Sarbanes-Oxley Act from an Accounting Point of View

Sept. 16, 2004 John White, PhD, CPA 1 Sarbanes-Oxley Act from an Accounting Point of View Or “Is There Anything About SOX That I Have Not Heard Before?”

Objectives

Discuss how SOX has generally affected the CPA profession (the outside auditors)

Discuss the CPA’s use of internal control information in the audit of financial statements, both past and present (SOX)

Discuss the CPA’s new interest in IT auditing and the internal and IT auditor’s new interest in the CPA’s FS audit

Quick Review of SOX

Became law in 2002, fully effective in ‘04

Seeks to protect investors by improving the accuracy and reliability of corporate disclosures (financial statements or FS) made pursuant to the securities laws

Requires most public companies and their external auditors to report on the effectiveness of internal control (IC) over financial reporting including FS

Quick Review of SOX (cont.)

The mgmt report on IC will clearly state that mgmt is responsible for and has established and understands IC

Thus, mgmt in the c-suite (or below) cannot say “I didn’t know” or “I didn’t understand”

Mgmt must state that “We designed IC and IC is operating and IC is effective”

Mgmt must also report quarterly and annually any changes in IC over FS

Quick Review of SOX (cont.)

Outside auditors must audit mgmt’s assessment of IC and the assessment process, and give an opinion as to whether mgmt’s assessment is correct or incorrect

Outside auditors must also assess and give an opinion on IC effectiveness, i.e., CPAs must audit IC in addition to the FS

Mgmt must give its outside auditors documentation of its processes, evidence of functioning IC over the processes, and documented results of testing procedures

Quick Review of SOX (cont.)

SOX established the Public Company Accounting Oversight Board (PCAOB)

Outside auditors (CPAs) will also be subject to an “audit” by PCAOB of their internal procedures, processes, quality controls, and general adherence to auditing standards in conducting outside audits of IC and FS of public companies

PCAOB Duties

Register CPA firms that prepare audit reports

Establish auditing, quality control, ethics, independence, & other standards relating to the preparation of audit reports (This is a big change for CPAs!)

Conduct inspections of adherence to auditing standards of registered CPAs in accordance with PCAOB rules

PCAOB Duties (cont.)

Conduct investigations and disciplinary proceedings of CPA firms & CPAs

Perform other duties

Big Changes for CPAs

CPAs are “licensed” by each state, but….

CPAs are “governed” by the American Institute of Certified Public Accountants (AICPA)

The AICPA has set auditing, attestation, and ethics standards for CPAs in the past, i.e., the CPA profession has been self-governed as to auditing standards

Big Changes for CPAs

Auditing standards used by CPAs were promulgated by the AICPA

The AICPA issued 10 generally accepted auditing standards (GAAS)

Two examples of GAAS

An understanding of IC should be obtained to plan the audit and determine testing of IC

Sufficient competent evidence should be obtained to support the audit opinion

Big Changes for CPAs

AICPA has also issued over 100 more specific and detailed Statements on Auditing Standards or SAS

Several SASs pertain to the understanding of IC needed by the CPA for the audit of FS – SAS 55, 78, & 94

PCAOB has adopted all SASs as their standards until replaced by new AS

Big Changes for CPAs

Prior to SOX, CPAs had to understand IC, but not audit nor give an opinion on IC itself, only an opinion on FS

Since the audit opinion did not cover IC, CPA could collect evidence about FS $ amounts using methods that did not require strong IC, i.e., substantive testing

This “model” is gone with the wind

Must audit IC which means audit IT IC

Big Changes for CPAs

PCAOB has issued AS #2 – Auditing IC over Financial Reporting as of 3/9/04

CPAs will have to become more knowledgeable and competent concerning IT controls and IT auditing

Auditing “around” the computer is dead

Continuous auditing will grow, e.g.

Embedded audit modules

Snapshots

Integrated test facilities

How Does the CPA Audit FS?

Understand the business & its processes & its information system

Start with the financial cycles of the business

Revenue cycle, expenditure cycle, conversion cycle

What are the significant and material accounts in the FS (all of them?) and which financial cycles produce them and what process do they go through in each cycle in the sequence of recognition, authorization, recording, summarizing, and reporting?

The CPA Audit of FS (cont.)

Understand mgmt’s assertions about FS

Existence or occurrence – do assets exist and did revenues actually occur (World Com ?)

Completeness – have all liabilities and expenses been reported (Enron ?)

Valuation or allocation – $ amount is correct?

Rights and obligations – assets & liabilities

Presentation and disclosure – format and classifications of BS and IS and content of notes

The Balance Sheet

ASSETS = LIABILITIES & EQUITY

ASSETS: Cash, Accounts Receivable, Inventory, Other Assets, Long-term Assets, Less: Accum Depr

LIABILITIES: Accts Payable, Accrued Expense, Notes Payable, Bonds Payable

OWNERS EQUITY: Common Stock, Retained Earnings, Other Comp. I/L

The Income Statement

+ REVENUE

- COST OF SALES

= GROSS PROFIT

- SELLING, GENERAL, & ADMINISTRATIVE EXPENSE

= NET INCOME

The CPA Audit of FS (cont.)

Determine any threats to mgmt’s assertions about its FS

Determine if IC are in place to mitigate the threats and risks concerning mgmt’s assertions about FS

Design of controls

Operation of controls

Effectiveness of controls via testing

The CPA Audit of FS (cont.)

Plan the audit based on the strength or weakness of controls and the assessed level of control risk

If strong IC, less substantive testing and evidence

If weak IC, more substantive testing and evidence

Before SOX, could ignore IC, assess IC risk at max, and perform more substantive testing to reach conclusion

Internal Controls

IC is part of management’s planning & control function

Internal control (IC) of what?

Business processes & procedures

The system of IC is itself a business process

SOX only addresses IC over Financial Reporting and FS

Both manual controls and IT controls are included in the scope

Internal Controls

Who defines IC and its processes?

The Committee of Sponsoring Organizations of the Treadway Commission, aka COSO

COSO issued a report in 1992 defining and discussing the objectives and components of IC

COSO’s framework of IC has been blessed by PCAOB AS #2 as one that can be used by companies and CPAs in their SOX compliance; others can be used instead

COSO

Who are the sponsoring organizations?

AICPA, IIA, FEI, IMA, AAA

COSO was formed to reach agreement on a definition of IC

COSO has recently updated and expanded its original framework

Not widely reported nor discussed, but it is COSO nevertheless and the auditor may want to use it in the audit of IC

COSO IC Framework in 3-D

[Figure: 3-D diagram with axes labeled “Objectives” and “Components”. Components shown: Internal Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]

COSO Control Activities Component

Computer Controls

General controls

Application controls

Physical controls – all systems incl. IT

Transaction authorization

Segregation of duties

Supervision

Accounting records

Access control

Independent verification

COSO Information & Communication

The AIS consists of the records and methods used to initiate, identify, analyze, classify, and record the transactions and to account for the related assets and liabilities

The quality of information generated by the AIS impacts management’s ability to take actions and make decisions and to prepare accurate and reliable financial statements

COSO Information & Communication

An effective AIS will

Identify and record all financial transactions

Provide timely information in sufficient detail to permit classification and financial reporting

Accurately measure the financial value of transactions so their effects can be recorded in the financial statements in the proper $ amount

Accurately record transactions in the time period in which they occurred

COSO Information & Communication

The auditor must have sufficient knowledge of the AIS to understand:

The classes of transactions that are material to the FS and how they are initiated

The accounting records and accounts used in processing transactions

Transaction processing steps involved from initiation of a transaction to its inclusion in the financial statements

The financial reporting process used to prepare financial statements, disclosures, and accounting estimates

COSO Risk Mgmt Framework

[Figure: 3-D diagram with axes labeled “Objectives” and “Components”. Components shown: Internal Control Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]

SOX, COSO, and CobiT

SOX requires assessment of IC

SOX suggests COSO as an IC framework to use in assessing IC

COSO does not specify specific IT control objectives or procedures

CobiT can (should? must?) be combined with COSO to forge a complete IC framework that includes IT control activities

PCAOB Audit Standard #2

185 pages

Defines an IC deficiency, significant deficiency, and material weakness

IC cannot be effective if a material weakness exists

Inadequate documentation by management is a deficiency in IC over FS

Documentation includes design and planned operation

Also includes mgmt’s process to evaluate IC

PCAOB Audit Standard #2 (cont.)

IT general controls mentioned

Program development

Program change controls

Computer operation controls

Access security of programs and data

PCAOB Audit Standard #2 (cont.)

Using the work of others: internal auditors, IT auditors, and others

CPA must evaluate the competence and objectivity of IA or ITA

Competence factors

Education & experience

Professional certification & continuing education

Supervision & review of their activities

Quality of the documentation of their work

Performance evaluations

PCAOB Audit Standard #2 (cont.)

Objectivity factors

Who they report to

Policies/procedures relating to objectivity and conflict of interest of IA/ITA

CPA must test the work (tests) of IA/ITA to evaluate their quality & effectiveness

CPA must produce the majority of IC evidence himself by independent (of IA) testing

PCAOB AS #2 and CobiT

Any Conclusions ??

The worlds of IA and CPA have collided

The CPA must increase knowledge and skills in IT auditing, with all that entails

IA must spend more time documenting their systems because of the control deficiency definition

IA must increase knowledge and skills in accounting, financial reporting, and mgmt’s FS assertions