Internal auditing: A safety net for those at the top

By William G. Bishop III, The Institute of Internal Auditors

June 20, 2003 — The shareholders and other stakeholders of American businesses have had a rough ride the past few years.

For that matter, so have those at the top of their organizations. A seemingly endless succession of financial frauds has cast public doubt on the credibility of even untarnished corporations. And trust, once lost, is slow to rebuild.

As dismal as that sounds, it’s not all bad, for failures like Enron and WorldCom have opened the eyes of the public to the importance of corporate responsibility. Today’s investors appear to be a bit smarter than they used to be. Through adversity, they seem to have grown in their understanding of such practices as risk management, financial stewardship, internal control, and corporate governance. And they are demanding a much higher level of accountability from the companies in which they invest.

One internal resource is uniquely positioned to serve as a safety net for management and the board. That resource is internal auditing, an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal control is at the center of the internal auditor’s world. It is also integral to effective corporate governance and is thereby critical to management and the board. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control consists of (1) the control environment that sets the tone of the organization; (2) risk assessment, or the identification and analysis of relevant risks; (3) the policies and procedures or control activities that help ensure management directives are carried out; (4) the identification and communication of pertinent information; and (5) a monitoring process that assesses the quality of the internal control system’s performance.

An organization’s chief audit executive (CAE), who ideally reports directly to the audit committee on a functional basis and to the CEO administratively, can provide assurance that appropriate policies and procedures are followed in preparing the annual financial statement, and that there are adequate controls in place to mitigate the risks. The CAE also ensures that corporate governance entities are informed about new rules and regulations in order to achieve full compliance.

To meet the demands of the public and help restore investor confidence in America’s capital markets, Congress has passed legislation and the U.S. Securities and Exchange Commission (SEC) has issued regulations affecting corporate disclosures and financial reporting.

Specifically, the Sarbanes-Oxley Act of 2002 paved the way for sweeping reform by requiring additional disclosures and certification of financial statements by chief executive and financial officers. This new law challenges companies to devise processes that will permit senior officers to acquire the necessary assurances on which to base their personal certification. A key component of the certification process is the management of risk and internal controls over the recording and reporting of financial information.

Section 302 of the Sarbanes-Oxley Act outlines corporate responsibility for disclosure of both financial and non-financial information. The SEC has issued regulations to implement that section of the act. SEC Rules 13a-14 and 15d-14 require an issuer’s principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, to sign off on each quarterly and annual report, including transition reports.

Internal auditing should review and evaluate the disclosure controls and processes. The SEC defines disclosure controls as, “controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the [SEC’s] rules and forms.”

The SEC recommends that companies form a disclosure review committee comprising legal, investor relations, risk management, and financial business professionals. It is appropriate for the CAE to be an ex-officio member of the Disclosure Review Committee, to attend the meetings and provide counsel and recommendations in terms of the procedures and process, to read and review all of the filings and have input into the certification and sub-certification process. In order to preserve independence, however, the internal auditor should not be responsible for executing the duties of the committee.

Section 404 of the Sarbanes-Oxley Act requires an annual assessment of internal control to ensure financial statement accuracy. The internal auditors fill this need by evaluating the adequacy and effectiveness of controls throughout the organization. Their work includes an examination of the reliability and integrity of financial and operational information, the effectiveness and efficiency of operations, and the ways in which the organization safeguards assets and complies with laws, regulations, and contracts.

Some organizations that do not have internal auditing have recently begun to understand the critical role the function plays in achieving effective and efficient operations. Since the enactment of Sarbanes-Oxley, The Institute of Internal Auditors (IIA) has received numerous queries for advice and counsel on setting up an internal audit department. As a result, The IIA recently released a step-by-step how-to manual for establishing internal auditing. The Institute also provides Standards and best-practice guidance for internal auditors and actively works toward spreading the news about internal auditing’s role in effective corporate governance.

Although there has been much discussion about the changes brought about by recent legislation and regulations, many organizations have long followed best practices and effective models of internal control. They have never lost sight of their responsibility to investors. They have visibly demonstrated an integrity-rich tone at the top and have maintained strict adherence to their Code of Ethics. And they have fully and proactively utilized internal auditing’s capabilities. Well prepared to comply with Sarbanes-Oxley and other requirements, those organizations have yet to disappoint their stakeholders.

Simply good business

Corporate governance comprises the procedures utilized by the representatives of the organization’s stakeholders to provide oversight of risk and control processes administered by management.

According to The Institute of Internal Auditors (IIA), the four cornerstones of effective corporate governance are the audit committee of the board of directors, executive management, the internal auditors, and the external auditors.

When all of these entities work together well with healthy interdependence, internal controls are strong, reporting is accurate, ethics are maintained, oversight is effective, risks are mitigated, and investments are protected. Good corporate governance is simply good business.

For more, visit The IIA’s Web site at

Bishop, a certified internal auditor, is president of the Institute of Internal Auditors (

Founded in 1941, IIA is an international professional association with world headquarters in Altamonte Springs, Fla. IIA has more than 84,000 members in internal auditing, risk management, governance, internal control, IT audit, education, and security. For more information, contact Trish W. Harris at, 407-937-1245.
