IIA recommends SOX update

The Institute of Internal Auditors is calling on Congress to "modernize" the Sarbanes-Oxley Act of 2002 by adding provisions related to internal auditing.

The IIA released a position paper Tuesday with a set of recommendations for lawmakers who may be evaluating the effectiveness and cost of SOX compliance. The paper points to the effort last year to transfer the responsibilities of the PCAOB, which was created by the Sarbanes-Oxley Act, over to the Securities and Exchage Commission. That provision was included in the version of the One Big Beautiful Bill Act that the House passed last year, but the Senate Parliamentarian struck it from the Senate version last June since it didn't fit within the rules for a budget reconciliation bill. 

Also last June, the paper noted, the House Financial Services Subcommittee on Capital Markets held a hearing regarding the cost of SOX compliance.

"These activities indicate a potential enhanced interest by some Members of Congress in revisiting the law, said the paper. "While SOX does not explicitly recognize the role of internal audit, the PCAOB has acknowledged the profession's place within the broader compliance and assurance ecosystem."

The IIA said it believes this is an important step, but Congress and the PCAOB should do more to strengthen organizational assurance by more fully integrating internal audit into SOX compliance. 

"In light of recent congressional actions, should a SOX legislative window of opportunity occur, The IIA seeks, through this paper, to proactively provide Congress and relevant federal regulators with its recommendations on how SOX and its implementation might be improved, specifically as it relates to SOX's relationship to the internal audit profession," said the paper.

It includes a number of recommendations in case that happens.

• Enhance legal and regulatory clarity by codifying the definitions of "internal auditing" and the "internal audit function" and recognizing the profession's standards, roles and responsibilities in providing assurance to governing bodies and executive management while supporting SOX compliance.
• Reexamine contemporary understandings of compliance in relation to Sections 302 and 404 of SOX, with particular attention on the role internal audit functions play in helping organizations meet these requirements.
• Strengthen the partnership between internal and external auditors to improve coordination across the broader assurance ecosystem.
• Explore opportunities for SOX compliance cost reductions, including through the use of emerging technologies and more effective collaboration with internal audit functions.
• Encourage deeper engagement between regulators and the internal audit profession, ensuring that internal auditors have a voice in policy discussions and that stakeholders better understand the value internal audit provides in protecting investors and capital markets.

"Since its enactment more than two decades ago, SOX has served as a cornerstone of corporate governance, financial reporting integrity, and confidence in U.S. capital markets," said IIA president and CEO Anthony Pugliese in a statement Tuesday. "As the risk landscape continues to evolve, it is important that SOX evolves with it. Policymakers and governance leaders have an opportunity to ensure the law continues to protect investors and strengthen financial markets while also promoting greater efficiency and reducing unnecessary compliance burdens."