Problems and Warning Signs
During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities to market a variety of high-margin nonaudit services to their audit clients.
An Explosion of Scandals
WorldCom
Enron
Tyco
Adelphia
Xerox
Government Regulation
In July 2002, Congress passed the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act.
The Sarbanes-Oxley Act effectively ended the profession’s era of “self-regulation,” creating and transferring authority to set and enforce standards to the Public Company Accounting Oversight Board (PCAOB).
A Model of Business
Business organizations exist to create value for their stakeholders. Due to the way resources are invested and managed in the modern business world, a system of corporate governance is necessary, through which managers are overseen and supervised.
Figure: Board of Directors; Audit Committee.
Auditing Standards
Auditing standards serve as guidelines for and measures of the quality of the auditor’s performance.
Figure: PCAOB standards apply to public companies; Auditing Standards Board standards apply to nonpublic companies.
GAAS
Statements on Auditing Standards (SAS)—Interpretations of GAAS
GAAS and SAS are considered to be minimum standards of performance for auditors.
PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued by PCAOB are called Auditing Standards (AS).
Organizations That Affect the Public Accounting Profession
American Institute of Certified Public Accountants (AICPA)
Securities and Exchange Commission (SEC)
Public Company Accounting Oversight Board (PCAOB)
Financial Accounting Standards Board (FASB)
Legal Liability
Historical Perspective
Claims against auditors were relatively uncommon before the 1970’s.
Due to a slump in the economy in the early 1970’s and the recession of the 1980’s, it became more common for auditors to be sued.
The recession of 1990-1992 led to another upsurge in litigation against auditors.
The profession pushed for litigation reform, and in the 1990’s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully.
Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002.
Common Law—Third Parties
Four Legal Standards for Third Parties:
Privity
Near Privity
Foreseen 3rd Parties
Reasonably Foreseeable 3rd Parties
Common Law—Third Parties
Auditor's Liability to 3rd Parties for Negligence
Figure: table of which standard (Privity, Near Privity, Foreseen Third Parties (Restatement Standard), Reasonably Foreseeable Third Parties) applies in each leading case: Ultramares (1931), Credit Alliance (1985), Security Pacific Business Credit, Inc. (1992), Rusch Factors, Inc. (1968), H. Rosenblum, Inc. (1983).
Near Privity: 3rd parties whose relationship with the CPA approaches privity.
Foreseen 3rd Parties: 3rd parties whose reliance should be foreseen, even if the specific person is unknown to the auditor.
Reasonably Foreseeable 3rd Parties: 3rd parties whose reliance should be reasonably foreseeable, even if the specific person is unknown to the auditor.
Common Law—Third Parties: Negligence
Third Party Must Prove:
1. The auditor had a duty to the plaintiff to exercise due care.
2. The auditor breached that duty and was negligent in not following the professional standards.
3. The auditor’s breach of due care was the direct cause of the 3rd party’s injury.
4. The 3rd party suffered an actual loss as a result.
Auditor’s Defense:
1. No duty was owed to the 3rd party (level of duty required depends on the case law followed by the courts).
2. The 3rd party was negligent.
3. The auditor’s work was performed in accordance with professional standards.
4. The 3rd party suffered no loss.
5. Any loss was caused by other events.
6. The claim is invalid because the statute of limitations has expired.
Fraud
If an auditor has acted with knowledge and intent to deceive a third party, he or she can be held liable for fraud.
Third Party Must Prove:
1. A false representation by the CPA.
2. Knowledge or belief by the CPA that the representation was false.
3. The CPA intended to induce the 3rd party to rely on the false representation.
4. The 3rd party relied on the false representation.
5. The 3rd party suffered damages.
Statutory Liability
Three major statutes that provide sources of liability for auditors:
The Securities Act of 1933
The Securities Exchange Act of 1934
Sarbanes-Oxley Act of 2002
Securities Act of 1933
Generally regulates the disclosure of information in a registration statement for a new public offering of securities.
Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3rd parties when false or misleading information is included in a registration statement.
Third Party Must Prove:
1. The 3rd party suffered losses by investing in the registered security.
2. The audited financial statements contained a material omission or misstatement.
Securities Exchange Act of 1934
Concerned primarily with ongoing reporting by companies whose securities are listed and traded on a stock exchange.
Section 18 imposes liability on any person who makes a material false or misleading statement in documents filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act.
Third Party Must Prove:
1. A material, factual misrepresentation or omission.
2. Reliance on the financial statements.
3. Damages suffered as a result of reliance on the financial statements.
4. Scienter.
Private Securities Litigation Reform Act of 1995 and the Securities Litigation Uniform Standards Act of 1998
Private Securities Litigation Reform Act of 1995: provides for proportionate liability for defendants based on percentage of responsibility and a specific statement of fraud at the beginning of the case.
Securities Litigation Uniform Standards Act of 1998: prevents plaintiffs from seeking to evade the protections that Federal law provides against abusive litigation by filing suit in State, rather than Federal, Court.
Sarbanes-Oxley Act of 2002
Creation of PCAOB
Stricter independence rules
Audits of internal controls
Increased reporting responsibilities
Most sweeping securities law since 1934
SEC and PCAOB Sanctions
Suspend practicing privilege
Impose fines
Remedial measures
Foreign Corrupt Practices Act (FCPA)
Passed in 1977 in response to the discovery of bribery and other misconduct on the part of more than 300 American companies.
An auditor may be subject to administrative proceedings, civil liability, and civil penalties.
Racketeer Influenced and Corrupt Organizations Act (RICO)
Passed in 1970 to combat the infiltration of legitimate businesses by organized crime.
RICO provides for civil and criminal sanctions for certain illegal acts.
Criminal Liability
Auditors can be held criminally liable under the laws discussed in the previous section. Criminal prosecutions require that some form of criminal intent be present, such as gross negligence or fraud.
Approaches to Minimizing Legal Liability
Professional Level:
1. Establish stronger auditing and attestation standards.
2. Update Code of Professional Conduct and sanction members who do not comply.
3. Educate users.
Firm Level:
1. Institute sound quality control and review procedures.
2. Ensure independence.
3. Follow sound client acceptance and retention procedures.
4. Be alert to risk factors.
5. Perform and document work diligently.
Management Responsibilities under Section 404
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting.
Management must comply with the following in order for its public accounting firm to complete an audit of internal control over financial reporting:
1. Accept responsibility for the effectiveness of the entity’s internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including documentation.
4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.
Auditor Responsibilities under Section 404
The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements.
Internal Control over Financial Reporting Defined
Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.
Internal Control Deficiencies Defined
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s annual or interim financial statements that is more than inconsequential will not be prevented or detected (AS2, ¶9).
A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected (AS2, ¶10).
As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential).
Classification of a deficiency by magnitude (rows) and likelihood (columns):

Magnitude          Remote                More than remote
Material           Control deficiency    Material weakness
Consequential      Control deficiency    Significant deficiency
Inconsequential    Control deficiency    Control deficiency
Management’s Assessment Process
Management must:
1. Design and implement an effective system of internal control. This process involves determining whether a necessary control is missing or an existing control is not properly designed.
2. Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.
3. Decide which business units to include in the assessment process.
Management’s Documentation
Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.
Framework Used by Management to Conduct Its Assessment
Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.
Performing an Audit of Internal Control over Financial Reporting
1. Plan the engagement.
2. Evaluate management’s assessment process. The auditor typically obtains his or her understanding of management’s assessment process through inquiry of management and others.
3. Obtain and document an understanding of internal control. As part of gaining this understanding the auditor must: (1) understand and assess company-level controls; (2) evaluate the effectiveness of the audit committee; (3) identify significant accounts; (4) identify relevant financial statement assertions; (5) identify significant processes and major classes of transactions; (6) understand the period-end financial reporting process; (7) perform walkthroughs; (8) identify controls to test.
4. Evaluate the design effectiveness of internal control. Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements.
5. Test and evaluate the operating effectiveness of internal control. In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing.
6. Form an opinion of the effectiveness of internal control. The auditor should evaluate all evidence before forming an opinion on internal control, including (1) the adequacy of management’s assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures performed, (4) any control deficiencies.
Special Consideration: Using the Work of Others
AS2 requires the auditor to perform enough of the testing that his or her own work provides the principal evidence for the auditor’s opinion. However, a major consideration for the external auditor is how much the work performed by others (internal auditors or others working for management) can be relied on in adjusting the nature, timing, or extent of the auditor’s work. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work.
Written Representations
In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of internal control over financial reporting.
Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.
Auditor Documentation Requirements
The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control.
When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.
Reporting on Internal Control
Sarbanes-Oxley requires management’s description of internal control to include:
1. A statement of management’s responsibility for establishing and maintaining adequate internal control.
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.
3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.
4. A statement that the public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.
The Auditor’s Report on Internal Control over Financial Reporting
Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report.
Safeguarding of Assets
Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”
Sarbanes-Oxley Act of 2002
Its principal reforms pertain to:
– Creation of the Public Company Accounting Oversight Board (PCAOB)
– Auditor independence—more separation between a firm’s attestation and non-auditing activities
– Corporate governance and responsibility—audit committee members must be independent and the audit committee must oversee the external auditors
– Disclosure requirements—increase issuer and management disclosure
– New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers
Five Internal Control Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment
• Integrity and ethics of management
• Organizational structure
• Role of the board of directors and the audit committee
• Management’s policies and philosophy
• Delegation of responsibility and authority
• Performance evaluation measures
• External influences—regulatory agencies
• Policies and practices managing human resources
2: Risk Assessment
• Identify, analyze and manage risks relevant to financial reporting:
– changes in external environment
– risky foreign markets
– significant and rapid growth that strains internal controls
– new product lines
– restructuring, downsizing
– changes in accounting policies
3: Information and Communication
• The AIS should produce high quality information which:
– identifies and records all valid transactions
– provides timely information in appropriate detail to permit proper classification and financial reporting
– accurately measures the financial value of transactions
– accurately records transactions in the time period in which they occurred
• Auditors must obtain sufficient knowledge of the IS to understand:
– the classes of transactions that are material
  • how these transactions are initiated
  • the associated accounting records and accounts used in processing
– the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements
– the financial reporting process used to compile financial statements, disclosures, and estimates
4: Monitoring
The process for assessing the quality of internal control design and operation.
• Separate procedures—test of controls by internal auditors
• Ongoing monitoring:
– computer modules integrated into routine operations
– management reports which highlight trends and exceptions from normal performance
5: Control Activities
• Policies and procedures to ensure that the appropriate actions are taken in response to identified risks
• Fall into two distinct categories:
– IT controls—relate specifically to the computer environment
– Physical controls—primarily pertain to human activities
Six Types of Physical Controls
• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification
Physical Controls
Transaction Authorization
• used to ensure that employees are carrying out only authorized transactions
• general (everyday procedures) or specific (non-routine transactions) authorizations
Segregation of Duties
• In manual systems, separation between:
– authorizing and processing a transaction
– custody and recordkeeping of the asset
– subtasks
• In computerized systems, separation between:
– program coding
– program processing
– program maintenance
Supervision
• a compensation for lack of segregation; some may be built into computer systems
Accounting Records
• provide an audit trail
Access Controls
• help to safeguard assets by restricting physical access to them
Independent Verification
• reviewing batch totals or reconciling subsidiary accounts with control accounts
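As an added example (not from the slides), the two independent verification checks named above, batch totals and reconciling subsidiary accounts with a control account, run over a constructed batch of postings; the account numbers, amounts, batch header and balances are made up.

```python
"""Independent verification: batch totals and control-account reconciliation.

Added example, not from the original slides. The postings, batch header
and ledger balances below are constructed sample data.
"""
from decimal import Decimal

# Constructed batch of accounts-receivable postings handed over for processing.
BATCH = [
    {"account": "1001", "amount": Decimal("250.00")},
    {"account": "1002", "amount": Decimal("75.50")},
    {"account": "1003", "amount": Decimal("120.00")},
]
# Constructed batch header, prepared by the originating department before the
# batch leaves its hands; the processing side recomputes the totals and compares.
BATCH_HEADER = {"record_count": 3, "amount_total": Decimal("445.50"), "hash_total": 3006}

# Two constructed failure cases: one amount altered, and one record lost in transit.
TAMPERED_BATCH = BATCH[:2] + [{"account": "1003", "amount": Decimal("210.00")}]
DROPPED_BATCH = BATCH[:2]

# Constructed general-ledger control balance and the subsidiary ledger behind it.
CONTROL_BALANCE = Decimal("445.50")
SUBSIDIARY = {"1001": Decimal("250.00"), "1002": Decimal("75.50"), "1003": Decimal("120.00")}


def batch_totals(records):
    """Record count, amount total, and hash total (the sum of account numbers:
    a meaningless figure that still changes when a record is lost or swapped)."""
    return {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def verify_batch(records, header):
    """Names of the header totals that the recomputed totals disagree with;
    an empty list means the batch passed the check."""
    actual = batch_totals(records)
    return sorted(name for name, expected in header.items() if actual[name] != expected)


def reconcile_control_account(control_balance, subsidiary_balances):
    """Control account minus the sum of its subsidiary ledger; a nonzero
    difference means the two sets of records no longer agree."""
    return control_balance - sum(subsidiary_balances.values(), Decimal("0"))


if __name__ == "__main__":
    print("original batch:", verify_batch(BATCH, BATCH_HEADER) or "totals agree")
    print("tampered batch:", verify_batch(TAMPERED_BATCH, BATCH_HEADER))
    print("dropped record:", verify_batch(DROPPED_BATCH, BATCH_HEADER))
    print("control minus subsidiary:", reconcile_control_account(CONTROL_BALANCE, SUBSIDIARY))
```

The altered amount is caught by the amount total alone, while the lost record also disturbs the record count and the hash total, which is why all three totals are carried on the header.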
Physical Controls in IT Contexts
Transaction Authorization
• The rules are often embedded within computer programs.
– EDI/JIT: automated re-ordering of inventory without human intervention
Segregation of Duties
• A computer program may perform many tasks that are deemed incompatible.
• Thus the crucial need to separate program development, program operations, and program maintenance.
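As an added example (not from the slides), the segregation-of-duties pairs named in the manual-systems list (authorizing vs. processing, custody vs. recordkeeping) and in the IT-context list (program development, operations and maintenance) expressed as a check over role assignments: it flags users whose combined roles grant incompatible duties, and lists role pairs that should never be granted together. The users, roles and duty names are constructed.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the original slides. The incompatible pairs are
the ones the slides name; users, roles and duty names are constructed.
"""
from itertools import combinations

# Duty pairs that must not be held by one person (from the slides):
# authorize vs. process a transaction, custody vs. recordkeeping of an asset,
# and program development vs. operations vs. maintenance.
INCOMPATIBLE = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "asset_recordkeeping"}),
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}

# Constructed sample: which duties each role grants.
ROLE_DUTIES = {
    "ap_clerk": {"process_transaction"},
    "ap_manager": {"authorize_transaction"},
    "developer": {"program_development"},
    "sysop": {"program_operations"},
    "release_eng": {"program_maintenance"},
    "warehouse": {"asset_custody"},
    "inventory_acct": {"asset_recordkeeping"},
}

# Constructed sample: which roles each user holds.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},   # can both authorize and process
    "carol": {"developer", "sysop"},     # can both write and run programs
    "dave": {"warehouse"},
    "erin": {"developer"},
}


def duties_of(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Effective duties of a user: the union of the duties of all their roles."""
    return set().union(*(role_duties.get(r, set()) for r in user_roles.get(user, set())))


def sod_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, rules=INCOMPATIBLE):
    """Detective check: {user: sorted incompatible duty pairs} for every user with a conflict."""
    findings = {}
    for user in user_roles:
        duties = duties_of(user, user_roles, role_duties)
        hits = sorted(tuple(sorted(pair)) for pair in rules if pair <= duties)
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_pairs(role_duties=ROLE_DUTIES, rules=INCOMPATIBLE):
    """Preventive check: role pairs whose combined duties include an incompatible
    pair, so a provisioning request for both can be refused before it is granted."""
    toxic = []
    for r1, r2 in combinations(sorted(role_duties), 2):
        combined = role_duties[r1] | role_duties[r2]
        if any(pair <= combined for pair in rules):
            toxic.append((r1, r2))
    return toxic


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both {a} and {b}")
    print("role pairs never to grant together:", conflicting_role_pairs())
```

Where a conflict cannot be removed (a small team where one person must hold both roles), the slides' compensating control is supervision or an independent check of that person's work.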
Supervision
• The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.
Accounting Records
• ledger accounts and sometimes source documents are kept magnetically
– no audit trail is readily apparent
Access Control
• Data consolidation exposes the organization to computer fraud and excessive losses from disaster.
Independent Verification
• When tasks are performed by the computer rather than manually, an independent check of each task is not necessary.
• However, the programs themselves are checked.