Chapter 8 Reviewing Internal Control Over Financial Reporting
Oxley Approach]
Section 404 (Management Assessment of Internal Control) requires management of US
quoted companies to establish, maintain, assess and certify to an adequate internal control
structure for financial reporting. It also requires the company’s external auditors
to attest to, and report on, management’s assessment.
Section 302 (Corporate responsibility for financial statements) requires the signing
officers of a published report to certify, inter alia, that they have designed and evaluated
internal controls over reporting and that the report is reliable in all respects (Figure 8.2), not
just with respect to internal controls over financial reporting but other disclosure controls as
well. Section 302, at (6), also requires signing officers to certify in their companies’ published
reports that they have indicated whether or not there have been any significant changes in
internal controls or in other factors that could significantly affect internal controls
subsequent to the date of their evaluation, including any corrective actions with
regard to significant deficiencies and material weaknesses.
Section 301 of the Act (Figure 8.5) makes an audit committee a statutory listing
requirement and sets out other statutory requirements for audit committees. These
include, but are not limited to, giving the audit committee direct responsibility for
the appointment, compensation and oversight of the external auditor. Section 301 also
establishes a statutory independence definition for audit committee members, including that
they must receive no fees from the company other than for their board service and must not be
an “affiliated person” of the issuer or any subsidiary.
Section 407 requires disclosure, with reasons, if the company does not have a financial expert
as a member of the audit committee. The SEC’s Final Rule has defined an audit committee
financial expert as a person with all of the five following attributes:
1. An understanding of generally accepted accounting principles and financial statements;
2. The ability to assess the general application of such principles in connection with the
accounting for estimates, accruals and reserves;
3. Experience preparing, auditing, analyzing or evaluating financial statements that present
a breadth and level of complexity of accounting issues that are generally comparable to
the breadth and complexity of issues that can reasonably be expected to be raised by
the registrant’s financial statements, or experience actively supervising one or more
persons engaged in such activities;
4. An understanding of internal controls and procedures for financial reporting; and
5. An understanding of audit committee functions.
Under the Final Rules, in order to qualify as an audit committee financial expert a person must
have acquired the above listed attributes through any one or more of the following:
• Education and experience as a principal financial officer, principal accounting officer,
controller, public accountant or auditor or experience in one or more positions that involve the
performance of similar functions;
• Experience actively supervising a principal financial officer, principal accounting officer,
controller, public accountant, auditor or person performing similar functions;
• Experience overseeing or assessing the performance of companies or public accountants with
respect to the preparation, auditing or evaluation of financial statements; or
• Other relevant experience; and, if other relevant experience is what qualifies the director,
that experience must be described.
Section 406 requires a US issuer to disclose whether it has a Code of Ethics for its senior
financial officers. Any changes to the Code of Ethics must be disclosed. The Act requires that
the Code cover honest and ethical conduct, including the ethical handling of actual or apparent
conflicts of interest between personal and professional relationships; full, fair, accurate, timely,
and understandable disclosure in the periodic reports required to be filed by the issuer; and
compliance with applicable governmental rules and regulations. The SEC in their Rule has
expanded the requirement to cover:
1. Honest and ethical conduct, including the ethical handling of actual or apparent conflicts
of interest between personal and professional relationships;
2. Avoidance of conflicts of interest, including disclosure to an appropriate person or
persons identified in the code of any material transaction or relationship that
reasonably could be expected to give rise to such a conflict;
3. Full, fair, accurate, timely, and understandable disclosure in reports and documents that
a company files with, or submits to, the Commission and in other public
communications made by the company;
4. Compliance with applicable governmental laws, rules and regulations;
5. The prompt internal reporting to an appropriate person or persons identified in the
code of violations of the code; and
6. Accountability for adherence to the code.
PCAOB Standard No. 5 requires the external auditor to evaluate the extent to which he or she
will use the work of others, such as internal auditors, to reduce the work the auditor might
otherwise perform himself or herself to meet the audit requirements of s. 404. The Standard
explains that the degree of competence and objectivity of the other party has to be assessed to
determine the extent the auditor may use their work. In practice, the company should set out
to achieve a maximum amount of coordination between internal and external auditors with
respect to s. 404. The external auditor is likely to be able to place more reliance on internal
audit if internal audit is auditing the SOX process rather than performing the process of
designing, documenting and testing the control processes.