External Auditor Workpapers/Test Plans 1387



  • Does anyone know if it is appropriate to ask for the External Auditor workpapers and test plans as part of the 404 Assertion work?
    I would like to ensure that our management testing follows as closely as possible to the tests our external auditors are performing, but am being told that they cannot provide them to us.
    Thanks in advance.



  • Nice try asking the (external) auditor for their workpapers. I would have been shocked if they had provided them to you, given the need for management to assess the control environment cleanly.
    However, the larger firms (especially the Big 4) have published their SOx Section 404 management guides, and can be downloaded. If you’re dealing with one of the Big 4, then your problem is solved. However, the smaller firms have not re-invented the wheel, they have most likely adopted the bigger firm’s approaches. So, in that case, just ask them which model they follow.
    John



  • Does anyone know if it is appropriate to ask for the External Auditor workpapers and test plans as part of the 404 Assertion work?

    In short, No.



  • [quote=‘RCox’]Does anyone know if it is appropriate to ask for the External Auditor workpapers and test plans as part of the 404 Assertion work?
    I would like to ensure that our management testing follows as closely as possible to the tests our external auditors are performing, but am being told that they cannot provide them to us.
    quote]
    The auditor may not test the same controls as management does as they are supposed to perform their own risk assessment and test the controls that they feel create the highest risk of a misstatement if not performing correctly. I have also read where it is assumed that management testing will be more extensive than the auditor testing.
    You should share your test plans with your auditor in advance of testing to get their general feedback as to the adequacy of the tests. They shouldl be willing to tell you at that point if they feel that you are missing something.



  • Very helpful. Thanks to you all.



  • It’s always a good idea to run your RACM (Risk Assessment Control Matrix) by Independent auditors. We have convinced them to rely on our test work papers for SOX controls tested by us.
    Basically, this is possible if we take them into confidence at all levels of RACM creation and incorporate their suggestion before embarking to test these identified SOX controls.
    Most probably, our RACM, our working papers would form part of their SOX 404 work papers.


Log in to reply