Sarbanes-Oxley Act from an Accounting Point of View Or “Is There

Sarbanes-Oxley Act from an Accounting Point of View Or “Is There Anything About SOX That I Have Not Heard Before?” Sept. 16, 2004 John White, PhD, CPA 1

Objectives Discuss how SOX has generally affected the CPA profession (the outside auditors) Discuss the CPA’s use of internal control information in the audit of financial statements, both past and present (SOX) Discuss the CPA’s new interest in IT auditing and the internal and IT auditor’s new interest in the CPA’s FS audit Sept. 16, 2004 John White, PhD, CPA 2

Quick Review of SOX Became law in 2002, fully effective in ‘04 Seeks to protect investors by improving the accuracy and reliability of corporate disclosures (financial statements or FS) made pursuant to the securities laws Requires most public companies and their external auditors to report on the effectiveness of internal control (IC) over financial reporting including FS Sept. 16, 2004 John White, PhD, CPA 3

Quick Review of SOX (cont.) The mgmt report on IC will clearly state that mgmt is responsible for and has established and understands IC Thus, mgmt in the c-suite (or below) cannot say “I didn’t know” or “I didn’t understand” Mgmt must state that “We designed IC and IC is operating and IC is effective” Mgmt must also report quarterly and annually any changes in IC over FS Sept. 16, 2004 John White, PhD, CPA 4

Quick Review of SOX (cont.) Outside auditors must audit mgmt’s assessment of IC and the assessment process, and give an opinion as to whether mgmt’s assessment is correct or incorrect Outside auditors must also assess and give an opinion on IC effectiveness, i.e., CPAs must audit IC in addition to the FS Mgmt must give its outside auditors documentation of its processes, evidence of functioning IC over the processes, and documented results of testing procedures Sept. 16, 2004 John White, PhD, CPA 5

Quick Review of SOX (cont.) SOX established the Public Company Accounting Oversight Board (PCAOB) Outside auditors (CPAs) will also be subject to an “audit” by PCAOB of their internal procedures, processes, quality controls, and general adherence to auditing standards in conducting outside audits of IC and FS of public companies Sept. 16, 2004 John White, PhD, CPA 6

PCAOB Duties Register CPA firms that prepare audit reports Establish auditing, quality control, ethics, independence, & other standards relating to the preparation of audit reports (This is a big change for CPAs!) conduct inspections of adherence to auditing standards of registered CPAs in accordance with PCAOB rules Sept. 16, 2004 John White, PhD, CPA 7

PCAOB Duties (cont.) Conduct investigations and disciplinary proceeding of CPA firms & CPAs Perform other duties Sept. 16, 2004 John White, PhD, CPA 8

Big Changes for CPAs CPAs are “licensed” by each state, but . CPAs are “governed” by the American Institute of Certified Public Accountants (AICPA) The AICPA has set auditing, attestation, and ethics standards for CPAs in the past, i.e., the CPA profession has been selfgoverned as to auditing standards Sept. 16, 2004 John White, PhD, CPA 9

Big Changes for CPAs Auditing standards used by CPAs were promulgated by the AICPA The AICPA issued 10 generally accepted auditing standards (GAAS) Two examples of GAAS An understanding of IC should be obtained to plan the audit and determine testing of IC Sufficient competent evidence should be obtained to support the audit opinion Sept. 16, 2004 John White, PhD, CPA 10

Big Changes for CPAs AICPA has also issued over 100 more specific and detailed Statements on Auditing Standards or SAS Several SASs pertain to the understanding of IC needed by the CPA for the audit of FS – SAS 55, 78, & 94 PCAOB has adopted all SASs as their standards until replaced by new AS Sept. 16, 2004 John White, PhD, CPA 11

Big Changes for CPAs Prior to SOX, CPAs had to understand IC, but not audit nor give an opinion on IC itself, only an opinion on FS Since the audit opinion did not cover IC, CPA could collect evidence about FS amounts using methods that did not require strong IC, i.e., substantive testing This “model” is gone with the wind Must audit IC which means audit IT IC Sept. 16, 2004 John White, PhD, CPA 12

Big Changes for CPAs PCAOB has issued AS #2 – Auditing IC over Financial Reporting as of 3/9/04 CPAs will have to become more knowledgeable and competent concerning IT controls and IT auditing Auditing “around” the computer is dead Continuous auditing will grow, e.g. Embedded audit modules Snapshots Integrated Sept. 16, 2004 test facilities John White, PhD, CPA 13

How Does the CPA Audit FS? Understand the business & its processes & its information system Start with the financial cycles of the business Revenue cycle, expenditure cycle, conversion cycle What are the significant and material accounts in the FS (all of them?) and which financial cycles produce them and what process do they go through in each cycle in the sequence of recognition, authorization, recording, summarizing, and reporting? Sept. 16, 2004 John White, PhD, CPA 14

The CPA Audit of FS (cont.) Understand mgmt’s assertions about FS Existence or occurrence – do assets exist and did revenues actually occur (World Com ?) Completeness – have all liabilities and expenses have been reported (Enron ?) Valuation or allocation - amount is correct? Rights and obligations – assets & liabilities Presentation and disclosure – format and classifications of BS and IS and content of notes Sept. 16, 2004 John White, PhD, CPA 15

The Balance Sheet ASSETS LIABILITIES & EQUITY Cash LIABILITIES Accts Payable Accrued Expense Notes Payable Bonds Payable Accounts Receivable Inventory Long-term Assets Less: Accum Depr OWNERS EQUITY Common Stock Retained Earnings Other Comp. I/L Other Assets Sept. 16, 2004 John White, PhD, CPA 16

The Income Statement Sept. 16, 2004 REVENUE COST OF SALES - GROSS PROFIT SELLING, GENERAL, & ADMINISTRATIVE EXPENSE - NET INCOME John White, PhD, CPA 17

The CPA Audit of FS (cont.) Determine any threats to mgmt’s assertions about its FS Determine if IC are in place to mitigate the threats and risks concerning mgmt’s assertions about FS Design of controls Operation of controls Effectiveness of controls via testing Sept. 16, 2004 John White, PhD, CPA 18

The CPA Audit of FS (cont.) Plan the audit based on the strength or weakness of controls and the assessed level of control risk If strong IC, less substantive testing and evidence If weak IC, more substantive testing and evidence Before SOX, could ignore IC, assess IC risk at max, and perform more substantive testing to reach conclusion Sept. 16, 2004 John White, PhD, CPA 19

Internal Controls IC is part of management’s planning & control function Internal control (IC) of what? Business The processes & procedures system of IC is itself a business process SOX only addresses IC over Financial Reporting and FS Both manual controls and IT controls are included in the scope Sept. 16, 2004 John White, PhD, CPA 20

Internal Controls Who defines IC and its processes? The committee of Sponsoring Organizations of the Treadway Commission, aka COSO COSO has issued a report in 1992 defining and discussing the objectives and components of IC COSO’s framework of IC has been blessed by PCAOB AS #2 as one that can be used by companies and CPAs in their SOX compliance; others can be used instead Sept. 16, 2004 John White, PhD, CPA 21

COSO Who are the sponsoring organizations? AICPA, IIA, FEI, IMA, AAA COSO was formed to reach agreement on a definition of IC COSO has recently updated and expanded its original framework Not widely reported nor discussed, but it is COSO nevertheless and the auditor may want to use it in the audit of IC Sept. 16, 2004 John White, PhD, CPA 22

COSO IC Framework in 3-D Objectives Internal Control Environment Risk Assessment Components Control Activities Information & Communication Monitoring Sept. 16, 2004 John White, PhD, CPA 23

COSO Control Activities Component Computer Controls General controls Application controls Physical controls – all systems incl. IT Transaction authorization Segregation of duties Supervision Accounting records Access control Independent verification Sept. 16, 2004 John White, PhD, CPA 24

COSO Information & Communication The AIS consists of the records and methods used to initiate, identify, analyze, classify, and record the transactions and to account for the related assets and liabilities The quality of information generated by the AIS impacts management’s ability to take actions and make decisions and to prepare accurate and reliable financial statements Sept. 16, 2004 John White, PhD, CPA 25

COSO Information & Communication An effective AIS will Identify and record all financial transactions Provide timely information in sufficient detail to permit classification and financial reporting Accurately measure the financial value of transactions so their effects can be recorded in the financial statements in the proper amount Accurately record transactions in the time period in which they occurred Sept. 16, 2004 John White, PhD, CPA 26

COSO Information & Communication The auditor must have sufficient knowledge of the AIS to understand: The classes of transactions that are material to the FS and how they are initiated The accounting records and accounts used in processing transactions Transaction processing steps involved from initiation of a transaction to its inclusion in the financial statements The financial reporting process used to prepare financial statements, disclosures, and accounting estimates Sept. 16, 2004 John White, PhD, CPA 27

COSO Risk Mgmt Framework Objectives Internal Control Environment Objective Setting Components Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring Sept. 16, 2004 John White, PhD, CPA 28

SOX, COSO, and CobiT SOX requires assessment of IC SOX suggest COSO as an IC framework to use in assessing IC COSO does not specify specific IT control objectives or procedures CobiT can (should? must?) be combined with COSO to forge a complete IC framework that includes IT control activities Sept. 16, 2004 John White, PhD, CPA 29

PCAOB Audit Standard #2 185 pages Defines an IC deficiency, significant deficiency, and material weakness IC cannot be effective if a material weakness exists Inadequate documentation by management is a deficiency in IC over FS Documentation includes design and planned operation Also includes mgmt’s process to evaluate IC Sept. 16, 2004 John White, PhD, CPA 30

PCAOB Audit Standard #2 (cont.) IT general controls mentioned Program development Program change controls Computer operation controls Access security of programs and data Sept. 16, 2004 John White, PhD, CPA 31

PCAOB Audit Standard #2 (cont.) Using the work of others: internal auditors, IT auditors, and others CPA must evaluate the competence and objectivity of IA or ITA Competence factors Education & experience Professional certification & continuing education Supervision & review of their activities Quality of the documentation of their work Performance evaluations Sept. 16, 2004 John White, PhD, CPA 32

PCAOB Audit Standard #2 (cont.) Objectivity factors Who they report to Policies/procedures relating to objectivity and conflict of interest of IA/ITA CPA must test the work (tests) of IA/ITA to evaluate their quality & effectiveness CPA must product the majority of IC evidence himself by independent (of IA) testing Sept. 16, 2004 John White, PhD, CPA 33

PCAOB AS #2 and CobiT Sept. 16, 2004 John White, PhD, CPA 34

Any Conclusions ? The worlds of IA and CPA have collided The CPA must increase knowledge and skills in IT auditing, with all that entails IA must spend more time documenting their systems because of the control deficiency definition IA must increase knowledge and skills in accounting, financial reporting, and mgmt’s FS assertions Sept. 16, 2004 John White, PhD, CPA 35