The Congress handed the Sarbanes-Oxley Act (also known as Public Company Accounting Reform and Investor Protection Act) in July 2002 as a response to the high number of high-profile company scandals that had been experienced in as at 2001. The purpose of the Act was to restore the public confidence in monetary reporting of the publicly traded company by improving corporate governance. It introduced good sized changes in the scope and nature of the auditor’s responsibilities as properly as those of management’s reporting. The SOX Act led to the establishment of the Public Company Accounting Oversight Board (PCAOB) (Coates, 91). It forbids auditors from imparting particular services that are now not in the scope of auditing for the client as well as imposed larger penalties for criminal offenses related to corporate fraud. Besides, the SOX Act enhanced the importance of transparency in accounting and auditing by requiring more and detailed disclosures of financial information. Section 404 of the Act requires the management to assess the internal control systems and for the auditor’s report to contain an opinion about the internal control system of their client (Sarbanes, 789). The Act aims at preventing deceptive accounting as well as management behavior since it calls for more oversight, imposes greater penalties for misconduct and addresses the issue of possible conflict of interest.
Overview of SOX Act Impact on Auditing
The introduction of Sarbanes-Oxley Act meant a significant change for both auditors and companies they audit. Auditors are now required to express an opinion on the client’s internal controls and thus cannot use certain common audit procedures (Ge and McVay, 138). The Act suggested that auditors expressing an opinion on the true fair view of the financial statement was inadequate and it was necessary to certify the internal controls of a company over the financial reporting. The auditors are required to attest to the assessment of the management on the effectiveness and efficiency of the company’s internal controls based on the standards set by the PCAOB (Ge and McVay, 139). For instance, it is the responsibility of the management to identify, evaluate and document the important internal controls which is contrary to the audit approach before the SOX Act where the management could delegate such responsibilities to the auditor. Auditors are required to advise their clients to start the process of assessing the effectiveness of internal controls at an early stage since it is a time-consuming task, and the management have to determine the business units or locations that will involve the evaluation process. Auditors are required not to be too involved in the assessment of their client’s internal control since it may impair their objectivity in the audit process. Besides, the auditor should not accept the responsibility of the client’s management to conclude the internal controls effectiveness. On the other hand, the management cannot base its assertions concerning the internal control effectiveness on the test results presented by the auditor during the audit process.
Audit Opinion on Internal Controls
SOX Act requires an auditor of a public company to express an opinion as to whether the company maintained in all material respect effective internal controls over the financial reporting period in agreement with the control criteria. Control criteria consist of five components that determine the effectiveness of an entity’s internal control system. They include control environment, control activities, risk assessment, monitoring as well as information and communication (Ge and McVay, 141). The accounting framework consists of three categories of controls which include efficiency and effectiveness of operations, compliance with the laws and regulations and the reliability of financial reporting. According to section 404 of the SOX Act, the reliability of the financial reporting is the auditor’s primary focus (Sarbanes, 789).
Before the SOX Act, the auditors performed a mix of substantive testing and test controls to minimize the risk of material misstatements of financial statements to levels that are deemed reasonable. However, the advocates of the Act established that the level in which the auditors should understand the entity’s internal controls to form an audit opinion regarding the fairness and true view of financial statements is inadequate in giving assurance of the internal controls (Zhang, 76). The test controls were not broad enough and failed to provide suitable levels of assurance that regarding the effectiveness of operations in the company.
The Audit Approach Presented by The SOX Act
The auditors are required to give a comprehensive report on the management’s internal controls effectiveness over financial reporting every financial year. Therefore, cycle rotation as a tool for test controls in no longer acceptable while auditing publicly traded companies. Cycle rotation involved testing controls in some of the company’s transaction cycle while performing a transaction walkthrough to be sure that there are no changes in controls to the other cycles. Besides, the approach in which auditors minimize testing of preventative controls will no longer be applicable in auditing of public companies. Instead, the auditor will be required to adequately test both preventive and detective controls in order to gain high levels of assurance concerning their effectiveness. However, the auditors will continue to perform substantive procedures for material account balances due to the risk of management override as well as the inherent limitation associated with internal controls.
The Auditor and The Management
As discussed earlier, the SOX Act requires the auditor to attest to the management’s assessment of effectiveness of internal controls per the standards set by the PCAOB. Therefore, the management is required to accept the responsibility for the effectiveness of internal controls, evaluate their effectiveness supporting it with sufficient evidence and present a written assertion on the effectiveness of internal controls (Raghunandan and Rama, 100). The assertion can be presented either through management representation letter or in separate report which should accompany the auditor’s report. Some of the important controls that the auditor requires management to identify, document and evaluate include antifraud programs and controls as well as controls over initiating, recording, processing and reporting significant account balances, disclosures as well as assertions that are embodied in financial statements. Similarly, controls over important nonsystematic and nonroutine transactions and control for post balance sheet events are also considered to be significant controls (Raghunandan and Rama, 100).
The Sarbanes-Oxley Act imposes significant responsibilities on both the auditor and the management of the publicly traded entity being audited. The management is charged with the responsibility of identifying, documenting as well as evaluating the effectiveness of internal controls and determining the locations or business units that need to be evaluated (Coates, 95). On the other hand, the auditors are required to provide an opinion on the effectiveness of the internal controls which is a critical engagement. The fact that management will be in charge of assessing the internal controls will improve the process of risk identification of a company and ensure consistency. Besides, it enhances controls consciousness throughout the entity, and it is likely to reveal duplicated or unnecessary controls. An effective control process results in operation efficiencies as well as reduced litigation and fraud (Ge and McVay, 156).
Coates, John C. “The goals and promise of the Sarbanes–Oxley Act.” The Journal of Economic Perspectives 21.1 (2007): 91-116.
Ge, Weili, and Sarah McVay. “The disclosure of material weaknesses in internal control after the Sarbanes-Oxley Act.” Accounting Horizons 19.3 (2005): 137-158.
Raghunandan, K., and Dasaratha V. Rama. “SOX Section 404 material weakness disclosures and audit fees.” Auditing: A Journal of Practice & Theory 25.1 (2006): 99-114.
Sarbanes, Paul. “Sarbanes-oxley act of 2002.” The Public Company Accounting Reform and Investor Protection Act. Washington DC: US Congress. 2002.
Zhang, Ivy Xiying. “Economic consequences of the Sarbanes–Oxley Act of 2002.” Journal of Accounting and Economics 44.1 (2007): 74-115.