Upload
buddy-hudson
View
218
Download
0
Tags:
Embed Size (px)
Citation preview
Problems and Warning Signs
1990 2000
During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities
to market a variety of high-margin nonaudit services to their audit clients.
Government Regulation
In July 2002, Congress passed the Sarbanes-Oxley Public Company Accounting Reform and Investor
Protection Act.
The Sarbanes-Oxley Act effectively ended the profession’s era of “self-
regulation,” creating and transferring authority to set and enforce standards to the Public Company Accounting
Oversight Board (PCAOB).
A Model of Business
Board of Directors
Audit Committee
Business organizations exist to create value for their stakeholders. Due to the way resources are invested and managed in the modern business
world, a system of corporate governance is necessary, through which managers are overseen and
supervised.
Auditing Standards
Auditing standards serve as guidelines for and measures of
the quality of the auditor’s performance.
Public Companies
PCAOB
Nonpublic Companies
Auditing Standards
Board
Statements on Auditing Standards (SAS)—Interpretations of GAAS
GAAS and SAS are considered to be minimum standards of performance for auditors.
PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued
by PCAOB are called Auditing Standards (AS).
Organizations That Affect the Public Accounting Profession
American Institute of Certified Public
Accountants (AICPA)
Securities and Exchange
Commission (SEC)
Public Company Accounting Oversight
Board (PCAOB)
Financial Accounting Standards Board
(FASB)
Historical Perspective
1970
Claims against auditors were
relatively uncommon before the 1970’s.
19901980
Due to a slump in the economy in the early 1970’s and the recession of the 1980’s, it became more common for
auditors to be sued.
The recession of 1990-1992 led to another upsurge in litigation against auditors.
The profession pushed for litigation reform, and in the 1990’s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully.
Historical Perspective
1970
Claims against auditors were
relatively uncommon before the 1970’s.
19901980
Due to a slump in the economy in the early 1970’s and the recession of the 1980’s, it became more common for
auditors to be sued.
The recession of 1990-1992 led to another upsurge in litigation against auditors.
2002Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002.
Common Law—Third Parties
Four Legal Standards for Third
Parties
Privity
Near Privity
Foreseen 3rd Parties
Reasonably Foreseeable 3rd Parties
Common Law—Third Parties
Near Privity 3rd parties whose
relationship with the CPA approaches
privity.
Foreseen 3rd Parties3rd parties whose
reliance should be foreseen, even if the
specific person is unknown to the auditor.
Reasonably Foreseeable 3rd Parties
3rd parties whose reliance should be
reasonably foreseeable, even if the specific
person is unknown to the auditor.
Ultramares (1931)
Credit Alliance (1985)Security Pacific
Business Credit, Inc. (1992)
Rusch Factors, Inc. (1968)
H. Rosenblum, Inc. (1983)
Privity Yes Yes Yes YesNear Privity No Yes Yes YesForeseen Third Parties (Restatement Standard) No No Yes YesReasonably Foreseeable Third Parties No No No Yes
Auditor's Liability to 3rd Parties for Negligence
Common Law—Third Parties
NegligenceThird Party Must Prove
1. The auditor had a duty to the plaintiff to exercise due care. 2. The auditor breached that duty and was negligent in not
following the professional standards. 3. The auditor’s breach of due care was the direct cause of the
3rd party’s injury. 4. The 3rd party suffered an actual loss as a result.
Common Law—Third Parties
NegligenceAuditor’s Defense
1. No duty was owed to the 3rd party (level of duty required depends on the case law followed by the courts).
2. The 3rd party was negligent.3. The auditor’s work was performed in accordance with
professional standards.4. The 3rd party suffered no loss.5. Any loss was caused by other events.6. The claim is invalid because the statute of limitations has
expired.
Fraud
If an auditor has acted with
knowledge and intent to deceive a third party, he or she can be held liable for fraud.
Fraud
Third Party Must Prove
1. A false representation by the CPA.2. Knowledge or belief by the CPA that the representation was
false.3. The CPA intended to induce the 3rd party to rely on the false
representation.4. The 3rd party relied on the false representation.5. The 3rd party suffered damages.
Statutory Liability
The Securities Act of 1933
The Securities Exchange Act of
1934
Three major statutes that provide sources of liability for auditors:
Sarbanes-Oxley Act of 2002
Securities Act of 1933
Generally regulates the disclosure of information in a registration statement for a new
public offering of securities.
Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3rd parties
when false or misleading information is included in a registration statement.
Securities Act of 1933
Third Party Must Prove
1. The 3rd party suffered losses by investing in the registered security.
2. The audited financial statements contained a material omission or misstatement.
Securities ExchangeAct of 1934
Concerned primarily with ongoing reporting by companies whose securities are listed and
traded on a stock exchange.
Section 18 imposes liability on any person who makes a material false or misleading statement in documents
filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act.
Securities ExchangeAct of 1934
Third Party Must Prove
1. A material, factual misrepresentation or omission.2. Reliance on the financial statements.3. Damages suffered as a result of reliance on the financial
statements.4. Scienter.
Private Securities Litigation ReformAct of 1995 and the Securities Litigation
Uniform Standards Act of 1998
Private Securities Litigation Reform Act
of 1995
Provides for proportionate liability for defendants based
on percentage of responsibility and a specific statement of
fraud at the beginning of the case
Securities Litigation Uniform Standards
Act of 1998
Prevents plaintiffs from seeking to evade
the protections that Federal law provides
against abusive litigation by filing suit in State, rather than
Federal Court
Sarbanes-Oxley Act of 2002
Most sweeping securities law
since 1934
Most sweeping securities law
since 1934
Creation of PCAOBCreation of PCAOB
Stricter independence rules
Stricter independence rules
Audits of internal controls
Audits of internal controls
Increased reporting responsibilities
Increased reporting responsibilities
Foreign Corrupt PracticesAct (FCPA)
An auditor may be subject to
administrative proceedings, civil liability, and civil
penalties.
Passed in 1977 in response to the discovery of bribery and other misconduct on the part of
more than 300 American companies.
Racketeer Influenced and Corrupt Organizations Act (RICO)
RICO provides for civil and
criminal sanctions for certain illegal
acts.
Passed in 1970 to combat the infiltration of legitimate businesses by organized crime.
Criminal Liability
Gross Negligence
Fraud
Auditors can be held criminally liable under the laws discussed in the previous section.
Criminal prosecutions require that some form of criminal intent be present, such as
gross negligence or fraud.
Approaches to MinimizingLegal Liability
Professional Level
1. Establish stronger auditing and attestation standards.
2. Update Code of Professional Conduct and sanction members who do not comply.
3. Educate users.
Firm Level
1. Institute sound quality control and review procedures.
2. Ensure independence.
3. Follow sound client acceptance and retention procedures.
4. Be alert to risk factors.
5. Perform and document work diligently.
Sarbanes-Oxley Act of 2002
Most sweeping securities law
since 1934
Most sweeping securities law
since 1934
Creation of PCAOBCreation of PCAOB
Stricter independence rules
Stricter independence rules
Audits of internal controls
Audits of internal controls
Increased reporting responsibilities
Increased reporting responsibilities
Management Responsibilities under Section 404
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue
an internal control report that explicitly accepts responsibility for establishing and maintaining
“adequate” internal control over financial reporting.
Management Responsibilities under Section 404
Management must comply with the following in order for its public accounting firm to complete an audit of
internal control over financial reporting.
1. Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.
1. Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.
Auditor Responsibilities under Section 404
The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements.
Internal Control over Financial Reporting Defined
Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.
2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.
3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or timely detection of unauthorized acquisition, use or disposition of the company’s assets.disposition of the company’s assets.
1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.
2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.
3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or timely detection of unauthorized acquisition, use or disposition of the company’s assets.disposition of the company’s assets.
Internal Control Deficiencies Defined
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s annual or interim financial statements that is more than inconsequential will not be prevented or detected (AS2, ¶9).
Internal Control Deficiencies Defined
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be presented or detected (AS2, ¶10).
As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential).
Internal Control Deficiencies Defined
Material
Consequential
Inconsequential
Remote More than remote
MaterialMaterialweaknessweakness
Significant Significant deficiencydeficiency
Control deficiencyControl deficiency
L I K E L I H O O DL I K E L I H O O D
MMAAGGNNIITTUUDDEE
Management’s Assessment Process
Management must:Management must:
1.1. Design and implement an effective system of internal control. Design and implement an effective system of internal control. This process involves determining whether a necessary This process involves determining whether a necessary control is missing or an existing control is not properly control is missing or an existing control is not properly designed.designed.
2.2. Develop an ongoing assessment process for the internal Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.that failure of a control could result in a misstatement.
3.3. Management must decide which business units to include in Management must decide which business units to include in the assessment process.the assessment process.
Management must:Management must:
1.1. Design and implement an effective system of internal control. Design and implement an effective system of internal control. This process involves determining whether a necessary This process involves determining whether a necessary control is missing or an existing control is not properly control is missing or an existing control is not properly designed.designed.
2.2. Develop an ongoing assessment process for the internal Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.that failure of a control could result in a misstatement.
3.3. Management must decide which business units to include in Management must decide which business units to include in the assessment process.the assessment process.
Management’s Documentation
Management must develop sufficient documentation to support its assessment of the
effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also
includes policy manuals, job descriptions, flowcharts, and process models.
Framework Used by Management to Conduct Its Assessment
Most entities use the framework developed by COSO.Most entities use the framework developed by COSO.This framework identifies three primary objectives of This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;internal control: (1) reliable financial reporting;(2) efficiency and effectiveness of operations;(2) efficiency and effectiveness of operations;and (3) compliance with laws and regulations.and (3) compliance with laws and regulations.
COSO
LO# 7
Performing an Audit of Internal Control over Financial Reporting
Plan the engagement.
Evaluate management’sassessment process.
The auditor typically obtains his or her understanding of management’s assessment process through inquiry of
management and others.
Performing an Audit of Internal Control over Financial Reporting
Plan the engagement.
Evaluate management’sassessment process.
Obtain and document anunderstanding of internal control.
As part of gaining this understanding the auditor must:
1. Understand and assess company-level controls.
2. Evaluate the effectiveness of the audit committee.
3. Identify significant accounts.4. Identify relevant financial
statement assertions.
1. Understand and assess company-level controls.
2. Evaluate the effectiveness of the audit committee.
3. Identify significant accounts.4. Identify relevant financial
statement assertions.
5. Identify significant processes and major classes of transactions.
6. Understand the period-end financial reporting process.
7. Perform walkthroughs.8. Identify controls to test.
5. Identify significant processes and major classes of transactions.
6. Understand the period-end financial reporting process.
7. Perform walkthroughs.8. Identify controls to test.
Performing an Audit of Internal Control over Financial Reporting
Plan the engagement.
Evaluate the management’sassessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectivenessof internal control.
Controls are effectively designed when they prevent or detect errors or fraud that could result in material
misstatements in the financial statements.
Performing an Audit of Internal Control over Financial Reporting
Plan the engagement.
Evaluate the management’sassessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectivenessof internal control.
Test and evaluate the operatingeffectiveness of internal control.
In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing.
Performing an Audit of Internal Control over Financial Reporting
Plan the engagement.
Evaluate the management’sassessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectivenessof internal control.
Test and evaluate the operatingeffectiveness of internal control.
Form an opinion of theeffectiveness of internal control.
The auditor should evaluate all evidence
before forming an opinion on internal control,
including (1) the adequacy of management’s
assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures
performed, (4) any control deficiencies.
Special Consideration:Using the Work of Others
AS2 requires the auditor to perform enough of the testing thatAS2 requires the auditor to perform enough of the testing thathis or her own work provides the principal evidence for his or her own work provides the principal evidence for
the auditor’s opinion. However, a major consideration forthe auditor’s opinion. However, a major consideration forthe external auditor is how much the work performed by others the external auditor is how much the work performed by others
(internal auditors or others working for management)(internal auditors or others working for management)can be relied on in adjusting the nature, timing, orcan be relied on in adjusting the nature, timing, or
extent of the auditor’s work. In determining the extent to whichextent of the auditor’s work. In determining the extent to whichthe auditor may use the work of others, the auditor should:the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected(1) evaluate the nature of the controls subjectedto the work of others, (2) evaluate the competenceto the work of others, (2) evaluate the competence
and objectivity of the individuals who performed the work, and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluateand (3) test some of the work performed by others to evaluate
the quality and effectiveness of their work.the quality and effectiveness of their work.
Written Representations
In addition to the management representations obtained as part of a financial statement audit, the auditor also
obtains written representations from management related to the audit of internal control over financial reporting.
Failure to obtain written Failure to obtain written representations from representations from
management, including management, including management’s refusal to management’s refusal to
furnish them, constitutes a furnish them, constitutes a limitation on the scope of the limitation on the scope of the audit sufficient to preclude an audit sufficient to preclude an
unqualified opinion.unqualified opinion.
Failure to obtain written Failure to obtain written representations from representations from
management, including management, including management’s refusal to management’s refusal to
furnish them, constitutes a furnish them, constitutes a limitation on the scope of the limitation on the scope of the audit sufficient to preclude an audit sufficient to preclude an
unqualified opinion.unqualified opinion.
Auditor Documentation Requirements
The auditor must properly document the processes, procedures, judgments, and results relating to the audit
of internal control.
When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
Reporting on Internal ControlSarbanes-Oxley requires management’s description of
internal control to include:
1. A statement of management’s responsibility for establishing and maintaining adequate internal control.
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.
3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.
4. A statement that the public account firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.
The Auditor’s Report on Internal Control over Financial Reporting
Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in
the company’s annual report.
Safeguarding of Assets
Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”
Sarbanes-Oxley Act of 2002
Its principal reforms pertain to: – Creation of the Public Company Accounting
Oversight Board (PCAOB)– Auditor independence—more separation between a
firm’s attestation and non-auditing activities – Corporate governance and responsibility—audit
committee members must be independent and the audit committee must oversee the external auditors
– Disclosure requirements—increase issuer and management disclosure
– New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment• Integrity and ethics of management• Organizational structure• Role of the board of directors and the audit
committee• Management’s policies and philosophy• Delegation of responsibility and authority• Performance evaluation measures• External influences—regulatory agencies• Policies and practices managing human
resources
2: Risk Assessment• Identify, analyze and manage risks
relevant to financial reporting:– changes in external environment– risky foreign markets– significant and rapid growth that strain
internal controls– new product lines– restructuring, downsizing– changes in accounting policies
3: Information and Communication• The AIS should produce high quality
information which:– identifies and records all valid transactions– provides timely information in appropriate
detail to permit proper classification and financial reporting
– accurately measures the financial value of transactions
– accurately records transactions in the time period in which they occurred
Information and Communication • Auditors must obtain sufficient knowledge of the IS to
understand:– the classes of transactions that are material
• how these transactions are initiated• the associated accounting records and accounts
used in processing– the transaction processing steps involved from the
initiation of a transaction to its inclusion in the financial statements
– the financial reporting process used to compile financial statements, disclosures, and estimates
4: Monitoring
The process for assessing the quality of internal control design and operation
• Separate procedures—test of controls by internal auditors
• Ongoing monitoring:– computer modules integrated into routine operations– management reports which highlight trends and
exceptions from normal performance
5: Control Activities
• Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
• Fall into two distinct categories:– IT controls—relate specifically to the computer
environment– Physical controls—primarily pertain to human
activities
Six Types of Physical Controls
• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification
Physical Controls
Transaction Authorization• used to ensure that employees are
carrying out only authorized transactions
• general (everyday procedures) or specific (non-routine transactions) authorizations
Segregation of Duties• In manual systems, separation between:
– authorizing and processing a transaction– custody and recordkeeping of the asset– subtasks
• In computerized systems, separation between:– program coding– program processing– program maintenance
Physical Controls
Physical Controls
Supervision• a compensation for lack of segregation;
some may be built into computer systems
Accounting Records• provide an audit trail
Access Controls• help to safeguard assets by restricting
physical access to them
Independent Verification• reviewing batch totals or reconciling
subsidiary accounts with control accounts
Physical Controls
Physical Controls in IT Contexts
Transaction Authorization• The rules are often embedded within
computer programs.– EDI/JIT: automated re-ordering of inventory
without human intervention
Segregation of Duties
• A computer program may perform many tasks that are deemed incompatible.
• Thus the crucial need to separate program development, program operations, and program maintenance.
Physical Controls in IT Contexts
Supervision
• The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.
Physical Controls in IT Contexts
Accounting Records
• ledger accounts and sometimes source documents are kept magnetically– no audit trail is readily apparent
Physical Controls in IT Contexts
Access Control • Data consolidation exposes the organization
to computer fraud and excessive losses from disaster.
Physical Controls in IT Contexts