Some Observations about SOX 404(b) Control Process Audits
William R. Kinney, Jr.
University of Texas at Austin - Department of Accounting
Roger D. Martin
University of Virginia - McIntire School of Commerce
Marcy L. Shepardson
Indiana University - Kelley School of Business - Department of Accounting
September 24, 2012
In the decade since the July, 2002 passage of the quickly-legislated Sarbanes-Oxley Act, audit production in the U.S. has been substantially augmented by implementation of mandated internal control process audits. Audit production changes are important as the control audit mandate is unique and imposes substantial costs on U.S.-traded firms, yet little is known about the conduct of control process audits or the efficacy of substantially lower cost alternative mechanisms to provide auditor scrutiny and reporting on internal control quality. This paper reflects our collective experiences and observation of a consistent message across the decade from analyses of extensive public and limited non-public archival data, analytical studies, and numerous personal experiences of audit practitioners. Our primary observation is that, absent knowledge of any financial misstatements, auditors find it difficult to identify material weaknesses in internal control over financial reporting. Conversely, with knowledge of misstatements, auditors can and do identify, at low incremental cost, most entities that have ineffective internal controls as identified by control audits. Financial misstatement detection is, of course, the primary tangible output of a financial statement audit. Thus, it appears possible to exploit this observation to obtain for investors information about companies with weak controls without incurring the cost of a full internal control process audit. We believe that U.S. markets could benefit from more transparency about the current U.S. audit production process and from informed debate about the best mechanism design for balancing the needs of all parties interested in internal control quality disclosure.
Number of Pages in PDF File: 26
Keywords: internal control audits, integrated audits, audit risk model, SOX 404
Date posted: October 2, 2012