Internal Audit Independance 2329

  • Hi,
    I work for an MNC. The query that I have is whether Internal Audit function can perform following functions:

    1. Perform Risk Assessment for SOX 404 purpose in consultation with Mangement,
    2. Document Process Maps, Control Self Assessments. IA gets verbal or written confirmation from management about accuracy and completeness of the process maps, key controls etc.
    3. Test the controls on behalf of the management and recommend remediations incase deficiencies are noted. Management is responsible implementing the suggested remediation.
    4. Perform evaluation of deficiencies and present the same to Audit Committee.
      IA performs above task due to non-availability of personnel or limited knowledge of management.

  • IA can, and often does, all of those things.
    The issue of the independence of IA is on whether external audit can rely on the work of internal audit.

  • Of your 4 functions, ‘3’ is the area that has presented some questions. By recommending remediation some IA teams have argued from their own perspective that they are compromising their independence because they are designing processes and controls that makes it diffiuclt for them to critically assess these in the future. Where this has been argued I have found that IA record a process/control failure and then hand it back to management to resolve. Clearly this is down to the local IA management as to what they find acceptable whilst staying within their professional standards.
    The other three function you raise, as Denis states, can be undertaken by IA.

Log in to reply