U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Responses to ACSPC Request for Public Input

SOX Section 404/Internal Controls

Question 12. Current standards require that the auditor must perform enough of the testing himself or herself so that the auditor's own work provides the principal evidence for the auditor's opinion. Are there specific controls for smaller companies for which the auditor should appropriately be permitted to rely on management's testing and documentation? Are there specific controls for smaller companies where this is particularly not the case?

The following answers have been received:

08/02/2005 17:44:12   Cannot answer yet

08/03/2005 01:39:17   Yes. The form of the audit needs to allow small companies, and even large companies, to define the appropriate controls and to dramatically reduce the number of controls. Also, the depth of the testing has been a major expense to our company.

08/03/2005 07:01:34   dont know

08/03/2005 10:40:26   We have internal auditors who assess management's testing, and then the external auditors need to retest the internal auditors work as evidence for their opinion. If an external auditor can't rely on an external loan review, an internal auditor's review, and a regulatory bodies review, what good are these three entities?

08/03/2005 12:17:58   this is a godsend of money for accounting firms.

08/03/2005 15:01:40   Small companies should not have to pay the cost of having so many firms to do the same work. Under SOX, we have completed our internal control assessment and remediation with a special new accounting firm. We are having a separate firm to do testing. Then we have to pay our external auditor an additioanl fee, as much as our normal audit fee, to certify on what the other two firms have done. I think the PCAOB should (1.)require the external audit firm, as part of annual audit, to perform the internal control documentation and testing as was required when I was in public accounting in the late 1970's or (2.) allow small public companies to forego the certification process from the external auditors and let either the firm doing the testing or the firm that did the documentation to sign off on the certification.

08/03/2005 15:22:49   These current standard should continue within the fincial services sector.

08/03/2005 16:58:51   Auditor's should do their own testing on judement issues but they really need to do this as part of their financial statement audits anyway. I believe auditors can spot test a sample of items tested by the company. If test results are the same, they should be able to rely on the company's work. More importantly, if the company hired a consulting firm with qualified individuals, the auditors should be able to rely on a lot of their work with limited detailed testing.

08/03/2005 18:01:35   Please look into item no 29

08/03/2005 18:30:29   x

08/03/2005 19:54:33   I have no opinion on this question.


08/04/2005 09:17:19   If the company has in place its own internal audit department and the staff has proven its work then I think that this should be up tot he auditor to make the decision as to whether or not they do their own testing.

08/04/2005 09:39:15   All entity level controls. IT General Computer controls. All control activities which have a low risk assigned to the control. For control activities with a moderate risk assigned the auditors testing should be extremely limited.

08/04/2005 12:09:05   Auditor should have the ability to determine. Not all small companies are created or controlled the same. The accounting profession has always taken great pride in doing it correctly. There were some overzealous examples where dollars clouded their judgment. You can legislate this away. Let the auditors have some discretion.

08/04/2005 13:38:24   No comment.

08/04/2005 14:20:27   I will have our CFO give his opinion here.

08/05/2005 10:54:31   The auditors need to do the testing.

08/05/2005 12:38:34   The auditor must perform enough of the testing himself or herself so that the auditor's own work provides the principal evidence for the auditor's opinion!

08/05/2005 15:34:53   The management testing should be sufficent reliance for all accounts comprising less than 25% of the balance sheet or revenue.

08/05/2005 15:43:46   Assuming the internal personnel meet the Using the Work of Other paragraphs - Work done in operational (i.e., non-valuation) areas such as operating procedures, IT controls, confirmation procedures (with limitations), reconciliations (with limitations), Accrual proofs (with limitations) (with limitations = subject to traditional reperformance testing). These concepts parallels SAS 65.

08/05/2005 16:45:38   Independence of the auditor can only be enforced when they do not rely on management reports and audits. they can review those reports for accuracy and audit the auditors, but sole relaince on such reports would be an implicit weakness in the intended oversight and should not be allowed.

08/05/2005 19:33:08   Auditors should rely on managment for most assurances other than those already audited for under existing law.

08/06/2005 13:52:06   Much more discretion should be left to the auditor. Many small and medium sized companies have excellent controls and do an excellent job of documenting and testing them. Auditors should be allowed to place greater reliance on the company's work in those cases.

08/08/2005 14:06:10   I think auditors should be given the leeway of making that judgement for themselves. They are the ones that have to sign the report so let them make the call. Generally speaking, this business of having managemant test controls and then have the auditors come in an re-test just to make sure that management's assertions are correct seems to be a grand duplication of effort, and that only translates into additional cost.

08/08/2005 15:43:24   In smaller companies, auditors know where the risk areas are if any and need to test appropriately as they have always done. You don't have Enron or Worldcom situations in smaller companies. Auditors have paid the price when they haven't known and haven't done what they should have.

08/09/2005 09:30:31   If companies internal audit program is strong, well managed and well documented, an external auditor need only review those reports.

08/09/2005 16:26:34   This is a very burdensome provision...the auditor should be able to use the third party or management's tests and samples as prudent and test as is felt necessary...this provision is creating two levels of testing as the auditor is now justified in their increased testing...they make more money and their reputation is on the line.

08/09/2005 17:25:10   No. If the auditor must give its opinion, then he must gain own satisfaction.

08/10/2005 09:04:41   no comment

08/10/2005 16:00:18   Small banks like us seemed to be doing just fine up until now with all the audit and regulator testing.

08/10/2005 22:09:27   I think audits should be randomly applied for all aspects of the business as almost every transaction has consequences on many others.

08/11/2005 08:35:22   Yes, in small organizations the 'evidence' that a control has been performed via signature or initials should be dropped. If Joe who sits next to Sam passes the reconciliaton to Sam should Joe 'sign'? 10K or 10Q materials similarly do not need to have 'evidence' of review.

08/11/2005 20:27:22   Auditors are required to test internal controls if they plan to rely on them to reduce their substantive testing. If a company is too small to have appropriate internal controls, I assume that there should be some managment over-sight (compensating controls)otherwise the auditor should expand his substantive testing.

08/12/2005 13:12:10   No opinion.

08/12/2005 14:46:45   External auditing testing of controls should be limited to minimized "Key Control". Reliance for other testing should be placed on the work of the internal auditors without the external auditors being required to "test" the work of internal audit. It is redundant!

08/12/2005 16:35:01   I believe that auditors should test themselves.

08/13/2005 12:39:43   Don't know

08/15/2005 14:27:30   This may not be on point but one of the big problems that I personally experienced resulted from the total confusion in PCAOB Standard No. 2 as to what standards apply to a conclusion that controls are NOT effective. The Standard is clear that such a conclusion is possible but the specific procedures all assume that they are being implemented in support of the conclusion that the controls are effective. PCAOB needs to address this issue and the SEC needs to address the issue of what opinions comply or fail to comply with the Exchange Act reporting requirements. E.g. Cray, Inc.

08/15/2005 15:10:05   No, in smaller companies they should not depend on management with typically fewer skilled control persons on staff to do their own controls.

08/15/2005 15:13:01   The problem with smaller companies relates to their internal manpower resources. Oftentimes there is no proper segregation of duties. It's a fact of life for small companies. Despite that, the auditors are always writing these types of situations up. I think that where segregation of duites is an issue, the auditor should not rely on management's testing. In other areas, the auditors need to evaluate the significance of the the area, who within management performed the tests and the results of the tests. Depending on the answer to these questions, I believe that the auditor could rely on these tests 100% of the time.

08/15/2005 15:14:45   Yes......

08/15/2005 16:33:43   NO- it is ridiculous to force our auditors to visit 75% of our plants to do testing. For routine testing, management assertion should be enough combined with bank reconciliations.

08/15/2005 18:59:52   I think that the the disclsoure obligation should be on management, with management commenting specifically on each aspect of internal controls, without auditor review.

08/16/2005 09:51:21   Unsure at this time. We have not completed our testing.

08/16/2005 10:10:36   requency and auditing are not the issue. The issue relates to 1) the depth of proving oversight; 2) the number of key controls; and 3) the documentation. The important is not culled from the non-important.

08/16/2005 10:21:17   No.

08/16/2005 10:26:28   yes, sufficient controls

08/16/2005 10:42:02   a)Absolutely. b)That's up to the auditors, but there are likely to be some key controls that auditors should specifically test.

08/16/2005 10:44:16   Up to the auditor. Lower risk areas, I would think.

08/16/2005 11:18:54   No opinion

08/16/2005 11:52:16   THe level of transactions and the dollar size of those transactions should control what the auditor does. Most auditors these days are affraid of their own shadows so do not do anything.

08/16/2005 12:14:10   No comment

08/16/2005 12:40:54   No

08/16/2005 12:42:56   Of course auditors should be allowed to rely on company representations in most situations. It's hard to imagine why it is necessary for an auditor to repeat any test except for random verification or if there is a meaningful reason to suspect errors.

08/16/2005 13:04:14   Controls that are not meant to prevent material error or fraud should not be tested by the auditors if there is evidence provided by mangagement that the controls have been tested and are effective.

08/16/2005 13:12:04   SOX/404 should substantually rely on self-certification with a sampling approach by the auditor to validate... but with heavy burden imposed if the sampling finds intentional miss-statement by management.

08/16/2005 13:19:29   As a bank, our financial statement and reporting is fairly standardized, and to be honest our CPA was doing enough of the testing in the past to be sufficient. They are using SOX 404, however, as an opportunity to charge us twice as much to do the exact same work using two different formats. The issue is not in who does the work (as small companies do not have the internal time to perform the audit work either).

08/16/2005 13:20:23   The auditors should be able to rely upon any or all of the Company's controls, but have to do enough work to satisfy himself that it is appropriate to rely on the Company's work. You should not make "specific" controls suitable or not for reliance. This will only perpetuate the American way and encourage people to do "what the auditor needs" rather than what is really required. This promotes an attitude of doing what you "need to do to get certified" rather than doing what you "should do" for the benefit of the company and to meet the spirit of the 404 process.

08/16/2005 13:25:32   I don't see much difference from small to large on this. What is a waste of resources for one is a waste for the other.

08/16/2005 13:27:00   The auditor should be able to rely on the company's work if the work is appropriately documented and the work is performed by an "independent" person (i.e., reports directly to the Audit Committee)

08/16/2005 13:30:33   All but the most critical.

08/16/2005 14:08:05   Documentation and proof of testing is part of the biggest burden on small companies.

08/16/2005 14:23:10   When we think about most business failures or frauds, the issues typically are not at the day to day transaction level. The adjustments at the corporate consolidation level or at larger divisons general ledgers seem to be where the problems occur. The current level of SOX 404 testing at each division with 5% of sales or assets and at the daily transactional level is very expensive. Clearly there are large accounts and journal entries at the corporate and divisioal offices that need to be scrutinized. I believe that all companies both small and large need to be treated the same. The fundamental issue is the detail testing at a very small transaction level.

08/16/2005 14:54:27   The auditor should be required to test only enough controls to validate their reliance on management's testing. The requirement for a second opinion from the auditor on internal controls adds signficant cost and no value.

08/16/2005 15:15:12   To name specific controls, in my opinion, is a mistake. The external auditor is educated and experienced and has a governing body to direct the scope of his work. I believe each CPA firm should be allowed to determine on their own how much is enough and then be held accountable for their opinion if it is later proved that they did insufficient work. All to often auditors are allowed to disclaimer their way out of any liability for their work. Let's hold a few CPA's accountable instead of doing everything possible to hold them harmless. I realize that this could create an increase in accounting fees, but it would also increase competition in the auditing services. Its time to let the CPAs do a little risk management insted of allowing them to collect the fee but be free of liabliity.

08/16/2005 16:16:04   Smaller companies should be exempt from 404 testing.

08/16/2005 16:45:09   The auditor should perform enough testing to reach an independent conclusion. If the auditor believes he can rely on work performed by the company and still reach an independent conclusion, he should be allowed to make that decision. The quality of the auditors judgement should not be mandated but considered in the review of the effectiveness of the auditor.

08/16/2005 18:35:41   ?

08/17/2005 12:28:22   I believe the auditor should only review the subjective accrual type accounts and the autoamtically posted accounts should be done ny internal audit and maybe the IS external auditor.

08/17/2005 12:36:00   I think a test of materialty should be performed first. Looking at the worst case scenario, could the failure of a particular transaction have a material impact. If not, the test needn't be performed at all.

08/17/2005 18:49:20   I think the nature of smaller companies results in a higher risk for the auditor so I don't believe a different standard of testing should apply simply based on the size of the client's balance sheet. The auditing firm is risking its reputation and capital just as much in a smaller company as in a larger company.

08/17/2005 18:49:27   all by materiality

08/17/2005 21:27:12   No.

08/17/2005 22:55:14   Yes, the lower-risk controls are an area for more reliance on management testing. I believe that revenue recognition and inventory are areas that manangement testing should be least relied upon.

08/18/2005 08:03:31   Auditors should make field audits, not rely entirely on management documentation.

08/18/2005 14:30:38   Auditors should only test top level controls

08/19/2005 02:56:12   The auditor should have judgement to audit which accounts and to receive this assurance on a multi-year basis rather than annually. Currently auditors are more concerned about their being criticized by the SEC or PCAOB to care how management views risk - Deloitte's audit approach seems to be "more is better."

08/19/2005 11:44:44   Any non-critical items tested by management should be a candidate for auditors to rely on.

08/19/2005 13:49:01   The current standards that require auditors to perform enough testing for them to create their own evidence for an opinion are flawed. During an audit of a company´s financial statement the auditor reviews management´s financial statements and supporting data and, based on this review, is able to render an opinion on the data presented in the company´s financial statements. Certain steps are taken to validate the data presented that enforce this process and give comfort to the auditor in giving the opinion – they do not compile the financial statements. If the same process was in place with the SOX internal controls audit the opinion would be arrived at through a review of the accumulated data that management used to reach their assessment of the adequacy of their ICFR. For the auditor to perform tests on the same data population as management and, worse, to retest some of the same tests that management has already performed and documented, is a major reason for the excessive costs associated with the SOX process; there is too little reliance on the work that management has performed and the documentation that has been accumulated. During the process of preparing the SOX documentation we performed ‘walkthroughs´ and accumulated sample documents that support the processes as they existed at the time of the documentation. Subsequently the auditors performed ‘walkthroughs´ and accumulated sample documents as well. This year´s SOX audit is nearly complete and thus far the auditor has not reviewed the ‘walkthrough´ documents that were gathered by management. Reviewing management´s documentation, rather than recreating their own, would have helped to eliminate a significant budgetary line item in the overall SOX audit. In summary to this question, it is felt that ALL of management´s testing and documentation should be relied on much the same as the financial statements are relied on to do a financial audit; the auditor does NOT need to redo what management has already accomplished.

08/19/2005 14:40:28   If there testing is performed by a qualified outside contractor, or qualified internal auditor there should be more reliance on the testing. There is a greater assurance of independence. Also, transactional tests are very time consuming to re-perform. Consideration should be given to review of management testing workpapers rather than re-selection of test samples and re-performance of tests -- unless this is a high risk control.

08/22/2005 15:20:23   If the rule is that the auditors have to sign off, I believe they should have to test the controls. In a small company, I would rather see the auditors test the controls and not have the company test the controls at all. It is redundant for the company to test controls (or hire a consultant to test them) and then to have to pay the auditors to test them again. Management should be able to rely on the auditor's testing to certify as to the sufficiency of the controls.

08/22/2005 15:47:02   All of them. The auditor already performs testing on the financial statements. That should be the ultimate indication of the effectiveness of internal controls. Beyond that, they should be able to determine the effectiveness of internal controls by reviewing the company's internal audit reports.

08/22/2005 17:54:28   Any system which uses a highly standardized software package (such as Oracle)should not need an extensive review by auditors as long as the software is functioning properly. For these cases, reliance on the company or the software itself is low risk for the auditors.

08/22/2005 17:56:59   Auditors can, and do, conduct additional tests in smaller companies, but then that can be done because of smaller size.

08/22/2005 19:27:18   Auditors should be able to reveiw the detial work and do an entity level assesment. They are going to audit more now without testing controls directly. THey are often doubling up on their work effort.

08/22/2005 20:10:17   Small companies should be able to provide the auditor with purchase orders, production logs, and payroll logs which would be sufficient for test proof.

08/23/2005 00:42:38   na - management should not be required to perform testing.

08/23/2005 15:56:30   the auditor should be permitted to rely on mgmt's testing and documentations for ALL controls. Or maybe, managment should step aside and let the CPA firms and SEC run the companies...MGMT could then be the watchdog to make sure the CPA firms and SEC are doing their jobs in a satisfactory way.

08/23/2005 16:49:34   Most auditors are going overboard in their testing in order to protect their own hides. This is creating a huge cost to small companies that I don't feel is justified.

08/23/2005 21:11:03   Process and accounting controls DIRECTLY linked to financial reports should be verified by the auditors but, where possible, rely on the work of management to test and assess on a regular basis. This ONLY makes sense if the basic controls are standardize AND the external auditors are required to perform integrated audits to eliminate the 75-100+% increase in audit fees.

08/24/2005 08:50:18   The auditors should be able to rely on ALL of managements's testing to save substantial amounts of money. They can reperform the testing so management couldn't manipulate (allow the auditor to pick the samples if you want).

08/24/2005 14:30:13   The firms are taking that in the first year of testing thay they cannot rely on any of the companies testwork and have to do perform all of their own work. They should be able to rely on some of that work as part of their samples.

08/24/2005 16:19:27   Pretty much all. The only controls they need to focus on are complex IT issues.

08/24/2005 16:26:56   Yes – the ability of the auditor to rely on management´s testing and control should be left to the judgment of the auditor, based on the relative risk associated with various financial statement items. Of particular concern should be areas where management judgment affects the financial statements and related disclosures significantly.

08/24/2005 16:51:40   At this point, the rules have made the auditors paranoid. As a result their audit charges are huge. I have now seen several instances where the auditor's fee in connection with restatements which followed correction of a problem exceeded the significance of the error. Example--restatement because an expense was shown in the wrong quartter.

08/24/2005 16:54:47   I think the whole independence of auditor issue needs to be relaxed in smaller companies who can't afford to have staff to do all that needs to be done for SOX

08/25/2005 15:23:41   Areas of less risk or unsignificant accounts, the testing results of the Company should be relied upon instead of necessitating the external auditor to conduct their own testing.

08/25/2005 16:04:36   Similar to SAS #65. If the individuals performing the management testing are competent and objective than the external auditors should be able to rely quite heavily on the results of their testing.

08/25/2005 16:26:29   For smaller companies, transaction testing is probaly the most cost effect as opposed to internal control testing.

08/25/2005 17:02:43   Yes, particularly in areas such as disbursement controls. Areas that should not be within management's testing should be revenue recognition.

08/26/2005 12:41:42   For small companies, I recommend that the auditor review client prepared work issue a statemnt that they reviewed work prepared by the client which appeared adequate. I would propose that no testing be performed by the auditor, rather, the auditor provides an oversight for the adequacy of client prepared work.

08/26/2005 13:07:22   No Comment

08/26/2005 15:31:29   Dependent on independence and competency.

08/26/2005 16:22:08   Not really specific. You would have to look at a case-by-case basis.

08/27/2005 11:21:03   All of them. Auditors should not be required to report on internal control of any smaller company until practical and specific testing guidelines are developed. After all, if the national accounting firms are doing too much on the big companies and the SEC's guidance is too vague, then how would smaller accounting firms be expected to exercise consistent judgment (never mind 'reasonable judgment') on testing controls for smaller companies? Only a checklist could be completed consistent.

08/29/2005 07:07:37   Same.

08/29/2005 10:21:15   Where the testing is found to be independent and knowledgeable individuals are performing testing, we believe that external auditors should be able to review and rely on such testing in nearly all cases, much as they have historically done with internal audit work in other areas.

08/29/2005 10:21:25   Where the testing is found to be independent and knowledgeable individuals are performing testing, we believe that external auditors should be able to review and rely on such testing in nearly all cases, much as they have historically done with internal audit work in other areas.

08/29/2005 11:21:29   Auditors should review test work of management and also do test work themselves on key controls with small sample sizes to obtain a comfort level that management assertions are correct.

08/29/2005 14:18:47   I believe that it would not be appropriate for the auditor to rely on management´s testing and documentation for the formation of an opinion on an internal control system. The auditor should be doing its work independently.

08/29/2005 14:53:30   Controls are either worth having and doing or they should not be in place. I believe that the auditors must rely on the competence and integrity of management and the records that management is responsible to create or no small public company will be able to afford to be audited.

08/29/2005 15:31:21   Management's testing and documentation of controls for low risk, low transaction areas could be used by the auditor. Controls that require management to use estimates should always be independently tested.

08/29/2005 16:10:53   Yes---based on risk---two types of risk---the quality of the records and the conservitiveness of the entries.

08/29/2005 17:12:26   I do think this needs more consideration and to ease the requirements, but do not have any specific examples.

08/29/2005 17:12:43   Anything typically covered by an internal audit department should be relied on by the auditors (expense reports, payroll, property & equipment, treasury).

08/29/2005 17:36:32   Unable to comment

08/29/2005 19:02:32   The auditor has access to enough material and staff in a small company that he would know what controls may be suspect and spend more time there.

08/29/2005 19:05:24   No. Smaller companies generally lack the internal expertise and structure (independence) necessary to allow the auditor to rely on the company´s internal tests of controls.

08/29/2005 21:00:01   I don't think that an auditor should rely upon management testing unless the testing was performed by someone other than the preparer.

08/29/2005 22:40:58   Due to the high costs of SOX audits for smaller companies, the auditors should be able to rely on all the testing peformed by the company.

08/30/2005 15:04:16   The controls on balance sheet accounts with a high level of inherent risk should be principally tested by outside auditors. The controls in other areas with less inherent risk could be rotated between management and outside auditors.

08/30/2005 15:07:00   I believe the auditor should be able to review management's testing and use that as the basis for their opinion if the auditor were comfortable.

08/30/2005 17:08:46   External independent auditors should be able to rely on controls that were tested by compentent internal audit personnel.

08/30/2005 18:26:14   Auditors should perform their own testing for entity level controls, antifraud programs, and computer controls. For other controls, once the auditor is satisfied with the competence of the individual who performed the work, and the quality and effectiveness of their work, he or she should be permitted to rely on management´s testing and documentation.

08/30/2005 18:48:02   N/A -- Really need a CPA to answer this one.

08/30/2005 21:39:41   We don´t believe that the Big 4, or even Big 8 auditing firms will ever fully comprehend what the small business rules, and feel to Tone at the Top means. They will always consult their checklist and look specifically for evidence. They cannot document in their file and certify based on the principal that in some smaller locations, the President of the Company talks to every employee everyday, and how they conduct themselves is the ultimate “soft” control, not a checklist with backup. The auditors need to build a file based on the current standards and those standards do not allow a distinction between small and large companies.

08/30/2005 23:57:28   No comment

08/31/2005 08:31:59   Small SEC companies most likely do not have the strong internal audit function found in larger companies. Therefore, we believe "no" is the appropriate answer to both questions.

08/31/2005 10:21:37   External auditors should focus testing on the controls relating to the most material accounts and processes. In our case, receivables and revenue recognition. Beyond that, the external auditors should rely on the internal auditors work.

08/31/2005 14:00:12   The ability of the auditor to rely on management testing in smaller companies is not the primary issue. The requirement that management of smaller companies be required to expend resources to document and test controls, and to pay auditors and spend time to get the auditors through the audit is the issue.

08/31/2005 14:12:37   For companies large and small, we believe that auditors must do a better job of evaluating the competence and objectivity of those performing management´s testing and documentation. There is no dispute that auditors must perform their own work to reach a conclusion, however, our experience has been that auditors are reluctant to place much (if any) reliance on testing performed by management. Instead, external auditors require the use of internal audit or third-party consultants as the only plausible means to significantly reduce the amount of testing they must perform. Assuming that management assigns competent individuals to perform its testing and documentation in a manner that is as objective as possible, auditors should be able to place much more reliance on these results (especially in those areas of lowest risk). For more critical controls, such as those related to the entity-level environment, auditors should continue to perform much of their own testing and rely less on the results of management testing.

08/31/2005 14:25:37   External audit firms should be able to rely on bank examination reports and internal audit reports. External auditors should then be allowed to use their judgement in spot checking final results.

08/31/2005 14:32:46   Not sure.

08/31/2005 15:19:27   Yes - many of your preventive controls (approver signature, preparer signature, reconciliations, etc.) that are straightforward yes or no type testing could certainly be done in house (at least by IA). Of course the financial closing and reporting cycle and any controls over mgmt judgement and estimation would have to be tested solely by the auditors.

08/31/2005 16:16:33   12. During a walk-through of the processes, the auditor should be able to gain confidence in the company´s controls as they are documented. If the walk-through reveals any disconnect between the documentation and actuality, the auditor should then not rely on the company´s testing. Also, the auditor should be able to select different controls each year within given processes for testing. Without prior knowledge of the controls selection, management is forced to test and confirm all controls, while the auditor simply “audits” the process. Therefore, certain controls may not be tested every year, but the processes are tested routinely. Auditors should make this determination on a case-by-case basis. Testing should be proportionate to the risk or comfort level involved with the process. Auditors should be required to use judgment in determining the ability to rely on management´s work.

08/31/2005 16:29:59   no

08/31/2005 18:22:30   In our opinion, it is appropriate to rely on the work of others, the extent of which should be based on auditor judgment. To specify controls for which the auditor should rely on management´s testing, and controls for which the auditor should not rely on management´s testing, reduces the auditor´s ability to make effective judgments in directing their audit efforts effectively and efficiently.

08/31/2005 18:23:08   IT General Controls (dependent on the qualifications), SAS 70s, and controls over routine transactions – the external auditor should be able to rely of the work of others. Not the case for Entity Level Controls, Financial Statement Close, Estimates – these should be tested by the external auditor.

08/31/2005 19:16:05   12. Even if you allow auditors to accept management´s work they will not do it, and regulations will not force them to do it. Once regulation put the responsibility and legal liability on these firms, risk dictated that they must do what ever amount of work is necessary beyond regulated standards to alleviate the risk. No regulatory body will be able to set a standard of what is too much testing.

08/31/2005 20:55:07   Smaller companies should not have these tests, this is the time wasting/consuming part of the process.

09/01/2005 00:55:31   Should be risk based. Testig of more rotine controls could be relied upon by the external auditors provided the qualigfications of "mgmt" doing the testing complies with PCAOB 2 and other applicable guidance.

09/01/2005 11:40:19   I think that auditors should be able to rely, in general, on a higher percentage of managements testing, especially in low risk areas.

09/01/2005 14:30:54   No comment.

09/04/2005 07:42:16   Yes. Reliance on management can be trusted for controls whose materiality to the company's financials is low or medium. This will establish a more cost-effective 404 implementation.

All Survey
Main Survey



Modified: 10/13/2005