Page 310 - COSO Guidance Book
P. 310
In an integrated audit of internal control over financial reporting and the financial statements, auditors
should design their testing of controls to accomplish the objectives of both audits to simultaneously
obtain sufficient evidence to support the auditor’s opinion on internal control over financial reporting
as of year-end and
obtain sufficient evidence to support the auditor’s control risk assessments for purposes of the audit
of financial statements.
An auditor’s objective in an audit of internal control over financial reporting is to express an opinion on
the effectiveness of the company’s internal control over financial reporting.
Management must do the following:
1. Accept responsibility for the effectiveness of the company’s internal control over financial reporting.
2. Evaluate the effectiveness of the company’s internal control over financial reporting using suitable
control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the company’s internal control over financial
reporting as of the end of the company’s most recent fiscal year.
Typically, companies have tested and evaluated the effectiveness of their internal control over financial
reporting using these three methodologies:
Hiring a CPA firm independent of the firm that audits financial statements and internal control over
financial reporting to provide internal services.
Increasing the number of internal auditors and training existing internal auditors in SOX compliance
work.
Performing a control self-assessment, whereby the company uses staff and line personnel to do the
SOX compliance work.
© 2020 Association of International Certified Professional Accountants. All rights reserved. 10-2
