20 Questions Auditors Should Ask About Sarbanes Oxley

CONTROL ISSUES:

PERFORMANCE/GOVERNANCE:

The emergence of the Sarbanes Oxley Act has placed an emphasis towards management's responsibility of ensuring quality financial reporting and integrity of their organization's internal controls. As an external auditor, it is imperative to not only ascertain management's compliance in providing corporate accountability, but also to ensure that it is not used to negate their own responsibility to the public and compromise the performance of their audits. In assessing the governing bodies of the organization, the auditor must keep in mind that management's actions set the tone of the organization's structure, which, in a well-governed organization, is propagated throughout all levels of the organization and determines the effectiveness of the organization's internal controls.

1. In evaluating management's compliance with SOX, how has management embraced the Act's initiative towards greater corporate responsibility from the resulting evidence? What audit implications (if any) could this impose on the company?

Why it's important:

Public confidence in capital markets can only be restored when corporate governance is in line with these interests. Though an audit is a means to establish credibility, an auditor cannot perform a good audit without depending in part upon management. It is important to keep in mind that an auditor's role in financial reporting is secondary, which explains why the SOX Act focus' upon corporate accountability above all else. Corporate governance sets the tone of an organization by determining the degree of data integrity involved. Furthermore, since management is given responsibility over the effectiveness of internal controls, it could be stated that good governance equates to the adoption of strong internal controls (and information technology), which consequently leads to the production of quality financial reports. Because of this, it is essential to determine management's initiative towards corporate accountability and the priority it holds, as it is fundamental in attaining the objective of SOX. From an auditor's perspective, this also helps establish whether reliance on management is warranted, and if such an audit engagement should be accepted in the interest of the accounting firm.

What should be considered?

In assessing an organization's corporate governance, auditors should consider:

* Whether the organization is in compliance with the Act (particularly section 302 and 404) at an appropriate level determined based on the size, resources, and nature of the organization

* The decisions of management (with respect to the preparation, processing, availability, and storage of financially related data and mechanisms) and whether their choices reflect good governance procedures

* Whether corporate accountability and responsibilities are effectively communicated throughout all levels of the organization to ensure that established practices (such as, code of ethics) and procedures are carried out

* If their standards of corporate accountability are in line with the public's interest and a greater responsiveness to business requirements.

2. How has the relationship between auditors and their respective registrants changed from prior to the implementation of SOX, and will this new rapport have a significant impact on the reliability of their assessment on management controls?

Why it's important:

Section 404 of SOX not only demands management to report a statement on their assessment of internal controls, but it also requires auditors to evaluate and provide an opinion on the appropriateness of such assessment. In addition, SOX also emphasizes the importance of auditor independence from the company it is auditing. In the pre-SOX era, auditors and independent accountants were typically called for general business advisement. Now, however, due to the strict paradigm of the Act, the relationship between auditors and their issuing companies changed. In the wake of such financial scandals, auditors have become more cautious in maintaining open communication with companies for fear that it will impede on their independent status. Now when management looks to auditors for guidance, it may give auditors a reason to qualify their reports due to their display of uncertainty. Despite such changes, auditors must still be able to gather the necessary evidence in order to provide a reliable opinion on the company's assessment of its internal controls and assertions on its financial report . Therefore, the importance of this question addresses the auditors' ability to remain in compliance with the Act, while not allowing such limitations to affect the thoroughness of their audit and obligation they have to alert management of material weaknesses.

Things to keep in mind

* On May 16, 2005, the SEC issued a Statement on Management's Report on Internal Controls Over Financial Reporting, which further clarified the extent of communication that is allowed between management and auditors

* The AICPA Code of Professional Guidance can also provide insight on the limitations of the relationship

* That in adopting an overly cautious demeanour, auditors may be compromising the integrity of financial statement due to lack of sufficient communication and information between management and the auditor

INTERNAL CONTROLS:

As per COSO, an effective internal control should address: the control environment, risk assessment, control activities, information and communication, as well as monitoring. In addition, SOX also requires internal controls to be designed and executed in a manner that aids in the prevention, detection, and deterrence of fraud. Thus, while it is management's responsibility to design, execute, and evaluate such controls, it is the auditor's responsibility to objectively evaluate management's reports of such controls, and to assess the controls including its effect on the organization's financial reporting.

1. In comparing the audit's assessment of the company's controls with the management's assessment of such (internal control report), is management's interpretation accurate and not misleading to the public? Does the accuracy of their interpretation at a level where reliance on the controls and management is warranted?

Why

...