Deloitte & Touche LLP
 
Exploring the role of internal audit in the certification process
CEO/CFO Certification News, October 2005
The challenges associated with complying with the new reporting and certification requirements have been felt throughout organizations. Among the business functions most significantly impacted by the new rules is internal audit. While the roles CEOs, CFOs and audit committees play in this process are relatively defined, that cannot be said for internal audit.

Given the need for independence in the current regulatory environment, there is some confusion around the roles that internal audit can and should play. Each organization is unique and must make its own decisions regarding the appropriate role of its internal audit function – there is no “one size fits all” solution. Experience shows, however, that internal auditors can generally play one of three roles in the certification process.

Defining the roles of the internal auditor
Depending on an organization’s needs, budget, time constraints, and related factors, internal auditors can assume a number of roles within an organization’s certification process. That said, some responsibilities are more suited to the internal audit function than others. Here’s an overview of the primary roles internal auditors can play:

1. Traditional role
The least involved role that internal auditors can play is to fulfill the traditional role of monitoring compliance activities and reporting on management’s performance. While this remains an option, it is not necessarily the most appropriate one, as it prevents organizations from benefiting from the internal control skills and competencies that internal auditors can bring to the table. For instance, internal auditors possess experience in a wide range of areas, from business process analysis and risk management to forensic accounting and financial, operational, compliance, and information technology control testing. Therefore, it often makes good sense to turn to internal audit for assistance in the certification process.

2. Active participation and monitoring role
The second role internal auditors can play in the certification process is to assume an active role that sees them consulting on a range of issues designed to add value to the organization’s certification process, including:

  • Liaising between external auditor and management
  • Assisting in the development and training of management personnel involved in conducting certification documentation and testing
  • Performing quality assurance reviews of documentation and testing
  • Conducting ongoing monitoring (design, scope and frequency) of testing and remediation activities

When assuming this type of role, internal auditors should generally report their results to the audit committee as well as to management to help ensure appropriate levels of independence and objectivity. This type of carefully defined relationship tends to encourage the free flow of communication regarding issues between the internal auditors, management and the audit committee, helping to support the organization in its efforts toward successful certification.

Admittedly, it is not always possible for the internal audit function to achieve this “ideal” role in all areas of compliance. Each organization has its own set of circumstances related to internal controls, and its own set of resource constraints. The role your internal audit function plays, therefore, will depend on your organization’s size, industry, geographic dispersion, budget, IT infrastructure, board and management preferences, and the skill set and experience of your personnel. It will also depend on your compliance timeline. For instance, organizations with less time to comply with the certification requirements tend to task their internal auditors with a more hands-on role.

3. Management assertion testing role
In some instances, internal auditors are asked to become key contributors to management’s testing process in more complex areas such as entity controls. This can prove beneficial not only because of the expertise that internal auditors bring, but also because external auditors can place high reliance on that work if the internal audit function is deemed to be competent and independent. Notwithstanding the assistance that internal audit may provide with management’s testing, the following activities must remain management’s responsibility:

  • Setting the “risk appetite”
  • Creating risk management processes
  • Responding to risks and making control decisions
  • Concluding on classification of deficiencies
  • Determining the approach to remedy control deficiencies
  • Ongoing monitoring of changes in the control environment and to financial reporting controls

Leveraging opportunities and understanding limits
Without question, internal audit can provide tremendous value and assistance supporting the organization’s certification initiative. However, determining the appropriate balance for your organization of hands-on assistance versus independent oversight is vitally important. Here’s a quick summary of both recommended and likely inappropriate roles that internal audit can play in certification:

Recommended certification roles of internal audit include:

  • Actively participating on, and monitoring, projects
  • Acting as a liaison between the external auditor and management
  • Conducting quality assurance reviews and training
  • Conducting ongoing monitoring and testing of internal controls over financial reporting
  • Training and educating staff and audit committees on controls
  • Consulting on the sustaining process
  • Playing an advisory ex-officio role on committees (disclosure/steering)

Recommended roles of internal audit by certification stage include:

  • Planning and scoping: Providing advice and recommendations; participating in project team planning
  • Documentation: Advising management on processes to use; conducting independent quality assurance
  • Testing and assessment: Assessing management’s documentation and testing; performing effectiveness testing; helping to identify and assess control gaps; facilitating management discussions
  • Deficiency management: Performing follow-up reviews and independent validation that remediation has been implemented
  • Reporting: Facilitating and providing advice on management reporting; acting as a coordinator between management and external audit; assisting management in providing updates to the audit committee
  • Monitoring: Performing periodic assessment of the certification process
  • Ongoing controls education and training

The role of management always includes:

  • Quarterly and annual assessment of internal control
  • Decision-making oversight
  • Setting “risk appetite”
  • Creating risk management processes
  • Risk response decisions
  • Continuous monitoring of changes in the control environment and to financial reporting controls
  • Making decisions to adopt or implement recommendations made as a result of an internal audit

Inappropriate activities for the internal audit function include:

  • Establishing and deciding on compliance processes
  • Substantially performing management’s testing of control effectiveness
  • Extending any compliance project manager role to being the primary decision-maker as to acceptability of work product or authorizing redirection of resources
  • Making final decisions on control design and operating effectiveness, deficiency classifications, whether and what to remediate, and the sufficiency of information produced from which the assertions are to be made
  • Implementing new processes or controls to remediate identified control gaps
  • Assuming responsibility for specific operations
  • Designing, installing, and drafting procedures for, or operating, system controls

Ultimately, the role assumed by your internal audit function will depend on your organization’s unique needs and resources. However, in assessing appropriate internal audit activity, it remains imperative to assess where ultimate decision-making responsibility lies. Management is solely responsible for the system of internal control over financial reporting. Internal audit may serve management in many capacities – but its responsibilities should never cross the line into a decision-making role.

Additional areas of internal auditor involvement in corporate governance
Although the role internal audit can play within the certification process may vary, internal auditors generally have a much broader role to play within an organization from a risk and governance perspective. As organizations create an annual sustained certification process, internal audit can begin to re-focus on other risk areas to fulfill its mandate, including:

  • Fraud programs: Given the focus on fraud deterrence, it makes sense for internal audit to provide advice and assistance to management in the implementation of a robust anti-fraud program.
  • Risk management: Proper risk management lies at the heart of an effective internal audit function. According to the Institute of Internal Auditors (IIA), “Internal auditing’s core role with regard to enterprise risk management (ERM) is to provide objective assurance to the board on the effectiveness of an organization’s ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.” A risk-focused internal audit function, therefore, will provide assurance on risk management processes and risk evaluation, will evaluate the risk management processes and risk reporting, and will review the management of key risks.
 

About CEO/CFO Certification News

This is a bimonthly publication of interest for companies dealing with the requirements for CEO/CFO certification.

For more information, email ceocfocertnews@deloitte.ca

 
Source: Deloitte & Touche LLP - Canada (English)


© 2008 Deloitte & Touche LLP and affiliated entities.
