SOX and internal audit 2711



  • Hi. I am interested in seeing the relationship and dynamics between the SOX work and internal audit in your organizations. I am seeing a lot of similarities between the two, and in certain cases there may be overlaps. Internal audit’s programs are generally very comprehensive, including testing on the financial, operational/business, and internal control aspects. Is there a reason we cannot rely on Internal Audit to carry out the SOX tests? I know that Internal Audit rotates their audit locations, but I think it would just be as easy to keep the in-scope location in their audit plan every year, and rotate the out-of-scope smaller locations.
    Could you share any thoughts or practice in your organizations in this respect? Thank you.



  • Some companies do use their internal audit team to test SOX controls. Ours does not. We use peer testing due to the number of controls that we have to test. We have a small internal audit team. They do not have the resources to perform both SOX testing and other compliance or operational testing. We do work with them to ensure that we have minimal overlap in their testing and SOX testing. Sometimes our SOX group will rely on internal audit testing for SOX purposes and sometime the internal audit team will scale back testing in some areas that are well tested for SOX purposes.
    Who tests SOX controls generally comes down to budgetary concerns. Many companies want to get it done as inexpensively as possible while also ensuring that the testing is being done by a competent team. The ability to perform peer testing of SOX controls allows us to test with lower paid individuals (generally non-CPAs) than if we utilized our internal audit team (all CPAs), saving us money.
    Each company will be different in their approach to SOX in an effort to make this process fit within the company organizational structure as best as it can.


Log in to reply