Title: Sarbanes-Oxley Act from an Accounting Point of View
1Sarbanes-Oxley Act from anAccounting Point of
View
- Or
- Is There Anything About SOX
- That I Have Not Heard Before?
2Objectives
- Discuss how SOX has generally affected the CPA
profession (the outside auditors) - Discuss the CPAs use of internal control
information in the audit of financial statements,
both past and present (SOX) - Discuss the CPAs new interest in IT auditing and
the internal and IT auditors new interest in the
CPAs FS audit
3Quick Review of SOX
- Became law in 2002, fully effective in 04
- Seeks to protect investors by improving the
accuracy and reliability of corporate disclosures
(financial statements or FS) made pursuant to the
securities laws - Requires most public companies and their external
auditors to report on the effectiveness of
internal control (IC) over financial reporting
including FS
4Quick Review of SOX (cont.)
- The mgmt report on IC will clearly state that
mgmt is responsible for and has established and
understands IC - Thus, mgmt in the c-suite (or below) cannot say
I didnt know or I didnt understand - Mgmt must state that We designed IC and IC is
operating and IC is effective - Mgmt must also report quarterly and annually any
changes in IC over FS
5Quick Review of SOX (cont.)
- Outside auditors must audit mgmts assessment of
IC and the assessment process, and give an
opinion as to whether mgmts assessment is
correct or incorrect - Outside auditors must also assess and give an
opinion on IC effectiveness, i.e., CPAs must
audit IC in addition to the FS - Mgmt must give its outside auditors documentation
of its processes, evidence of functioning IC over
the processes, and documented results of testing
procedures
6Quick Review of SOX (cont.)
- SOX established the Public Company Accounting
Oversight Board (PCAOB) - Outside auditors (CPAs) will also be subject to
an audit by PCAOB of their internal procedures,
processes, quality controls, and general
adherence to auditing standards in conducting
outside audits of IC and FS of public companies
7PCAOB Duties
- Register CPA firms that prepare audit reports
- Establish auditing, quality control, ethics,
independence, other standards relating to the
preparation of audit reports (This is a big
change for CPAs!) - conduct inspections of adherence to auditing
standards of registered CPAs in accordance with
PCAOB rules
8PCAOB Duties (cont.)
- Conduct investigations and disciplinary
proceeding of CPA firms CPAs - Perform other duties
9Big Changes for CPAs
- CPAs are licensed by each state, but.
- CPAs are governed by the American Institute of
Certified Public Accountants (AICPA) - The AICPA has set auditing, attestation, and
ethics standards for CPAs in the past, i.e., the
CPA profession has been self-governed as to
auditing standards
10Big Changes for CPAs
- Auditing standards used by CPAs were promulgated
by the AICPA - The AICPA issued 10 generally accepted auditing
standards (GAAS) - Two examples of GAAS
- An understanding of IC should be obtained to plan
the audit and determine testing of IC - Sufficient competent evidence should be obtained
to support the audit opinion
11Big Changes for CPAs
- AICPA has also issued over 100 more specific and
detailed Statements on Auditing Standards or SAS - Several SASs pertain to the understanding of IC
needed by the CPA for the audit of FS SAS 55,
78, 94 - PCAOB has adopted all SASs as their standards
until replaced by new AS
12Big Changes for CPAs
- Prior to SOX, CPAs had to understand IC, but not
audit nor give an opinion on IC itself, only an
opinion on FS - Since the audit opinion did not cover IC, CPA
could collect evidence about FS amounts using
methods that did not require strong IC, i.e.,
substantive testing - This model is gone with the wind
- Must audit IC which means audit IT IC
13Big Changes for CPAs
- PCAOB has issued AS 2 Auditing IC over
Financial Reporting as of 3/9/04 - CPAs will have to become more knowledgeable and
competent concerning IT controls and IT auditing - Auditing around the computer is dead
- Continuous auditing will grow, e.g.
- Embedded audit modules
- Snapshots
- Integrated test facilities
14How Does the CPA Audit FS?
- Understand the business its processes its
information system - Start with the financial cycles of the business
- Revenue cycle, expenditure cycle, conversion
cycle - What are the significant and material accounts in
the FS (all of them?) and which financial cycles
produce them and what process do they go through
in each cycle in the sequence of recognition,
authorization, recording, summarizing, and
reporting?
15The CPA Audit of FS (cont.)
- Understand mgmts assertions about FS
- Existence or occurrence do assets exist and did
revenues actually occur (World Com ?) - Completeness have all liabilities and expenses
have been reported (Enron ?) - Valuation or allocation - amount is correct?
- Rights and obligations assets liabilities
- Presentation and disclosure format and
classifications of BS and IS and content of notes
16The Balance Sheet
ASSETS
LIABILITIES EQUITY
Cash
- LIABILITIES
- Accts Payable
- Accrued Expense
- Notes Payable
- Bonds Payable
Accounts Receivable
Inventory
Long-term Assets Less Accum Depr
- OWNERS EQUITY
- Common Stock
- Retained Earnings
- Other Comp. I/L
Other Assets
17The Income Statement
18The CPA Audit of FS (cont.)
- Determine any threats to mgmts assertions about
its FS - Determine if IC are in place to mitigate the
threats and risks concerning mgmts assertions
about FS - Design of controls
- Operation of controls
- Effectiveness of controls via testing
19The CPA Audit of FS (cont.)
- Plan the audit based on the strength or weakness
of controls and the assessed level of control
risk - If strong IC, less substantive testing and
evidence - If weak IC, more substantive testing and evidence
- Before SOX, could ignore IC, assess IC risk at
max, and perform more substantive testing to
reach conclusion
20Internal Controls
- IC is part of managements planning control
function - Internal control (IC) of what?
- Business processes procedures
- The system of IC is itself a business process
- SOX only addresses IC over Financial Reporting
and FS - Both manual controls and IT controls are included
in the scope
21Internal Controls
- Who defines IC and its processes?
- The committee of Sponsoring Organizations of the
Treadway Commission, aka COSO - COSO has issued a report in 1992 defining and
discussing the objectives and components of IC - COSOs framework of IC has been blessed by PCAOB
AS 2 as one that can be used by companies and
CPAs in their SOX compliance others can be used
instead
22COSO
- Who are the sponsoring organizations?
- AICPA, IIA, FEI, IMA, AAA
- COSO was formed to reach agreement on a
definition of IC - COSO has recently updated and expanded its
original framework - Not widely reported nor discussed, but it is COSO
nevertheless and the auditor may want to use it
in the audit of IC
23COSO IC Framework in 3-D
24COSO Control Activities Component
- Computer Controls
- General controls
- Application controls
- Physical controls all systems incl. IT
- Transaction authorization
- Segregation of duties
- Supervision
- Accounting records
- Access control
- Independent verification
25COSO Information Communication
- The AIS consists of the records and methods used
to initiate, identify, analyze, classify, and
record the transactions and to account for the
related assets and liabilities - The quality of information generated by the AIS
impacts managements ability to take actions and
make decisions and to prepare accurate and
reliable financial statements
26COSO Information Communication
- An effective AIS will
- Identify and record all financial transactions
- Provide timely information in sufficient detail
to permit classification and financial reporting - Accurately measure the financial value of
transactions so their effects can be recorded in
the financial statements in the proper amount - Accurately record transactions in the time period
in which they occurred
27COSO Information Communication
- The auditor must have sufficient knowledge of the
AIS to understand - The classes of transactions that are material to
the FS and how they are initiated - The accounting records and accounts used in
processing transactions - Transaction processing steps involved from
initiation of a transaction to its inclusion in
the financial statements - The financial reporting process used to prepare
financial statements, disclosures, and accounting
estimates
28COSO Risk Mgmt Framework
29SOX, COSO, and CobiT
- SOX requires assessment of IC
- SOX suggest COSO as an IC framework to use in
assessing IC - COSO does not specify specific IT control
objectives or procedures - CobiT can (should? must?) be combined with COSO
to forge a complete IC framework that includes IT
control activities
30PCAOB Audit Standard 2
- 185 pages
- Defines an IC deficiency, significant deficiency,
and material weakness - IC cannot be effective if a material weakness
exists - Inadequate documentation by management is a
deficiency in IC over FS - Documentation includes design and planned
operation - Also includes mgmts process to evaluate IC
31PCAOB Audit Standard 2 (cont.)
- IT general controls mentioned
- Program development
- Program change controls
- Computer operation controls
- Access security of programs and data
32PCAOB Audit Standard 2 (cont.)
- Using the work of others internal auditors, IT
auditors, and others - CPA must evaluate the competence and objectivity
of IA or ITA - Competence factors
- Education experience
- Professional certification continuing education
- Supervision review of their activities
- Quality of the documentation of their work
- Performance evaluations
33PCAOB Audit Standard 2 (cont.)
- Objectivity factors
- Who they report to
- Policies/procedures relating to objectivity and
conflict of interest of IA/ITA - CPA must test the work (tests) of IA/ITA to
evaluate their quality effectiveness - CPA must product the majority of IC evidence
himself by independent (of IA) testing
34PCAOB AS 2 and CobiT
35Any Conclusions ??
- The worlds of IA and CPA have collided
- The CPA must increase knowledge and skills in IT
auditing, with all that entails - IA must spend more time documenting their systems
because of the control deficiency definition - IA must increase knowledge and skills in
accounting, financial reporting, and mgmts FS
assertions