ABSTRACT: We examine detection and severity classification of internal control deficiencies (ICD) identified under Section 404 of the Sarbanes-Oxley Act of 2002. While the cost/benefit balance of auditor testing of internal controls is highly controversial, prior research has not examined auditor versus client detection of ICD, nor has it examined factors auditors consider in judging ICD severity. We find that auditors detect about three-fourths of unremediated ICD, usually though control testing. This finding contrasts with extant research inferring control deficiency detection effectiveness from publicly available data, underscoring the value of Section 404 auditor testing in improving financial reporting quality. Auditors judge greater severity when a misstatement has already occurred. In the absence of a misstatement, severity is contingent on client and ICD characteristics, implying a more complex and nuanced judgment process without objective evidence of control failure. We also find that clients often underestimate ICD severity, but this tendency is lower among well-controlled companies with a well-designed Section 404 process.

This content is only available via PDF.
You do not currently have access to this content.