Top 10 Global Impacts of SOX on Internal Auditing

8/9/2019 IIA Top10 SOX Impacts[1]

http://slidepdf.com/reader/full/iia-top10-sox-impacts1

Back to Basics: Risk, Controls, Governance

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Re-engaging Internal Controls

Fostering Enterprise Risk Management

Facilitating more effective corporate governance

#10: Incentive Compensation

Should internal auditing, and more specifically the chief audit executive (CAE), participate in incentive compensation award systems, based on performance of the organization's bottom line?

#9: Access to Information

Is the CAE positioned within the organizational structure to have access to and involvement in emerging decisions by senior executives; and to have a "seat at the table" when key business strategies are being developed?

#8: Reporting Relationships

Does the internal audit activity properly report within the organization directly to the audit committee for oversight and to the CEO for organizational interface?

#7: Are MD&A Disclosures Accurate?

Does the internal audit department perform tests to ensure the accuracy, completeness, and appropriateness of the information contained in the management discussions and analysis (MD&A) portion of the annual report?

#6: Quality Assessment

International Standards for the Professional Practice of Internal Auditing require an external quality assessment every five years, plus an ongoing quality program to ensure the outputs of the internal audit department are in accordance with expectations.

#5: Control Assessment

Entity-wide assessment of key controls in business processes that feed the general ledger and hence the overall financial statements

Process ownership

Certification of internal control over financial reporting

Linkage to COSO's Internal Control Framework, including entity-wide control component assessment

#4: Fraud

Awareness of potential fraud risks and appropriate responses

Fraud prevention and detection program

Forensic auditing during financial audits

Increased fraud consideration in the internal audit department's audits

#3: Governance

Audit committee changes to charter and scope of work

Audit committee financial expert

Audit committee member independence and financial competency

Oversight of fraud, risk, internal auditing, and external auditing

Self-assessment

Effective Governance

#2: Ethics

Hotline operations

Compliance programs

Training

Culture - encourage disclosures

Investigative process coordination

Handling complaints and documentation

Whistleblower protection

#1: Risk

ERM

Risk model

Risk event identification

Risk assessment techniques

  - Probability

  - Impact

Risk response

Risk-based audit approaches

COSO's ERM-Integrated Framework

Entity objectives: four categories

  Strategic

  Operations

  Reporting

  Compliance

ERM considers activities at all levels of the organization

  Enterprise-level

  Division or subsidiary

  Business unit processes

Source: COSO Enterprise Risk Management Framework

Today's Top 10

Risk

Ethics

Governance

Fraud

Control Assessment

Quality

Management Discussion & Analysis

Reporting Relationships

Access to Information

Incentive Compensation

For more information

Visit www.theiia.org

Call +1-407-937-1111

E-mail [email protected]