
be directly involved with performing those reviews, either as independent internal auditors or as agents for their external audit firm. This approach allows internal audit to devote more time and resources to other audit projects similar to those described in other chapters of this book. This also may be the only alternative for a very small internal audit function.

The chief audit executive (CAE), senior financial management and the audit committee should work with the external auditors to define responsibilities for the required Section 404 internal control reviews. In some cases all parties will decide that it is most efficient for management, other than internal audit, to take the second approach described earlier. External audit might make arrangements with internal audit to review and assess the adequacy of that internal controls review work. Internal audit would be working for external audit in reviewing and attesting to the results of those internal controls reviews but would not be performing the actual reviews. As mentioned, this type of arrangement will save on overall external audit costs by giving internal audit an important role in helping external audit achieve the Section 404 review objectives. The negative side of this arrangement is that the management team or the consultants assigned often do not have the time, resources, or even training to perform these internal controls assessments. This arrangement only works effectively when an organization has another internal audit-like function such as a strong quality-assurance or risk assessment function. These are groups that understand how to review, document, and test internal control processes.

In alternative 1, internal audit performs the review work for corporate financial management for a subsequent but separate and independent assessment by the external auditors. The positive side of this arrangement is that internal audit is often the best and most qualified resource in the organization to perform these reviews. They understand internal controls, testing procedures, and good documentation techniques and often have the skill to effectively review supporting information systems applications. Although this arrangement will involve more external audit resources, this may be an effective way to complete the Section 404 review requirement. All parties must realize their roles and responsibilities here. Section 404 reviews are an annual process, and an organization and its internal audit function can change that strategy in future years. There is no reason why the strategy selected should be the same every year going forward, except that changes always introduce increased costs and added time spent relearning approaches. All parties should develop an approach that appears most cost-effective to achieve these legally mandated detailed SOA requirements.

(c) Launching the Section 404 Compliance Review: Organizing the Project

Compliance with SOA Section 404 places a major challenge on SEC-registered organizations. While some may have previously taken a hard look at the COSO internal control framework, described in Chapter 4, and evaluated their internal controls using that framework, others may not have completed a COSO internal controls review in any level of detail. Organizations and internal audit functions that previously evaluated their own controls, in a COSO context, almost certainly have some work ahead, but at least should have an understanding of their internal controls environment. A second group may have relied on their external auditors who issued favorable financial reports, with only limited internal control work, as well as having relied on internal audit, who has been reviewing internal controls in various selected areas but never in totality. This second group faces a potentially major challenge in completing their assessment of internal controls. A third group is the often-smaller organizations that have given little attention to documenting their internal controls and frequently have a small, understaffed internal audit function as well. The latter are potentially facing a major challenge in establishing Section 404 compliance.

An effective internal audit function should play a major role in helping an organization get ready for SOA and its Section 404 compliance. The external auditors that once did some internal financial controls assessment work as part of their annual audits are no longer directly responsible for these reviews. As discussed, those external auditors will review and attest to management’s internal financial controls assessment report but cannot do the work themselves. As discussed in the prior sections, there are some very qualified and excellent consulting firms to help an organization achieve SOA compliance, but the effective internal audit function should be in a key role to aid senior management here. Based on the IIA standards discussed in Chapter 12, “Internal Audit Professional Standards,” internal audit should not be directly responsible for implementing the internal financial controls testing and documentation program that they will eventually be requested to review. They should not assume the role of project manager, but only play an active participant role on the implementation team. Internal audit’s role in auditing new systems under implementation is a good example. Typically, internal auditors will serve on the team that is installing a new application and will recommend internal control improvements as the new application is being developed. However, they are not responsible for installing those changes or for the overall new system. Thus, they can return later and review the new system while maintaining their independence.

An internal audit function should begin its Section 404 compliance review process by launching a formal, special project. While the actual project would vary based on the extent and sophistication of an organization’s internal control processes, the project could be launched following these steps:

1. Organize the Section 404 Compliance Project Approach. Assign a