Upfront: Fine-Tuning Internal Audit's Role

December 1, 2005

by John Cummings

As some companies complete year two of Sarbanes-Oxley compliance work, confusion remains rife about the role internal audit can or should play in those activities. Deloitte & Touche LLP convened a meeting of leading compliance practitioners to discuss the issue. The discussion found a wide range of Sarbanes-Oxley-related activities to be allowable and appropriate for internal audit, including the following:

  • Consulting on internal controls
  • Assisting the organization with identification, evaluation and implementation of risk and control assessment methodologies
  • Assisting with designing systems of internal controls
  • Conducting effectiveness testing on behalf of management
  • Aiding management in the design of tests for controls' effectiveness. However, in all cases, management should make the final decision on controls' design and effectiveness.
  • Taking on the role of lead project manager for all or part of the efforts related to Section 404 compliance

The following activities were found to be inappropriate:

  • Concluding on the effectiveness of internal controls on behalf of management
  • Making or directing key management decisions regarding controls, remediation activities and Sarbanes-Oxley compliance
  • Installing systems of internal controls
  • Performing control activities

The report notes that the department's focus on compliance activities should diminish going forward as compliance processes become operationalized. As a result, internal audit functions should be able to pick up some slack in their traditional areas of responsibility, including fraud investigations and risk management work. For example, while internal audit's input is crucial for major growth initiatives, such as mergers and acquisitions, the function can also make a valuable contribution in assessing new product designs and expansion into new regions, distribution channels or customers.
