Internal Audit SOX Testwork Responsibility 2848

  • I recently made the move from public accounting to internal audit for a public company. The internal audit department that I work for performs walkthroughs and control testwork for all processes whether they are in 404 scope or out of 404 scope, no difference. Having experience just from the external side, I thought that a Company was not required to perform walkthroughs and control testwork on processes that are out of 404 scope. This is due to these processes being tied to insignificant low risk accounts. One of the internal auditors mentioned to me that the external auditors asked in the past why they didn’t perform work on the out of scope processes. Since then they have been performing the work. This does not make sense to me. My question is, what has been your experience with internal audit departments performing work for out of scope processes? Is this done just for the sake of performing the work, or what is the rationale behind this? The internal audit side can be a little different than the external side.

  • I would agree that there is no requirement to perform work on out of scope processes and controls for SOX purposes.
    Perhaps there are other internal reasons for this? I would suggest taking a look at what the work around the out of scope processes has identified. If no issues have ever been identified, then there would be a good argument to cut back on the frequency of the work, if not eliminating it totally. Certainly, the Internal Audit team can add greater value in other areas if you can free up time currently devoted to low risk areas.

  • I agree with kymike. Walkthroughs are not required for out of scope areas. A risk assessment is done at the beginning of the year to determine in and out of scope areas and that is that for low risk areas. Furthermore, at the company I work at, we do not do walkthroughs for even in scope processes if they have not changed from the prior year. We simply rely on our old documentation, and our external auditors (PwC) were okay with it.

  • Thanks for your response. This answers all my questions.
