In either event, internal audit often did not have the attention of management to effectively perform their ongoing reviews of internal controls and other audit activities. For many, this first year of achieving Section 404 compliance has been a difficult and time-consuming task. And it is not over quite yet.

Even if they were not heavily involved with that first year of SOX Section 404 work, internal auditors are ideal catalysts to help their organizations to reevaluate and somewhat rethink that first and often very hard year of effort. Some SOX-related internal audit projects to help make the next year a perhaps a little more painless for an organization include:

I. Auditing the Section 404 Compliance Project – Lessons Learned

No matter what their role during the first round of Section 404 compliance work, internal audit should launch a "lessons learned" type of evaluation audit covering the overall SOX project but with an emphasis on the Section 404 work. Internal auditors often perform similar types of reviews such as an audit of the results of an IT disaster recovery test. These are not audits – to use that old line – to visit the battlefield after the battle to shoot the wounded. Rather, this is the type of audit where internal audit should rely on its project oriented skills and abilities to look at what happened and how it could be done better in the future. Even if the SOX Section 404 project went extremely well, this is a time to consider what could be done more efficiently and effectively in the future.

The Section 404 project should have been managed similar to any other major project activity, such as for the installation of a new information system. This would include a definition of the tasks to be accomplished, documentation describing how the various project elements are linked together, some type of progress reporting process, and a mechanism to keep track of the time and expenses. Internal audit should look at this past 404 exercise in terms of how the project was managed and to identify a series of "lessons learned."

II. Cleaning up Reported Control Deficiencies

Almost all organizations ended up with a list of control deficiencies, ranging from major to minor as part of their Section 404 work. After the initial work was completed and assuming there were no major items on this list, it becomes easy to forget them until "next time." However, that next time will soon arrive. Internal audit can perform a real service to management by taking responsibility for this deficiency reporting process. This is very similar to the process of following up on the status of internal audit report findings and recommendations. This is a natural ongoing activity for any internal audit group.

III. Keeping SOX Documentation Current

Many organizations completed their 404 work with a mixture of hard and soft -- paper and computer systems based -- documentation that often was not organized all that well. A plant controller at a remote location, for example, may have ended up with several three ring notebooks of documentation placed in the controller’s office. That arrangement works as long as that same controller stays on the job. However, we all know how often organizational charts and people change. Internal audit should review the existing documentation retention standards, determine that all key processes have been covered, and then perform some limited tests to determine that the documentation is still in place. It is far better to know where things are located at present than to have to do a frantic search for the next round of Section 404 work.

IV. What did it Cost?

Virtually every organization soon found that the entire compliance exercise was very expensive. However with the tight due dates and many outside consultants involved in the process, there often was little attention given to monitoring the cost of this project. Internal audit might perform a real service to management by performing an audit of the costs associated with this compliance. They may find such things as departments that charged totally non-applicable expenses to their Section 404 project. In any case, such an after-the-fact audit will allow financial management and the audit committee to have a better understanding of the costs associated with SOX going forward.

V. Initiating a Continuous Improvement System

Audits of the past SOX Section 404 work will be much more valuable if those "lessons learned" can be turned in to some positive suggestions for improvements. Internal audit should initiate an ongoing process to work closely with the audit committee, financial management and their external auditors to improve the process as we move in to the future. 

VI. Internal Audit’s SOX Role Going Forward

The basic requirements of Sarbanes-Oxley and its section 404 will certainly not change all that much in the short term years. Things hopefully will be less focused on paperwork and more on substance, but organizations will soon be faced with another round. Since much of the documentation has been done, things should be easier going forward. Internal auditors should keep themselves very aware of this process and its ongoing changes. Rather than bringing in teams of outside consultants, who are difficult to locate in future period, they should consider taking a more active and ongoing role in many aspects of SOX compliance.

ROBERT R. MOELLER is the author of Brink's Modern Internal Auditing, 6th Edition (Wiley 2005) and Sarbanes-Oxley and the New Internal Auditing Rules (Wiley 2004). He is an internal audit specialist and project manager with a strong understanding of information systems, corporate governance, and security. A CPA, CISA, and a CISSP, Moeller has managed several information systems audit functions and served as audit director for Sears Roebuck. In the late 1990s, Moeller launched a business, Compliance and Control Systems, that delivered seminars throughout the United States on corporate governance, COSO, and the importance of Codes of Conduct well before Sarbanes-Oxley and today’s interest in those areas.