Should SOX responsibilities be included in the IA Charter?
I think the message title says it all. Everything I’ve read consistently states that SOX is a function of management and not IA. IA however gets stuck in the middle as the ‘facilitator’ but with no real authority over the project, at least not in my role at my company. I submitted the IA charter and was asked why SOX was not included, and while I don’t think it should be, I really wasn’t 100% certain, hence this post.
Thanks.
milan
The decision is entirely optional and from a SOX compliance standpoint, there is no relevance as to IA involvement in SOX and the IA Charter.
Personally, I would not include it for the same reason that you mentioned in the message title.
I agree with Milan and our original poster. SOX is a senior management responsibility. SOX is important and IA will be involved in a number of ways (e.g., coordinating with external auditors, etc.). However, SOX should be viewed as one of many projects or regulatory compliance areas IA will be involved in, and they should not be seen as a primary facilitator of the SOX compliance process.
P.S. Some of my thoughts about IA’s role in an organization are expressed here (esp. the bold text):
plaire1
The Internal Audit role should be included in SOX.
It creates the element for an unbiased opinion in the testing area for the company. IT now should obtain a role within IA and reflect the support of IT in the business role. IA can create the templates and test plans; they can be the facilitators in the dissemination of COBIT objectives that will be required to support the business. They can be the mediators between the Company and External Audit. The role for IA has been enhanced and should include support of the SOX effort.
The Internal Audit role should be included in SOX …
I agree with this and the excellent list of recommendations.
In composing a charter for the organizational functions of the department, I’ve thought a little further:
- Maybe it’s okay to mention SOX given the importance it has for public companies. I can see a more generic connotation as our original poster shared (e.g., like policies, a charter should be generic, static, and less subject to change over time).
- If SOX participation is included in the ‘manifesto’, then clear delineations of IA’s roles and responsibilities should be documented (e.g., facilitator, advisor, coordinator with external auditors). In some companies, they may be assigned actual responsibilities to make things happen, so from company to company YMMV.
- My second thought on this is that sometimes it’s even better to document roles and responsibilities clearly, so IA isn’t responsible for making this happen or for duties outside their established roles in a company.
I agree that IA should support the SOX effort, however I’m still reluctant to add language to the charter regarding IA’s SOX responsibilities. Unless clearly defined (as harrywaldron stated) I think IA runs the risk of becoming targets of blame, if and when material weaknesses occur. To avoid this risk, I’d rather rely on the generalized language in the charter that includes activities such as: ‘Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.’ and ‘Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports and whether the organization is in compliance’. I would think these types of statements in the charter could potentially include SOX coverage.
To avoid this risk, I’d rather rely on the generalized language in the charter that includes activities such as: ‘Reviewing the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.’ and ‘Reviewing the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports and whether the organization is in compliance’. I would think these types of statements in the charter could potentially include SOX coverage.
I agree and would submit these well written generic responsibilities. They logically encompass SOX as well as other statutory requirements. If you still need to add specific language for SOX, then I’d add clear generic guidelines denoting IA’s role in your company.
kymike
‘SOX’ may not be around forever. As such, you probably do not want to refer to it specifically in the charter. I would suggest that you have wording to the effect that you will partner with or support management’s efforts to monitor internal controls to ensure that they are operating as intended. Don’t limit the support to ICOFR, as it should also encompass controls over operations and compliance.
‘SOX’ may not be around forever.
You shouldn’t toy with me like that. I think SOX, in one form or another, is here to stay. I agree with your suggestion though, as my previous post indicates.
kymike
I could have said that better. ‘SOX’ as it is known today will not be around forever. There will be recurring focus on ICOFR, though, since we let it slip from a must-have to a nice-to-have when things were going well.