Big4Guy

Sarbanes Oxley has changed the way auditing is done in the mordern world. Auditing Standard 2 issued by the PCAOB lays down comprehensive guidelines on conducting an audit of internal controls in conjuction with an audit of financial statements. Some of the regular readers here might remember that I have written extensively on SOX 404 implementation. Jonathan one of the readers here asks as to how 404 controls attestation differs from an audit of financial statement performed pre-SOX. Well, to answer his query, here are a some pointers which will help clarify the difference between SOX 404 attestation and audit of financial statements:

Approach - Section 404 controls attestation requires a controls based approach. This was not the case earlier with audit of financial statements. Audit apporach only included an understanding and consideration of internal controls.

Objective - Earlier, an audit of financial statements required the auditor to render just an opinion on financial statements and not on internal controls. Post Sarbanes OXley, auditors are required to evaluate and test internal controls across the various busines processes. Auditors now need to comment on the effectiveness of such internal controls.

Reporting - Internal control reporting was never a part of audit in the pre-sarbanes oxley era. Today, even if a company has a history of a clean audit reports, this by itself does not mean that the organization has effective and strong internal controls.

More on Sarbanes Oxley

Section 404 IT Implementation Best Practices
Four Steps in Designing Internal Controls
Corporate Code of Ethics
Fraud Risk Management - Steps to Treat Fraud