Control consciousness: internal auditors need to use their knowledge and experience to provide innovative methods of adding value

Internal Auditor, April, 2006 by Jason A. Gross

As companies continue to focus on meeting the requirements of the U.S. Sarbanes-Oxley Act of 2002, internal auditors need to ensure that other areas of the business do not suffer. Management resources have been redeployed to ensure compliance with the act, but internal auditing needs to ensure that management does not lose sight of the bigger picture and, in doing so, compromise other areas of the business.

A process management focus on Sarbanes-Oxley is key, as it will ensure a structured and program-oriented approach for greater consistency and sustainability. Auditors should convey that the organization not only has obligations related to accurate financial reporting and disclosure, but also to achieving its performance objectives. Thus, an integrated control ideology should be embraced to ensure all key control objectives are met, not just those over financial reporting and disclosure.

Internal auditors have an obligation to remind management that there is more to controls than just accounting or finance. Internal controls are closely related to the operation of the business itself, and more benefits can be gained by not restricting management assessments solely to those related to financial reporting. Auditors should help ensure internal controls are integrated with the way management does business and not "layered on top" as an afterthought. This integration of controls throughout the business should drive a long-term focus on strengthening and remediation of internal controls.

Controls should not only be effective, but also efficient. Auditors should encourage a better mix of preventive and detective controls. Management needs the right "red flags" in place to help ensure the control structure doesn't fail.

Internal auditors also have an opportunity to train management on conducting control self-assessments. Auditors who are trained in the process should facilitate sessions with management. When management has a mature control self-assessment process in place, the extent of internal auditing's testing in these areas may be minimized. Control self-assessment can help management establish a continuous improvement ideology regarding internal controls. Tone-at-the-top and the control environment are critical to ensuring the appropriate mix of both entity-level and process-level internal controls and should re-emphasize the importance of control self-assessments.

Internal auditors must ensure that the culture does not hamper the organization's ability to identify, disclose, and remedy control deficiencies. As self-assessment mechanisms identify control deficiencies, this must not be frowned upon or categorized as a negative in the eyes of management. An appropriately functioning control self-assessment process should be viewed as positive in that the organization's assessment and monitoring practices are effective. Auditors should stress the importance of companywide controls, including adequately providing for the safeguarding of whistleblowers. This is yet another way of ensuring that the system of internal controls operates without restriction.

Internal auditors also need to stress the importance of instituting anti-fraud programs and controls. Auditors should consider addressing these controls at both an entity and process level. They should advise management that business controls developed to provide reasonable assurance might not necessarily suffice as a means of fraud prevention. Whether it is collusion among employees or circumvention of controls, management needs indicators that show when these controls have been breached. Instituting a fraud risk assessment and an anti-fraud program should help management protect both the organization and its employees. Internal auditing should serve as liaison to both management and the audit committee to ensure fraud prevention benefits the organization as a whole.

Internal auditors should proactively share their insights, methods, and approaches so management, too, can self-assess its controls. While auditors are interjecting value from a consultative approach, they need to enable management to make its own decisions regarding implementation and not compromise internal auditing's objectivity and ability to audit these areas effectively in the future.

Organizations are best served by internal auditors who remain independent from the execution of Section 404 tasks. This provides the necessary objectivity and transparency for the audit committees. By treating Section 404 the same as any other management process, internal auditors can:

* Recommend improvements to the Section 404 process, whether it is in the management of the process or the way in which management performs its scoping of key controls, documentation, or testing of these controls.

* Enable management to reach its own conclusions regarding its assertions.

* Provide the audit committee with the objective information that it expects from the internal audit department.

* Educate the organization overall on how best to approach and evaluate processes effectively and objectively. Only limited learning or process improvement will occur if internal auditing is always conducting these activities on others' behalf.


 


Content provided in partnership with Thompson Gale
