Tuesday, July 16, 2013

INTERNAL AUDIT IN THE TWENTY-FIRST CENTURY: SARBANES-OXLEY AND BEYOND

SARBANES-OXLEY OVERVIEW: KEY INTERNAL AUDIT CONCERNS

The official name for this U.S. federal legislative act to regulate the accounting
and auditing practices of publicly traded companies is the “Public Accounting
Reform and Investor Protection Act.” It became law in August 2002 with some
detailed rules and regulations still being released, some over two years later as
this book went to press. The law’s title being a bit long, business professionals
generally refer to it as the Sarbanes-Oxley Act, after the names of its principal
congressional sponsors, and it is referred to as SOA throughout this book.
Others refer to the law with the name SOX.

SOA has introduced a totally changed process of issuing external auditing
standards, reviewing external auditor performance, and giving new governance
responsibilities to senior executives and board members. Among other matters,
the SEC has taken over the process for establishing auditing standards from the
AICPA through the Public Company Accounting Oversight Board (PCAOB).
This board also monitors external auditor professional ethics and performance.
As happens with all comprehensive federal laws, an extensive set of specific regulations
and administrative rules is being developed from the broad guidelines
in the SOA text, and the SEC has been given that responsibility.

The provisions of the SOA also have a major impact on internal auditors, particularly
in U.S. publicly traded organizations. Internal audit now must act somewhat
differently in its dealings with audit committees, senior—and in particular
financial—management, and external auditors. Because of the breadth of U.S.
business throughout the world, SOA has an impact on virtually all internal auditors.
The effective modern internal auditor should develop a general understanding
of SOA’s provisions as well as its specific provisions affecting internal audit.

U.S. federal laws are organized and issued as separate sections of legislation
called Titles with numbered sections and subsections under each. Much of the
actual SOA text only mandates that rules be issued by the responsible agency, which
for SOA is the SEC. These upcoming specific SOA rules to be developed by the SEC
may or may not be significant to most internal auditors. For example, Section 602(d)
of Title I states that the SEC “shall establish” minimum professional conduct
standards or rules for SEC practicing attorneys. While perhaps good to know, an
internal auditor will typically not be that concerned about these specific rules yet
to be promulgated. Others may be of more interest to internal auditors. Section
407 of Title I again says that the SEC will set rules requiring the disclosure that at
least one audit committee member must be a “financial expert.” While this definition
of a “financial expert” is subject to ongoing interpretation, this is important
information for a chief audit executive (CAE) who will be dealing with both members
of the audit committee and senior management. That “financial expert” will
or should have some understanding of an effective internal controls review process
as well as audit committee and internal audit interactions. Since this “financial
expert” may very well be new to the organization’s audit committee, this may
be a key liaison contact for internal audit.
