• Evaluate management’s process for:
• Determining controls and locations to be tested
• Evaluating the design effectiveness
• Evaluating operating effectiveness
• Obtain an understanding of internal controls
• Inquiries of personnel who perform controls
• Observe performance of controls
• Review documents to support application of controls
• Compare supporting documents to the accounting records
• Determine effectiveness of the audit committee
• Independence
• Clarity of responsibilities
• Level of involvement and interaction with internal and external auditors
• Time devoted to control issues and committee activities
• Ineffective audit committees should be treated as significant deficiencies

Auditor also must:
– Express an opinion on whether management’s written assertion about the effectiveness of internal control over financial reporting is fairly stated in all material respects
– Consider management’s assessment and directly evaluate the effectiveness of internal control over financial reporting
– Plan the audit to obtain reasonable assurance of detecting material weaknesses
• Existence of a material weakness precludes an unqualified opinion
Internal Control Report/Audit Opinion

• Deficiencies and the opinion:
– Following are at least significant deficiencies:-
• Controls over selection and application of accounting policies
• Antifraud programs and controls
• Controls over non-routine and nonsystematic transactions
• Controls over the period-end financial reporting process

– Following are strong indicators of a material weakness:
• Restatements
• Auditor identified material misstatements
• Ineffective audit committee
• Uncorrected deficiencies previously communicated to management

• to assess internal controls over financial reporting
• to report on the assessment
• subject the assessment to audit

In the Management’s annual report on internal control, they must state the following:- management’s responsibility for establishing and maintaining an adequate internal control structure and

procedures for financial reporting, and

-Contain management’s assessment, as of year-end, of the effectiveness of the internal control structure and procedures for financial reporting

-independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB
The objectives of management’s assessment process are two-fold:

– To support management’s public assertion about the effectiveness of internal control
– To satisfy a condition of the independent audit of internal control

Management: Supporting the Evaluation:

• Determine which controls are significant:

– Controls over significant classes of transactions, account balances, disclosures and related assertions

– Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates

– Controls over period-end financial reporting process

– Anti-fraud programs and controls

– Controls on which other controls are dependent (e.g., general controls)

• Also consider:– The likelihood that failure could cause misstatements
– Whether other controls achieve same objectives
• Determine which locations/business units to include:
• Document design of significant controls related to all control components
• Evaluate design effectiveness

• Evaluate operating effectiveness

• Determine whether internal control deficiencies are significant deficiencies or material weaknesses
• Document the results of the evaluation
• Communicate findings to auditor and others
Management: Document Design of Controls: • Management documentation should include the following:
– each of the components of internal control
– how significant transactions are initiated, recorded, processed, and reported
– the controls that are designed to prevent or detect errors or fraud
– who performs the controls and the related segregation of duties
– the financial statement closing process and the related controls
– safeguarding controls
Management: Evaluating Operating Effectiveness• Procedures must be sufficient to verify operating effectiveness:
– testing of controls by internal audit or others under the direction of management
– self-assessment processes
– use of service organization reports
• Inquiry alone is not adequate

• Procedures performed and controls and locations selected are affected by risk assessment and monitoring processes
• All significant controls and locations must be evaluated annually

• The Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley

• Administered by the Securities and Exchange Commission, Sox publishes rules on requirements and defines which records are to be stored and for how long, stating that all business records, including electronic records and electronic messages, must be saved for not less than five years.

• Failure to comply with SOX can result in fines, imprisonment, or both.

• The Sarbanes Oxley Act also made it illegal for companies to take negative action against employees for blowing the whistle on various improper financial practices; it has, in fact, become one of the most important Whistleblower protection laws.

• Legislation is wide ranging and establishes new or enhanced standards for all US public company Boards, Management and public accounting firms

• The law contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties. Requires Security and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law.

The Sarbanes-Oxley addresses the following:

• establishes new standards for Corporate Boards and Audit Committees
• establishes new accountability standards and criminal penalties for Corporate Management
• establishes new independence standards for External auditors
• establishes a Public Company Accounting Oversight Board (PCAOB) under the Security and Exchange Commission (SEC) to oversee public accounting firms and issue accounting standards