Fix 404, But Read The Fine Print First
October 26, 2006
404 needs to be fixed, no question. But the largest waste of money in compliance is not due to a problem with SOX, but a misunderstanding of SOX.
AS-2 requires the external auditors "attest to, and report on, the assessment made by management of the issuer", as well as the effectiveness of internal controls over financial reporting. To form the first opinion, external auditors have reperformed tests done by management, and done extensive reviews and testing of management's documentation.
But that's a lot of unnecessary work. All the external auditors have to do in order to express an opinion on management's process is, well, I'll let you hear it from Thomas Ray: Here's the money quote:
AS-2 requires the external auditors "attest to, and report on, the assessment made by management of the issuer", as well as the effectiveness of internal controls over financial reporting. To form the first opinion, external auditors have reperformed tests done by management, and done extensive reviews and testing of management's documentation.
But that's a lot of unnecessary work. All the external auditors have to do in order to express an opinion on management's process is, well, I'll let you hear it from Thomas Ray: Here's the money quote:
In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.Now here's the whole story:
There continues to be some misunderstanding with regard to the first of the two auditor opinions. Some believe that the auditor is expressing an opinion on management's assessment process. That belief, in turn, is fueling what probably is unnecessary additional work directed to evaluating the adequacy of management's process.
Let me dispel the misunderstanding. The first of the two opinions expressed by the auditor is not on management's assessment process. Rather, it is the auditor's opinion as to whether management's required statements about the effectiveness of the company's internal control and its descriptions of any material weaknesses are fairly stated.
So, how is this affecting the auditor's work? Doesn't AS No. 2 equire the auditor to evaluate management's assessment process? Yes, AS No. 2 requires the auditor to obtain an understanding of and evaluate management's assessment process, and provides direction as to what the auditor should look for when performing that evaluation. The principal objective of the auditor's valuation of management's assessment process is for the auditor to be satisfied that management has an appropriate basis for its conclusion.
Accordingly, the extent of the auditor's work is only that which is necessary for the auditor to form a conclusion as to whether management's process was sufficiently complete to provide management with a basis to support its reporting, and whether the results of management's testing support management's conclusion about internal control effectiveness.
In its most basic form, the evaluation of management's process consists of the auditor obtaining from management the documentation of its assessment process, reading that documentation, and discussing the process with management. The procedures the auditor performs to conduct the evaluation need not be extensive and need not include procedures such as retesting items tested by management.
Similarly, the auditor's documentation of his or her evaluation of management's process need not be extensive. For example, the audit documentation might consist of a summary document prepared by management that explains, perhaps for the benefit of the audit committee or other senior managers, the process management used in making its assessment, along with a memorandum prepared by the auditor that documents the auditor's procedures, the results of those procedures, other evidence obtained, if any, and conclusions.