You are now a few minutes away to completing this SOX 404 compliance guide. When someone you know says that compliance is expensive, answer them with, “If you think compliance is expensive – try non-compliance.” Let this be a reminder to everyone.

As a SOX auditor, you need to know the following concepts:

If you need to review the most recent part of this series, you can go to Part 10 – Deficiencies and Material Weaknesses.

I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.

 

Forming an Opinion

This is part of paragraph 71 that tells external auditors to write an opinion on the internal controls after doing all of the work.

This extends up to paragraphs 72 to 74, but you can skip those since they are not relevant to SOX auditors.
 

Obtaining Written Representation

The external auditors have to get written representation and these types of representation letters are full of legalese. Again, you can skip these sections from paragraphs 75 to 77 of AS5.

As internal auditors or SOX auditors, you don’t get representation letters from management. Usually, it’s in the engagement letter that says that management is responsible for the financials and internal controls.

 

Communication Certain Matters

SOX 404 Communicating certain matters
Fig. 2 – SOX 404 external auditors communicating certain Matters

This is important to SOX auditors as well even though communicating certain matters is what the external auditors do. We want to know what the external auditors will tell our clients and our management team so we want to know the requirements and what we should do.

  • Paragraph 78 says that auditors must communicate in writing all material weaknesses found during the audit to management and audit committee. Management pertains to the CFO, CEO, and controller. The written communication should be delivered before the external auditors issue the auditor’s report. You want to avoid instances when the auditor tells management and the audit committee that there’s a material weakness at the last minute, then everybody gets surprised.
  • Paragraph 79 says that external auditors have to communicate it to the full board of directors if they conclude that oversight of the company’s financial reporting by the audit committee is ineffective. It happens rarely but there are some well-known cases for this like Enron and WorldCom.
  • Paragraph 80 talks about significant deficiencies that have to be communicated in writing to the audit committee and it has to be done before the auditor’s report is issued. Keep in mind that before going into an audit committee meeting, auditors have required communications and this is one of them.
  • Paragraph 81 talks about the two separate steps the auditors have to do.
    • The first step is the auditor has to communicate to management all the deficiencies found during the audit. It could be a material weakness, significant deficiencies or just a listing of deficiencies during the audit. Management here means the CEO, CFO, controller, VP of Finance, and key accounting leads.
    • The second step is that the auditors have to separately tell the audit committee they’ve done that. It means you do not have to share with the audit committee the full listing of all your deficiencies, only the written communication for significant deficiencies and material weakness. You have to communicate in writing to management all the deficiencies and let the audit committee know that you did afterward.

     
    So there’s a slight nuance to it. Management has a list of all deficiencies and you have to tell the audit committee that they have such a list. If the audit committee wants to see all of it, they can request for the list from management.

Reporting On Internal Controls

This covers paragraphs 85, 86, 87 and 88 are all about the actual opinions that the external auditor has to write for the internal controls opinion.It’s not relevant for SOX auditors or SOX practitioners, so you can skip this again.
 

Report Date

Auditor report date
Fig. 7 – Auditor Report Date paragraph 89

The external auditor has the report date after they wrapped up all their work. Remember that the opinion is usually a month or two afterward the year-end or quarter-end, so the date of the audit opinion is when the auditors have completed testing and documenting the evidence.
In some cases, there may be some wrap-ups or tiny documentation. But all of their evidence should have been obtained at that point before the auditors can date their audit report and issue the financial statements.
 

Material Weaknesses

A2Q2 material weakness
Fig. 8 – Material weakness paragraph 90 and 91

Paragraph 90 talks about the factors we discussed in Paragraphs 62 to 70. Again, if the auditors find that there is a material weakness, they have to express an adverse opinion. They also have to have material weakness wording in their opinion.

Paragraphs 91 onwards have more guidance for the external auditors on what they have to say in their opinion. SOX auditors are less concerned about this, but you can always read about it.

 

Subsequent Events

Considering that external auditors have their audit opinion date sometime after the end of the year has closed, the period in between the end-of-the-year and when the auditors sign their opinion may have subsequent events.

Paragraph 93 and 94 talk about the things that external auditors have to do to make sure that their opinion is still good by that time. To make sure that their opinion is still right, they have to look at the following:

  • Internal audit reports
  • Independent information
  • Regulatory reports

 

Summary

To recap, we covered what the internal and external auditors need to do at the end of the audit.

Congratulations! You reached the end of the SOX 404 compliance training.

 

watch video in youtube

 

If you found this post helpful and
want to receive the next segment
sign up for blog