While “Sarbanes-Oxley Act” may conjure negative thoughts about the initial confusion and burden the law wrought on finance departments, it created a positive turnabout for at least one profession.
Applying their expertise and knowledge about their organizations during the first few years of Sarbox compliance, internal auditors saw their stature rise within their companies. Now, they have more direct contact with their audit committees and the CEO to understand what the top expects out of them and what risks they should be focusing on.
However, with their higher status comes more demands and possibly more work now that the Sarbox dust has settled. Recent reports from two Big Four audit firms predict that internal auditors will be expected to focus on more strategic and operational areas and to prove their individual worth to their company’s bottom line.
That’s not to say that checking controls won’t continue to be an important task for internal audit teams. It’s just that now that those companies using Sarbox have adjusted to the more onerous provisions of the law — and regulators have formally emphasized that companies and their audit firms should concentrate on only those internal controls that could have a bearing on a material misstatement — complying with the law won’t take up 100 percent of internal auditors’ time anymore.
Nearly half of the nearly 100 chief audit executives in a PricewaterhouseCoopers survey predict their teams will spend less time on testing internal controls under Section 404. “As internal auditors have become more proficient in the way they do their testing, there’s been less of a requirement to spend as much time on it,” Richard Chambers, a PwC managing director, told CFO.com.
PwC says the shift in the profession will require internal auditors to take a broader approach and go beyond just focusing on their companies’ controls by adopting a risk-centric mindset. Doing so will involve anticipating higher-ups’ needs, considering risk assurance as a main objective, and enhancing how they cover risk in technology and fraud, areas where in general they lack skills.
Although a shift is occurring in the profession, internal auditors are still focusing on three key areas: governance, internal controls, and risk management, notes Dave Richards, president of the Institute of Internal Auditors.
Indeed, although companies are expecting more out of their internal auditors, they have to be careful to make sure the department doesn’t stray from its primary responsibilities outlined in the company’s charter. “It would create a challenge if any one company were to swing the pendulum too far in the opposite direction and take it off-kilter,” says Steve Singer, a partner at Ernst & Young and Americas leader for internal audit.
So what will internal auditors spend their newfound time on? In addition to focusing on areas besides just finance and accounting, they will be playing more of a role in companies’ expanded ERM (enterprise risk management) systems and increase the practice of continuous auditing, the audit firms predict. Nearly half of the PwC survey respondents expect their continuous auditing programs to be fully running by 2012, and the majority believe the programs will be mostly automated.