The Sarbanes-Oxley Act, otherwise known as SOX, is a very complex piece of legislation. It has introduced significant changes to the financial management of publicly traded companies in the United States. Top management is now required to certify that they have reviewed internal controls and that the controls are functioning properly. Independent auditors are required to issue a report attesting to management’s certification of internal controls. Auditors performing SOX compliance audits must be trained on the new requirements and how to determine and measure compliance in order to attest to management’s certification.
Gain an understanding of the SOX law and all of the compliance issues that go along with it. The annual audits require a more in-depth understanding of internal controls than in the past. In order to express an opinion on internal controls, the auditor must perform sufficient tests of controls to obtain high levels of assurance about their effectiveness. This will require the CPA to adequately test preventative as well as detective controls.
Gain an understanding of the COSO internal control framework. There are five components to the COSO internal control framework: control environment, risk assessment, information and communication, control activities, and monitoring. Auditors must have an understanding of all five components in order to properly evaluate internal controls and attest to their effectiveness.
Learn how to map and document internal controls. This involves process mapping (flow charting) to show how a particular control or series of controls works. The auditor will review this documentation and test the controls as part of the audit, so it is important that the auditor is trained on process mapping.
Learn how to test internal controls to determine if they are working as intended. These tests may involve picking sample transactions to examine for compliance with internal controls and/or running test data through the control systems and examining the results. In any case, auditors need to be trained on these techniques.
Learn how to identify and report on internal control issues. Some control issues may be relatively minor and easily fixed, while others may be a material weakness that creates a risk of financial misstatement. Any material weakness would be reported and management would have to present a corrective action plan. Minor weaknesses could be communicated informally and management could correct them without a formal corrective action plan. Auditors need training on the reporting aspects of the audit as well.