20 Questions Auditors Should Ask About Sarbanes Oxley
Essay Preview: 20 Questions Auditors Should Ask About Sarbanes Oxley
Report this essay
The emergence of the Sarbanes Oxley Act has placed an emphasis towards managements responsibility of ensuring quality financial reporting and integrity of their organizations internal controls. As an external auditor, it is imperative to not only ascertain managements compliance in providing corporate accountability, but also to ensure that it is not used to negate their own responsibility to the public and compromise the performance of their audits. In assessing the governing bodies of the organization, the auditor must keep in mind that managements actions set the tone of the organizations structure, which, in a well-governed organization, is propagated throughout all levels of the organization and determines the effectiveness of the organizations internal controls.
In evaluating managements compliance with SOX, how has management embraced the Acts initiative towards greater corporate responsibility from the resulting evidence? What audit implications (if any) could this impose on the company?
Why its important:
Public confidence in capital markets can only be restored when corporate governance is in line with these interests. Though an audit is a means to establish credibility, an auditor cannot perform a good audit without depending in part upon management. It is important to keep in mind that an auditors role in financial reporting is secondary, which explains why the SOX Act focus upon corporate accountability above all else. Corporate governance sets the tone of an organization by determining the degree of data integrity involved. Furthermore, since management is given responsibility over the effectiveness of internal controls, it could be stated that good governance equates to the adoption of strong internal controls (and information technology), which consequently leads to the production of quality financial reports. Because of this, it is essential to determine managements initiative towards corporate accountability and the priority it holds, as it is fundamental in attaining the objective of SOX. From an auditors perspective, this also helps establish whether reliance on management is warranted, and if such an audit engagement should be accepted in the interest of the accounting firm.
What should be considered?
In assessing an organizations corporate governance, auditors should consider:
Whether the organization is in compliance with the Act (particularly section 302 and 404) at an appropriate level determined based on the size, resources, and nature of the organization
The decisions of management (with respect to the preparation, processing, availability, and storage of financially related data and mechanisms) and whether their choices reflect good governance procedures
Whether corporate accountability and responsibilities are effectively communicated throughout all levels of the organization to ensure that established practices (such as, code of ethics) and procedures are carried out
If their standards of corporate accountability are in line with the publics interest and a greater responsiveness to business requirements.
How has the relationship between auditors and their respective registrants changed from prior to the implementation of SOX, and will this new rapport have a significant impact on the reliability of their assessment on management controls?
Why its important:
Section 404 of SOX not only demands management to report a statement on their assessment of internal controls, but it also requires auditors to evaluate and provide an opinion on the appropriateness of such assessment. In addition, SOX also emphasizes the importance of auditor independence from the company it is auditing. In the pre-SOX era, auditors and independent accountants were typically called for general business advisement. Now, however, due to the strict paradigm of the Act, the relationship between auditors and their issuing companies changed. In the wake of such financial scandals, auditors have become more cautious in maintaining open communication with companies for fear that it will impede on their independent status. Now when management looks to auditors for guidance, it may give auditors a reason to qualify their reports due to their display of uncertainty. Despite such changes, auditors must still be able to gather the necessary evidence in order to provide a reliable opinion on the companys assessment of its internal controls and assertions on its financial report . Therefore, the importance of this question addresses the auditors ability to remain in compliance with the Act, while not allowing such limitations to affect the thoroughness of their audit and obligation they have to alert management of material weaknesses.
Things to keep in mind
On May 16, 2005, the SEC issued a Statement on Managements Report on Internal Controls Over Financial Reporting, which further clarified the extent of communication that is allowed between management and auditors
The AICPA Code of Professional Guidance can also provide insight on the limitations of the relationship
That in adopting an overly cautious demeanour, auditors may be compromising the integrity of financial statement due to lack of sufficient communication and information between management and the auditor
As per COSO, an effective internal control should address: the control environment, risk assessment, control activities, information and communication, as well as monitoring. In addition, SOX also requires internal controls to be designed and executed in a manner that aids in the prevention, detection, and deterrence of fraud. Thus, while it is managements responsibility to design, execute, and evaluate such controls, it is the auditors responsibility to objectively evaluate managements reports of such controls, and to assess the controls including its effect on the organizations financial reporting.
In comparing the audits assessment of the companys controls with the managements assessment of such (internal control report), is managements interpretation accurate and not misleading to the public? Does the accuracy of their interpretation at a level where reliance on the controls and management is warranted?