Internal Audit & External Audit Interaction 2130



  • Hello,
    Thank you in advance for any suggestions any of you have. I have recently been asked to manage the SOX program at a small (USD110 million) company. I’ve worked in Internal Audit for a few years, and am familiar with SOX requirements, methodology, scoping, etc. However, in my past position I was removed from the interaction our SOX Manager had with the external firm. So, my question - what is the typical process after internal testing is done?
    Is there a deadline that anyone doing internal testing has to submit results to the external auditors? Does all the work the internal function does lead up to a final internal opinion and test results that are given to the external firm? I know there are a lot fewer ‘shoulds’ with AS5, so I’m interested to hear some best practices. Any suggestions you have for a new SOX Manager that is feeling a little overwhelmed are greatly appreciated…



  • We share all of our internal testing results with our external auditors. They may place reliance on some of our testing (in areas deemed by them to be lower-risk) to reduce their testing and need to have our test information to support their controls effectiveness conclusions in those areas.
    Our IA team is not involved in our primary testing; they only perform a QA review of the testing towards the end of the year.



  • Hi DNA and welcome 🙂
    As a new SOX manager, I believe you’ll find these forums to be an excellent resource and they might help in providing ideas, practical examples, and guidance as you help your firm comply.
    As Kymike shares, there are no ‘absolutes’ in working with external auditors, as the IA/EA relationships will vary from company to company on both normal and SOX related audits. However, it’s an advantage for IA to build up a good and open relationship with external audit firms.
    Some ideas that might help you as a new SOX manager:

    • Plan and research SOX compliancy requirements thoroughly (e.g., esp. the new SOX 404 requirements that will be forthcoming at the end of the year)
    • Build relationships with senior management, the financial, and the IT areas (e.g., everyone should be working for the ‘same company’ and attempting to achieve the same goals)
    • Establish a thorough e-Library (electronic repository) to hold key documentation, test samples, etc.
    • Obtain latest COBIT 4 and COSO documentation to ensure your company
    • Develop rapport with the new external auditors and work with them closely when needed to ensure requirements can be met effectively and as efficiently as possible.
