Sarbanes-Oxley Act from an Accounting Point of View - PowerPoint PPT Presentation

Sept. 16, 2004. John White, PhD, CPA. 1. Sarbanes-Oxley Act from an. Accounting ... or occurrence do assets exist and did revenues actually occur (World Com ? ... – PowerPoint PPT presentation

Provided by: johnwhit

Transcript and Presenter's Notes


1
Sarbanes-Oxley Act from an Accounting Point of View
  • Or
  • Is There Anything About SOX
  • That I Have Not Heard Before?

2
Objectives
  • Discuss how SOX has generally affected the CPA
    profession (the outside auditors)
  • Discuss the CPA's use of internal control
    information in the audit of financial statements,
    both past and present (SOX)
  • Discuss the CPA's new interest in IT auditing and
    the internal and IT auditors' new interest in the
    CPA's FS audit

3
Quick Review of SOX
  • Became law in 2002, fully effective in '04
  • Seeks to protect investors by improving the
    accuracy and reliability of corporate disclosures
    (financial statements or FS) made pursuant to the
    securities laws
  • Requires most public companies and their external
    auditors to report on the effectiveness of
    internal control (IC) over financial reporting
    including FS

4
Quick Review of SOX (cont.)
  • The mgmt report on IC will clearly state that
    mgmt is responsible for and has established and
    understands IC
  • Thus, mgmt in the c-suite (or below) cannot say
    "I didn't know" or "I didn't understand"
  • Mgmt must state that "We designed IC and IC is
    operating and IC is effective"
  • Mgmt must also report quarterly and annually any
    changes in IC over FS

5
Quick Review of SOX (cont.)
  • Outside auditors must audit mgmt's assessment of
    IC and the assessment process, and give an
    opinion as to whether mgmt's assessment is
    correct or incorrect
  • Outside auditors must also assess and give an
    opinion on IC effectiveness, i.e., CPAs must
    audit IC in addition to the FS
  • Mgmt must give its outside auditors documentation
    of its processes, evidence of functioning IC over
    the processes, and documented results of testing
    procedures

6
Quick Review of SOX (cont.)
  • SOX established the Public Company Accounting
    Oversight Board (PCAOB)
  • Outside auditors (CPAs) will also be subject to
    an audit by PCAOB of their internal procedures,
    processes, quality controls, and general
    adherence to auditing standards in conducting
    outside audits of IC and FS of public companies

7
PCAOB Duties
  • Register CPA firms that prepare audit reports
  • Establish auditing, quality control, ethics,
    independence, other standards relating to the
    preparation of audit reports (This is a big
    change for CPAs!)
  • Conduct inspections of adherence to auditing
    standards of registered CPAs in accordance with
    PCAOB rules

8
PCAOB Duties (cont.)
  • Conduct investigations and disciplinary
    proceedings of CPA firms and CPAs
  • Perform other duties

9
Big Changes for CPAs
  • CPAs are licensed by each state, but...
  • CPAs are governed by the American Institute of
    Certified Public Accountants (AICPA)
  • The AICPA has set auditing, attestation, and
    ethics standards for CPAs in the past, i.e., the
    CPA profession has been self-governed as to
    auditing standards

10
Big Changes for CPAs
  • Auditing standards used by CPAs were promulgated
    by the AICPA
  • The AICPA issued 10 generally accepted auditing
    standards (GAAS)
  • Two examples of GAAS:
      • An understanding of IC should be obtained to plan
        the audit and determine testing of IC
      • Sufficient competent evidence should be obtained
        to support the audit opinion

11
Big Changes for CPAs
  • AICPA has also issued over 100 more specific and
    detailed Statements on Auditing Standards or SAS
  • Several SASs pertain to the understanding of IC
    needed by the CPA for the audit of FS: SAS 55,
    78, 94
  • PCAOB has adopted all SASs as their standards
    until replaced by new AS

12
Big Changes for CPAs
  • Prior to SOX, CPAs had to understand IC, but not
    audit nor give an opinion on IC itself, only an
    opinion on FS
  • Since the audit opinion did not cover IC, CPA
    could collect evidence about FS amounts using
    methods that did not require strong IC, i.e.,
    substantive testing
  • This model is gone with the wind
  • Must audit IC, which means auditing IT IC

13
Big Changes for CPAs
  • PCAOB has issued AS 2, "Auditing IC over
    Financial Reporting," as of 3/9/04
  • CPAs will have to become more knowledgeable and
    competent concerning IT controls and IT auditing
  • "Auditing around the computer" is dead
  • Continuous auditing will grow, e.g.:
      • Embedded audit modules
      • Snapshots
      • Integrated test facilities

14
How Does the CPA Audit FS?
  • Understand the business, its processes, and its
    information system
  • Start with the financial cycles of the business:
      • Revenue cycle, expenditure cycle, conversion
        cycle
  • What are the significant and material accounts in
    the FS (all of them?) and which financial cycles
    produce them and what process do they go through
    in each cycle in the sequence of recognition,
    authorization, recording, summarizing, and
    reporting?

15
The CPA Audit of FS (cont.)
  • Understand mgmt's assertions about FS:
      • Existence or occurrence: do assets exist and did
        revenues actually occur (WorldCom?)
      • Completeness: have all liabilities and expenses
        been reported (Enron?)
      • Valuation or allocation: amount is correct?
      • Rights and obligations: assets and liabilities
      • Presentation and disclosure: format and
        classifications of BS and IS and content of notes

16
The Balance Sheet
ASSETS
  • Cash
  • Accounts Receivable
  • Inventory
  • Long-term Assets Less Accum Depr
  • Other Assets
LIABILITIES & EQUITY
  • LIABILITIES
      • Accts Payable
      • Accrued Expense
      • Notes Payable
      • Bonds Payable
  • OWNERS' EQUITY
      • Common Stock
      • Retained Earnings
      • Other Comp. I/L

17
The Income Statement
18
The CPA Audit of FS (cont.)
  • Determine any threats to mgmt's assertions about
    its FS
  • Determine if IC are in place to mitigate the
    threats and risks concerning mgmt's assertions
    about FS:
      • Design of controls
      • Operation of controls
      • Effectiveness of controls via testing

19
The CPA Audit of FS (cont.)
  • Plan the audit based on the strength or weakness
    of controls and the assessed level of control
    risk
  • If strong IC, less substantive testing and
    evidence
  • If weak IC, more substantive testing and evidence
  • Before SOX, could ignore IC, assess IC risk at
    max, and perform more substantive testing to
    reach conclusion

20
Internal Controls
  • IC is part of management's planning and control
    function
  • Internal control (IC) of what?
      • Business processes and procedures
  • The system of IC is itself a business process
  • SOX only addresses IC over Financial Reporting
    and FS
  • Both manual controls and IT controls are included
    in the scope

21
Internal Controls
  • Who defines IC and its processes?
  • The Committee of Sponsoring Organizations of the
    Treadway Commission, aka COSO
  • COSO issued a report in 1992 defining and
    discussing the objectives and components of IC
  • COSO's framework of IC has been blessed by PCAOB
    AS 2 as one that can be used by companies and
    CPAs in their SOX compliance; others can be used
    instead

22
COSO
  • Who are the sponsoring organizations?
  • AICPA, IIA, FEI, IMA, AAA
  • COSO was formed to reach agreement on a
    definition of IC
  • COSO has recently updated and expanded its
    original framework
  • Not widely reported nor discussed, but it is COSO
    nevertheless and the auditor may want to use it
    in the audit of IC

23
COSO IC Framework in 3-D
24
COSO Control Activities Component
  • Computer controls
      • General controls
      • Application controls
  • Physical controls: all systems incl. IT
      • Transaction authorization
      • Segregation of duties
      • Supervision
      • Accounting records
      • Access control
      • Independent verification

25
COSO Information & Communication
  • The AIS consists of the records and methods used
    to initiate, identify, analyze, classify, and
    record the transactions and to account for the
    related assets and liabilities
  • The quality of information generated by the AIS
    impacts management's ability to take actions and
    make decisions and to prepare accurate and
    reliable financial statements

26
COSO Information & Communication
  • An effective AIS will:
      • Identify and record all financial transactions
      • Provide timely information in sufficient detail
        to permit classification and financial reporting
      • Accurately measure the financial value of
        transactions so their effects can be recorded in
        the financial statements in the proper amount
      • Accurately record transactions in the time period
        in which they occurred

27
COSO Information & Communication
  • The auditor must have sufficient knowledge of the
    AIS to understand:
      • The classes of transactions that are material to
        the FS and how they are initiated
      • The accounting records and accounts used in
        processing transactions
      • Transaction processing steps involved from
        initiation of a transaction to its inclusion in
        the financial statements
      • The financial reporting process used to prepare
        financial statements, disclosures, and accounting
        estimates

28
COSO Risk Mgmt Framework
29
SOX, COSO, and CobiT
  • SOX requires assessment of IC
  • SOX suggests COSO as an IC framework to use in
    assessing IC
  • COSO does not specify specific IT control
    objectives or procedures
  • CobiT can (should? must?) be combined with COSO
    to forge a complete IC framework that includes IT
    control activities

30
PCAOB Audit Standard 2
  • 185 pages
  • Defines an IC deficiency, significant deficiency,
    and material weakness
  • IC cannot be effective if a material weakness
    exists
  • Inadequate documentation by management is a
    deficiency in IC over FS
  • Documentation includes design and planned
    operation
  • Also includes mgmt's process to evaluate IC

31
PCAOB Audit Standard 2 (cont.)
  • IT general controls mentioned:
      • Program development
      • Program change controls
      • Computer operation controls
      • Access security of programs and data

32
PCAOB Audit Standard 2 (cont.)
  • Using the work of others: internal auditors, IT
    auditors, and others
  • CPA must evaluate the competence and objectivity
    of IA or ITA
  • Competence factors:
      • Education and experience
      • Professional certification and continuing education
      • Supervision and review of their activities
      • Quality of the documentation of their work
      • Performance evaluations

33
PCAOB Audit Standard 2 (cont.)
  • Objectivity factors:
      • Who they report to
      • Policies/procedures relating to objectivity and
        conflict of interest of IA/ITA
  • CPA must test the work (tests) of IA/ITA to
    evaluate their quality and effectiveness
  • CPA must produce the majority of IC evidence
    himself by independent (of IA) testing

34
PCAOB AS 2 and CobiT
35
Any Conclusions ??
  • The worlds of IA and CPA have collided
  • The CPA must increase knowledge and skills in IT
    auditing, with all that entails
  • IA must spend more time documenting their systems
    because of the control deficiency definition
  • IA must increase knowledge and skills in
    accounting, financial reporting, and mgmt's FS
    assertions