Question

1. Name at least four of the most important core business processes and related business risks for a large automotive compa

Answer #1

Answer :1

Significant business processes would be:
1. Manufacturing of vehicles.
2. Research and development, including innovations in design and technology such as hybrids and vehicles powered by non-traditional fuel sources such as fuel cells.
3. Finance operations, including loan and leasing programs for customers and dealers.
4. Marketing, sales and distribution.

The significant risks include:
1. The inability to offer innovative, new, price-competitive products that meet and satisfy customer demand on a timely basis.
2. The inability to market and distribute effectively, and to maintain brand image.
3. Highly volatile and competitive automobile market.
4. Currency and interest rate fluctuations.

Answer :2

KEY TAKEAWAYS

  • The Sarbanes-Oxley Act of 2002 was passed by Congress in response to widespread corporate fraud and failures.
  • The Act implemented new rules for corporations, such as setting new auditor standards to reduce conflicts of interest and transferring responsibility for the complete and accurate handling of financial reports.
  • To deter fraud and misappropriation of corporate assets, the Act imposes harsher penalties for violators.
  • To increase transparency, the Act enhanced disclosure requirements, such as disclosing material off-balance sheet arrangements.

What Does The Sarbanes-Oxley Act Do?

One direct effect of the Sarbanes-Oxley Act on corporate governance is the strengthening of public companies' audit committees. The audit committee receives wide leverage in overseeing the top management's accounting decisions. The audit committee, a subset of the board of directors consisting of non-management members, gained new responsibilities, such as approving numerous audit and non-audit services, selecting and overseeing external auditors, and handling complaints regarding the management's accounting practices.

The Sarbanes-Oxley Act changes management's responsibility for financial reporting significantly. The act requires that top managers personally certify the accuracy of financial reports. If a top manager knowingly or willfully makes a false certification, he can face between 10 and 20 years in prison. If the company is forced to make a required accounting restatement due to management's misconduct, top managers can be required to give up their bonuses or profits made from selling the company's stock. If the director or officer is convicted of a securities law violation, he can be prohibited from serving in the same role at the public company.

The Sarbanes-Oxley Act significantly strengthens the disclosure requirement. Public companies are required to disclose any material off-balance sheet arrangements, such as operating leases and special purpose entities. The company is also required to disclose any pro forma statements and how they would look under the generally accepted accounting principles (GAAP). Insiders must report their stock transactions to the Securities and Exchange Commission (SEC) within two business days as well.

The Sarbanes-Oxley Act imposes harsher punishment for obstructing justice, securities fraud, mail fraud, and wire fraud. The maximum sentence term for securities fraud has increased to 25 years, and the maximum prison time for the obstruction of justice to 20 years. The act increased the maximum penalties for mail and wire fraud from five to 20 years of prison time. Also, the Sarbanes-Oxley Act significantly increases fines for public companies committing the same offense.

The costliest part of the Sarbanes-Oxley Act is Section 404, which requires public companies to perform extensive internal control tests and include an internal control report with their annual audits. Testing and documenting manual and automated controls in financial reporting requires enormous effort and involvement of not only external accountants but also experienced IT personnel. The compliance cost is especially burdensome for companies that heavily rely on manual controls. The Sarbanes-Oxley Act has encouraged companies to make their financial reporting more efficient, centralized and automated. Even so, some critics feel all these controls make the Act expensive to comply with, distracting personnel from the core business and discouraging growth.

Finally, the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board, which promulgates standards for public accountants, limits their conflicts of interest, and requires lead audit partner rotation every five years for the same public company.

Answer :3

Although testing the organization’s controls is something that is a core competency of internal audit, there is no legal requirement under SOX that forces organizations to have an internal audit function or to involve the existing function in SOX compliance projects. SOX defines the roles of management, the audit committee, and the external auditors, but it does not specifically address the internal auditors’ role or assign any specific responsibility to internal audit. There are, however, particular sections of the regulation that may be indirectly associated with internal audit.

Section 404 of SOX requires the organization’s independent auditor to attest to management’s own assessment of internal controls and procedures in accordance with standards established by the Public Company Accounting Oversight Board. In turn, the PCAOB gives place to internal audit in Audit Standard No. 5 with the statement of “Using the work of others” and assumes that external auditors may rely on the work of internal auditors.

In consideration of both SOX Section 404 and PCAOB Standard No. 5, we can conclude that existence of an internal audit function is an important facilitating factor for an independent auditor to attest to the management’s assessment of controls; however, it is not a prerequisite for the organization’s compliance with SOX. Still, it is important to note that some organizations may be required to have such an internal audit function depending on their sector, jurisdiction, or listed exchange. In the United States, for example, companies listed on the New York Stock Exchange are required to conduct internal audit activities, while those listed on Nasdaq have no such requirement.

Under Section 409 of SOX, public companies must disclose to the public on a prompt and current basis when there is additional information concerning material changes in the financial conditions or operations of the organization. When doing so, a disclosure committee is responsible for designing and implementing the organization’s disclosure procedures. Accordingly, the disclosure committee detects relevant disclosure problems and develops appropriate systems in order to make sure that material information is released to the steering committee (which should include the CEO and CFO) in a timely manner. When doing so, the disclosure committee is expected to review SEC filings, management’s quarterly and annual evaluations of internal controls over financial reporting, press releases, and internal audit reports.

Once again, the organization can be one move ahead if its management is able to benefit from existing internal auditors’ reports in relation to Section 409. As previously mentioned, however, it is not a prerequisite for compliance with SOX, though consideration is to be made for sector-specific and jurisdictional regulations and guidelines.

Ideal Positioning of Internal Audit in SOX Compliance

As explained above, Section 404 of SOX requires management to make an annual assertion followed by an independent auditor’s attestation. Similarly, Section 302 requires the management’s quarterly approval of financial reporting and disclosure controls and procedures.

After organizations had initiated efforts to reach compliance with the reporting requirements of both SOX sections, internal auditors raised many questions related to their actual role and involvement in SOX related activities (along with the limits of their involvement). Despite the fact that there is no direct legal requirement as detailed above, participation by the internal audit function in SOX compliance projects is perceived as a reasonable choice by organizations’ managements because of the fact that internal auditors are deemed to possess various skills and experiences in processes, operations and compliance procedures.

As SOX compliance evolved in the years after the regulation’s passing, this perception converted internal audit activity into a function playing a critical role in control testing on behalf of management as an annual program of SOX compliance. According to the IIA’s survey in 2013 by the Institute of Internal Auditors, 69 percent of Fortune 500 companies’ internal audit functions are involved in SOX compliance efforts, whereas the scope of involvement ranges from a minor role to ownership of the entire SOX process.

A new study finds that companies are increasingly putting internal audit in charge of SOX internal controls compliance, rather than departments such as financial reporting or legal.

The survey, conducted by the SOX & Internal Controls Professionals Group, finds that 46 percent of respondents report that internal audit is in charge of managing the SOX internal controls compliance function, a 5 percent increase from last year, and up from the 32 percent who said internal audit handled it in 2016. There is also an increase in the use of a dedicated SOX/IC compliance team. About a third of respondents say SOX is now headed by a dedicated team, up from 25 percent last year. According to another survey by consulting and advisory firm Protiviti this year, the rate for involvement of internal audit in SOX compliance efforts was 82 percent.

While every organization is different, to be able to find an ideal position for the internal audit in SOX compliance, it is good to remember the role of internal audit function as per the IIA’s internal auditing standards. Based on the standards, the Chief Audit Executive (CAE) of the organization is required to establish a risk-based plan to determine the main concerns of the internal audit activity. For this purpose, internal auditors are required to consider a SOX non-compliance situation as a risk to the organization in their risk assessment process when preparing an internal audit plan and determining their focus.

Maintaining Objectivity and Independence

According to the IIA’s Attribute Standard No. 1100, internal audit activity must be independent and internal auditors must be objective in performing their work. Responsibilities for designing, installing, implementing, or drafting controls and procedures by internal audit may lead to the presumption that the internal auditor’s objectivity is impaired. In other words, the appearance of objectivity cannot be preserved when internal audit both designs, installs, implements, or drafts procedures and then audits them at the same time. As such, it is important to note that internal audit should be in a position that provides assurance and consultation without impairing its objectivity and independence, with consideration of the IIA’s above-mentioned standards.

Therefore, when determining internal audit’s role in SOX compliance, it is crucial that internal audit cannot be responsible for developing processes or procedures that ensure the organization’s compliance with SOX. As a natural consequence, internal audit should not be the owner of the entire process so that they can refrain from assessing specific operations for which they also have responsibility.

In addition to that, in some cases management may request an internal auditor to manage a SOX project. A project manager is usually deemed as a responsible person for observing the level of progress of the project with consideration of a timeline and organizing appropriate communication of project consequences with relevant parties. If internal audit’s role is limited to such administrative duties, objectivity would not likely be impaired. However, if the project manager’s responsibilities include designing, approving, or making decisions about controls and procedures, the internal auditor’s objectivity is impaired.

In addition, an internal audit function may assist management in the following tasks and roles as well:

  • Internal audit may attend steering committee meetings, as they can provide recommendations to the SOX project team about general direction and progress of the project.
  • Internal audit may act as facilitator and coordinator between external auditor and management.
  • Internal audit may share existing internal audit documentation with responsible parties.
  • Internal audit may make recommendations on documentation standards, tools, and testing strategies without impairment to its objectivity.
  • Internal audit may participate in disclosure committee meetings in order to make sure that the committee members are aware of the ongoing results of internal audit activities in relation to SOX Section 409.
  • Internal audit may provide training on internal controls, risk assessment, and planning of tests without impairment to their objectivity.
  • Internal audit may execute the required tests in relation to SOX; however, it would be optimal that the management or a separate SOX advisor or project team has selected the controls to be tested because they ultimately need to be the responsible party.

Walking a Fine Line

SOX compliance is still one of the most important concerns for companies that fall under its requirements. When complying with SOX, it is certainly useful to have an engaged internal audit function, because not only may such a function assist management in assessment of internal controls but also external auditors are more likely to rely on internal audit’s work in their attestation.

It’s logical that company managements may want to benefit from internal audit’s significant expertise in relation to SOX compliance. However, internal audit’s support should be limited to making recommendations and a level of involvement that refrains from designing, installing, implementing, or drafting controls and procedures in order to protect the independence, objectivity, and integrity of the internal audit function when carrying out its usual role. In cases where there are different approaches or requests on the role of internal audit or instances where objectivity may be impaired, the CAE should discuss them with the audit committee.

An alternative to utilizing internal audit to play a central role in SOX compliance is to enlist support from public organizations, consulting firms, or other providers for testing assistance within the scope of Sections 302 and 404. Such arrangements can make life easier because such a service provider may have a better understanding of the expectations of the external auditor as well as relevant authorities. In the meantime, internal audit can focus on its day-to-day responsibilities without potential threats to its independence.
