In my last blog post, I took a few swipes at the
Sarbanes-Oxley Act. Actually, they weren’t swipes at SOX, per se. Rather, they
were swipes at the internal audit shops whose infatuation with the act took on,
shall we call them, an unhealthy turn. I think what I said was some internal
audit departments began “succumbing
to the siren call of popularity…and the promise of continued work, no matter
how rudimentary.”
Okay, that’s
exactly what I said.
It was my intent to
continue this discussion by talking about the lessons we should learn from this
past – lessons that might help us navigate some potentially rocky reefs in our
near future. However, more than one person took me to task for those comments. In
particular, a few people on LinkedIn took exception to what I had to say.
Their reactions
made me think that, perhaps, I hadn’t been completely clear about my concerns. And
I decided it might be a good idea to provide some additional explanation.
One respondent
wrote, “As you note, SOX raised awareness of the value of controls. SOX was
never meant to be the end all, but just another leg in the Control and Risk
Mitigation chair. I am at a loss as to what specifically was the ‘Near
Disaster’.” Another respondent said about my comments, “I can’t disagree [with
you] more. SOX actually raised the importance of internal controls. Internal
audit became more focused on maintaining a framework of integrated controls
rather than on compliance in the industry.”
They are both
correct…partially. And that was one of the points I was trying to make in the
original post. By forcing organizations to find an effective control framework,
SOX put COSO’s ICF squarely in the lap of boards, CFOs, CEOs, etc. And “those-in-charge”
were forced to understand much of the information that internal audit had spent
years trying to get across to them. (Amazing how a regulation and threats of
significant fines and jail time will get an executive’s attention.)
And, of course,
SOX was never meant to be the solution – merely a tool. A regulated tool, but a
tool nonetheless.
But therein lies
the rub. Half-baked approaches, knuckling under to the pressure to do more, and
a misunderstanding by executive management of internal audit’s true role resulted
in audit shops that took on too much responsibility and work, all at the
expense of no longer providing the broader value that internal audit should have
been supplying.
Many audit shops
became nothing but SOX shops. Yes, there was a resulting increase in the
controls around external financial reporting. But many of the SOX aficionados
forgot that external financial reporting objectives represent one-fourth of
one-third of the objectives within the COSO ICF framework. So that meant internal
audit was ignoring a whole host of risks. And a false sense of security was
being provided to the board and executives.
In addition, internal
auditors jumped on that bandwagon and eventually forgot how a full, robust
internal audit department adds value.
And, in the
process, the word got out that internal audit was doing all the SOX work. And,
after all, it was all about controls and that is what internal auditors did –
controls. So, in far too many organizations, the mindset became “internal audit
owns the SOX process.”
I know it’s
wrong, you know it’s wrong, and the audit departments involved knew it was
wrong. But it happened. And it was accepted. And still, to this day, if you ask
around you will see audit shops doing nothing but SOX work. And, while no one
says it out loud, the expectation in some of those situations is that it is
internal audit’s responsibility to get it all under control.
Ultimately, SOX
became a distraction. An important distraction, but a distraction nonetheless. And
many internal audit shops still find themselves under the sway of that
distraction. And, for many others, that distraction meant they had to make up a
lot of ground as they were forced to relearn the true value that internal audit
can provide, and then begin reselling that value to its stakeholders.
Which leads us
right back to the question: what is it we can learn from all this that may help
us avoid another impending disaster?
That will be
covered in my next post.