The role of the internal auditor is summed up in its formal definition: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." The three related concepts of risk management, control, and governance processes drive the new-look audit process. Internal audit is one of the few parts of the organization that seeks to provide services to management, the board, and the audit committee that are free from spin and therefore reliable.


The Sarbanes-Oxley Act (SOX) came into force in July 2002. Its principles supported three main objectives: integrity, reliability, and accountability. SOX was created to ensure that financial records were complete and accurate (integrity), that the information was reliable, and that management would be held accountable. By doing this, SOX's authors hoped to instill investor trust and confidence. SOX introduced major changes to the regulation of corporate governance and financial practice, and set deadlines for compliance with its eleven titles. This caused great anxiety in the business world as companies struggled to meet the deadlines; the most important sections are usually considered to be 302, 401, 404, 409, 802 and 906. In addition, an overarching institution, the Public Company Accounting Oversight Board (PCAOB), was also established by SOX to provide guidance and assess compliance. The following summarizes the main requirements of the important compliance sections.

Important SOX Sections

Section 302

Section 302 deals with the requirement for periodic statutory financial reports to include certifications. Briefly, the certification must state that the report is accurate, complete, not misleading, and fairly represents the financial condition of the organization, and that it has been reviewed by the signing officers (usually the Chief Financial Officer and Chief Executive Officer). Since the CFO and CEO are responsible for the internal controls, they must also certify that these controls have been reviewed within the last 90 days. Further, Section 302 requires that all control deficiencies, significant changes to the controls, and related frauds be disclosed.

Section 401

Section 401 discusses the need for financial reporting to be transparent. Quarterly and annual reports must be accurate and presented in a manner that conforms with generally accepted accounting principles (GAAP). These reports must include all material off-balance-sheet liabilities, obligations, or transactions, and any relationships that could have a material impact on the current or future financial condition of the company.

Section 404

Section 404 states that the scope and adequacy of internal controls and procedures for financial reporting must be published in the company's annual report. The annual report must also include a statement regarding the effectiveness of the internal controls and procedures, as well as a statement from the registered accounting firm that attests to and reports on the effectiveness of the internal control structure and procedures for financial reporting.

Section 409

Section 409 deals with the reporting of material changes in an organization's financial condition or operations. It states that the information must be disclosed to the public in a timely manner (on a rapid or current basis). These disclosures should be easily understood by the public and be supported by quantitative and qualitative (e.g., graphs) information as appropriate.

Section 802

Section 802 discusses the fines and/or imprisonment for altering, destroying, or changing documents or tangible objects with the intent to affect the outcome or progress of a legal investigation. This section also imposes fines and/or imprisonment for the failure to maintain audit or review papers for a period of five years.

Section 906

Section 906 discusses corporate responsibility for financial reports and outlines the criminal penalties the CEO and CFO could face for certifying a misleading or fraudulent report.

In response to concerns over the cost and effort required to comply with SOX, both the Securities and Exchange Commission (SEC) and the PCAOB offered additional guidance in the form of PCAOB Auditing Standard No. 5 (AS5). This standard was written to reduce the overall burden of compliance while still addressing the main areas of financial risk. AS5 encouraged both management and auditors to use their judgment and develop a top-down approach to assessing and selecting the controls to be tested.


The risk-based systems approach brings a systematic and disciplined approach to the audit process and in so doing meets the requirements of the International Standards for the Professional Practice of Internal Auditing ("IIA standards"). In assessing whether the controls in place make sense and work, reference may be made to the way the organization sets control standards. Where well-developed control standards are in place, the auditor needs to check that they are working. Where these standards have not been well developed, the auditor may focus on helping management make progress in this respect. The following outlines the basic steps that should be followed when applying the risk-based systems approach:

- Plan the engagement;
- Ascertain the system's objectives;
- Identify inherent risks;
- Assess risks for impact and likelihood;
- Evaluate current risk management and internal controls;
- Isolate areas where internal controls are crucial;
- Test for evidence of risk exposure due to control weakness;
- Discuss and agree on action on internal controls;
- Report results;
- Follow up.


Auditors must define the key controls that should be included in their assessment. There are two main approaches to defining the scope of controls.

The first is consistent with the top-down approach and starts with the identification of the key general ledger (GL) accounts that make up each line in the financial statements. Auditors should assess each account and determine whether it is significant. For the significant accounts, it is important to identify the business processes that generate the transactions and to determine the underlying information system. The key controls to be assessed will be those that address the integrity of the key transactions (IIA-SOX Section 404).

The second approach to determining the key controls that should be considered starts with identifying the financial statement assertions. AS5 requires that relevant assertions be assessed. The assertions suggested by AS5 include:

- Existence: Verify that assets or liabilities exist and that transactions occurred during the reporting period.

- Completeness: All transactions and accounts are included in the financial statements.

- Validation: Appropriate amounts have been used.

- Rights and obligations: Verify that they exist and are for the proper period.

- Disclosure: Financial statements are properly classified, described, and disclosed.

One approach to identifying the key controls relevant to these assertions starts by listing all risks that may prevent the assertions from being satisfied and then identifying the controls that address those risks. A second approach identifies the material transactions that affect the assertions and then identifies the appropriate controls over those transactions. In either case, by determining the relevant assertions, auditors can identify the associated accounts and appropriate key controls. This supports auditors in determining the scope to be assessed: the material transactions together with the business process and the automated and manual controls (IIA-SOX Section 404).

For further information on internal audit, go to the IIA's Web site.