Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

A Hole in Our SOX

Comments Views

In my last blog post​, I took a few swipes at the Sarbanes-Oxley Act. Actually, they weren’t swipes at SOX, per se. Rather, they were swipes at the internal audit shops whose infatuation with the act took on, shall we call them, an unhealthy turn. I think what I said was some internal audit departments began “succumbing to the siren call of popularity…and the promise of continued work, no matter how rudimentary.”

Okay, that’s exactly what I said.

It was my intent to continue this discussion by talking about the lessons we should learn from this past – lessons that might help us navigate some potentially rocky reefs in our near future. However, more than one person took me to task for those comments. In particular, a few people on LinkedIn took exception to what I had to say.

Their reactions made me think that, perhaps, I hadn’t been completely clear about my concerns. And I decided it might be a good idea to provide some additional explanation.

One respondent wrote “As you note, SOX raised awareness of the value of controls. SOX was never meant to be the end all, but just another leg in the Control and Risk Mitigation chair. I am at a loss as to what specifically was the ‘Near Disaster’.” Another respondent said about my comments, “I can’t disagree [with you] more. SOX actually raised the importance of internal controls. Internal audit became more focused on maintaining a framework of integrated controls rather than on compliance in the industry.”

They are both correct…partially. And that was one of the points I was trying to make in the original post. By forcing organizations to find an effective control framework, SOX put COSO’s ICF squarely in the lap of boards, CFOs, CEOs, etc. And “those-in-charge” were forced to understand much of the information that internal audit had spent years trying to get across to them. (Amazing how a regulation and threats of significant fine and jail time will get an executive’s attention.)

And, of course, SOX was never meant to be the solution – merely a tool. A regulated tool, but a tool nonetheless.

But therein lies the rub. Half-baked approaches, knuckling under to the pressure to do more, and a misunderstanding by executive management of internal audit’s true role resulted in audit shops that took on too much responsibility and work, all at the expense of no longer providing the broader value that internal audit should have been supplying.

Many audit shops became nothing but SOX shops. Yes, there was a resulting increase in the controls around external financial reporting. But many of the SOX aficionados forgot that external financial reporting objectives represent one-fourth of one-​third of the objectives within the COSO ICF framework. So that meant internal audit was ignoring a whole host of risks. And a false sense of security was being provided to the board and executives.

In addition, internal auditors jumped on that bandwagon and eventually forgot how a full, robust internal audit department adds value.

And, in the process, the word got out that internal audit was doing all the SOX work. And, after all, it was all about controls and that is what internal auditors did – controls. So, in far too many organizations, the mindset became “internal audit owns the SOX process.”

I know it’s wrong, you know it’s wrong, and the audit departments involved knew it was wrong. But it happened. And it was accepted. And still, to this day, if you ask around you will see audit shops doing nothing but SOX work. And, while no one says it out loud, the expectation in some of those situations is that it is internal audit’s responsibility to get it all under control.

Ultimately, SOX became a distraction. An important distraction, but a distraction nonetheless. And many internal audit shops still find themselves under the sway of that distraction. And, for many others, that distraction meant they had to make up a lot of ground as they were forced to relearn the true value that internal audit can provide, and then begin reselling that value to its stakeholders.

Which leads us right back to the question, what is it we can learn from all this that may help us avoid another impending disaster.

That will be covered in my next post.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • Idea-September-2020-Blog-1
  • Galvanize-September-2020-Blog-2
  • CIA-September-2020-Blog-3