The Defense Contract Audit Agency issued additional guidance on new reporting requirements of certain Security Exchange Commission final section rulings intended to implement the Sarbanes-Oxley Act.  The guidance analyzes and summarizes Sections 204, 302, 404, 406 and 407 and addresses how the required reports affect DCAA’s planning of its internal control, incurred cost and financial capability audits.  The guidance adds to prior guidance issued in April that addressed requirements of the SEC’s final ruling related to Section 401.

Section 204.  The SEC requires public accounting firms performing audit services to report to audit committees of public companies information related to critical accounting policies and practices, all material alternative accounting treatments that have been discussed with company management and all other significant written communications between the independent auditor and company management. Auditors are told to be aware of these communications since they disclose information having a bearing on their audits or that may provide audit leads for subsequent audits.

Section 302.  Requires the public company’s principle executive and financial officers to certify financial and other information contained in the quarterly and annual reports filed with the SEC as well as certifications regarding disclosure controls and procedures and internal controls over financial reporting.  Though the resulting disclosure made to the outside auditors and audit committee need not be made public DCAA auditors are told to inquire into obtaining access to the audit work performed in support of the required certifications.  Executive certifications alone cannot be relied upon to assess risk but work performed by the auditors that was relied upon by company executives in providing their certifications “may be of value in reducing DCAA audit effort.”  Lack of certifications should be assessed on a case-by-case basis.

Section 404.  Requires public companies to include in the annual report to the SEC “a report of management on the company’s internal controls over financial reporting.”  The guidance lists the items to be discussed in this report and encourages DCAA auditors to ascertain the audit work that was used to develop the report in order to reduce the audit effort on reviewing contractors’ internal controls.  Though auditors are told the absence of internal control deficiencies should not lead to the conclusion that internal control risk is “less than maximum” the report and attending audit work can be fruitful ways of identifying internal control weaknesses.

Sections 406 and 407.  These two sections, respectively require public companies disclose whether they have (1) adopted a code of ethics that apply to its principle executive office and senior financial officers and (2) placed at least one “financial expert” that is independent of management to serve on its audit committee.  Auditors are told to examine these disclosures during their audit of the control environment and overall accounting controls (MRD 03-PPD-072(R). 

{TAG_FORM_TITLE}