Chapter 11. Internal Audit in a Sarbanes-Oxley Environment

Although the internal audit function has historically been a key resource in helping enterprises build effective internal controls, it was given short shrift in the initial days of Sarbanes-Oxley (SOx). Internal audit was barely mentioned in the SOx legislation, and some advisory consulting firms argued at the time that internal auditors should have little if any role in helping their enterprises define and document SOx internal controls. Their argument was that internal auditors were not truly independent: if internal auditors helped their enterprise develop that first round of SOx Section 404 internal control documentation, they could not come back later and objectively audit the internal controls they had helped to design. Because of these concerns, some internal audit functions effectively sat on the sidelines in the first years of SOx Section 404 reviews while enterprise financial management, in many cases, brought in outside consultants to document and assess internal controls for their external auditor attestations.

With the ongoing enterprise need for people with internal auditor-like skills, however, this environment has certainly changed, and internal auditors today are enjoying a SOx-inspired renaissance. Several factors have driven this change. First, the external auditor rules for SOx assessments of internal controls have changed. The new Auditing Standard No. ...

Get Sarbanes-Oxley Internal Controls: Effective Auditing with AS5, CobiT, and ITIL now with the O’Reilly learning platform.