Module I: Auditing Internal Controls and Reporting using Sarbanes-Oxley Act

Module I: Auditing & Assurance Services

Overview of Internal Control Audits
  • Internal controls are essential for maintaining the integrity of financial reporting in publicly-held companies.
  • Under the Sarbanes-Oxley Act of 2002, specifically Sections 404(a) and 404(b), management must assess the effectiveness of internal controls over financial reporting.
Objectives of the Audit of Internal Control
  1. Define internal control effectiveness in the context of financial reporting audits for issuers.
  2. Auditor responsibilities regarding internal control systems as mandated by the PCAOB.
  3. Five components of internal control serve as benchmarks for effectiveness.
  4. Audit planning processes for assessing internal controls.
  5. Evaluating deficiencies and determining significant deficiencies or material weaknesses.
  6. Communicating deficiencies to governance bodies (audit committee, management).
  7. Auditors' reporting responsibilities for internal control audits.
Effectiveness of Internal Control
  • The Sarbanes-Oxley definition emphasizes:
    • Maintains detailed transaction records.
    • Financial statements align with GAAP standards.
    • Capital transactions authorized by management.
    • Timely detection of unauthorized asset transactions.
Costs and Benefits of Section 404 Auditing
  • Cost-benefit analysis from Section 404(b) indicates:
    • Audit Fee Savings: $388 million (2007–2014) for small issuers exempt from Section 404(b).
    • Costs of Non-compliance: $719 million in operational performance decline and $935 million in delayed market value drop due to ineffective internal control disclosure.
Management’s Responsibilities
  • CEO and CFO must certify financial statements, including assessing internal control effectiveness per Section 404.
  • Management must:
    • Establish and maintain adequate internal control.
    • Identify the framework used for evaluating effectiveness.
    • Provide an assessment statement on the effectiveness of internal controls.
Auditor’s Responsibility
  • Auditors under PCAOB standards must:
    • Plan the audit to gain assurance about effective controls:
    • Focus on identifying material weaknesses.
    • Issue an adverse opinion if material weaknesses are found.
Internal Control Components (COSO)

  1. Control Environment: Sets the organizational 'tone' and influences employee accountability, with five principles:

    • Commitment to integrity and ethical values.
    • Board independence and oversight.
    • Established organizational structures and accountability.
    • Attracting and retaining competent individuals.
    • Accountability for internal control responsibilities.

  2. Risk Assessment: Management assesses risks that may impede objectives, focusing on fraud risks.

  3. Control Activities: Policies and procedures ensuring directives are fulfilled, including:

    • Security controls, separation of duties, information processing controls, authorizations, verifications, and reconciliations.

  4. Information and Communication: Understanding and utilizing effective information systems for financial reporting, including clear audit trails.

  5. Monitoring Activities: Ongoing evaluations and reporting deficiencies through internal audits and management reviews.

Audit Planning and Testing
  • Audit planning aims to attain evidence verifying control system effectiveness.
  • Significant accounts and disclosures are identified for testing control effectiveness.
  • Top-Down Approach: Start with financial statement level and understand overall risks before verifying specific process risks and selecting controls.
Evaluating Control Deficiencies
  • Internal control deficiency arises when controls fail to detect or prevent misstatements.
    • Material Weakness: Generates reasonable possibilities of undetected material misstatements.
    • Significant Deficiencies: Less severe, yet critical for management review.
Communicating Audit Results
  • Auditor opinions can include:
    • Unqualified Opinion: No material weaknesses identified.
    • Disclaimer of Opinion: Unable to perform certain necessary procedures.
    • Adverse Opinion: Identified material weaknesses requiring disclosure to the audit committee.
Auditor Reports
  • Four critical sections include opinions on:
    • Financial statements and internal control.
    • Basis for opinion, definitions, and limitations regarding internal control.
Conclusion
  • Continuous monitoring and internal control evaluations are pivotal in maintaining the integrity and effectiveness of financial reporting mechanisms.