The emergence of the Sarbanes Oxley Act has placed an emphasis towards management's responsibility of ensuring quality financial reporting and integrity of their organization's internal controls. As an external auditor, it is imperative to not only ascertain management's compliance in providing corporate accountability, but also to ensure that it is not used to negate their own responsibility to the public and compromise the performance of their audits. In assessing the governing bodies of the organization, the auditor must keep in mind that management's actions set the tone of the organization's structure, which, in a well-governed organization, is propagated throughout all levels of the organization and determines the effectiveness of the organization's internal controls.1. In evaluating management's compliance with SOX, how has management embraced the Act's initiative towards greater corporate responsibility from the resulting evidence? What audit implications (if any) could this impose on the company?Why it's important:Public confidence in capital markets can only be restored when corporate governance is in line with these interests.
Though an audit is a means to establish credibility, an auditor cannot perform a good audit without depending in part upon management. It is important to keep in mind that an auditor's role in financial reporting is secondary, which explains why the SOX Act focus' upon corporate accountability above all else. Corporate governance sets the tone of an organization by determining the degree of data integrity involved.Furthermore, since management is given responsibility over the effectiveness of internal controls, it could be stated that good governance equates to the adoption of strong internal controls (and information technology), which consequently leads to the production of quality financial reports. Because of this, it is essential to determine management's initiative towards corporate accountability and the priority it holds, as it is fundamental in attaining the objective of SOX. From an auditor's perspective, this also helps establish whether reliance on management is warranted, and if such an audit engagement should be accepted in the interest of the accounting firm.
What should be considered?In assessing an organization's corporate governance, auditors should consider:* Whether the organization is in compliance with the Act (particularly section 302 and 404) at an appropriate level determined based on the size, resources, and nature of the organization* The decisions of management (with respect to the preparation, processing, availability, and storage of financially related data and mechanisms) and whether their choices reflect good governance procedures* Whether corporate accountability and responsibilities are effectively communicated throughout all levels of the organization to ensure that established practices (such as, code of ethics) and procedures are carried out* If their standards of corporate accountability are in line with the public's interest and a greater responsiveness to business requirements.2. How has the relationship between auditors and their respective registrants changed from prior to the implementation of SOX, and will this new rapport have a significant impact on the reliability of their assessment on management controls?Why it's important:Section 404 of SOX not only demands management to report a statement on their assessment of internal controls, but it also requires auditors to evaluate and provide an opinion on the appropriateness of such assessment. In addition, SOX also emphasizes the importance of auditor independence from the company it is auditing. In the pre-SOX era, auditors and independent accountants were typically called for general business advisement.
Now, however, due to the strict paradigm of the Act, the relationship between auditors and their issuing companies changed. In the wake of such financial scandals, auditors have become more cautious in maintaining open communication with companies for fear that it will impede on their independent status.Now when management looks to auditors for guidance, it may give auditors a reason to qualify their reports due to their display of uncertainty. Despite such changes, auditors must still be able to gather the necessary evidence in order to provide a reliable opinion on the company's assessment of its internal controls and assertions on its financial report . Therefore, the importance of this question addresses the auditors' ability to remain in compliance with the Act, while not allowing such limitations to affect the thoroughness of their audit and obligation they have to alert management of material weaknesses.
Things to keep in mind* On May 16, 2005, the SEC issued a Statement on Management's Report on Internal Controls Over Financial Reporting, which further clarified the extent of communication that is allowed between management and auditors* The AICPA Code of Professional Guidance can also provide insight on the limitations of the relationship* That in adopting an overly cautious demeanour, auditors may be compromising the integrity of financial statement due to lack of sufficient communication and information between management and the auditorAs per COSO, an effective internal control should address: the control environment, risk assessment, control activities, information and communication, as well as monitoring. In addition, SOX also requires internal controls to be designed and executed in a manner that aids in the prevention, detection, and deterrence of fraud. Thus, while it is management's responsibility to design, execute, and evaluate such controls, it is the auditor's responsibility to objectively evaluate management's reports of such controls, and to assess the controls including its effect on the organization's financial reporting.1. In comparing the audit's assessment of the company's controls with the management's assessment of such (internal control report), is management's interpretation accurate and not misleading to the public? Does the accuracy of their interpretation at a level where reliance on the controls and management is warranted?Why it's important:The internal control report prepared by management is a new rule set by SOX that serves three purposes:1) A detective control which supports the Preventative-Detective-Corrective Control model (PDC) required to establish a strong internal control structure2) Audit evidence for the period's attest engagement3) To restore market integrity by strengthening corporate accountability, which is the main premise for SOXAuditors must audit the report to assess that the information conveyed is complete (with respect to section 402) and that the opinion given is reflective of whether or not internal controls are in fact performing effectively.
Moreover, because of the report's impact on the organization's controls, the audit engagement, and what it should convey to external stakeholders, this question ensures that the report and audit of the company is at a level that makes it credible to serve such purposes.What should be considered?* Whether the report is in compliance with SOX and if auditors have taken the necessary procedures to ensure that the management opinion on the effectiveness of its internal control is accurate* Keep in mind that even with SOX compliance, good management and good IT governance; controls within an organization do not mitigate all risks as there is no such thing as a risk-free environment. If a risk persists, assess its materiality* When possible, design tests that can simultaneously satisfy both internal control and financial statement audit objectives (cost savings)?* In the event of a material weakness, ensure that management does not render it effective or the auditor does not qualify unless it corrected to eliminate the material weakness sufficiently in advance of the "as of" date and has been tested to be effective over a duration adequate to determine effective on financial reporting* What changes have been made to the systems and management controls in order to comply with Sarbanes and Oxley? What audit implications (if any) does this create?Why it's important:From an auditor's perspective, controls are relevant primarily to create and retain data integrity (especially IT controls). Internal controls are critical functions of financial reporting as they ensure reliability by establishing complete, accurate, authorized, and timely data.
With the rise of SOX, organizations require a greater scope for financial reporting, and hence, control responsibilities, as external stakeholders expect auditors to hold audited organizations at a higher degree of accountability in reporting, control compliance, and transparency. Noncompliance poses a significant deficiency and weakness that would require the auditor to express a qualified opinion, setting up several negative consequences in motion. However, while undesirable, it is still the auditor's responsibility to provide assurance that such material weaknesses do not mislead the public - this is why a bridge between what is required and what exists is essential.What's to be considered:* Communication between auditors and the management is critical in ensuring auditors are always are of changes made in the financial reporting environment and the implications of the same are understood clearly* Both significant general (organization controls, access controls, program change controls, and disaster recovery) and application controls that are directly supporting financial objectives should be compared with the prior period as they are more likely to result in material weaknesses* An assessment of the whether they have defective identification and security monitoring set in place by management* That management understands the vital role IT plays in internal control and that it is conveyed to IT professionals (particularly those in executive positions)A lack of disclosure could result in severe consequences including the discontinuation of operations.
Auditors play a critical role in ensuring that an adequate and reliable degree of disclosure is provided with the focus being on the public's best interest. However despite greater awareness of its relevance, faithful representation has become increasingly harder to attain, particularly due to the emergence of e-commerce and the ever-growing complexity of IT systems.Documentation is a common medium of disclosure and may take the form of paper, electronic files, and media. The emergence of SOX has imposed greater emphasis on the use of such a medium as it conveys transparency in financial reports, serves as evidence for audit engagements, and is essential to daily operations as well. Documentation stands as a form of control and as an asset that requires safeguarding.
1. Since PCAOB does not specifically define management's documentation requirements, what guidelines are created to ensure that the assessment of such is standardized? Are the controls in place sufficient to preserve the integrity of such documentations?Why it's important:Since auditing has become more regulated with SOX, it is necessary for accounting firms to establish guidelines even in unregulated areas to ensure compliance and consistency between audits. Inadequate documentation of the design of controls and relevant assertions related to significant accounts is a deficiency in the company's internal control over financial reporting. Furthermore, the disclosure of controls and procedures need to be in place to ensure data integrity and that all material information is disclosed and reported to the SEC.
What to be considered:* Convey to management that documented controls is not only beneficial in complying with SOX, but also because the clarity from documentation controls will enable auditors to gain a better understanding of management assertions in assessing the control risk of the organization (which reduces the work of auditors)* The variety of adequate document control designs (policy manuals, procedures, narratives, flowcharts, configuration, assessments questionnaires) and what it implies about other areas related to an audit* "Over-documenting" in companies can set the stage for potential fraud as the company database will store such a vast array of information that the detection of errors within these files becomes a much bigger challenge2. In the event of a material change in internal controls, is it disclosed? More importantly, is the definition of "material changes" used by both parties (the organization and the accounting firm) appropriate?Why it's important:It is the auditor's responsibility to refrain from qualifying an organization's financial report and to enable management to effectively improve controls when material weaknesses exist in their internal controls. Previously, companies were allowed to communicate all material weaknesses alone, but SOX has now mandated the disclosure of all material changes in an organization's internal controls that will affect financial reporting(shortened sentence). In fact, non-disclosure of material changes is now considered a material weakness in itself.
Thus, it is important to ensure auditors are aware of this modification and are taking the necessary procedures to ensure that management complies with it. Aside from examining that material changes disclosed are adequate, they must also ensure that changes that are made and not disclosed are in fact immaterial based upon a definition consistent with their own and the Board.What to consider:* That auditors are aware of the definition of "material" used by the organization and that it is consistent* That the disclosure level or lack of disclosure in changes over internal control are appropriate based on their effect on financial reporting* That financial reporting in this area is transparent, and when taken in aggregate, (financial reports) are not misleading to users
