Responsibility for SOX 404
We know that management is responsible for implementing and executing internal control over financial reporting, but who should have responsibility for carrying out the assessment process required for reporting under SOX 404?
In the early days of 404 compliance, the job typically fell to companies' chief audit executives and their staffs, who stepped up to the plate big time. Studies show that internal audit functions spent one-half or more of their resources dealing with this new role. Given internal audit's knowledge, skills, and experience, there's typically no better group to comprehend, document, and test the enterprise's internal control over financial reporting, or to monitor remediation efforts.
Chief audit executives with whom I've worked have found that their groups' performance with 404 received high marks. Their ability to quickly grasp the scope of the 404 initiative, mobilize staff, coordinate with others internally, and provide expert guidance in documenting and testing controls enabled many companies to meet deadlines with positive results. Even in companies at which senior management and audit committee members already held internal audit in high esteem, there was a newfound appreciation of the chief audit executive's ability to provide critical leadership under intense pressure.
Another result has been greater attention from audit committees on internal audit's resources, positioning the function to better carry out its mission. ...