The Institute of Internal Auditors (IIA) has trotted out a position paper recommending the role internal auditors should play in a corporation’s compliance with Sections 302 and 404 of the Sarbanes-Oxley Act.
While Sarbox spells out the roles of management, audit committees, and external auditors, it’s silent on the parts internal auditors must play, the trade group stresses.
The 13-page paper, available on the IIA’s Web site, suggests that internal auditor involvement in compliance with the two section of the act should come in four areas: project oversight, consulting and project support,
ongoing monitoring and testing, and project audit.
Section 404 requires top management to sign assess the quality of a company’s internal controls over financial reporting and requires external auditors to attest to management’s assessment of the controls. Section 302 requires chief executives and CFOs to personally certify the accuracy of their companies’ financials.
The IIA proposes that management and the audit committee should depend on the internal auditor to:
Participate on project steering committees, providing advice and recommendations to the project team and monitoring the progress and direction of the project.
Be a “facilitator” between external auditors and top executives.
Provide existing internal audit documentation for processes being reported on.
Advise management on best practices in documentation standards, tools, and test strategies.
Provide line managers and executives with training on project, risk, and control awareness.
Perform a quality assessment of process documentation and key controls before financial information is handed off to the external auditor.
Advise management on the design, scope, and frequency of tests to be performed.
Be an independent assessor of management’s testing and assessment processes.
Test management’s basis for its assertions and then help identify control gaps and review management plans for correcting those gaps.
Put together discussions between management and external auditors on the scope and plans for testing auditing projects.