ABSTRACT: We examine detection and severity classification of internal control deficiencies (ICD) identified under Section 404 of the Sarbanes-Oxley Act of 2002. While the cost/benefit balance of auditor testing of internal controls is highly controversial, prior research has not examined auditor versus client detection of ICD, nor has it examined factors auditors consider in judging ICD severity. We find that auditors detect about three-fourths of unremediated ICD, usually though control testing. This finding contrasts with extant research inferring control deficiency detection effectiveness from publicly available data, underscoring the value of Section 404 auditor testing in improving financial reporting quality. Auditors judge greater severity when a misstatement has already occurred. In the absence of a misstatement, severity is contingent on client and ICD characteristics, implying a more complex and nuanced judgment process without objective evidence of control failure. We also find that clients often underestimate ICD severity, but this tendency is lower among well-controlled companies with a well-designed Section 404 process.
Skip Nav Destination
Article navigation
1 May 2011
Research Article|
May 01 2011
Detection and Severity Classifications of Sarbanes-Oxley Section 404 Internal Control Deficiencies
Lynford Graham
Lynford Graham
Bentley University
Search for other works by this author on:
Online ISSN: 1558-7967
Print ISSN: 0001-4826
American Accounting Association
2011
The Accounting Review (2011) 86 (3): 825–855.
Citation
Jean C. Bedard, Lynford Graham; Detection and Severity Classifications of Sarbanes-Oxley Section 404 Internal Control Deficiencies. The Accounting Review 1 May 2011; 86 (3): 825–855. https://doi.org/10.2308/accr.00000036
Download citation file:
Pay-Per-View Access
$25.00