1. What are management's responsibilities for reporting on internal control under Section 404 of the Sarbanes-Oxley Act?
2. What are the auditor's responsibilities for reporting on internal control under Section 404 of the Sarbanes-Oxley Act?
(1)
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of company management's assertion that internal accounting controls are in place, operational and effective.
(2)
The Sarbanes-Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company's financial data are accurate (within 5% variance) and adequate controls are in place to safeguard financial data. Year-end financial disclosure reports are also a requirement. An independent external SOX auditor is required to review controls, policies, and procedures during a Section 404 audit.
An audit will also look at personnel and may interview staff to confirm that their duties match their job description, and that they have the required training to safely access financial information. SOX auditing requires that "internal controls and procedures" can be audited using a control framework like COBIT. Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information.
A SOX IT audit will look at the following internal control items:
IT security
Access controls
Data backup
Change management