Internal Audit

The internal audit function must maintain a direct reporting line to the audit committee to ensure its independence from executive management. This structural autonomy allows auditors to report on sensitive issues involving the control environment without fear of professional retaliation. The audit committee utilizes these reports to evaluate the adequacy of the company's financial reporting processes and its system of internal controls. SJKP LLP advises audit committees on how to structure these reporting lines to satisfy the rigorous independence standards required by the Securities and Exchange Commission (SEC) and various exchange listing requirements.

Internal Audit is a central pillar of the GRC framework, providing the verification necessary to ensure that risk management strategies are being executed according to plan. A well-integrated GRC program allows for the real-time identification of compliance gaps and the alignment of business objectives with regulatory obligations. By focusing on the governance aspect, internal auditors evaluate how decisions are made and how accountability is maintained across the enterprise. This holistic view is essential for preventing the systemic failures that often lead to catastrophic regulatory exposure.

Objectivity is the hallmark of the internal audit profession, requiring that auditors have no personal or professional involvement in the activities they audit. This independence is not merely a professional courtesy but a jurisdictional requirement for the findings to be considered credible by external regulators. Internal auditors must be free from any influence that could impair their judgment or bias their reporting. We provide the technical oversight needed to audit the auditors, ensuring that your internal function maintains the highest standards of professional conduct and evidentiary integrity.

The development of an audit plan begins with the identification of the company’s "risk universe," which encompasses all potential areas of operational, financial and regulatory concern. Auditors then prioritize these risks based on their likelihood of occurrence and the magnitude of their potential impact. This process requires a deep understanding of the current federal enforcement posture and the specific regulatory triggers that impact the company’s industry. SJKP LLP assists clients in refining these audit plans to ensure they are sufficiently aggressive to satisfy the expectations of both internal boards and external regulators.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides the gold standard for internal control frameworks used by internal auditors. The COSO cube defines five integrated components of internal control: control environment, risk assessment, control activities, information and communication and monitoring activities. By aligning audit activities with these components, the internal audit function provides a comprehensive evaluation of the organization's defensive posture. We provide the incisive insight required to interpret COSO standards in a way that enhances your enforcement readiness.

In the digital age, traditional periodic audits are often insufficient to capture the rapid evolution of corporate risk. Many sophisticated internal audit functions are moving toward continuous monitoring, utilizing data analytics to identify control deficiencies in real-time. This allows for immediate corrective action before a minor error evolves into a systemic compliance failure. We advise on the implementation of these advanced monitoring tools, ensuring that your data collection methods are legally defensible and provide a clear audit trail for future review.

Control activities include the specific actions established by management through policies and procedures to help ensure that risk responses are carried out. These include authorizations, verifications, reconciliations and reviews of operating performance. Internal auditors perform "walkthroughs" of these activities to confirm that the documented process matches the actual behavior of employees. SJKP LLP provides the clinical legal analysis needed to evaluate whether your control activities meet the "reasonable assurance" standard required by federal law.

A fundamental component of a strong control environment is the segregation of duties, which ensures that no single individual has control over all aspects of a transaction. This is particularly critical in financial systems and procurement processes where the potential for misappropriation is highest. Internal auditors also evaluate digital access controls to ensure that sensitive data is only available to authorized personnel. We audit these access protocols to identify potential vulnerabilities that could be exploited by external threats or internal actors.

Design effectiveness is only half of the equation; internal auditors must also test for operating effectiveness to ensure that the controls are actually working in the field. This involves selecting a sample of transactions and verifying that the required control activities were performed and documented correctly. If a control fails the test, it must be reported as a deficiency and prioritized for remediation. Our firm specializes in the technical oversight of these testing protocols, ensuring that your internal audit findings are based on statistically significant data that can withstand jurisdictional scrutiny.

When a control deficiency is identified, the internal auditor must look beyond the immediate symptom to find the underlying root cause. Whether the failure resulted from inadequate training, poor system design or a lack of management oversight, the remediation plan must address the core issue. SJKP LLP assists management in developing corrective action plans that are both practical and legally robust, ensuring that the remediation satisfies the expectations of federal regulators.

Once management claims that a deficiency has been remediated, the internal audit function must perform "follow-up testing" to verify the fix. This prevents the organization from reporting a false sense of security to the board or the audit committee. If the re-testing fails, the remediation process must begin again with a more aggressive approach. We oversee this verification process to ensure that your remediation tracking logs are accurate and reflect the true state of your control environment.

Even after remediation, some level of "residual risk" will always remain within any complex business process. Internal auditors must clearly communicate this residual risk to the audit committee so that the board can determine if the risk level is acceptable to the organization. This transparent communication is essential for maintaining the board's informed consent and protecting individual directors from liability. We provide the incisive insight required to draft these risk disclosures in a way that is transparent yet professionally balanced.

Under normal circumstances, internal audit reports are not protected by the attorney-client privilege because they are considered a business function rather than a request for legal advice. However, if an audit is conducted at the specific direction of legal counsel to assist in providing legal advice, a limited privilege may apply. SJKP LLP provides the authoritative oversight needed to structure these "privilege-sensitive" audits, ensuring that the organization can identify risks without creating an unprotected evidentiary trail for adverse parties.

The work-product doctrine may protect documents prepared in anticipation of litigation, but this protection is often narrower than the attorney-client privilege. If the internal audit function utilizes third-party consultants to assist in a high-stakes review, the engagement must be managed through legal counsel to maintain the highest level of protection. We provide the technical oversight for these complex engagements, ensuring that all third-party work is performed under the umbrella of legal privilege whenever possible.

Enforcement readiness requires that the internal audit function maintains a "clean" record of its activities, including workpapers, evidence and correspondence. If a federal agency initiates a review, the organization must be able to demonstrate that it has a disciplined audit process and a history of addressing deficiencies. Any gaps in the audit record can be interpreted by regulators as evidence of a weak control environment. We provide the clinical legal analysis needed to ensure that your audit documentation is professional, consistent and prepared for potential jurisdictional review.

Systematic and periodic reviews of business processes allow the organization to evolve in lockstep with the changing legal environment. Internal auditors identify emerging trends and regulatory shifts that could impact the company’s operations, allowing for proactive adjustments to the compliance program. This cycle of continuous review and improvement ensures that the organization remains agile and responsive to external pressures. SJKP LLP advises on the long-term strategic planning of the audit function to ensure it remains aligned with the company’s growth objectives.

Federal regulators often evaluate the "culture of compliance" within a corporation when determining the severity of penalties for an accidental violation. A robust, well-funded and independent internal audit function is the most persuasive evidence that a company takes its regulatory obligations seriously. By documenting a consistent history of risk identification and remediation, the organization can build a reservoir of goodwill that may prove invaluable during an enforcement action. We help our clients leverage their audit function to build this essential institutional credibility.

The future of the internal audit function lies in the integration of data analytics and artificial intelligence to identify anomalies and trends that are invisible to the human eye. These tools allow for a more granular and comprehensive review of corporate activities, significantly enhancing the effectiveness of the control environment. However, the use of these technologies also introduces new risks that must be managed. SJKP LLP provides the technical oversight needed to integrate these emerging tools into your audit process while maintaining strict adherence to evidentiary standards.