SOX Requirements for External Auditors 3235
CVI last edited by
I’ve read some where that companies are only obligated to provide external auditors with the key controls. Are companies required to provide the process documentation as well? If not, where can I find the guidance?
kymike last edited by
In order to assess the effectiveness of controls over a process, one must understand the process from beginning to end, including both key controls and secondary controls. This applies to both management and external auditors.
Auditors generally start with management’s process narratives and controls matrices, but will also do a walk-through of the process from beginning to end in order to make their own assessment of which controls are key and to validate management’s control documentation. The process is a lot more efficient for the auditor if management shares all of its information about the process and any controls with the auditor and if both management and the auditor agree on which controls are key.
Also, if a key (primary) control fails, then one must look to non-key (secondary) controls to see if they might mitigate the impact of the key control failure.
I would also argue that most audit agreements state that management will make available to the auditor any available information that management has that the auditor requires in order to do a thorough and proper audit.