Academic journal article Journal of Accountancy

How Sarbanes-Oxley Will Change the Audit Process: CPAs Will Have to Develop New Procedures and Scrap Some Old Ones

Academic journal article Journal of Accountancy

How Sarbanes-Oxley Will Change the Audit Process: CPAs Will Have to Develop New Procedures and Scrap Some Old Ones

Article excerpt


* SARBANES-OXLEY WILL MEAN BIG CHANGES FOR BOTH auditors and the companies they audit. The former now will be required to certify a company's internal controls and will no longer be able to use certain common audit strategies. Management faces the cost of implementing the new rules.

* ACCORDING TO THE EXPOSURE DRAFT OF A NEW SAS, the understanding of internal controls required for CPAs to express an opinion on financial statements is not adequate for them to offer an opinion on the controls themselves. This means auditors will have to make changes to the audit process.

* THE AUDITOR MUST ATTEST TO MANAGEMENT'S assessment of the effectiveness of an entity's internal controls using standards the Public Company Accounting Oversight Board issues or adopts. The auditor will require manage merit to identify, document and evaluate significant internal controls--management cannot delegate this function to the auditor.

* AUDITORS SHOULD ADVISE COMPANIES TO BEGIN the process of assessing the effectiveness of controls as early as possible. The task will be time-consuming, requiring management to determine which locations or business units to include in its evaluation.

* AUDITORS SHOULD NOT BE TOO CLOSELY INVOLVED with a company's assessment of its controls or they risk impairing their objectivity. The auditor cannot accept management's responsibility to reach conclusions on the effectiveness of the entity's controls nor can management base its assertion about the controls design and operating effectiveness on the results of the auditor's tests.

Congress enacted the Sarbanes-Oxley Act of 2002 in response to a spate of highly publicized business failures, allegations of corporate improprieties and financial statement restatements. Section 404 of the act requires management to acknowledge its responsibility for establishing and maintaining adequate internal controls, including asserting their effectiveness in writing. The financial statement auditor, in turn, must report on management's assertion about the effectiveness of its internal controls as of the company's yearend. These provisions apply to entities with market capitalization of more than $75 million for fiscal years ending on or after June 15, 2004. (Smaller companies must comply as of the first fiscal year ending on or after June 15, 2005.)

For businesses, following these seemingly innocuous provisions will be costly and time-consuming. For CPAs who audit public companies, the new rules will have a significant impact on how they do their job in the future. To provide guidance the AICPA Auditing Standards Board issued two exposure drafts: Auditing an Entity's Internal Control Over Financial Reporting in Conjunction with the Financial Statement Audit (the SAS ED) and Reporting on an Entity's Internal Control Over Financial Reporting (the SSAE ED). This article explains the impact these internal control certification requirements will have on the audit process, as well as the responsibilities management and external auditors have in meeting the act's requirements.

More specifically, the article discusses

* The extent to which auditors can be involved without compromising their independence.

* How external auditors can make use of a company's internal auditors.

* Key proposals on auditor responsibilities to test controls and evaluate internal control deficiencies.

* When management should consider outsourcing its internal control documentation activities.

CPAs should be aware the future roles of the Public Company Accounting Oversight Board (PCAOB) and the SEC in setting audit standards may change some of the rules described here.


The two EDs describe a public company audit as an integrated activity consisting of an audit of the financial statements and of internal controls. This means the auditor must perform procedures to obtain sufficient evidence to express an opinion on both. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.