Communication of 404 Test Results to Multi-locations 1940



  • Hello all,
    In your experiences, to what extent (if any) is the external auditor responsible for communicating to the individual locations whether they have passed the controls that have been tested?
    In your experiences, how does the chain of communication flow between the external auditor, Corporate Management, and the Leaders of the multi-locations whose internal controls are being tested.
    Thanks for any perspective you can share.



  • The usual expectation is that the external auditor will discuss the issues with managment prior to issuing their final report. This is so as to clarify that their conclusions are adequate and obtain detail re. compensating controls.
    This was always the approach taken when I was with PWC.
    To be fair though, I have recently come accross auditors who do not do this, and the first time you may see all deficiencies , might be within a documented report as opposed to on a one-on-one meeting.



  • I agree with EMM. As our SOX lead, I insist that any deficiencies that KPMG (or our Internal Audit team) note are first discussed with local management and with the control owners to validate that the deficiency exists before I will add them to our consolidated deficiency list and report them to senior management,



  • The usual expectation is that the external auditor will discuss the issues with managment prior to issuing their final report. This is so as to clarify that their conclusions are adequate and obtain detail re. compensating controls.
    Hi --As an IT professional, I’ve been on the other side, in receiving audit results 😉 🙂 However, I like and agree with EMM’s and Kymike’s comments, as that was common practice in our company for both internal and external audit. What I typically saw was:

    1. Brief audit exit review with IT and the applicable department(s) being audited (review of findings and recommendations)
    2. More formal audit exit review with senior managment (review of findings and recommendations)
    3. Multiple locations were not usually included.
    4. Formal publication of all control audits in writing

Log in to reply