Does your internal audit shop report to Management/the Audit Committee on SOX/Internal Control testing? We are a not-for-profit, so we do not get a 404 opinion, but we still try and meet the "spirit of SOX". Our auditors rely on the testing. If you do report I would be interested in the format. thanks,
We report any exception we note throughout the year to both Management and the Audit Committee. Management should be notified on a timely basis so it give them ample time to remediate the exception. Our AC has requested that they be notified of any exceptions, even though it's not required, so they can have some insight as to where the issues are at.
When we present to the AC we simply provide a high level description of the control and why it failed. If they want full detail as far as what was tested and how we arrived at our conclusion they'll ask for it. At year end we identify all controls that have been deemed ineffective at year end and generate a report as to our testing process and our opinion over the effectiveness of managment's internal controls.