Problems and Warning Signs 1990 2000 During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities to market a variety of high-margin nonaudit services to their audit clients. Problems and Warning Signs An Explosion of Scandals WorldCom Enron Tyco Adelphia Xerox Government Regulation In July 2002, Congress passed the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act. The Sarbanes-Oxley Act effectively ended the profession’s era of “selfregulation,” creating and transferring authority to set and enforce standards to the Public Company Accounting Oversight Board (PCAOB). A Model of Business Business organizations exist to create value for their stakeholders. Due to the way resources are invested and managed in the modern business world, a system of corporate governance is necessary, through which managers are overseen and supervised. Board of Directors Audit Committee Auditing Standards Auditing standards serve as guidelines for and measures of the quality of the auditor’s performance. PCAOB Auditing Standards Board Public Companies Nonpublic Companies GAAS Statements on Auditing Standards (SAS)—Interpretations of GAAS GAAS and SAS are considered to be minimum standards of performance for auditors. PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued by PCAOB are called Auditing Standards (AS). Organizations That Affect the Public Accounting Profession American Institute of Certified Public Accountants (AICPA) Securities and Exchange Commission (SEC) Public Company Accounting Oversight Board (PCAOB) Financial Accounting Standards Board (FASB) Legal Liability Historical Perspective Due to a slump in the economy Claims against in the early 1970’s and the The recession of auditors were recession of the 1980’s, it 1990-1992 led to another relatively uncommon became more common for upsurge in litigation against auditors to be sued. before the 1970’s. auditors. 1970 1980 1990 The profession pushed for litigation reform, and in the 1990’s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully. Historical Perspective Due to a slump in the economy Claims against in the early 1970’s and the auditors were recession of the 1980’s, it The recession of 1990-1992 relatively uncommon became more common for led to another upsurge in before the 1970’s. litigation against auditors. auditors to be sued. 1970 1980 1990 2002 Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002. Common Law—Third Parties Four Legal Standards for Third Parties Privity Near Privity Foreseen 3rd Parties Reasonably Foreseeable 3rd Parties Common Law—Third Parties Auditor's Liability to 3rd Parties for Negligence Ultramares (1931) Credit Alliance (1985) Security Pacific Business Credit, Inc. (1992) Rusch Factors, Inc. (1968) H. Rosenblum, Inc. (1983) Yes No Yes Yes Yes Yes Yes Yes No No Yes Yes No No No Yes Privity Near Privity Foreseen Third Parties (Restatement Standard) Reasonably Foreseeable Third Parties Near Privity 3rd parties whose relationship with the CPA approaches privity. Foreseen 3rd Parties 3rd parties whose reliance should be foreseen, even if the specific person is unknown to the auditor. Reasonably Foreseeable 3rd Parties 3rd parties whose reliance should be reasonably foreseeable, even if the specific person is unknown to the auditor. Common Law—Third Parties Negligence Third Party Must Prove 1. The auditor had a duty to the plaintiff to exercise due care. 2. The auditor breached that duty and was negligent in not following the professional standards. 3. The auditor’s breach of due care was the direct cause of the 3rd party’s injury. 4. The 3rd party suffered an actual loss as a result. Common Law—Third Parties Negligence Auditor’s Defense 1. No duty was owed to the 3rd party (level of duty required depends on the case law followed by the courts). 2. The 3rd party was negligent. 3. The auditor’s work was performed in accordance with professional standards. 4. The 3rd party suffered no loss. 5. Any loss was caused by other events. 6. The claim is invalid because the statute of limitations has expired. Fraud If an auditor has acted with knowledge and intent to deceive a third party, he or she can be held liable for fraud. Fraud Third Party Must Prove 1. A false representation by the CPA. 2. Knowledge or belief by the CPA that the representation was false. 3. The CPA intended to induce the 3rd party to rely on the false representation. 4. The 3rd party relied on the false representation. 5. The 3rd party suffered damages. Statutory Liability Three major statutes that provide sources of liability for auditors: The Securities Act of 1933 The Securities Exchange Act of 1934 Sarbanes-Oxley Act of 2002 Securities Act of 1933 Generally regulates the disclosure of information in a registration statement for a new public offering of securities. Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3rd parties when false or misleading information is included in a registration statement. Securities Act of 1933 Third Party Must Prove 1. The 3rd party suffered losses by investing in the registered security. 2. The audited financial statements contained a material omission or misstatement. Securities Exchange Act of 1934 Concerned primarily with ongoing reporting by companies whose securities are listed and traded on a stock exchange. Section 18 imposes liability on any person who makes a material false or misleading statement in documents filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act. Securities Exchange Act of 1934 Third Party Must Prove 1. A material, factual misrepresentation or omission. 2. Reliance on the financial statements. 3. Damages suffered as a result of reliance on the financial statements. 4. Scienter. Private Securities Litigation Reform Act of 1995 and the Securities Litigation Uniform Standards Act of 1998 Private Securities Litigation Reform Act of 1995 Securities Litigation Uniform Standards Act of 1998 Provides for proportionate liability for defendants based on percentage of responsibility and a specific statement of fraud at the beginning of the case Prevents plaintiffs from seeking to evade the protections that Federal law provides against abusive litigation by filing suit in State, rather than Federal Court Sarbanes-Oxley Act of 2002 Creation of PCAOB Stricter independence rules Audits of internal controls Increased reporting responsibilities Most sweeping securities law since 1934 SEC and PCAOB Sanctions Suspend Practicing Privilege Impose Fines Remedial Measures Foreign Corrupt Practices Act (FCPA) Passed in 1977 in response to the discovery of bribery and other misconduct on the part of more than 300 American companies. An auditor may be subject to administrative proceedings, civil liability, and civil penalties. Racketeer Influenced and Corrupt Organizations Act (RICO) Passed in 1970 to combat the infiltration of legitimate businesses by organized crime. RICO provides for civil and criminal sanctions for certain illegal acts. Criminal Liability Auditors can be held criminally liable under the laws discussed in the previous section. Criminal prosecutions require that some form of criminal intent be present, such as gross negligence or fraud. Gross Negligence Fraud Approaches to Minimizing Legal Liability Firm Level Professional Level 1. Establish stronger auditing and attestation standards. 2. Update Code of Professional Conduct and sanction members who do not comply. 3. Educate users. 1. Institute sound quality control and review procedures. 2. Ensure independence. 3. Follow sound client acceptance and retention procedures. 4. Be alert to risk factors. 5. Perform and document work diligently. Sarbanes-Oxley Act of 2002 Creation of PCAOB Stricter independence rules Audits of internal controls Increased reporting responsibilities Most sweeping securities law since 1934 Management Responsibilities under Section 404 Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting. Management Responsibilities under Section 404 Management must comply with the following in order for its public accounting firm to complete an audit of internal control over financial reporting. 1. Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting. 2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria. 3. Support its evaluation with sufficient evidence, including documentation. 4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year. Auditor Responsibilities under Section 404 The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements. Internal Control over Financial Reporting Defined Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that: 1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company. 2. Provide reasonable assurance that transactions are recorded in accordance with GAAP. 3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets. Internal Control Deficiencies Defined A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s annual or interim financial statements that is more than inconsequential will not be prevented or detected (AS2, ¶9). Internal Control Deficiencies Defined A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be presented or detected (AS2, ¶10). As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential). Internal Control Deficiencies Defined Material weakness M Material A G N I Consequential T U D E Inconsequential Significant deficiency Control deficiency Remote More than remote LIKELIHOOD Management’s Assessment Process Management must: 1. Design and implement an effective system of internal control. This process involves determining whether a necessary control is missing or an existing control is not properly designed. 2. Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood that failure of a control could result in a misstatement. 3. Management must decide which business units to include in the assessment process. Management’s Documentation Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models. LO# 7 Framework Used by Management to Conduct Its Assessment Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations. Performing an Audit of Internal Control over Financial Reporting Plan the engagement. Evaluate management’s assessment process. The auditor typically obtains his or her understanding of management’s assessment process through inquiry of management and others. Performing an Audit of Internal Control over Financial Reporting Plan the engagement. Evaluate management’s assessment process. Obtain and document an understanding of internal control. As part of gaining this understanding the auditor must: 1. Understand and assess company-level controls. 2. Evaluate the effectiveness of the audit committee. 3. Identify significant accounts. 4. Identify relevant financial statement assertions. 5. Identify significant processes and major classes of transactions. 6. Understand the period-end financial reporting process. 7. Perform walkthroughs. 8. Identify controls to test. Performing an Audit of Internal Control over Financial Reporting Plan the engagement. Evaluate the management’s assessment process. Obtain and document an understanding of internal control. Evaluate the design effectiveness of internal control. Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements. Performing an Audit of Internal Control over Financial Reporting Plan the engagement. Evaluate the management’s assessment process. Obtain and document an understanding of internal control. Evaluate the design effectiveness of internal control. Test and evaluate the operating effectiveness of internal control. In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing. Performing an Audit of Internal Control over Financial Reporting Plan the engagement. The auditor should evaluate all evidence Evaluate the management’s before forming an opinion assessment process. on internal control, including (1) the adequacy Obtain and document an of management’s understanding of internal control. assessment, (2) the results of the auditor’s evaluation, Evaluate the design effectiveness (3) the negative results of of internal control. substantive procedures performed, (4) any control Test and evaluate the operating deficiencies. effectiveness of internal control. Form an opinion of the effectiveness of internal control. Special Consideration: Using the Work of Others AS2 requires the auditor to perform enough of the testing that his or her own work provides the principal evidence for the auditor’s opinion. However, a major consideration for the external auditor is how much the work performed by others (internal auditors or others working for management) can be relied on in adjusting the nature, timing, or extent of the auditor’s work. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work. Written Representations In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of internal control over financial reporting. Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion. Auditor Documentation Requirements The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control. When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level. Reporting on Internal Control Sarbanes-Oxley requires management’s description of internal control to include: 1. A statement of management’s responsibility for establishing and maintaining adequate internal control. 2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control. 3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective. 4. A statement that the public account firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control. The Auditor’s Report on Internal Control over Financial Reporting Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report. Safeguarding of Assets Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.” Sarbanes-Oxley Act of 2002 Its principal reforms pertain to: – Creation of the Public Company Accounting Oversight Board (PCAOB) – Auditor independence—more separation between a firm’s attestation and non-auditing activities – Corporate governance and responsibility—audit committee members must be independent and the audit committee must oversee the external auditors – Disclosure requirements—increase issuer and management disclosure – New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers Five Internal Control Components: SAS 78 / COSO 1. 2. 3. 4. 5. Control environment Risk assessment Information and communication Monitoring Control activities 1: The Control Environment • Integrity and ethics of management • Organizational structure • Role of the board of directors and the audit committee • Management’s policies and philosophy • Delegation of responsibility and authority • Performance evaluation measures • External influences—regulatory agencies • Policies and practices managing human resources 2: Risk Assessment • Identify, analyze and manage risks relevant to financial reporting: – changes in external environment – risky foreign markets – significant and rapid growth that strain internal controls – new product lines – restructuring, downsizing – changes in accounting policies 3: Information and Communication • The AIS should produce high quality information which: – identifies and records all valid transactions – provides timely information in appropriate detail to permit proper classification and financial reporting – accurately measures the financial value of transactions – accurately records transactions in the time period in which they occurred Information and Communication • Auditors must obtain sufficient knowledge of the IS to understand: – the classes of transactions that are material • how these transactions are initiated • the associated accounting records and accounts used in processing – the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements – the financial reporting process used to compile financial statements, disclosures, and estimates 4: Monitoring The process for assessing the quality of internal control design and operation • Separate procedures—test of controls by internal auditors • Ongoing monitoring: – computer modules integrated into routine operations – management reports which highlight trends and exceptions from normal performance 5: Control Activities • Policies and procedures to ensure that the appropriate actions are taken in response to identified risks • Fall into two distinct categories: – IT controls—relate specifically to the computer environment – Physical controls—primarily pertain to human activities Six Types of Physical Controls • • • • • • Transaction Authorization Segregation of Duties Supervision Accounting Records Access Control Independent Verification Physical Controls Transaction Authorization • used to ensure that employees are carrying out only authorized transactions • general (everyday procedures) or specific (non-routine transactions) authorizations Physical Controls Segregation of Duties • In manual systems, separation between: – authorizing and processing a transaction – custody and recordkeeping of the asset – subtasks • In computerized systems, separation between: – program coding – program processing – program maintenance Physical Controls Supervision • a compensation for lack of segregation; some may be built into computer systems Accounting Records • provide an audit trail Physical Controls Access Controls • help to safeguard assets by restricting physical access to them Independent Verification • reviewing batch totals or reconciling subsidiary accounts with control accounts Physical Controls in IT Contexts Transaction Authorization • The rules are often embedded within computer programs. – EDI/JIT: automated re-ordering of inventory without human intervention Physical Controls in IT Contexts Segregation of Duties • A computer program may perform many tasks that are deemed incompatible. • Thus the crucial need to separate program development, program operations, and program maintenance. Physical Controls in IT Contexts Supervision • The ability to assess competent employees becomes more challenging due to the greater technical knowledge required. Physical Controls in IT Contexts Accounting Records • ledger accounts and sometimes source documents are kept magnetically – no audit trail is readily apparent Physical Controls in IT Contexts Access Control • Data consolidation exposes the organization to computer fraud and excessive losses from disaster. Physical Controls in IT Contexts Independent Verification • When tasks are performed by the computer rather than manually, the need for an independent check is not necessary. • However, the programs themselves are checked.