Some Observations about SOX 404(b) Control Process Audits
26 Pages Posted: 2 Oct 2012
Date Written: September 24, 2012
In the decade since the July, 2002 passage of the quickly-legislated Sarbanes-Oxley Act, audit production in the U.S. has been substantially augmented by implementation of mandated internal control process audits. Audit production changes are important as the control audit mandate is unique and imposes substantial costs on U.S.-traded firms, yet little is known about the conduct of control process audits or the efficacy of substantially lower cost alternative mechanisms to provide auditor scrutiny and reporting on internal control quality. This paper reflects our collective experiences and observation of a consistent message across the decade from analyses of extensive public and limited non-public archival data, analytical studies, and numerous personal experiences of audit practitioners. Our primary observation is that, absent knowledge of any financial misstatements, auditors find it difficult to identify material weaknesses in internal control over financial reporting. Conversely, with knowledge of misstatements, auditors can and do identify, at low incremental cost, most entities that have ineffective internal controls as identified by control audits. Financial misstatement detection is, of course, the primary tangible output of a financial statement audit. Thus, it appears possible to exploit this observation to obtain for investors information about companies with weak controls without incurring the cost of a full internal control process audit. We believe that U.S. markets could benefit from more transparency about the current U.S. audit production process and from informed debate about the best mechanism design for balancing the needs of all parties interested in internal control quality disclosure.
Keywords: internal control audits, integrated audits, audit risk model, SOX 404
Suggested Citation: Suggested Citation