US internal audit focus moving off Sox, says survey

A new Protiviti survey says US internal audit departments are returning to their roots

CALIFORNIA – Internal audit departments have moved away from their recent preoccupation with the Sarbanes-Oxley (Sox) regulation since its implementation in 2002, according to a new study by risk and internal audit consultants Protiviti.

The survey shows that a quarter of tested firms have rebalanced their focus towards traditional business as usual and away from compliance efforts – up from one in 10 companies in the previous study in 2005.

The four-month study ran from the Institute of Internal Auditors’ October 2006 ‘All Star Conference’ until January 2007, analysing the first wave of companies reaching the turning point of three years of Sox compliance – when 80% of the firms polled achieved rebalancing.

Highlighting firms’ progress, Protiviti’s managing director and head of global internal audit practice Bob Hirth said: “This process of rebalancing is tied closely to the development of a more efficient and sustainable approach to compliance, which is why it takes time to achieve.”

“At the same time, as a result of Sarbanes-Oxley, there is definitely more financial reporting control-related auditing being conducted, and there is a heightened focus on IT auditing, both of which are positive outcomes of the legislation,” Hirth said.

The study focuses on the importance of longer-term rebalancing, rather than a narrow focus on financial reporting at the expense of traditionally core functions and operations.

The study found that 47% of internal auditors said the top benefit of rebalancing away from Sox was performing traditional audits, ahead of other benefits such as better risk coverage – which came out top in 2005.

Hirth said: “This is a strong indicator that after more than three years of Sarbanes-Oxley compliance, internal auditors are ready for – and recognise a need for – the internal audit function to get back to basics.”

The traditional elements consist of assisting management and the audit committee in directing enterprise risk management, identification of potential fraud indicators and focused audits of higher risk operations such as IT security, business continuity, remote locations, revenue processes, capital construction, and other non-Sox compliance.

The survey concluded that rebalancing strategies are in continuous evolution, with the most common being reducing the population of controls, the number of key controls, and reliance for internal audit on external auditors – which remains largely internal but the survey predicted as the next trend in rebalancing.

While the process is in flux, the study also found that once initiated, 45% of firms achieved rebalancing within one year, 28% managing in less, owing to a high degree of creativity in re-scoping workload, increasing process ownership and shifting resources, rather than adding resources less efficiently as before.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact or view our subscription options here:

You are currently unable to copy this content. Please contact to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Most read articles loading...

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here