes that currently have them in compliance. This, of course, defeats the purpose of the SEC’s guidance and AS5. We have also seen circumstances where managers responsible for Sarbanes-Oxley compliance are rewarded for compliance and not for cost-effectiveness; therefore, there is little incentive for them to alter the status quo.

• Law of diminishing returns – We see many companies continuing to rely heavily on manual processes and controls.

The SEC interpretive guidance and PCAOB AS5 can only take a company and its auditors so far until the process reaches the point where there is a declining impact from applying the SEC guidance and the PCAOB standard.

There is a strong linkage between (a) improving process quality, time and cost performance, and (b) strengthening the effectiveness of ICFR. A simple, more streamlined and automated process is easier to control than a complex, cumbersome and manual one. Many companies continue to have opportunities to improve their process performance by building in (versus inspecting in) quality, reducing costs and compressing time within their processes – and all of this while simultaneously reducing financial reporting risks and the costs of Sarbanes-Oxley compliance.

• Still figuring it out – The difference between this year’s results and last year’s could be a reflection of companies still determining exactly where and how to achieve time and cost savings by rescoping workloads, reducing controls (key and total number) and increasing their rebalancing efforts. If this year’s results indicate a “swing back” as companies, through trial and error, continue to define how to accomplish these objectives, we might expect higher

“positive impact” responses in the 2010 Rebalancing survey.

(20)

19

18

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 19

18

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

0%

10%

20%

30%

40%

Decreased

>25%

5%

8%

PCAOB AS5:

Change in External Audit Efforts (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

19%

23% 25%

3%

50%

32%

2%

Decreased

10-25% Decreased

<10% No change Increased

2009 2008 35%

48%

PCAOB AS5 – Change in External Audit Efforts (Hours)

Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

Impact of SEC’s Interpretive Guidance and PCAOB AS5

(cont.)

Changes in Efforts/Hours

(cont.) Changes in Efforts/Hours – PCAOB AS5

• More small companies beginning the compliance process – Beginning for fiscal years ending on or after december 15, 2009, nonaccelerated filers must comply with the auditor attestation requirement of Section 404.

It is possible that this year’s results reflect the fact that 7 percent of respondents are in the smaller public company category and would not be initiating rebalancing or other cost- and time-saving activities as of yet.

• Lack of knowledge – Despite the SEC’s and PCAOB’s well-publicized announcements of their respective actions in 2007, it could be that many companies are not fully aware of these new guidelines and the potential opportunities to reduce time and costs involved with compliance. It could be expected in most cases that the external auditor would provide such knowledge; however, there could be some hesitancy among the auditors to leverage the revised guidelines, which could be attributable to custom and habit, the perceived reporting risks, or lack of support for certain AS5 principles such as the use of the work of others to ascertain the effectiveness of an organization’s ICFR.

Regardless of the reasons, the bottom line is that it behooves any company to acquire a full understanding of the SEC’s interpretive guidance and PCAOB AS5, and to talk to its external auditor about activities internal audit and other departments can perform to assist in the ICFR attestation process.

ARE COMPANIES FAIlING TO TAKE Full AdVANTAGE OF REVISEd REGulATIONS? (cont.)

(21)

19

18

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 19

18

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

0%

10%

20%

30%

40%

Decreased

>25%

5%

9%

PCAOB AS5:

Change in Internal Company Efforts (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

17% 17% 17%

15%

50%

19%

15%

Decreased 10-25%

Decreased

<10% No change Increased

2009 2008 40%

46%

PCAOB AS5 – Change in Internal Company Efforts (Hours)

Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

0%

10%

20%

30%

40%

Decreased

>25%

9% 11%

PCAOB AS5:

Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year (Base: All Respondents)

10%

14%

10%

4%

50%

12%

4%

Decreased 10-25%

Decreased

<10% No change Increased

60%

70%

2009 2008 59%

67%

PCAOB AS5 – Change in Use of External Resources (Hours) Between the Year in Effect and the Prior Year: Two-Year Comparison

(Base: All Respondents)

(22)

21

20

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 21

20

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Quantity and Scope of Processes and Controls

Decreases were reported, but not as much as in 2008.

respondents were asked about the impact of the SEc’s guidance on numerous compliance-related processes and controls in the organization. they also were asked about the impact of the application of Pcaob aS5 by their external auditors on these same processes and controls. Similar to 2008, there are several positive trends, including a majority of respondents reporting decreases in key controls and total controls documented and tested. However, in most compliance-related process and control categories, the percentage of “decreased”

responses dropped compared to 2008, while the “increased” response percentages rose year-over-year.

Impact of SEC’s Interpretive Guidance and PCAOB AS5

(cont.)

2009 Number of key controls documented and tested 2008 Number of key controls documented

and tested

2009 Number of total controls documented and tested 2008 Number of total controls documented

and tested

2009 Number of key in-scope processes 2008 Number of key in-scope processes

2009 Number of total risks identified 2008 Number of total risks identified

2009 Number of in-scope locations 2008 Number of in-scope locations

2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach

2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring

and/or entity-level controls

2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the

external auditor

*2009 Increased reliance on self-assessment techniques Impact of SEC’s Interpretive Guidance

(Base: all respondents )

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

60% 35% 5%

75% 23% 2%

9% 75% 16%

15% 47% 38%

14% 40% 46%

15% 56% 29%

17% 41% 42%

15% 50% 35%

18% 41% 41%

24% 70% 6%

36% 61% 3%

44% 50% 6%

58% 38% 4%

45% 50% 5%

58% 40% 2%

56% 39% 5%

68% 30% 2%

2009 Decreased No Change Increased 2008 Decreased No Change Increased

Impact of SEC’s Interpretive Guidance: Two-Year Comparison

(Base: All Respondents)

* not included in 2008 survey

(23)

21

20

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 21

20

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

THE IMPORTANCE OF uNdERSTANdING RISK

The real key in Year Four and beyond of Sarbanes-Oxley compliance is how to keep things fresh and keep people vigilant.

The recent financial collapse of so many companies shows that Sarbanes-Oxley was not the “be all and end all” to prevent loss of shareholder wealth. While companies were spending significant time and money ensuring things were recorded properly, they lost sight of the business risks that could bring down a company or an industry, wiping out billions of dollars in shareholder wealth in the process. The real key for investors (and employees) is around understanding risk: What are the risks? Are they independent or dependent? If they are dependent, what are they dependent on? How can they impact the company? What is the magnitude and likelihood? Are they being monitored properly? This is where internal audit can best assist the audit commit- tee and management, and where we must strengthen our skill set as a profession – hence the importance to rebalance resources.

Without understanding risk, we can be auditing the wrong areas at the wrong time. The bottom line is that businesses face far greater risks today than Sarbanes-Oxley, and internal audit must not only rebalance but also retool to meet the current requirements.

There is going to be a sea change in internal audit, and each of us has a choice – be ready, willing and able, or become obsolete.

larry Harrington, Vice President, Internal Audit, Raytheon Company

2009 Number of key controls documented and tested 2008 Number of key controls documented

and tested

2009 Number of total controls documented and tested 2008 Number of total controls documented

and tested

2009 Number of total risks identified 2008 Number of total risks identified

2009 Number of key in-scope processes 2008 Number of key in-scope processes

2009 Number of in-scope locations 2008 Number of in-scope locations

2009 Use of a risk-based testing approach 2008 Use of a risk-based testing approach

2009 Increased reliance on monitoring and/or entity-level controls 2008 Increased reliance on monitoring

and/or entity-level controls

2009 Reliance on the work of others by the external auditor 2008 Reliance on the work of others by the

external auditor

*2009 Increased reliance on self-assessment techniques Impact of PCAOB AS5 (Base: all respondents )

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

55% 40% 5%

64% 34% 2%

7% 77% 16%

10% 48% 42%

15% 38% 47%

12% 56% 32%

16% 45% 39%

12% 53% 35%

17% 44% 39%

24% 72% 4%

36% 62% 2%

42% 54% 4%

51% 48% 1%

39% 57% 4%

53% 46% 1%

51% 44% 5%

60% 39% 1%

2009 Decreased No Change Increased 2008 Decreased No Change Increased

Impact of PCAOB AS5: Two-Year Comparison

(Base: All Respondents)

* not included in 2008 survey

(24)

23

22

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance 23

22

Moving Internal Audit Back into Balance Moving Internal Audit Back into Balance

Impact of Rebalancing Initiatives

Internal Audit Responsibilities in Sarbanes-Oxley Compliance

“Lead responsibility” remains the most common role for internal audit.

findings regarding internal audit’s role in Sarbanes-oxley compliance have been consistent over the course of the rebalancing studies. of note, “control design evaluation and testing of operational effectiveness” decreases with each year of compliance, as do serving as members of compliance teams and steering committees, and “developer of documentation.” this could indicate that process owners are taking more direct ownership and responsibility for their processes and controls, as permitted under Pcaob aS5.

(Please note that in the interest of simplicity, the chart below illustrates internal audit’s primary roles in the first year of Sarbanes-oxley compliance and beyond the fourth year of compliance. Percentages of responses for years two to four consistently fall in the gap between these two trend lines.)

Control design evaluation and testing of operational effectiveness

Member of compliance team/steering

committee

Limited to testing of operational

effectiveness

Limited to control design

evaluation

None Don’t know Other

Lead responsibility

Developer of documentation

Advisor to compliance team/steering

committee 0%

5%

10%

15%

20%

25%

30%

35%

1st year of compliance Beyond 4th year of compliance

Internal Audit Primary Roles (Base: All Respondents)

Internal Audit Primary Roles

(Base: All Respondents)

References

Related documents

To maintain a successful and healthy business relationship with card companies, acquiring banks must ensure that their merchants are adequately protected; and PCI DSS is the tool

UHF +12 V Preamplificatore Preamplifier Preamplificateur DIAGRAMMA DI CONNESSIONE CONNECTION DIAGRAMS SCHEMAS DE CONNEXION AM-374 Uscita test -15 dB Test output -15 dB Sortie test

The insight in this paper is that if an autoencoder is connected to a Hebbian learning layer, then the resulting Real- time Autoencoder-Augmented Hebbian Network (RAAHN) can

In this paper, a mathematical signal model and the DSD algorithm for the uplink of massive MIMO systems oper- ating in heterogeneous cellular networks with different classes of

Kington is 35 miles from the main Haygrove office and farm.. Cherries are mostly grown here under tunnels which you

Advanced Standing and Exemptions: Students holding relevant degrees and equivalent qualifications which contain ICM Certificate, Diploma and Advanced Diploma subjects could

Based on the results from the questionnaire regarding the credit approval archiving process that can be found in section 4.1.1 GCRMS is a suitable forum for the electronic archiving