Risk & Compliance

Internal Auditors Find Control Gaps

Most companies have flaws in their framework for complying with Section 404 of Sarbanes-Oxley, survey finds.
Stephen TaubMay 26, 2004

Section 404 may be one of the smaller sections of the Sarbanes-Oxley act (168 words, to be exact), but it’s creating a mountain of work for finance managers.

In fact, according to a newly released survey, 182 out of 200 internal auditors said their employers have identified gaps in their internal controls framework. That’s 91 percent of the respondents. This, despite the fact that the SEC has twice pushed back the compliance deadline for Section 404 of Sarbanes-Oxley.

The survey, which was conducted jointly by audit firm Jefferson Wells International and the Institute of Internal Auditors, also revealed that many companies still have a ways to go to get into compliance with 404. In fact, only 2 of 200 internal auditors surveyed indicated that their companies had wrapped up their work on Sarbox.

Not surprisingly, lack of resources — brought on by years of cuts to corporate finance departments — has played a big part in slowing the compliance efforts of the surveyed companies. “Understaffed finance departments limit the ability to effectively segregate duties throughout the organization,” the study’s authors noted. “These constraints make it challenging to establish sufficient checks and balances, and often result in an inadequate amount of documentation on the duties and internal controls attached to specific positions.”

Indeed, nearly a third of the respondents said the gap in their internal controls stemmed from a lack of process control-related documentation. Another 23 percent pointed to problems with their formal review and approvals process, while 19 percent cited segregation of duties.

To help meet the new deadlines for 404 compliance, half of the surveyed auditors said their companies are relying on co-sourcing relationships with external service firms. In fact, when prompted to explain the main reason for engaging a third party, the largest percentage of respondents once again pointed to resource constraints (54 percent) and to a need for greater expertise (24 percent).

The auditors were also asked to identify the three biggest challenges their employers face in implementing Sarbox. Again, the most oft-cited reason was “not enough resources and/or time constraints,” identified by slightly more than half of the respondents. That was followed by “documentation issues,” singled out by about a quarter of the survey participants.

The survey also tried to get to the heart of an internal auditor’s job demands. For example, about half of the respondents said the internal audit function at their companies has direct Sarbanes-Oxley project-management responsibility. Nearly a third of the auditors reported that Sarbox compliance took up 70 to 100 percent of their work. Another 23 percent estimated that Sarbanes-Oxley projects eat up around half their time.

While the survey found that few companies have completed their Sarbox projects, a third indicted they are now at the documentation stage. Another 33 percent are even further along: The controllers at those companies said they were now at the testing stage.