Management has the primary responsibility for establishing and maintaining an effective internal control system. This includes:
Assessing Risks: Identifying financial reporting risks and implementing controls to address them.
Establishing Control Activities: Ensuring that transactions are authorized, records are accurate, and assets (including data) are secured.
Maintaining Documentation: Providing sufficient evidence that the internal control system is designed and operating effectively.
Creating a Control Environment: Establishing an ethical culture and oversight mechanisms.
Monitoring Internal Controls: Ensuring controls remain effective over time.
Under the Sarbanes-Oxley Act (SOX) Section 404, management must also:
Assess and report on the effectiveness of internal control over financial reporting.
Use a recognized framework (e.g., COSO) as a benchmark for evaluation.
While management is responsible for the design and implementation of internal controls, auditors are responsible for:
Understanding Internal Control: Gaining an understanding of the client’s internal control system as part of the audit.
Assessing Control Risk: Evaluating the risk that internal controls will fail to prevent or detect material misstatements.
Testing Controls (if relied upon): Performing procedures to determine if controls are functioning effectively.
Reporting Findings: Communicating significant deficiencies or material weaknesses to management and those charged with governance.
If auditing a public company, auditors must also provide an opinion on internal control effectiveness as required by SOX Section 404(b).