Sarbanes-Oxley Act from an Accounting Point of View
Sept. 16, 2004 John White, PhD, CPA 1
Sarbanes-Oxley Act from an Accounting Point of View
Or “Is There Anything About SOX That I Have Not Heard Before?”
Objectives
Discuss how SOX has generally affected the CPA profession (the outside auditors)
Discuss the CPA’s use of internal control information in the audit of financial statements, both past and present (SOX)
Discuss the CPA’s new interest in IT auditing and the internal and IT auditor’s new interest in the CPA’s FS audit
Quick Review of SOX
Became law in 2002, fully effective in ’04
Seeks to protect investors by improving the accuracy and reliability of corporate disclosures (financial statements or FS) made pursuant to the securities laws
Requires most public companies and their external auditors to report on the effectiveness of internal control (IC) over financial reporting including FS
Quick Review of SOX (cont.)
The mgmt report on IC will clearly state that mgmt is responsible for and has established and understands IC
Thus, mgmt in the c-suite (or below) cannot say “I didn’t know” or “I didn’t understand”
Mgmt must state that “We designed IC and IC is operating and IC is effective”
Mgmt must also report quarterly and annually any changes in IC over FS
Quick Review of SOX (cont.)
Outside auditors must audit mgmt’s assessment of IC and the assessment process, and give an opinion as to whether mgmt’s assessment is correct or incorrect
Outside auditors must also assess and give an opinion on IC effectiveness, i.e., CPAs must audit IC in addition to the FS
Mgmt must give its outside auditors documentation of its processes, evidence of functioning IC over the processes, and documented results of testing procedures
Quick Review of SOX (cont.)
SOX established the Public Company Accounting Oversight Board (PCAOB)
Outside auditors (CPAs) will also be subject to an “audit” by PCAOB of their internal procedures, processes, quality controls, and general adherence to auditing standards in conducting outside audits of IC and FS of public companies
PCAOB Duties
Register CPA firms that prepare audit reports
Establish auditing, quality control, ethics, independence, & other standards relating to the preparation of audit reports (This is a big change for CPAs!)
Conduct inspections of adherence to auditing standards of registered CPAs in accordance with PCAOB rules
PCAOB Duties (cont.)
Conduct investigations and disciplinary proceedings of CPA firms & CPAs
Perform other duties
Big Changes for CPAs
CPAs are “licensed” by each state, but…
CPAs are “governed” by the American Institute of Certified Public Accountants (AICPA)
The AICPA has set auditing, attestation, and ethics standards for CPAs in the past, i.e., the CPA profession has been self-governed as to auditing standards
Big Changes for CPAs
Auditing standards used by CPAs were promulgated by the AICPA
The AICPA issued 10 generally accepted auditing standards (GAAS)
Two examples of GAAS
  An understanding of IC should be obtained to plan the audit and determine testing of IC
  Sufficient competent evidence should be obtained to support the audit opinion
Big Changes for CPAs
AICPA has also issued over 100 more specific and detailed Statements on Auditing Standards or SAS
Several SASs pertain to the understanding of IC needed by the CPA for the audit of FS – SAS 55, 78, & 94
PCAOB has adopted all SASs as their standards until replaced by new AS
Big Changes for CPAs
Prior to SOX, CPAs had to understand IC, but not audit nor give an opinion on IC itself, only an opinion on FS
Since the audit opinion did not cover IC, CPA could collect evidence about FS $ amounts using methods that did not require strong IC, i.e., substantive testing
This “model” is gone with the wind
Must audit IC which means audit IT IC
Big Changes for CPAs
PCAOB has issued AS #2 – Auditing IC over Financial Reporting as of 3/9/04
CPAs will have to become more knowledgeable and competent concerning IT controls and IT auditing
Auditing “around” the computer is dead
Continuous auditing will grow, e.g.
  Embedded audit modules
  Snapshots
  Integrated test facilities
How Does the CPA Audit FS?
Understand the business & its processes & its information system
Start with the financial cycles of the business
  Revenue cycle, expenditure cycle, conversion cycle
What are the significant and material accounts in the FS (all of them?) and which financial cycles produce them and what process do they go through in each cycle in the sequence of recognition, authorization, recording, summarizing, and reporting?
The CPA Audit of FS (cont.)
Understand mgmt’s assertions about FS
  Existence or occurrence – do assets exist and did revenues actually occur (WorldCom?)
  Completeness – have all liabilities and expenses been reported (Enron?)
  Valuation or allocation – $ amount is correct?
  Rights and obligations – assets & liabilities
  Presentation and disclosure – format and classifications of BS and IS and content of notes
The Balance Sheet
[Diagram: ASSETS = LIABILITIES & EQUITY]
ASSETS: Cash, Accounts Receivable, Inventory, Long-term Assets (Less: Accum Depr), Other Assets
LIABILITIES: Accts Payable, Accrued Expense, Notes Payable, Bonds Payable
OWNERS EQUITY: Common Stock, Retained Earnings, Other Comp. I/L
The Income Statement
[Diagram]
+ REVENUE
- COST OF SALES
= GROSS PROFIT
- SELLING, GENERAL, & ADMINISTRATIVE EXPENSE
= NET INCOME
The CPA Audit of FS (cont.)
Determine any threats to mgmt’s assertions about its FS
Determine if IC are in place to mitigate the threats and risks concerning mgmt’s assertions about FS
  Design of controls
  Operation of controls
  Effectiveness of controls via testing
The CPA Audit of FS (cont.)
Plan the audit based on the strength or weakness of controls and the assessed level of control risk
  If strong IC, less substantive testing and evidence
  If weak IC, more substantive testing and evidence
Before SOX, could ignore IC, assess IC risk at max, and perform more substantive testing to reach conclusion
Internal Controls
IC is part of management’s planning & control function
Internal control (IC) of what?
  Business processes & procedures
The system of IC is itself a business process
SOX only addresses IC over Financial Reporting and FS
Both manual controls and IT controls are included in the scope
Internal Controls
Who defines IC and its processes?
  The Committee of Sponsoring Organizations of the Treadway Commission, aka COSO
COSO issued a report in 1992 defining and discussing the objectives and components of IC
COSO’s framework of IC has been blessed by PCAOB AS #2 as one that can be used by companies and CPAs in their SOX compliance; others can be used instead
COSO
Who are the sponsoring organizations?
  AICPA, IIA, FEI, IMA, AAA
COSO was formed to reach agreement on a definition of IC
COSO has recently updated and expanded its original framework
  Not widely reported nor discussed, but it is COSO nevertheless and the auditor may want to use it in the audit of IC
COSO IC Framework in 3-D
[Diagram: COSO cube with axes labeled Objectives and Components]
Components: Internal Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring
COSO Control Activities Component
Computer controls
  General controls
  Application controls
Physical controls – all systems incl. IT
  Transaction authorization
  Segregation of duties
  Supervision
  Accounting records
  Access control
  Independent verification
COSO Information & Communication
The AIS consists of the records and methods used to initiate, identify, analyze, classify, and record the transactions and to account for the related assets and liabilities
The quality of information generated by the AIS impacts management’s ability to take actions and make decisions and to prepare accurate and reliable financial statements
COSO Information & Communication
An effective AIS will
  Identify and record all financial transactions
  Provide timely information in sufficient detail to permit classification and financial reporting
  Accurately measure the financial value of transactions so their effects can be recorded in the financial statements in the proper $ amount
  Accurately record transactions in the time period in which they occurred
COSO Information & Communication
The auditor must have sufficient knowledge of the AIS to understand:
  The classes of transactions that are material to the FS and how they are initiated
  The accounting records and accounts used in processing transactions
  Transaction processing steps involved from initiation of a transaction to its inclusion in the financial statements
  The financial reporting process used to prepare financial statements, disclosures, and accounting estimates
COSO Risk Mgmt Framework
[Diagram: COSO risk management cube with axes labeled Objectives and Components]
Components: Internal Control Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
SOX, COSO, and CobiT
SOX requires assessment of IC
SOX suggests COSO as an IC framework to use in assessing IC
COSO does not specify specific IT control objectives or procedures
CobiT can (should? must?) be combined with COSO to forge a complete IC framework that includes IT control activities
PCAOB Audit Standard #2
185 pages
Defines an IC deficiency, significant deficiency, and material weakness
  IC cannot be effective if a material weakness exists
Inadequate documentation by management is a deficiency in IC over FS
  Documentation includes design and planned operation
  Also includes mgmt’s process to evaluate IC
PCAOB Audit Standard #2 (cont.)
IT general controls mentioned
  Program development
  Program change controls
  Computer operation controls
  Access security of programs and data
PCAOB Audit Standard #2 (cont.)
Using the work of others: internal auditors, IT auditors, and others
CPA must evaluate the competence and objectivity of IA or ITA
Competence factors
  Education & experience
  Professional certification & continuing education
  Supervision & review of their activities
  Quality of the documentation of their work
  Performance evaluations
PCAOB Audit Standard #2 (cont.)
Objectivity factors
  Who they report to
  Policies/procedures relating to objectivity and conflict of interest of IA/ITA
CPA must test the work (tests) of IA/ITA to evaluate their quality & effectiveness
CPA must produce the majority of IC evidence himself by independent (of IA) testing
PCAOB AS #2 and CobiT
Any Conclusions ??
The worlds of IA and CPA have collided
The CPA must increase knowledge and skills in IT auditing, with all that entails
IA must spend more time documenting their systems because of the control deficiency definition
IA must increase knowledge and skills in accounting, financial reporting, and mgmt’s FS assertions