Building a compliance program in line with Sections 404 and 302 of the Sarbanes-Oxley Act is a difficult task, one in which the audit committee plays a critical role.

It is up to audit committee members to ask key questions and review relevant information throughout the process. By the time an external auditor assesses a company's compliance efforts, it may be too late to fix material internal control weaknesses and other deficiencies.

The following checklist can help audit committees gauge how well the compliance program is proceeding. It can serve as a point-in-time assessment or be used as an agenda for periodic meetings with senior management, the compliance team or external and internal auditors.

SOX Section 404 & 302 Education

Have the important elements of the Act been communicated to managers throughout the organization?

Is there a formal training program in place to educate managers on their responsibilities?

Have managers and employees been trained on Committee of Sponsoring Organizations of the Treadway Commission (COSO) concepts and methodologies?

Has the external audit firm communicated its needs based on Public Company Accounting Oversight Board requirements?

Assessment Of Current Internal Control Environment

Has there been an organizational risk assessment and internal control evaluation, preferably using the COSO methodology?

Have major risk exposures and areas of internal control concern that expose the business to financial fraud or reporting error been identified?

Company Commitment To Compliance

Has senior management communicated its commitment to and endorsement of Sarbanes-Oxley compliance?

Is senior management actively involved in developing the approach to compliance?

Is the project steering committee providing regular and sufficient detail to understand the relevant issues and progress made?

Are sufficient resources allocated to the project to meet compliance deadlines?

Compliance Project Team

Do the project team members have sufficient experience and training to document, evaluate and test the significant controls upon which the company will rely for its assertion report?

Have sufficient tools and methods been provided to ensure that the process is thorough and productive?

Does the company have an open forum to communicate major issues, roadblocks or problems to senior management and the audit committee?

If internal audit plays a major role in the compliance effort, is its independence compromised?

Project Scope And Plan

Have major accounts and significant business units and processes been identified and agreed upon by senior management and the external auditor?

Is the company focusing on internal control over financial reporting? Or is the company also looking at internal controls more broadly to include operational efficiency and effectiveness, and compliance with laws and regulations?

Are project planning and reporting tools adequate?

Has the company allotted enough time in the project plan for testing, control remediation and other procedures that the external audit firm will perform?

Defining Key Internal Control Objectives & Associated Risks

Has the company used the correct account assertions?

Have the major risks associated with achieving these assertions been identified and approved by senior management and the external auditor?

Identifying Significant Internal Control Activities Against Key Control Objectives

Does the process flow and "walk-through" documentation provide sufficient information to understand how transactions are processed and summarized in the financial records?

Have significant internal controls been identified and prioritized?

Is there too much focus on procedures versus actual internal control checkpoints?

Identifying Internal Control Deficiencies

How are internal control deficiencies communicated to the steering committee, senior management and the audit committee?

Does the company have a sufficient understanding of what a "material weakness" and "significant deficiency" are?

Is there a process to identify compensating controls that may mitigate the risk when certain internal controls are not followed?

Have sufficient action plans for change been developed? Has responsibility been assigned and a timeframe for completion created?

Internal Control Testing

What is the company's approach to testing routine and non-routine transactions? What is the sample size and frequency, and who is performing the tests? Have these tests been reviewed by the external auditor?

Has the company developed an ongoing process for regular review of the significant internal controls?

How are the results of the tests communicated to senior management and the audit committee?

Does the company have a contingency plan for addressing internal controls that are not operating in a predictable manner?

External Auditor Assertion Process

Has the external auditor communicated its assertion process in sufficient detail to understand the nature, extent and timing of the evaluation?

Do external auditor team members have the necessary experience and training to evaluate an internal control environment?

When potential material weaknesses and/or significant deficiencies are identified, is there a process to discuss, evaluate and remediate?

Will the external auditor provide the company with details to understand what it reviewed and tested, and the time required?

Contingency Planning

Does the company have independent validation that project status reports are accurate and complete, and that the project plan is on schedule?

Has the company developed a communications plan for employees and shareholders through which a qualified opinion will be issued on internal controls over financial reporting?

Has the company identified other resources that can be used if the project plan is falling behind?

Has the company developed a plan for improving this process for next year's assertion?

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
