Mind of Jacka: SOX, Internal Audit, and a Disturbing Number

Now, to the question. Is the news good or bad? Quick answer: Bad.

What? You want more? Fine, be that way.

Workiva recently issued a report titled 2020 State of the SOX/Internal Controls Market Survey. It contains some interesting information about how organizations are approaching U.S. Sarbanes–Oxley Act of 2002 compliance. But there was one stat that jumped up and smacked me upside my metaphorical head:

"45% of respondents identify internal audit as the owner of SOX compliance."

Let me be blunt. This is not a good thing. Sarbanes–Oxley compliance is not our job. And, when I see an internal audit shop in this position — in particular when I see them proud of this kind of involvement — I feel as if it's closing time and internal audit was the last one at the bar, just glad someone cared enough to say "Hi." It feels as if the department is accepting this responsibility under the pretense that someone needs to do it, the department has the expertise, and "Gosh, management asked us to do it, so they finally know we exist."

There are three major issues involved here, none of them shining a positive light on the internal audit department that takes on this responsibility.

First, I would make the argument that "owning" Sarbanes–Oxley compliance is a violation of the International Standards for the Professional Practice of Internal Auditng. I believe this is the quintessential example of being the control.

Second, a focus on Sarbanes–Oxley is a misuse of internal audit's limited services. To their credit, the authors of the report commented on this point, saying that the burden of Sarbanes–Oxley on internal audit teams is impinging on assurance review. And the report provides a couple of stats to back up this assertion: "31% of IA teams with SOX responsibility were spending more than 50% of their time on SOX" and "44% of these teams are only managing 1 to 10 operational audits." This is not risk-based audit. This is not added-value audit. This is not internal audit.

Finally, and perhaps most importantly, any audit department that accepts itself as the "owner" of Sarbanes–Oxley compliance is culpable in management's abdication of responsibilities related to controls. Management no longer needs to worry about Sarbanes–Oxley. It is no longer management's job to ensure Sarbanes–Oxley compliance. And management need not waste a smidgen of an iota worrying about Sarbanes–Oxley, except when those pesky internal auditors arrive. After all, it is internal audit's responsibility, not management's.

Sarbanes–Oxley compliance, while important, is not a crucial role for internal audit. In fact, if the most important thing your audit department can find to do is Sarbanes–Oxley compliance, then just go ahead and start stamping "irrelevant" across every workpaper.

I can barely spell SOX. I can't even change my SOX. There are holes in my SOX. The only SOX I know are White and Red and they play in Chicago and Boston. To say I have no experience in this area is like saying the Grand Canyon is the start of a semi-decent ditch. So, feel free to explain to me why I'm wrong. I'm more than willing to learn. And I am more than willing to hear how ownership of SOX by internal audit is a good thing.

But be forewarned. I do know a bit about internal audit. And the minute the word "ownership" rears its ugly head, my hackles rise.