2025 marks the 23rd anniversary of the passing of the Sarbanes-Oxley Act (SOX).

In 2002, SOX requirements brought Internal Audit to the forefront, as internal auditors were and are uniquely positioned to support management with SOX compliance given their expertise in financial reporting, internal controls, and independence.  

However, one of the unintended consequences of SOX is that Internal Audit functions have been overwhelmed by the focus on SOX. Worse, Internal Audit is seen by some as purely “SOX auditors,” as opposed to risk-informed professionals with broad business acumen who serve as trusted advisors to the most senior leaders in the organization. 

So how can Internal Audit elevate beyond just compliance? 

Internal Audit’s Critical Value

An effective Internal Audit function is essential to more than just SOX. It serves to:  

  • Protect company health and stability. 
  • Promote sound corporate governance and ethical behavior. 
  • Establish proactive risk management and risk advisory services. 
  • Baseline strong compliance and compliance testing practices. 
  • Identify and mitigate risks of fraud, cyberattacks, financial report misstatements, and more. 
  • Assess and improve internal control operating effectiveness. 
  • Collaborate with accounting firms and the audit committee/external auditor.  
  • Provide assurance of the accuracy and reliability of financial information and the financial reporting process. 

If your Internal Audit function has been mired in the details of SOX compliance requirements – or if your department’s initial charge was to support management’s SOX control and testing program after going public – here are three steps to help your Internal Audit team lift up, look out, and expand risk coverage.  

1. Ask Stakeholders What Their Most Critical Priorities Are 

For Internal Audit to maximize its value and impact on the organization, it needs input from its stakeholders so it can best address unmet needs.  

If “beauty is in the eye of the beholder,” then the value of Internal Audit is in the eye of its stakeholders. So ask them what they value and need. 

Ask your stakeholders what is front of mind – what do they care about? What are their most critical priorities today? What services are needed near term and long term? 

While this process often happens during the Internal Audit Risk Assessment, don’t limit these conversations to predetermined risk assessment timeframes. Lead with continual, open lines of communication so internal auditors can strengthen working relationships and provide insights that cannot be gained elsewhere.  

2. Align With Opportunities and Address the Gaps 

With insight into what stakeholders are focused on, consider:  

  • Where management is focusing yet could use an independent perspective to ensure strategic objectives are being met (e.g., robust internal controls for financial data). 
  • Where management is not focusing and needs additional support (e.g., emerging non-financial risks and third-party risk management). 
  • What needs to go right for management’s strategy and objectives to be successful. 

These gaps are strategic and competitive opportunities. As internal audit activity is re-oriented to more of these value-adds, the organization as a whole builds deeper and more unique core competencies. Internal auditors themselves can also inquire and assess where they can level up their departmental capabilities: 

  • Where do controls and other risk mitigation strategies fall short of addressing the risk priority?  
  • Can current controls be enhanced for greater coverage, or are new ones needed?  
  • What is our internal control maturity, knowing the organization intends to become a public company soon or otherwise engage in a major transaction event? 
  • Is additional training and follow-through needed?  

In addition to Internal Audit’s usual assurance activities, the IIA’s International Standards for the Professional Practice of Internal Auditing (“Standards”) specifically allow internal auditors to perform “consulting” activities through the Internal Audit function. This significantly increases the types of projects that Internal Audit can perform – and they don’t all have to be based in providing assurance.  

Depending on the gaps identified, below are some value-add activities that Internal Audit can, and in many cases should, perform to address those gaps:  

  • Risk assessments. 
  • Policy and procedure reviews. 
  • Control gap assessments. 
  • Root cause analyses. 
  • Process efficiency reviews and benchmarking assessments. 
  • Cost-benefit analyses. 
  • Strategic initiative reviews – advisory input and postmortem assessment. 
  • Training. 
  • Culture surveys. 
  • Internal investigations. 
  • Supporting the M&A lifecycle from diligence through integration. 

3. Iterate and Improve 

After working to address the gaps, go back to your stakeholders and ask, “How did the plan and activities work?”  

If you don’t receive constructive feedback – question that. Rarely is anything so perfect that no feedback can be offered.  

The priorities and gaps from last year – or even last month – have likely evolved. This is intel and feedback Internal Audit needs for a productive audit plan.  

Internal Audit should evolve in tandem with business demands, leveraging the latest automation, analytics, and AI tools to continuously innovate. For instance, use of data analytics enables internal auditors to view 100% of the population, rather than a sample, and can greatly enhance the assurance the audit function can provide. If common fraud risks appear to be mitigated, Internal Audit should think outside the box to identify unusual or unexpected risks that may be specific to the organization, its employee base, and its industry. Data analytics is one of the most effective anti-fraud controls. 

As internal auditors focus on looking beyond known risks to emerging and potential risks, breaking down silos, and increasing coordination, below are key considerations to help elevate the maturity of internal audit functions: 

  • Analyze current state: Perform a needs and feasibility assessment of the department’s current state for technology integration, keeping culture and risk exposure top of mind.  
  • Implement: Consider the use of advanced analytics, real-time reporting or dashboards, and integration of internal technologies with people, processes, and external technologies. Invest in a GRC tool. 
  • Automation: Start thinking about a roadmap for automation. Start small. 
  • Monitor: Measure realistic KPIs to assess what’s working and what isn’t. 

Twenty-three years later, SOX compliance remains critically important to the financial reporting integrity of public companies. But to maximize Internal Audit’s value to the organization, it needs to expand its focus well beyond SOX and continually assess the broader risk landscape to enable Board and C-Suite decision-making. 

To fully capitalize on the value Internal Audit can bring to your organization, contact CrossCountry Consulting today. 

Connect with an expert

Mike Visconti

Integrated Risk Management

Contributing authors

Maya Shenoy