Does the Internal Auditor provide ratings? (D/SD/MW)

  • I am a SOx risk manager at a mid-size financial institution. We do not have our own internal audit area, so we’ve engaged an outside audit company to perform audit testing for internal audit and for SOx. We have engaged one of the Big 4 audit companies as our external auditor.
    The question is whether the internal auditor (who is acting as management) should provide ratings for our SOx key controls (i.e., identify the effective key controls, or if exceptions occur, specifically rate the exception as a deficiency, significant deficiency, or material weakness). The internal auditor is reluctant to provide ratings even though the external auditor has requested it.
    Thanks in advance for your help.

  • As management, I think that you need to rate each deficiency as to magnitude. This will allow you to consolidate your deficiencies at the end of the year to come up with an overall position as to the effectiveness of your controls. How else will you be able to determine whether or not you have a significant deficiency (required to be reported to auditors, Audit Committee and Sr. management) or a material weakness (required to be reported externally)?

  • Thank you for your fast reply, Kymike.
    Just to clarify your response, may I infer that you include the internal auditor as ‘management’? Since this is our first year for SOx, my company is looking to the internal auditor for guidance in the assessment of exceptions. The internal audit firm’s hesitance to commit to a rating is troublesome.

  • The internal audit function is acting on behalf of management. If they are hesitant to provide a rating, I would suggest that you work with them to understand the potential magnitude of any deficiencies and make a rating recommendation to your SOX oversight committee. Another approach would be for your SOX committee to define dollar ranges for each level of deficiency and have the auditor rate according to those guidelines. There is a bit of judgment involved and I can see the hesitancy of an external consultant to want to make that judgment call.

  • Your feedback is much appreciated, kymike.

  • Hi - I also agree with kymike and the Internal Auditor’s position on this matter. The following are ideas related to the risk assessments process:
    – Internal Audit can help facilitate the process and provide input on how to ascertain SOX related risk. From a functional perspective, Internal Audit’s role is to provide expert audit opinion. However, in assigning risks or valuations, they must remain an independent entity and use an ‘arm’s length’ approach.
    – The overall responsibility for the actual risk assessment assignments should rest with the company’s management itself (e.g., as SOX 302 and 404 put the overall responsibility for SOX financial controls and integrity on the company’s management).
    – I like the approach of the SOX steering committee brainstorming and coming up with their best guesses on risk assessments and allowing the Internal auditor (plus external SOX auditor) to critique it.

  • Hello again.
    I apologize to harrywaldron for neglecting to thank you and others for the previous responses. I used harrywaldron’s facts in the discussion with our SOx Steering Committee, and they asked me to research the response further.
    Is there a section in the SOx regulation or AS5 guidelines that requires an internal auditor to ‘remain an independent entity and use an ‘arm’s length’ approach’ to providing ratings to findings? Our management still contends that our internal auditor is acting on management’s behalf and thus becomes the voice of our management. I hate to beat a dead horse, but any facts you, or anyone else, can provide would be greatly appreciated.
    Best wishes,

  • This is our first year of going through SOX. Does anyone have guidance/resources for how to aggregate/rank deficiencies?
    Thank you.

  • Hi,
    A methodology was previously developed by a number of audit firms to help auditors to assess control deficiencies for reporting purposes.
    www dot
    Hope this helps,

  • Hi,
    To my knowledge, SOX does not specifically require internal audit to be objective or to follow an ‘arm’s length’ approach.
    Often, management believes that the internal audit function is an extension of itself and provides management with a basis to appraise the internal controls.
    Back to your question…specific rules and requirements are not in place to ensure that the internal audit function is objective and independent. If your company must comply with SOX because you are a public company, you must also be subject to periodic independent audits by an external auditor.
    The external auditor will place reliance on the work of others including the internal audit function. The degree of reliance will be based on factors including the competency and objectivity of the internal audit function. The latter is generally evaluated based on the reporting relationship of the internal audit function…the higher up the reporting, the more likelihood of greater independence.
    In short, if the external auditor can rely on the work that is performed by the internal auditor, so should management and the SOx Steering Committee. I think your challenge is simply to educate the SOx Steering Committee that although the IA function is considered an arm of management, they are an integral part of the ICS (internal control system) and reliance on their work may prove advantageous to reduce audit fees.
    Hope this helps,
