Introduction
Financial auditing has had a dramatic change over the past decade and is still expected to change as more businesses and companies continue to rely on information technology to help them achieve their core objectives. Sarbanes-Oxley Act of 2002 was enacted as a response to a wave of highly publicized business collapses, financial statement restatements as well as allegations of corporate improprieties (Gallegos, 2003). The Act has changed many aspects of auditing for auditors and companies.
Auditing issue impacted by Sarbanes-Oxley Act
One major aspect of auditing that has been impacted by the Sarbanes-Oxley Act is the assessment of the effectiveness of a company’s internal controls by both the internal and external auditor as well as the management. The management has to identify, document, and evaluate significant controls. It also has to determine the business units to be evaluated. The auditor on the other hand provides an opinion on the effectiveness of the company’s internal controls.
Issues before and after the implementation of the Sarbanes-Oxley Act
In the past, auditors used to conduct just substantive procedures instead of testing the controls or performing both while conducting financial statement audits. They applied cycle rotation to test the controls. In this approach, they would test the company’s controls in some of its transaction cycles while undertaking a transaction walk-through to ascertain the absence or presence of control changes throughout the cycles. This is not accepted anymore in public company audits as the Sarbanes-Oxley Act requires the presentation of a comprehensive report on the effectiveness as well as efficiency of internal controls when performing financial audits.
Banks and McConnell (2003) state that “minimizing testing of preventive controls” is no longer appropriate in internal control audits when performing financial audits. Preventive controls are normally classified as transaction-level controls, which are usually automated to ensure that transactions are properly sanctioned and recorded (Banks & McConnell, 2003). Instead, the Sarbanes-Oxley Act proposes performing satisfactory tests of controls to achieve greater levels of assurance on the effectiveness of an organization’s internal controls, by testing both preventive and detective controls (Banks & McConnell, 2003). Auditors have to obtain significant evidence as regards the operating effectiveness of the company’s controls.
Impact of the new internal control assessment measures
Sarbanes-Oxley Act has had a significant impact on the management and auditors. To allow auditors to assess the effectiveness of a company’s internal controls, the management has to acknowledge responsibility for the effectiveness of the company’s internal controls and must also support the evaluation of the company’s internal controls with sufficient evidence. The management is also required to evaluate the effectiveness of the company’s “internal controls using suitable control criteria” (Banks & McConnell, 2003). Again, it is required to perform its own internal controls identification, documentation as well as evaluation without delegating these tasks to the auditors. Thus, the management has to put in place controls for initiating, recording, processing as well as reporting the company’s categories of transactions, significant account balances as well as to disclosures and associated assertions represented in financial statements Banks and McConnell (2003). It also has to implement anti-fraud programs and controls, as well as nonsystematic and nonroutine controls. The management is also required to institute controls over the company’s financial reporting period-end process.
Auditors on the other hand are expected to test controls in all of the company’s transaction cycles to provide comprehensive reports on the effectiveness of the management’s internal controls as regards financial reporting Banks and McConnell (2003). Auditors are required to perform their test controls and not rely on the management’s tests. External auditors are also not expected to rely solely on the internal auditor’s reports. They have to perform their test controls and conduct independent tests for every significant account, category of transactions as well as disclosure. Auditors are also expected to advise companies and help them develop an extensive system of internal controls. Today, internal auditors are required to assure the company’s management that their endorsed internal controls have been implemented and are working efficiently and effectively. As a result, auditors are expected to have good knowledge and experience in information systems besides accounting knowledge (Gallegos, 2003).
Auditors are no longer allowed to audit around the company’s computer as was the case before the enactment of the Sarbanes-Oxley Act. The auditors are now required to understand the automated as well as the manual internal control processes of the organization due to the increase in fraud as well as the ceaseless corporate scandals (Gallegos, 2003). They are expected to base their judgment on the quality of information obtained from the automated as well as the manual internal controls of the company’s information systems. The automated, as well as the manual internal controls, are very important for external auditors since they rely on their effectiveness to generate accurate, valid as well as complete data (Gallegos, 2003). If found that the required controls are not in place or that they are in place but are not being used properly as is intended by the management, then the internal and external auditors have to question the integrity of the data as well as information obtained from the system.
The general impact of Sarbanes-Oxley Act
In general, Sarbanes-Oxley Act has had a significant impact on financial auditing, integrating internal controls with financial statements reporting, thereby improving the effectiveness as well as the efficiency of operations of companies. The Act requires auditors and the management to perform sufficient audits, which have reduced the “risk of material misstatements of financial statements to an appropriately low level” (Banks & McConnell, 2003). Gallegos (2003) states that Sarbanes-Oxley Act places responsibility on the auditors to perform their functions applying professional standards, integrity as well as ethics during their audit work.
Conclusion
The Sarbanes-Oxley Act has established guidelines and laws which help both the management and auditors mitigate business risks as regards corporate fraud, cybercrimes, ineffectiveness as well as inefficiencies. As a result, IT auditors have become very important for companies as they seek to implement effective and efficient internal controls.
Reference List
Banks, G. Y. & McConnell, D. K. (2003). How Sarbanes-Oxley will change the audit process: CPAs will have to develop new procedures and scrap some old ones. Journal of Accountancy. Web.
Gallegos, F. (2003). Sarbanes-Oxley Act of 2002 (PL 107-204) and impact on the IT auditor. Boca Raton, Florida: CRC Press LLC