Failing on management evaluation 327



  • Could someone please explain,

    • If management (internal audit) does not have evidence/documentation of the management evaluation/testing, to the level that PCAOB proposes, will the external auditor then give a qualified opinion, saying that management does not have reasonable evidence for it’s evaluation?
    • Even if ext. auditors would have not identified material weaknesses, they would say that management has no grounds to certify internal controls over financial reporting and that the company is therefore not compliant.
    • Isn’t the risk of companies failing to maintain such evidence higher than the risk that there actually would be material weaknesses?
      In other words, what does SOX compliance mean to you? Is the objective not to have material weaknesses or is it an internal audit effort of retaining loads of testing documentation?


  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • If management (internal audit) does not have evidence/documentation of the management evaluation/testing, to the level that PCAOB proposes, will the external auditor then give a qualified opinion, saying that management does not have reasonable evidence for it’s evaluation?

    Absolutely correct and rightly so. Management ( not internal audit) is making an assertion on internal control as part of their SEC filing. The auditor is certifying that assertion based on review of management’s sytem of internal control.
    You can’t just say you have no material weaknesses you have to to be able to justify your statement.
    Even if ext. auditors would have not identified material weaknesses, they would say that management has no grounds to certify internal controls over financial reporting and that the company is therefore not compliant.
    Correct. Identifying material weaknesses in internal control is not the responsibility of the auditors. It is management’s responsibiliity to maintain a system of internal control.
    Isn’t the risk of companies failing to maintain such evidence higher than the risk that there actually would be material weaknesses?
    That’s not really the point. The requirement is on management to implement and maintain a system of internal control and make an assertion on its effectiveness annually.



  • You have to also remember that the external auditors have Audit standards they adhere too. Documentation is high on the list. The ext auditors have to file an assertion to the controls also and if they can not rely on your assessment and documentation to support the control they will consider it a possible material weakness, depending on the severity in lack of documentation. They will also dig very deep if your processes are not functional to attest to the controls. Documentation should be kept and maintained it is an auditing standard and has been forever. IT is just getting thrown into this audit arena and is not used to the audit standards.
    PCAOB considers a control non existent if no documentation exists, that is a material weakness.
    Not only is your Sr. Management attesting to the control but so is the external auditor. They both have to be assured through your evaluation process that you have sufficiently documented, tested and revealed controls are functional and no material weakness or fraud exists.
    External audit also combines your weak controls and uses an aggregate summary of controls to verify any weaknesses…combination of weak controls could create a material weakness…even if individually they are low on the scale.


Log in to reply