Sarbanes-Oxley compliance (SOX) is more routine than in the past but continues as a major distraction to the internal audit profession.  The continued PCAOB scrutiny, with published Inspection Report Findings, continues to pressure external audit firms performing 404 Reviews, who in turn require expanded SOX compliance activities at their clients to earn a “clean” opinion.  More recently, cybersecurity and data governance have garnered a lot of attention and resources.  Perhaps lost in these distractions is the appropriateness, accuracy and availability of the information management needs to effectively direct and oversee the strategic, financial and operational objectives of the business.  Certainly, compliance professionals can “walk and chew gum at the same time”, but is scrutiny of the most important business information “taking a back seat”?

Financial accounting reports follow generally accepted accounting principles (GAAP).  The users of financial accounting results are mostly external parties to the organization (investors, analysts, banks, government).  Financial accounting is of some value for management, mainly to retrospectively compare their results to others in their industry using the same baseline accounting principles (GAAP).  Managerial accounting provides organizational leaders with the accounting information to run the business, assess current performance, and forecast future performance.  This information is critical to directing operations, setting near term funding needs, and communicating goals to internal stakeholders.

Much of the Management Discussion and Analysis (MD&A) section of financial filings and the information discussed on the earnings call is the information management uses to assess performance.  This information falls more in the realm of managerial accounting.  How deeply do we audit this information?  Do we only make sure there is evidence that it is prepared and reviewed with appropriate sign-offs, or do we audit the accuracy of the information?  Do we question the appropriateness of the information versus other managerial accounting measures that perhaps give better insight into the performance of the firm?

Management accounting helps management to discern between value-added activities and those activities that do not add value.  Financial accounting only concerns proper classification of the expenditures related to either activity type.  While it is certainly helpful to understand the cost of activities, it is much more important to identify and eliminate wasteful activities and, moreover, to choose optimal value-added activities over those that add less value.  Regardless of the core mission of the business, whether profit or not-for-profit, profits are necessary to sustain the mission over time.

How does internal audit refocus on ensuring the information management needs for decision-making is available and accurate?  Are internal auditors equipped to assess management reporting?  The answer is to simply expand the tools and techniques we use for all internal control activities.  The COSO Framework is as appropriate for managerial accounting and reporting as for all other critical business functions.  As the use of “Non-GAAP” measures expands in financial filings and the need for immediate information for management to make informed decisions grows, the reporting risks increase, and the assessment of the processes and controls to ensure ongoing accurate and timely managerial accounting information should become an important part of the annual internal audit plan.  Auditors frequently speak about earning a “seat at the table”.  The best way to earn this “seat” is to provide assurance to key decision makers regarding the accuracy and appropriateness of the information they receive, which is typically managerial accounting information, not financial accounting information.  Look at your risk-assessment and audit plan process to make sure that there is an appropriate identification and focus on managerial accounting information and controls.  If necessary, refocus your process to ensure you effectively leverage your compliance activities to optimize your service to all key business constituents.


About the Author

Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting LLC, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications, and the “Leverage Compliance” blog.  In addition, Glenn provides licensee compliance audits in conjunction with Licensing Compliance Group and Cybersecurity/Penetration Tests/SOC for Cyber/SOC 2/3 Assessments in conjunction with Ra Security Systems.  Find Glenn’s full profile at, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at