Difference between staffing an internal audit department exclusively for SOX Compliance purposes vs. staffing an internal audit department that operates in conformance with IIA Standards.
- SOX Overview, with specific focus on the internal control assessments required under Section 404
- Two criteria used to comply with SOX 404 (COSO Internal Control Framework & PCAOB Auditing Standards)
- Overview of the IIA’s Global Internal Audit Standards (IIA Standards) and how conformance with the Standards is demonstrated
- Key differences between SOX Compliance and IIA Standards Conformance
- Concluding thoughts, including considerations and recommendations for Audit Committees
Overview of SOX Section 404 Requirements
In response to major accounting scandals in the early 2000s, the US Congress passed the Sarbanes-Oxley Act, which is often abbreviated as SOX. SOX brought significant reform to accounting practices at public companies in the United States, including greater oversight of the financial statement audits conducted by external auditors and increased accountability for executives regarding financial reporting processes and internal controls.
The section of SOX that is most relevant to our analysis is Section 404, which requires the following two assessments of internal control:
- Management Assessment of Internal Control Over Financial Reporting
- Independent Auditor Assessment of Internal Control Over Financial Reporting
While SOX did not mandate that these internal control assessments be performed by internal auditors (indeed, SOX does not even require internal auditors), many public companies began using their internal auditors to assist with these assessments. To achieve SOX Compliance, internal auditors (or those involved in assessing internal controls for SOX purposes) do not need to conform with IIA Standards. In fact, there are no laws or regulations in the United States which require internal auditors to conform with professional standards.
Two Criteria Used to Comply with SOX 404
1. The Committee of Sponsoring Organizations (COSO) Internal Control Framework: it is important to understand the following key problems associated with how the COSO Internal Control Framework defines effective internal control:
- For internal control monitoring purposes, COSO does not require an internal audit department (or conformance with professional standards). Internal control can be assessed through ongoing monitoring by business personnel, separate evaluations (e.g. internal audits), or some combination of the two. The term “auditing standards” appears nowhere in the framework’s literature.
- While the COSO internal control framework notes that there are 3 categories of internal control objectives (i.e. Operations, Compliance, Reporting), SOX Section 404 only requires an assessment of one sub-category of internal control – Internal Control over Financial Reporting (ICFR). SOX does not require assessments of internal controls associated with Operations, Compliance, and Non-Financial Reporting objectives. And the COSO Internal Control Framework does not require comprehensive assessments of internal control across all categories to conclude that internal control is effective.
- Governance, including the role of the audit committee, has very limited coverage within the components of the framework. The concept of auditors providing independent assurance to the governance body, which is the core service of internal auditing, is not covered within the framework’s components. Instead, the framework notes that internal auditors provide assurance to management (and not the board) on internal control.
2. Public Company Accounting Oversight Board (PCAOB) Auditing Standards: SOX created the Public Company Accounting Oversight Board (PCAOB), which has developed auditing standards used by external auditors of public companies. In addition to commonly using the COSO Internal Control Framework as the basis for completing internal control assessments, external auditors must also adhere to PCAOB Auditing Standards.
Overview of IIA Standards
The Global Internal Audit Standards (IIA Standards) are published by the Institute of Internal Auditors (IIA) and are considered mandatory guidance within the IIA’s body of professional literature, known as the International Professional Practices Framework (IPPF). Conformance with IIA Standards is formally assessed through the organization’s Quality Assurance and Improvement Program (QAIP), which requires, among other things, an External Quality Assessment (EQA) to be performed by an external party at least once every five years.
Key Differences between SOX Compliance and IIA Standards Conformance
Risk and Control Coverage – SOX only requires an assessment of one sub-category of internal control objectives (i.e. financial reporting). As a result, the corresponding risk assessment usually involves assessing only one risk (i.e. the risk of material misstatement). SOX does not require an assessment of internal controls associated with other common risks (e.g. corruption, cybersecurity) as well as industry-specific risks (e.g. food safety, academic accreditation).
IIA Standards, on the other hand, require internal auditors to consider all relevant risks to objectives and all relevant categories of internal control. The IIA also categorizes and defines risk and control concepts differently from the COSO Internal Control Framework, which is used as the basis for SOX compliance.
In addition to assessments of internal control, IIA Standards also require that internal auditors assess the governance and risk management processes of the organization, which is not required under SOX.
Corporate Governance Requirements – IIA Standards have heightened governance expectations, as compared to what is required under SOX. IIA Standards have an entire Domain dedicated to Governance, which includes requirements for a direct reporting relationship between the Chief Audit Executive (CAE) and the Board (or Audit Committee). The Board (or Audit Committee) must approve the internal audit plan and budget, as well as authorize the appointment or removal of the CAE, among other criteria deemed to be essential conditions in the Governance Domain. Providing assurance to the governing board on the adequacy of governance, risk, and control is a core service of internal auditing, and the Standards within the Governance Domain ensure effectiveness in this regard. The role of Internal Audit and its relationship with the governing body are best illustrated in the IIA’s 3 Lines Model.
SOX, on the other hand, only obligates the Audit Committee to oversee the performance of the external auditor. Under COSO, internal auditors provide assurance to management, and the CFO often plays a key role in supervising the activities of personnel involved in the management assessment of financial reporting controls. External auditors are required to assess the objectivity of internal auditors prior to relying on their work; however, this does not necessarily require a direct reporting relationship with the Audit Committee, as would be required under the Standards.
Findings / Internal Control Deficiencies – SOX uses specific terminology to refer to internal control deficiencies that does not appear in IIA Standards. SOX requires that a “Significant Deficiency” and/or a “Material Weakness” in internal control over financial reporting be reported to the Audit Committee. These terms have been further interpreted by the PCAOB and the SEC, and they have taken on specific meaning in US securities law.
IIA Standards use an alternative term, “Engagement Finding”, which refers to a difference between the auditor’s observed state (the condition) and the requirements that should have been met (the criteria). A deficient internal control would be one common example of an engagement finding. There are no strict definitions used to rank or classify engagement findings according to their significance. Instead, this is based on internal methodologies developed by the CAE.
To add further confusion, the COSO Internal Control Framework uses the term “Major Deficiency” in internal control, which does not appear in SOX or IIA Standards. Nevertheless, COSO has stated in other publications that companies should align their definitions of internal control deficiencies with those of applicable regulations.
Quality Requirements – IIA Standards have strict quality requirements, which are not required for the internal control assessments under SOX 404. IIA Standards require the development of a Quality Assurance and Improvement Program (QAIP), which includes Internal Quality Assessments and an External Quality Assessment that is conducted at least once every 5 years by an independent party. Neither SOX nor the COSO Framework specifies quality requirements as part of internal control monitoring.
