“SOX audits vs. Operational Audits: What is the right balance for your IA department?”

This is a question that has no right or wrong answer, but is one that every Chief Audit Executive (CAE) needs to consider.  Even private firms that aren’t required to comply with SOX are likely still tasked with testing some Controls to ensure internal control over financial reporting (ICFR) within the organization, or have some other type of compliance audit to perform (HIPAA, PCI, Fraud, MAR, etc.).

So, how do you fulfill this role for testing and reporting on regulatory compliance (SOX), while finding the time and resources to perform your larger role of adding value to your department through oversight of the company’s general activities?  To address this issue, let’s start with making sure we are working from a common framework.  A standard definition (Farlex Financial Dictionary) of an Operational (sometimes called Management) Audit is as follows:

“A measurement and report of the effectiveness and results of certain business procedures. Management audits are usually performed internally, and check to see that procedures have their intended effect. Unlike a compliance audit (e.g. SOX), which simply ensures that procedures are being followed, management audits challenge the assumptions and objectives of procedures, with an eye toward improving efficiency. A management audit may recommend changes in procedures resulting from observed inefficiencies in existing procedures.”

This can include audits of facilities, processes, staff behavior, etc.  I believe the majority of you would agree that it should always include the Objectives and Risks associated with the entity areas being audited.  We also recognize that there is oftentimes some overlap with SOX Controls, so that a SOX test can satisfy part of an Operational Audit, or vice versa.

However, how do you split your workload for those areas that don’t overlap?  Some of you have told me that the majority of your auditors’ time is spent doing SOX testing, not “true” auditing.  The perceived downside of that mix is that it becomes difficult for the CAE to demonstrate the strategic value of his/her Audit department, because they are performing what many CFOs/CEOs think of as a “commodity” function.  After all, SOX has been around for 8 years or so; how much creativity is involved in the activities to demonstrate ICFR (their opinion, not mine)?

The majority of the CAEs I talk to (particularly those who are relatively new in their assignment) tell me one of their organizational objectives is to reduce the SOX workload to allow for more Operational audits.  Many tell me that over 50% of their department’s man-hours are spent on SOX-related activities, with their goal being to get that down to less than 33%.

One reason they are willing to speak with me about GRC & Audit automation software is so that they can achieve this goal without adding headcount (either internally or through co-sourcing).  As I discussed in last month’s newsletter, automation also offers the option of self-assessments vs. direct testing as a time- and money-saving process.  This also frees auditors to perform more Operational audit activities vs. SOX Compliance.  This assessment “engine” can also be used for Risk Assessments to better focus the Operational audits on areas other than SOX Key Controls.

On a related note, as more Audit Committees and Boards of Directors take up the issue of Enterprise Risk Management (ERM), it is frequently falling to the CAE (if no CRO exists in the organization) to pick up the gauntlet for this responsibility.  That puts one more item on their plate without an increase in headcount.  The only way to accomplish that goal is to be more efficient and productive in managing the existing key responsibilities (e.g. SOX testing), thus freeing up time for more risk-based Operational audits.  What the right balance is for your organization is up to you, but I’m pretty sure achieving that desired balance will be easier with automation than without.  I’d love to hear from you regarding your point of view on the matter.

Best regards, 

Paul Fine

Director of Marketing & Business Development
DoubleCheck LLC
1-888-299-3980 (office)

Atlanta, GA