Professional Documents
Culture Documents
CHAPTER 5
Risk Assessment: Internal Control Evaluation
LEARNING OBJECTIVES
Review
Checkpoints
Exercises, Problems,
and Simulations
1.
1, 2, 3, 4, 5
62, 63, 67
2.
6, 7, 8
68
3.
64, 72, 74
66, 69, 73
65, 74, 75
30
31, 32, 33
8.
34
9.
35, 36
5-1
70, 71
As stated in the Sarbanes-Oxley Act of 2002, management is responsible for establishing a control
environment, assessing risks it wishes to control, specifying information and communication channels and
content (including the accounting system and its reports), designing and implementing control procedures,
and monitoring, supervising, and maintaining the controls. Business managers can make estimates of
benefits to be derived from controls and weigh them against the cost. Managers are perfectly free to make
their own judgments about the necessary extent of controls. Managers can decide the degree of business
risk they are willing to tolerate.
External auditors are not responsible for designing effective controls for audit clients. They are responsible
for evaluating existing internal control and assessing the control risk in them.
5.2
Control risk is the probability that the clients internal control procedures will fail to prevent or detect
material errors and frauds, provided any enter the data processing system in the first place. Assessing
control risk is part of using the audit risk model in the planning stage of the audit.
5.3
The primary reason for conducting an evaluation of a clients existing internal control system is to give the
auditors a basis for finalizing the details of the account balance audit programto determine the nature,
timing and extent of subsequent substantive audit procedures. For public companies, Sarbanes-Oxley
requires auditors to audit internal controls as part of the financial statement audit.
A secondary purpose for conducting an evaluation of internal control is to be able to make constructive
suggestions for improvements. Officially, the profession considers these suggestions a part of the audit
function and does not define the work as a consulting consultation.
Another purpose of the evaluation is to report to management and the board of directors or its audit
committee any discovery of any significant internal control deficiencies.
5.4
If control risk is low, auditors can perform less effective substantive procedures, earlier in the audit, with
smaller sample sizes, than if control risk is moderate or high.
5.5
Using a numeric evaluation provides a precise level of risk that can be included in statistical sampling
procedures. However, using words recognizes the imprecise nature of evaluating control risk.
5.6
5.7
Internal control is operated by people. People make the system work at every level of company
management. People establish the objectives, put control mechanisms in place, and operate them.
Since people operate the controls, breakdowns can occur. Human error, deliberate circumvention,
management override, and improper collusion among people who are supposed to act independently can
cause failure to achieve objectives. Hence, a companys managers can decide that certain controls are too
costly in light of the risk of loss that may occur.
5-2
Four types of breakdowns relate to people-caused failures. The four are: human error, deliberate
circumvention, management override, and improper collusion among people who are supposed to act
independently can cause failure to achieve objectives. Internal control can help prevent and detect these
people-caused failures, but it cannot guarantee that they will never happen.
5.9
The COSO Report states that internal control consists of five interrelated components:
Managements monitoring
5.10
The control environment sets the tone of the organization. It is the foundation for all other components of
internal control. It provides discipline and structure. Control environment factors include the integrity,
ethical values, and competence of the companys people. The following are general elements of an internal
control environment:
5.11
The purpose of risk assessment is to identify and control for those factors, events, and conditions that may
prevent the organization from achieving its business objectives. All companies face the risk that their
financial statements may be unreliable. They may report assets that do not exist or ones that are not owned
by the company. Asset and liability amounts may be improperly valued. They may fail to report liabilities
and expenses. They may present information that does not conform to GAAP. The risk of producing
unreliable financial reports arises from control breakdowns.
5.12
A company control procedure is an action taken for the purpose of preventing, detecting, or correcting
errors and frauds in transactions
5.13
5.14
The audit trail is the set of accounting operations from transaction analyses to reports. It starts with the
source documents, proceeds to data entry, then to transaction processing and posting to ledger accounts,
then from ledger accounts to the financial reports.
Auditors often follow this trail forwards and backwards! They will follow it backwards from the financial
reports to the source documents to determine whether everything in the financial reports is supported by
appropriate source documents. They will follow it forward from source documents to reports to determine
that everything that happened (transactions) got recorded in the accounts and reported in the financial
statements.
5-3
ITGCs apply to all the applications systems and help insure their continued proper operations. They
include controls over data center operations, system software acquisition and maintenance, access security,
and application system development, including changes in software and data bases. They include physical
security, hardware controls, separation of duties within the IT department, documentation and back-up
procedures, and other controls.
ITACs include computerized steps within the application software and related manual procedures to control
the processing of various types of transactions. ITAC are specific to each cycle (e.g. revenue and
collection, acquisition and expenditure, etc.). They are divided into the following categories: input
controls, processing controls, and output controls.
5.16
1.
2.
3.
4.
5.
5.17
Many financial reporting processes such as final adjusting entries, consolidating entries, and footnote
amounts are performed using spreadsheet applications.
5.18
Operating managers compare internal reports and published financial statements with their
knowledge of the business.
Regulators report to the company on compliance with laws and regulations (e.g., bank examiners
reports, IRS audits).
Recorded amounts are periodically compared to actual assets and liabilities (e.g., internal auditors
inventory counts, receivables and payables confirmations, bank reconciliations).
External auditors report on control performance and give recommendations for improvement.
Training sessions for management and employees heighten awareness of the importance of
controls.
These are monitoring controls when they are used to determine the effectiveness of control procedures.
5.19
Yes and no. The phase 1 understanding must always be followed by a control risk assessment phase and
documentation of control risk less than 100% (compliance phase). However, test of controls procedures are
only required for non public companies if the audit team wants to lower the control risk assessment.
5.20
An audit team can find clients documentation of the accounting system in the:
Chart of accounts
Accounting manualdefinitions and instructions about measuring and classifying transactions
Computer systems documentation
Computer program documentation
Systems and procedures manuals
Flowcharts of transaction processing
Various paper forms
5-4
1.
Easy to complete.
Checklist of questions.
2.
Can explain the precise controls applicable to the particular client. (precise tailoring)
3.
Advantages of flowchart:
Shows the steps required and the flow of forms and documents.
5.22
A bridge working paper connects the control evaluation to the audit program (subsequent procedures). It
contains brief descriptions of control strengths and weaknesses, implications for control or error related to
accounts, and statements of audit program procedures related to the strengths and weaknesses. The
procedures related to control strengths are test of control procedures, and the ones related to control
weaknesses are substantive procedures.
5.23
A test of controls is an audit procedure designed to produce evidence about the effectiveness of a clients
control activity. A test of control procedure is a two-part statement, consisting of:
Part One: Identification of a data population from which a sample of items will be selected for audit.
Part Two: Expression of an action of either (1) determining whether the selected items correspond to a
standard or (2) determining whether the selected items agree with information in another data population.
A test of control procedure may also consist of a direct observation of a control activity that leaves no
documentary trail.
5.24
Inspection, in a test of control procedure, refers to auditors looking to see whether client personnel
stamped, initialed, or left other signs that their assigned control procedures had been performed.
Reperformance, in a test of control procedure, refers to auditors doing again the control that was
supposed to have been performed by the client personnel (recalculating, looking up the right price,
comparing quantities, and so forth).
5.25
A dual-purpose test serves the purposes of (1) obtaining evidence about a clients control performance
[test of control], (2) obtaining evidence to help detect material misstatements in account balances and
disclosures [substantive procedure].
5-5
5-6
Management must (1) acknowledge its responsibility for establishing and maintaining effective internal
control over financial reporting; (2) state that it has performed an evaluation and made a conclusion about
the effectiveness of the entitys internal control over financial reporting; (3) disclose to the audit team any
frauds resulting in a material misstatement to the entitys financial statements (as well as any other
immaterial fraud that involves key managers), all significant deficiencies, and any material weaknesses
identified during its evaluation; and (4) state that management did not use the auditors procedures
performed during the audits of internal control over financial reporting or the financial statements as part of
the basis for managements assessment of the effectiveness of internal control over financial reporting.
5.27
5.28
An internal control deficiency exists when the design or operation of a control does not allow the
companysmanagementoremployeestodetectorpreventmisstatementsinatimelyfashion.Asignificant
deficiencyisdefinedasaconditionthatcouldadverselyaffecttheorganizationsabilitytoinitiate,record,
process,andreportfinancialdatainthefinancialstatements.Amaterialweaknessininternalcontrolis
defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a
materialmisstatementwouldnotbepreventedordetectedonatimelybasis.
5.29
Qualified or disclaimeraudit team cannot perform all of the procedures considered necessary
5.30
The major components of the auditors standard, unqualified report on internal control over financial
reporting are:
Atitlethatincludesthewordindependent.
Statements regarding the responsibility of the auditors and management with respect to the
assessment andevaluation ofinternal control,as well asthe titleof managements report on
internalcontroloverfinancialreporting.
A paragraph indicating that the engagement was conducted in accordance with standards
establishedbythePublicCompanyAccountingOversightBoard,withabriefdescriptionofthe
proceduresperformedintheengagement.
Thedefinitionofinternalcontroloverfinancialreporting.
Anidentificationoftheinherentlimitationsofinternalcontroloverfinancialreporting.
Theauditorsopiniononwhethertheentitymaintainedeffectiveinternalcontroloverfinancial
reporting.Theopinionintheabovereportrepresentsanunqualifiedopiniononinternalcontrol
overfinancialreporting.
Areferencetotheauditorsopiniononthefinancialstatements,indicatingthetypeofopinion
expressed.
Thedateofthereport.
5-7
5.31
5.32
Major reasons for departing from the standard, unqualified report on internal control over financial
reportinginclude:
1.
2.
3.
Managements disclosures of the effectiveness of its internal control over financial reporting are
inappropriate.
4.
Other auditors have audited the financial statements and internal control over financial reporting
of one or more components of the entity.
5.
Changes in internal control have occurred that materially and adversely affect the effectiveness of
the companys internal control over financial reporting.
6.
Management provides other information in its report on internal control over financial reporting.
The auditors should issue an adverse opinion on the effectiveness of internal control over financial
reporting if a material weakness exists.
If a material weakness in internal control is identified, the auditors standard, unqualified opinion on
internal control over financial reporting would be modified to:
Include a paragraph immediately following the inherent limitations paragraph that defines a
material weakness and describes any material weakness(es) identified during the audit.
Modify the opinion paragraph to indicate that because of the effect of the material weakness(es)
identified, the Company has not maintained an effective internal control over financial reporting.
5.33
If a scope limitation exists, disclaimer of opinion would be issued or the auditors would withdraw from the
engagement, depending upon the significance of the limitation.
5.34
Auditors must communicate significant deficiencies and material weaknesses that come to their attention in
the performance of the audit to management, the board of directors, or its audit committee. Auditors often
issue another type of report to management called a management letter. This letter may contain
commentary and suggestions on a variety of matters in addition to internal control matters.
5.35
Internal control cannot provide absolute assurance that financial statements will not contain a material
misstatement because:
Internal controls can break down due to misunderstanding, mistakes, and errors due to
carelessness, distraction or fatigue.
The collusive activities of two or more individuals can result in control failures.
5.36
5-8
a.
Incorrect
b.
c.
Correct
Incorrect
d.
Incorrect
5.38
a.
b.
c.
d.
Incorrect
Correct
Incorrect
Incorrect
5.39
a.
b.
Incorrect
Incorrect
c.
d.
Incorrect
Correct
5.40
a.
b.
c.
d.
Incorrect
Correct
Incorrect
Correct
5.41
a.
b.
c.
d.
Incorrect
Incorrect
Incorrect
Correct
5.42
a.
b.
c.
d.
Correct
Incorrect
Incorrect
Incorrect
5.43
a.
Incorrect
b.
c.
Correct
Incorrect
d.
Incorrect
5-9
a.
b.
Incorrect
Correct
c.
d.
Incorrect
Incorrect
a.
Correct
b.
c.
d.
Incorrect
Incorrect
Incorrect
5.46
a.
b.
c.
d.
Incorrect
Incorrect
Incorrect
Correct
5.47
a.
b.
c.
d.
Incorrect
Correct
Incorrect
Incorrect
5.48
a.
Correct
b.
Incorrect
c.
Incorrect
d.
Incorrect
The audit team identifies significant accounts, locations, and assertions in the
planning stage of an integrated audit..
The audit team conducts a walkthrough of the internal control process when
testing the effectiveness of the companys internal control..
The audit team makes inquiries of employees regarding the existence of control
procedures when testing the effectiveness of the companys internal control...
The audit team reperforms control procedures performed by client employees to
determine their effectiveness when testing the effectiveness of the companys
internal control..
5.49
c.
Correct
5.50
a.
b.
c.
d.
Incorrect
Correct
Incorrect
Incorrect
5.51
d.
Correct
5.52
c.
Correct
5.53
c.
Correct
5.54
c.
Correct
5.45
5-10
a.
b.
c.
d.
5.56
NOTE TO INSTRUCTOR: Because of an error in the textbook question (qualified opinions are not longer
an option), two answers to the posed question are correct.
a.
Incorrect
This is an appropriate report.
b.
Correct
Qualified opinions are no longer permitted under AS 5.
c.
Correct
This is not one of the options offered by AS 5.
d.
Incorrect
This is an appropriate report.
5.57
a.
Correct
5.58
a.
b.
Incorrect
Correct
c.
d.
Incorrect
Incorrect
5.59
5.60
5.61
Incorrect
Incorrect
Incorrect
Correct
NOTE TO INSTRUCTOR: Since this question asks students to identify which statement is not true, the
item labeled correct would not be true and those labeled incorrect would be true.
a.
Correct
b.
Incorrect
c.
d.
Incorrect
Incorrect
a.
b.
Incorrect
Incorrect
c.
Incorrect
d.
Correct
a.
Incorrect
b.
Incorrect
The report would be dated as of the day that enough evidence has been gathered
to support the auditors opinion on the effectiveness of the entitys internal
control. .
The report does express an opinion on managements assessment of internal
control over financial reporting as well as the effectiveness of internal control
over financial reporting.
An adverse opinion is issued if one or more material weakness(es) exists.
The report on internal control over financial reporting can be presented along
with the report on the companys financial statements or as a combined report.
The reporting options when a scope limitation exists is a disclaimer of opinion.
A qualified opinion is no longer a valid reporting option for a scope limitation
and an adverse opinion would only be issued when one or more material
weakness(es) is identified.
While a disclaimer of opinion is one possible reporting option, it is not
appropriate to issue an unqualified opinion if a significant scope limitation
exists.
The reporting option when a scope limitation exists is a disclaimer of opinion.
Reference to the audit of the entitys financial statements would be included in
the introductory paragraph of a combined report on the companys financial
statements and internal control over financial reporting, but not a separate report
on internal control over financial reporting.
If a material weakness is identified, the auditor will add a paragraph to the report
that defines a material weakness. However, this information would not be
included in the introductory paragraph.
5-11
Correct
d.
Incorrect
5.63
In planning an audit, the auditors understanding of the internal control components should be
used to identify the types of potential misstatements that could occur, to consider the factors
affecting the risk of material misstatement, and to influence the design of substantive procedures.
b.
An audit team obtains an understanding of the design of relevant internal control procedures
(policies and procedures) and whether they have been implemented. Assessing control risk below
the maximum level further involves identifying specific control procedures (policies and
procedures) relevant to specific assertions that are likely to prevent or detect material
misstatements in those assertions. It also involves performing tests of controls to evaluate the
operating design and effectiveness of the clients control procedures.
c.
When seeking a further reduction in the assessed level of control risk, an audit team should
consider whether additional audit evidence sufficient to support a further reduction is likely to be
available, and whether it would be efficient to perform tests of controls to obtain that audit
evidence.
d.
An audit team should document the understanding of a clients internal control system components
to plan the audit. The audit team also should document the basis for the conclusion about the
assessed level of control risk. If control risk is assessed at the maximum level, the audit team
should document that conclusion and the reasons for it. However, if the assessed level of control
risk is below the maximum level, the audit team should document the basis for the conclusion that
the effectiveness of the design and operation of internal control procedures supports that assessed
level.
5-12
$450,000
Unknown
($25,000)
small
none (?)
$425,000
$500,000
Unknown
(75,000)
some expected
remote, but high
$425,000
If armed guards are hired, no more loss reductions (benefit) is available to justify the
additional $75,000 direct cost.
2.
Loss expected without control
Remaining expected loss with
control
Benefit (expected loss
reduction)
Cost of control
Net benefit
Doors and
Bars Only
500,000
50,000
Guards
Only
500,000
-0-
Both
500,000
-0-
Neither
500,000
500,000
450,000
500,000
500,000
25,000
75,000
100,000
425,000
425,000
400,000
The armed guards control has two adverse factors not expected with the doors/bars control: (1)
Inflation in guard costs will probably outpace the doors/bars maintenance costs and (2) The
possibility of a shooting incident on company property is not very appealing.
5-13
6,240
6,240
some
*
12,480
*The control is cost-beneficial without considering whether theft of cash had occurred.
Costs
New salary, annual
New calculator, 5-year life
Employee dissatisfaction
TOTAL COST
10,000
500
none expected
10,500
1,980
2,480**
The recording duty and cash custody are separate. Running the cash register
amounts to authorizing and recording transactions for all practical purposes, and
under the former arrangement this person also handled the cash. The cashier
could have failed to ring up a sale and just pocketed the money.
(ii)
The manager can compare the internal calculator cumulative total to the cash
register total for correspondence of amounts. A theft would require collusion of
both persons.
The accountant should not express any opinion on managements statement. You could disclaim
any opinion about the statement. You could give advice to the manager about the analysis. Still,
the manager is responsible for risk analysis and cost-benefit decisions.
5.64
Abigail
Reconcile bank account
b.
e.
f.
j.
g.
Bryan
Open mail and list
checks
Prepare deposit and
take to bank
Maintain petty cash
i.
5-14
c.
Chris
Prepare checks for signature
d.
h.
5-15
5.66
2.
a.
b.
Select a sample of personnel files for new hires and terminations and trace to reports
submitted to the personnel department. Trace also to first or last paycheck issued and to
cumulative payroll records.
c.
Paychecks might be delayed and terminated workers might continue to be paid (with
theft of check by someone else) if payroll is not promptly notified of new hires and
terminations.
d.
a.
b.
c.
5-16
3.
4.
5.67
d.
Same as tests of controls: Select a sample of paychecks, and vouch the deductions to the
amount authorized according to the personnel files.
a.
b.
Observe the timekeeping operations to determine whether they are performed separately.
c.
If payroll department personnel were also responsible for time records, they would have
effective control over transaction authorization (i.e., hours worked approval) and could
overpay themselves or friends.
d.
Select the paychecks issued to the people involved in combined duties. Examine them for
evidence of overpayment (wage rate or overtime).
a.
b.
c.
Cost accounting records might contain more or fewer dollars than actually paid (per
payroll data). Simple errors in cost analyses might occur.
d.
If possible, obtain a total of labor charged to cost accounting jobs or processes, and
reconcile to total wages reported on Federal Form 941. For details: Select a sample of
labor cost analyses, and reconcile to the payroll register for the same period.
5.68
Fraud Opportunities
The discussion could take several directions, including some or all of the following:
1.
Material Weakness. The facts seem to suggest a condition in which specific control features (few
or none are described) or the degree of compliance with them do not reduce to a relatively low
level the risk that errors or frauds in amounts that could be material to the financial statements
may occur and not be detected within a timely period by employees in the normal course of
performing their assigned functions. Gault has authority and influence over too many interrelated
activities. Nothing he does seems to be subject to review or supervision. He even is able to
exclude the internal auditor.
5-17
Gault can collude with customers to rig low bids and take kickbacks, thereby depriving
the company of legitimate revenue.
b.
Gault can direct purchases to favored suppliers, pay unnecessarily high prices and take
kickbacks. He might even set up a controlled dummy company to sell overpriced
materials to the company. No competitive bidding control prevents these activities.
c.
Gault, through the control of physical inventory, can (i) remove materials for himself and
(ii) manipulate the inventory accounts to conceal shortages.
d.
Gault can order truck shipping services for his own purposes and cause the charges to be
paid by the company.
e.
5.68
Gault can manipulate the customer billing (similar to a above) to deprive the company of
legitimate revenue while taking an unauthorized commission or kickback.
Fraud Opportunities (Continued)
3.
Almost every desirable characteristic of good internal control has been circumvented:
a.
b.
c.
Controlled Access. The whole situation gives Gault access to necessary papers, records,
and assets to carry out his one-man show.
d.
Periodic Comparison. No one else apparently has any access to the materials inventory in
order to conduct an actual count for comparison to the book value (recorded
accountability) of the inventory.
5-18
1.
1.
2.
2.
3.
3.
4.
4.
5.
5.
Fictitious employees.
6.
6.
7.
7.
8.
8.
Incorrect deductions.
9.
9.
23. Over/underreporting.
5-19
b.
This situation would result in an adverse opinion being issued on the effectiveness of the
companys internal control over financial reporting. Assuming that managements appropriately
concludes that it has not maintained an effective internal control over financial reporting, the
auditor would express an unqualified opinion on managements assessment of internal control
over financial reporting. The standard report would be modified as follows:
Modify the introductory paragraph to note that managements assessment indicated the
company has not maintained an effective internal control over financial reporting.
Include a paragraph immediately following the inherent limitations paragraph that defines
a material weakness and describes any material weakness identified during the audit.
Modify the opinion paragraph to indicate that because of the effect of the material
weakness identified, the Company has not maintained an effective internal control over
financial reporting.
This situation represents a scope limitation; depending upon the significance of the scope
limitation, the auditor could issue either a qualified opinion or disclaimer of opinion.
If a qualified opinion is issued, the standard report would be modified as follows:
Provide an explanatory paragraph describing the scope limitation. If the scope limitation
is related to the inability to gather sufficient evidence with respect to a potential material
weakness, this paragraph should also include the definition of a material weakness.
Modify the opinion paragraph to reflect a qualified opinion (except for the effect of
matters we might have discovered).
5.70
Delete the sentence describing the auditors responsibility for internal control over
financial reporting in the introductory paragraph.
Provide an explanatory paragraph describing the scope limitation. If the scope limitation
is related to the inability to gather sufficient evidence with respect to a potential material
weakness, this paragraph should also include the definition of a material weakness.
Modify the opinion paragraph to either disclaim an opinion (the scope of our work was
not sufficient to enable us to express, and we do not express, an opinion).
It is important to note that the scope limitation will normally affect the auditors ability to issue an
opinion on both managements assessment of internal control over financial reporting and the
effectiveness of internal control over financial reporting.
Reports on Internal Control Over Financial Reporting (Report Modifications) (Continued)
c.
In this situation, an unqualified opinion would still be appropriate, assuming that the work of other
auditors can be relied upon and does not indicate the existence of one or more material
weakness(es). The introductory, scope, and opinion paragraphs would be modified to indicate the
division of responsibility.
5-20
d.
5.71
If management has not adequately disclosed a material weakness in its internal control over
financial reporting, they should include an explanatory paragraph describing the reasons
the auditors believe managements disclosures should be modified .
Audit Simulation: Reports on Internal Control Over Financial Reporting (Identify Report
Deficiencies)
Introductory Paragraph:
1.
The introductory paragraph does not discuss Van Dykes responsibility with respect to maintaining an
effective internal control over financial reporting.
2.
Auditors no longer report on managements assessment of internal control over financial reporting.
5.
The paragraph identifying the material weaknesses in internal control noted by Sorrell should
provide some brief information on the nature of the material weaknesses.
6.
The paragraph discussing the effect of material weaknesses on the nature, timing, and extent of
audit tests should explicitly indicate that the report on internal control over financial reporting
does not affect Sorrells report on the financial statements.
7.
The paragraph identifying deficiencies in internal control over financial reporting less severe than
material weaknesses is inappropriate. [no applicable reference]
Opinion Paragraph:
8.
Sorrells disclaimer of opinion on Van Dykes assessment of internal control over financial
reporting is inappropriate because auditors no longer report on managements assessment of
internal control over financial reporting.
The date on the report should not be the balance sheet date.
5-21
5.73
2.
3.
4.
5.
6.
7.
8.
9.
5-22
Evidence of material misstatements (caught by the audit team) that were not prevented or detected
by the clients internal controls.
Ineffective oversight of the financial reporting process by the entitys audit committee.
Because Lakeland is a public company, we are required to follow the Sarbanes-Oxley act, which requires
us to identify significant deficiencies and material weakness and report them in writing to the audit
committee.
5.74
5.75
3.
Auditors usually begin with inquiry of management, employees, and others charged with
governance (including the audit committee). Auditors also investigate senior managements
reputation in the community. Indicators of a weak tone at the top include involvement by
nonaccounting managers in accounting issues, pressure to achieve earnings, disputes between the
auditors and clients, and observing a lack of ethics in dealing with customers, suppliers, and
employees.
4.
Auditors have to follow up on all whistle blower accusations, regardless of how far-fetched. The
accusations must be handled with professional skepticismneither assuming they are true or
false. Often client personnel will be asked to assist in the follow-up, but their input must be
independently verified by the auditor. The accusations should be treated as red flags, which may
call for additional evidence gathering in affected areas. Finally, if the accusations appear to be
credible, the auditors should notify their attorneys as well as the client's audit committee.
The high cost of Sarbanes-Oxley compliance can be found by reviewing the total audit fees
reported by GE and by the Fortune 100/500 companies. As shown in Exhibits 2 and 3, these fees
have increased significantly from 2002 to 2004. (A portion of this increase may result from the
SECs revised definition of audit fees).
While the audit fees have continued to increase in 2006, the smaller rate of increase from 2004 to
2006 may reflect a learning curve for auditors and some initial start-up costs with respect to the
implementation of Section 404.
6.
5-23