The external auditor's overall objective is to form an opinion about management's assessment of the effectiveness of internal control. Several key provisions of the reporting requirement that impact the external audit include:
"As of" reporting. Management assesses the effectiveness of internal control as of the end of the fiscal year, rather than throughout the reporting period.
Material weakness in internal control. Management is required to disclose any material weakness in the company's internal control. The existence of one or more material weaknesses precludes management from concluding that its internal control is effective.
The COSO framework is not a fixed, prescriptive approach to internal control. Consequently, the approach recognizes that internal control cannot be evaluated against a detailed set of fixed, required procedures. The SEC has frowned on checklist, canned approaches used by certain companies. Management needs to exercise a great deal of judgment, customized to the needs of the entity, to determine the nature of the controls in place and whether they are functioning effectively. Public Accounting Oversight Board ("PCAOB") auditing standards and interpretations have modified both the level of and the manner in which procedures are performed.
Key provisions of the proposed standard are: (1) that inadequate documentation is a control deficiency that may rise to the level of a material weakness; (2) in certain areas of testing the outside auditors are prohibited from using management's tests. The auditor's non-reliance does not relieve management of its responsibilities to perform tests; and (3) entities that lack sufficient resources or expertise may look to third parties for assistance; however, management remains ultimately responsible for evaluating and reporting on the effectiveness of the entity's internal control.
The Sarbanes-Oxley Act has also changed the relationship between management and the audit committee of the Board of Directors. Previously, both sides worked as a team with the audit committee following the company's lead, but the Sarbanes-Oxley Act clarifies that the Audit Committee has direct oversight responsibility for hiring and firing of the external auditor. This was intended to motivate audit committees to identify and understand audit risks, as well as to make sure that audit scopes are designed to address those risks.
Sarbanes-Oxley raises a noble challenge for companies and auditors to make the system work to regain the investing public's trust. An important aspect of Sarbanes-Oxley is the Section 404 Managements Assessment of Internal Controls. The Sarbanes-Oxley Act formalizes the approach to evaluating and testing the internal control structure while limiting the involvement of the external auditor. Also, the "Experienced Auditor Test" is the proposed measure for sufficient documentation.