Big4Guy

Management uses various testing strategies for internal controls evaluation. Testing controls provides assurance to the management that internal controls are in fact achieving business objectives. Looking at the flip side, what if controls fail to achieve business objectives. Yes, you are right, I am talking about control exceptions. How can the management handle or what does it do when control exceptions come up? Three issues normally come up in case of evaluating control exceptions which the management needs to know.

1. Nature and root cause of exception.
2. Financial statement mistatement that could result as a result of exception.
3. And finally, whether the exception could result in a material mis-statement in financial statement.

All control exceptions warrant corrective actions. A through analysis will reveal the exact cause of such exception. Such corrective action normally includes redesigning the control. Once corrective action is taken, management needs to again test the design and operating effectiveness of internal controls to check whether the new control is working fine. I have seen in a few cases, where the internal control deficiency persists resulting in exceptions. At this stage, it is for the management to evaluate whether exceptions noted can lead to a significant deficiency or a material weakness. My advise to management would be to document each exception, find the root cause and take corrective action. If exceptions still remain, document the resolution. It is now for the auditor to decide whether an internal control deficiency exists or not.

Related Posts on Sarbanes Oxley

Remediation of Significant Deficiencies / Material Weaknesses
Spreadsheets and Sarbanes Oxley
IT Risks and Controls Evaluation
Effect of Material Weakness on Financial Statements