While “Sarbanes-Oxley Act” may conjure negative thoughts about the initial confusion and burden the law wrought on finance departments, it created a positive turnabout for at least one profession.
Applying their expertise and knowledge about their organizations during the first few years of Sarbox compliance, internal auditors saw their stature rise within their companies. Now, they have more direct contact with their audit committees and the CEO to understand what the top expects out of them and what risks they should be focusing on.
However, with their higher status comes more demands and possibly more work now that the Sarbox dust has settled. Recent reports from two Big Four audit firms predict that internal auditors will be expected to focus on more strategic and operational areas and to prove their individual worth to their company’s bottom line.
That’s not to say that checking controls won’t continue to be an important task for internal audit teams. It’s just that now that those companies using Sarbox have adjusted to the more onerous provisions of the law — and regulators have formally emphasized that companies and their audit firms should concentrate on only those internal controls that could have a bearing on a material misstatement — complying with the law won’t take up 100 percent of internal auditors’ time anymore.
Nearly half of the nearly 100 chief audit executives in a PricewaterhouseCoopers survey predict their teams will spend less time on testing internal controls under Section 404. “As internal auditors have become more proficient in the way they do their testing, there’s been less of a requirement to spend as much time on it,” Richard Chambers, a PwC managing director, told CFO.com.
PwC says the shift in the profession will require internal auditors to take a broader approach and go beyond just focusing on their companies’ controls by adopting a risk-centric mindset. Doing so will involve anticipating higher-ups’ needs, considering risk assurance as a main objective, and enhancing how they cover risk in technology and fraud, areas where in general they lack skills.
Although a shift is occurring in the profession, internal auditors are still focusing on three key areas: governance, internal controls, and risk management, notes Dave Richards, president of the Institute of Internal Auditors.
Indeed, although companies are expecting more out of their internal auditors, they have to be careful to make sure the department doesn’t stray from its primary responsibilities outlined in the company’s charter. “It would create a challenge if any one company were to swing the pendulum too far in the opposite direction and take it off-kilter,” says Steve Singer, a partner at Ernst & Young and Americas leader for internal audit.
So what will internal auditors spend their newfound time on? In addition to focusing on areas besides just finance and accounting, they will be playing more of a role in companies’ expanded ERM (enterprise risk management) systems and increase the practice of continuous auditing, the audit firms predict. Nearly half of the PwC survey respondents expect their continuous auditing programs to be fully running by 2012, and the majority believe the programs will be mostly automated.
While the bar has been raised for internal auditors’ purview, the profession is still crying out for more people. In a recent E&Y study of 138 internal audit executives, 38 percent reported they are using less than 90 percent of their budgeted headcount. But they do expect to do more hiring; nearly two-thirds of PwC’s survey respondents said the number of internal auditors will increase in the next five years, particularly in the technology area.
In the meantime, companies are supplementing their lack of internal-audit bodies with outside help. Companies that do not pull in these subject-matter experts are in the minority, according to the IIA, as most companies cannot afford or don’t find it efficient to pay someone with a specialty year-round who is needed only for a short period of time.
Another way to make up for the lack of internal-audit resources is to train your staff to do more strategic and operational auditing, suggests Singer. Companies are also bringing in “guest auditors” from other departments, although that’s harder to do at a small organization.
The higher expectations put on internal auditors will be a boon for the profession, according to Singer. “The fact that we are asking internal audit to have a different focus going forward, beyond compliance, to a more strategic and operational focus on the surface looks like a challenge. But I think it’s a tremendous opportunity for the industry,” he says. It could further elevate the role as companies are looking at the internal audit department to be an “incubator for talent,” opening up the possibilities for an internal auditor’s next career move.
To be sure, it’s up to the internal auditors themselves to prove their worth, observers suggest. After all, “internal auditors by nature have not been good salesmen,” notes Richards.
Now that they should have direct connection to audit committees and senior managers, they should also be able to better market themselves than they could have pre-Sarbox. They can do that by documenting changes they made that resolved a problem found during an audit, for example. In addition, they could more closely align themselves with other organizations within their company — while still maintaining their independence — to understand those organizations’ issues and problems so that a final audit opinion will not end up sounding like a one-sided judgment call.