Problems and Warning Signs

1990 2000

During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities to market a variety of

high-margin nonaudit services

to their audit clients.

Problems and Warning Signs

An Explosion of Scandals

WorldCom Enron Tyco Adelphia Xerox

Government Regulation

In July 2002, Congress passed the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act. The

Sarbanes-Oxley Act

effectively ended the profession’s era of “self regulation,” creating and transferring authority to set and enforce standards to the

Public Company Accounting Oversight Board (PCAOB)

.

A Model of Business

Business organizations exist to create value for their stakeholders. Due to the way resources are invested and managed in the modern business world, a system of

corporate governance

is necessary, through which managers are overseen and supervised.

Board of Directors Audit Committee

Auditing Standards

Auditing standards serve as guidelines for and measures of the quality of the auditor’s performance.

PCAOB Auditing Standards Board Public Companies Nonpublic Companies

GAAS

Statements on Auditing Standards (SAS) —Interpretations of GAAS

GAAS and SAS are considered to be minimum standards of performance for auditors.

PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued by PCAOB are called Auditing Standards (AS).

Organizations That Affect the Public Accounting Profession

American Institute of Certified Public Accountants (AICPA) Securities and Exchange Commission (SEC) Public Company Accounting Oversight Board (PCAOB) Financial Accounting Standards Board (FASB)

Legal Liability

Historical Perspective

Due to a slump in the economy Claims against auditors were in the early 1970’s and the recession of the 1980’s, it The recession of 1990-1992 led to another relatively uncommon before the 1970’s.

became more common for auditors to be sued.

upsurge in litigation against auditors.

1970 1980 1990

The profession pushed for litigation reform, and in the 1990’s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully.

Historical Perspective

Claims against auditors were Due to a slump in the economy in the early 1970’s and the recession of the 1980’s, it The recession of 1990-1992 relatively uncommon before the 1970’s.

became more common for auditors to be sued.

led to another upsurge in litigation against auditors.

1970 1980 1990 2002

Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002.

Common Law —Third Parties

Four Legal Standards for Third Parties

Privity Near Privity Foreseen 3 rd Parties Reasonably Foreseeable 3 rd Parties

Common Law —Third Parties

Auditor's Liability to 3rd Parties for Negligence Ultramares (1931) Credit Alliance (1985) Security Pacific Business Credit, Inc. (1992) Rusch Factors, Inc. (1968) H. Rosenblum, Inc. (1983) Privity Near Privity Foreseen Third Parties (Restatement Standard) Reasonably Foreseeable Third Parties Yes No No Yes Yes No

Near Privity

3 rd parties whose relationship with the CPA approaches privity.

No No

Foreseen 3 rd

3 rd

Parties

parties whose reliance should be foreseen, even if the specific person is unknown to the auditor.

Yes Yes Yes Yes Yes Yes No Yes

Reasonably Foreseeable 3 rd Parties

3 rd parties whose reliance should be reasonably foreseeable, even if the specific person is unknown to the auditor.

Common Law —Third Parties

Negligence Third Party Must Prove

1. The auditor had a duty to the plaintiff to exercise due care. 2. The auditor breached that duty and was negligent in not 3.

following the professional standards. The auditor’s breach of due care was the direct cause of the 3 rd party’s injury. 4. The 3 rd party suffered an actual loss as a result.

Common Law —Third Parties

Negligence Auditor’s Defense

1. No duty was owed to the 3 rd party (level of duty required depends on the case law followed by the courts).

2. The 3 rd 3.

party was negligent.

The auditor’s work was performed in accordance with professional standards.

4. The 3 rd party suffered no loss.

5. Any loss was caused by other events.

6. The claim is invalid because the statute of limitations has expired.

Fraud If an auditor has acted with knowledge and intent to deceive a third party, he or she can be held liable for fraud.

Fraud

Third Party Must Prove

1. A false representation by the CPA.

2. Knowledge or belief by the CPA that the representation was false.

3. The CPA intended to induce the 3 rd party to rely on the false representation.

4. The 3 rd party relied on the false representation.

5. The 3 rd party suffered damages.

Statutory Liability

Three major statutes that provide sources of liability for auditors: The Securities Act of 1933 The Securities Exchange Act of 1934 Sarbanes-Oxley Act of 2002

Securities Act of 1933

Generally regulates the disclosure of information in a registration statement for a new public offering of securities.

Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3 rd parties when false or misleading information is included in a registration statement.

Securities Act of 1933

Third Party Must Prove

1. The 3 rd party suffered losses by investing in the registered security.

2. The audited financial statements contained a material omission or misstatement.

Securities Exchange Act of 1934

Concerned primarily with ongoing reporting by companies whose securities are listed and traded on a stock exchange. Section 18 imposes liability on any person who makes a material false or misleading statement in documents filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act.

Securities Exchange Act of 1934

Third Party Must Prove

1. A material, factual misrepresentation or omission.

2. Reliance on the financial statements.

3. Damages suffered as a result of reliance on the financial statements.

4. Scienter.

Private Securities Litigation Reform Act of 1995 and the Securities Litigation Uniform Standards Act of 1998 Private Securities Litigation Reform Act of 1995 Securities Litigation Uniform Standards Act of 1998 Provides for proportionate liability for defendants based on percentage of responsibility and a specific statement of fraud at the beginning of the case Prevents plaintiffs from seeking to evade the protections that Federal law provides against abusive litigation by filing suit in State, rather than Federal Court

Sarbanes-Oxley Act of 2002

Creation of PCAOB Stricter independence rules Audits of internal controls Increased reporting responsibilities Most sweeping securities law since 1934

SEC and PCAOB Sanctions

Suspend Practicing Privilege Impose Fines Remedial Measures

Foreign Corrupt Practices Act (FCPA)

Passed in 1977 in response to the discovery of bribery and other misconduct on the part of more than 300 American companies. An auditor may be subject to administrative proceedings, civil liability, and civil penalties.

Racketeer Influenced and Corrupt Organizations Act (RICO)

Passed in 1970 to combat the infiltration of legitimate businesses by organized crime. RICO provides for civil and criminal sanctions for certain illegal acts.

Criminal Liability

Auditors can be held criminally liable under the laws discussed in the previous section. Criminal prosecutions require that some form of criminal intent be present, such as gross negligence or fraud.

Gross Negligence Fraud

Approaches to Minimizing Legal Liability

Professional Level

1. Establish stronger auditing and attestation standards.

2. Update Code of Professional Conduct and sanction members who do not comply.

3. Educate users.

Firm Level

1. Institute sound quality control and review procedures.

2. Ensure independence.

3. Follow sound client acceptance and retention procedures.

4. Be alert to risk factors.

5. Perform and document work diligently.

Sarbanes-Oxley Act of 2002

Creation of PCAOB Stricter independence rules Audits of internal controls Increased reporting responsibilities Most sweeping securities law since 1934

Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting.

Management Responsibilities under Section 404

Management must comply with the following in order for its public accounting firm to complete an audit of internal control over financial reporting.

1.

Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting.

2.

Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

Auditor Responsibilities under Section 404

The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an

integrated audit

of the entity’s internal control over financial reporting and its financial statements.

Internal Control over Financial Reporting Defined

Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that: 1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.

2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.

Internal Control Deficiencies Defined

A

control deficiency

exists when the

design or operation

of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A

significant deficiency

is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is

more than a remote likelihood

that a misstatement of the entity’s annual or interim financial statements that is

more than inconsequential

¶9).

will not be prevented or detected (AS2,

Internal Control Deficiencies Defined

A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a

material weakness

in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in

more than a remote likelihood

that a material misstatement of the annual or interim financial statements will not be presented or detected (AS2, ¶10).

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential).

Internal Control Deficiencies Defined

M A G N I T U D E Material Consequential Inconsequential Material weakness Significant deficiency Control deficiency Remote More than remote L I K E L I H O O D

Management’s Assessment Process

Management must: 1. Design and implement an effective system of internal control. This process involves determining whether a necessary control is missing or an existing control is not properly designed.

2. Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.

3. Management must decide which business units to include in the assessment process.

Management’s Documentation

Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.

Framework Used by Management to Conduct Its Assessment

LO# 7

Most entities use the framework developed by COSO.

This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate management’s assessment process.

The auditor typically obtains his or her understanding of management’s assessment process through inquiry of management and others.

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate management’s assessment process.

Obtain and document an understanding of internal control.

As part of gaining this understanding the auditor must:

1. Understand and assess company-level controls.

2. Evaluate the effectiveness of the audit committee.

3. Identify significant accounts.

4. Identify relevant financial statement assertions.

5. Identify significant processes and major classes of transactions.

6. Understand the period-end financial reporting process.

7. Perform walkthroughs.

8. Identify controls to test.

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate the management’s assessment process.

Obtain and document an understanding of internal control.

Evaluate the design effectiveness of internal control.

Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements.

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate the management’s assessment process.

Obtain and document an understanding of internal control.

Evaluate the design effectiveness of internal control.

Test and evaluate the operating effectiveness of internal control.

In testing the effectiveness of controls, the auditor needs to consider the

nature

,

timing

, and

extent

of testing.

Performing an Audit of Internal Control over Financial Reporting

The auditor should evaluate all evidence before forming an opinion on internal control, including (1) the adequacy of management’s assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures performed, (4) any control deficiencies.

Plan the engagement.

Evaluate the management’s assessment process.

Obtain and document an understanding of internal control.

Evaluate the design effectiveness of internal control.

Test and evaluate the operating effectiveness of internal control.

Form an opinion of the effectiveness of internal control.

Special Consideration: Using the Work of Others

AS2 requires the auditor to perform enough of the testing that his or her own work provides the principal evidence for the auditor’s opinion. However, a major consideration for the external auditor is how much the work performed by others (internal auditors or others working for management) can be relied on in adjusting the nature, timing, or extent of the auditor’s work. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work.

Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of internal control over financial reporting.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

Auditor Documentation Requirements

The auditor must properly document the

processes

,

procedures

,

judgments

, and

results

relating to the audit of internal control.

When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a

low level

.

Reporting on Internal Control

Sarbanes Oxley requires management’s description of internal control to include: 1.

A statement of management’s responsibility for establishing and maintaining adequate internal control.

2. A statement identifying the framework used by management to 3.

conduct the required assessment of the effectiveness of the company’s internal control.

An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.

4. A statement that the public account firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.

The Auditor’s Report on Internal Control over Financial Reporting

Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report.

Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”

Sarbanes-Oxley Act of 2002

Its principal reforms pertain to: – Creation of the Public Company Accounting Oversight Board (PCAOB) – Auditor independence—more separation between a firm’s attestation and non-auditing activities – Corporate governance and responsibility—audit committee members must be independent and the audit committee must oversee the external auditors – Disclosure requirements—increase issuer and management disclosure – New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers

Five Internal Control Components: SAS 78 / COSO

1. Control environment 2. Risk assessment 3. Information and communication 4. Monitoring 5. Control activities

1: The Control Environment

• Integrity and ethics of management • Organizational structure • Role of the board of directors and the audit committee • Management’s policies and philosophy • Delegation of responsibility and authority • Performance evaluation measures • External influences—regulatory agencies • Policies and practices managing human resources

2: Risk Assessment

• Identify, analyze and manage risks relevant to financial reporting: – changes in external environment – risky foreign markets – significant and rapid growth that strain internal controls – new product lines – restructuring, downsizing – changes in accounting policies

3: Information and Communication

• The AIS should produce high quality information which: – identifies and records all

valid

transactions – provides

timely

information in appropriate detail to permit proper classification and financial reporting –

accurately

transactions measures the financial value of – accurately records transactions

in the time period in which they occurred

Information and Communication

• Auditors must obtain sufficient knowledge of the IS to understand: – the classes of transactions that are material • how these transactions are initiated • the associated accounting records and accounts used in processing – the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements – the financial reporting process used to compile financial statements, disclosures, and estimates

4: Monitoring

The process for assessing the quality of internal control design and operation • Separate procedures—test of controls by internal auditors • Ongoing monitoring: – computer modules integrated into routine operations – management reports which highlight trends and exceptions from normal performance

5: Control Activities

• Policies and procedures to ensure that the appropriate actions are taken in response to identified risks • Fall into two distinct categories: – IT controls—relate specifically to the computer environment – Physical controls—primarily pertain to human activities

Six Types of Physical Controls

• Transaction Authorization • Segregation of Duties • Supervision • Accounting Records • Access Control • Independent Verification

Physical Controls

Transaction Authorization

• • used to ensure that employees are carrying out only authorized transactions

general

(everyday procedures) or

specific

(non-routine transactions) authorizations

Physical Controls

Segregation of Duties

• In manual systems, separation between: – – –

authorizing and processing a transaction custody and recordkeeping of the asset subtasks

• In computerized systems, separation between: – – –

program coding program processing program maintenance

Physical Controls

Supervision

• a compensation for lack of segregation; some may be built into computer systems

Accounting Records

• provide an audit trail

Physical Controls

Access Controls

• help to safeguard assets by restricting physical access to them

Independent Verification

• reviewing batch totals or reconciling subsidiary accounts with control accounts

Physical Controls in IT Contexts

Transaction Authorization

• The rules are often embedded within computer programs.

– EDI/JIT: automated re-ordering of inventory without human intervention

Physical Controls in IT Contexts

Segregation of Duties

• A computer program may perform many tasks that are deemed incompatible. • Thus the crucial need to separate program development, program operations, and program maintenance.

Physical Controls in IT Contexts

Supervision

• The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.

Physical Controls in IT Contexts

Accounting Records

• ledger accounts and sometimes source documents are kept magnetically – no audit trail is readily apparent

Physical Controls in IT Contexts

Access Control

• Data consolidation exposes the organization to computer fraud and excessive losses from disaster.

Physical Controls in IT Contexts

Independent Verification

• When tasks are performed by the computer rather than manually, the need for an independent check is not necessary. • However, the programs themselves are checked.