
Problems and Warning Signs

1990 2000

During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities to market a variety of high-margin nonaudit services to their audit clients.

Problems and Warning Signs

An Explosion of Scandals

Enron

WorldCom

Tyco

Xerox

Adelphia

Government Regulation

In July 2002, Congress passed the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act.

The Sarbanes-Oxley Act effectively ended the profession’s era of “self-regulation,” creating and transferring authority to set and enforce standards to the Public Company Accounting Oversight Board (PCAOB).

A Model of Business

Board of Directors

Audit Committee

Business organizations exist to create value for their stakeholders. Due to the way resources are invested and managed in the modern business world, a system of corporate governance is necessary, through which managers are overseen and supervised.

Auditing Standards

Auditing standards serve as guidelines for and measures of the quality of the auditor’s performance.

Public Companies

PCAOB

Nonpublic Companies

Auditing Standards Board

GAAS

Statements on Auditing Standards (SAS)—Interpretations of GAAS

GAAS and SAS are considered to be minimum standards of performance for auditors.

PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued by PCAOB are called Auditing Standards (AS).

Organizations That Affect the Public Accounting Profession

American Institute of Certified Public Accountants (AICPA)

Securities and Exchange Commission (SEC)

Public Company Accounting Oversight Board (PCAOB)

Financial Accounting Standards Board (FASB)

Legal Liability

Historical Perspective

1970

Claims against auditors were relatively uncommon before the 1970’s.

1980 1990

Due to a slump in the economy in the early 1970’s and the recession of the 1980’s, it became more common for auditors to be sued.

The recession of 1990-1992 led to another upsurge in litigation against auditors.

The profession pushed for litigation reform, and in the 1990’s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully.

2002

Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002.

Common Law—Third Parties

Four Legal Standards for Third Parties

Privity

Near Privity

Foreseen 3rd Parties

Reasonably Foreseeable 3rd Parties

Common Law—Third Parties

Near Privity: 3rd parties whose relationship with the CPA approaches privity.

Foreseen 3rd Parties: 3rd parties whose reliance should be foreseen, even if the specific person is unknown to the auditor.

Reasonably Foreseeable 3rd Parties: 3rd parties whose reliance should be reasonably foreseeable, even if the specific person is unknown to the auditor.

Auditor's Liability to 3rd Parties for Negligence

Third party | Ultramares (1931) | Credit Alliance (1985); Security Pacific Business Credit, Inc. (1992) | Rusch Factors, Inc. (1968) | H. Rosenblum, Inc. (1983)
Privity | Yes | Yes | Yes | Yes
Near Privity | No | Yes | Yes | Yes
Foreseen Third Parties (Restatement Standard) | No | No | Yes | Yes
Reasonably Foreseeable Third Parties | No | No | No | Yes

Common Law—Third Parties

Negligence: Third Party Must Prove

1. The auditor had a duty to the plaintiff to exercise due care.

2. The auditor breached that duty and was negligent in not following the professional standards.

3. The auditor’s breach of due care was the direct cause of the 3rd party’s injury.

4. The 3rd party suffered an actual loss as a result.

Common Law—Third Parties

Negligence: Auditor’s Defense

1. No duty was owed to the 3rd party (level of duty required depends on the case law followed by the courts).

2. The 3rd party was negligent.

3. The auditor’s work was performed in accordance with professional standards.

4. The 3rd party suffered no loss.

5. Any loss was caused by other events.

6. The claim is invalid because the statute of limitations has expired.

Fraud

If an auditor has acted with knowledge and intent to deceive a third party, he or she can be held liable for fraud.

Fraud

Third Party Must Prove

1. A false representation by the CPA.

2. Knowledge or belief by the CPA that the representation was false.

3. The CPA intended to induce the 3rd party to rely on the false representation.

4. The 3rd party relied on the false representation.

5. The 3rd party suffered damages.

Statutory Liability

Three major statutes that provide sources of liability for auditors:

The Securities Act of 1933

The Securities Exchange Act of 1934

Sarbanes-Oxley Act of 2002

Securities Act of 1933

Generally regulates the disclosure of information in a registration statement for a new public offering of securities.

Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3rd parties when false or misleading information is included in a registration statement.

Securities Act of 1933

Third Party Must Prove

1. The 3rd party suffered losses by investing in the registered security.

2. The audited financial statements contained a material omission or misstatement.

Securities Exchange Act of 1934

Concerned primarily with ongoing reporting by companies whose securities are listed and traded on a stock exchange.

Section 18 imposes liability on any person who makes a material false or misleading statement in documents filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act.

Securities Exchange Act of 1934

Third Party Must Prove

1. A material, factual misrepresentation or omission.

2. Reliance on the financial statements.

3. Damages suffered as a result of reliance on the financial statements.

4. Scienter.

Private Securities Litigation Reform Act of 1995 and the Securities Litigation Uniform Standards Act of 1998

Private Securities Litigation Reform Act of 1995

Provides for proportionate liability for defendants based on percentage of responsibility and a specific statement of fraud at the beginning of the case.

Securities Litigation Uniform Standards Act of 1998

Prevents plaintiffs from seeking to evade the protections that Federal law provides against abusive litigation by filing suit in State, rather than Federal Court.

Sarbanes-Oxley Act of 2002

Most sweeping securities law since 1934

Creation of PCAOB

Stricter independence rules

Audits of internal controls

Increased reporting responsibilities

SEC and PCAOB Sanctions

Suspend Practicing Privilege

Impose Fines

Remedial Measures

Foreign Corrupt Practices Act (FCPA)

An auditor may be subject to administrative proceedings, civil liability, and civil penalties.

Passed in 1977 in response to the discovery of bribery and other misconduct on the part of more than 300 American companies.

Racketeer Influenced and Corrupt Organizations Act (RICO)

RICO provides for civil and criminal sanctions for certain illegal acts.

Passed in 1970 to combat the infiltration of legitimate businesses by organized crime.

Criminal Liability

Gross Negligence

Fraud

Auditors can be held criminally liable under the laws discussed in the previous section.

Criminal prosecutions require that some form of criminal intent be present, such as gross negligence or fraud.

Approaches to Minimizing Legal Liability

Professional Level

1. Establish stronger auditing and attestation standards.

2. Update Code of Professional Conduct and sanction members who do not comply.

3. Educate users.

Firm Level

1. Institute sound quality control and review procedures.

2. Ensure independence.

3. Follow sound client acceptance and retention procedures.

4. Be alert to risk factors.

5. Perform and document work diligently.

Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue an internal control report that explicitly accepts responsibility for establishing and maintaining “adequate” internal control over financial reporting.

Management Responsibilities under Section 404

Management must comply with the following in order for its public accounting firm to complete an audit of internal control over financial reporting.

1. Accept responsibility for the effectiveness of the entity’s internal control over financial reporting.

2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

Auditor Responsibilities under Section 404

The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements.

Internal Control over Financial Reporting Defined

Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:

1. Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.

2. Provide reasonable assurance that transactions are recorded in accordance with GAAP.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets.

Internal Control Deficiencies Defined

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s annual or interim financial statements that is more than inconsequential will not be prevented or detected (AS2, ¶9).

Internal Control Deficiencies Defined

A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected (AS2, ¶10).

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential).

Internal Control Deficiencies Defined

[Figure: control deficiencies plotted by likelihood (remote, more than remote) and magnitude (material, consequential, inconsequential), with regions labeled material weakness, significant deficiency, and control deficiency.]

Management’s Assessment Process

Management must:

1. Design and implement an effective system of internal control. This process involves determining whether a necessary control is missing or an existing control is not properly designed.

2. Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.

3. Decide which business units to include in the assessment process.

Management’s Documentation

Management must develop sufficient documentation to support its assessment of the effectiveness of internal control. This documentation may take many forms, such as paper, electronic files, or other media. It also includes policy manuals, job descriptions, flowcharts, and process models.

Framework Used by Management to Conduct Its Assessment

Most entities use the framework developed by COSO. This framework identifies three primary objectives of internal control: (1) reliable financial reporting; (2) efficiency and effectiveness of operations; and (3) compliance with laws and regulations.

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate management’s assessment process.

The auditor typically obtains his or her understanding of management’s assessment process through inquiry of management and others.

Obtain and document an understanding of internal control.

As part of gaining this understanding the auditor must:

1. Understand and assess company-level controls.

2. Evaluate the effectiveness of the audit committee.

3. Identify significant accounts.

4. Identify relevant financial statement assertions.

5. Identify significant processes and major classes of transactions.

6. Understand the period-end financial reporting process.

7. Perform walkthroughs.

8. Identify controls to test.

Evaluate the design effectiveness of internal control.

Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements.

Test and evaluate the operating effectiveness of internal control.

In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing.

Form an opinion of the effectiveness of internal control.

The auditor should evaluate all evidence before forming an opinion on internal control, including (1) the adequacy of management’s assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures performed, (4) any control deficiencies.

Special Consideration: Using the Work of Others

AS2 requires the auditor to perform enough of the testing that his or her own work provides the principal evidence for the auditor’s opinion. However, a major consideration for the external auditor is how much the work performed by others (internal auditors or others working for management) can be relied on in adjusting the nature, timing, or extent of the auditor’s work. In determining the extent to which the auditor may use the work of others, the auditor should: (1) evaluate the nature of the controls subjected to the work of others, (2) evaluate the competence and objectivity of the individuals who performed the work, and (3) test some of the work performed by others to evaluate the quality and effectiveness of their work.

Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also obtains written representations from management related to the audit of internal control over financial reporting.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.

Auditor Documentation Requirements

The auditor must properly document the processes, procedures, judgments, and results relating to the audit of internal control.

When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

Reporting on Internal Control

Sarbanes-Oxley requires management’s description of internal control to include:

1. A statement of management’s responsibility for establishing and maintaining adequate internal control.

2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.

3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.

4. A statement that the public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.

The Auditor’s Report on Internal Control over Financial Reporting

Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in the company’s annual report.

Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company’s assets that could have a material effect on the financial statements.”

Sarbanes-Oxley Act of 2002

Its principal reforms pertain to:

– Creation of the Public Company Accounting Oversight Board (PCAOB)

– Auditor independence—more separation between a firm’s attestation and non-auditing activities

– Corporate governance and responsibility—audit committee members must be independent and the audit committee must oversee the external auditors

– Disclosure requirements—increase issuer and management disclosure

– New federal crimes for the destruction of or tampering with documents, securities fraud, and actions against whistleblowers

Five Internal Control Components: SAS 78 / COSO

1. Control environment

2. Risk assessment

3. Information and communication

4. Monitoring

5. Control activities

1: The Control Environment

• Integrity and ethics of management

• Organizational structure

• Role of the board of directors and the audit committee

• Management’s policies and philosophy

• Delegation of responsibility and authority

• Performance evaluation measures

• External influences—regulatory agencies

• Policies and practices managing human resources

2: Risk Assessment

• Identify, analyze and manage risks relevant to financial reporting:

– changes in external environment

– risky foreign markets

– significant and rapid growth that strains internal controls

– new product lines

– restructuring, downsizing

– changes in accounting policies

3: Information and Communication

• The AIS should produce high quality information which:

– identifies and records all valid transactions

– provides timely information in appropriate detail to permit proper classification and financial reporting

– accurately measures the financial value of transactions

– accurately records transactions in the time period in which they occurred

Information and Communication

• Auditors must obtain sufficient knowledge of the IS to understand:

– the classes of transactions that are material

  • how these transactions are initiated

  • the associated accounting records and accounts used in processing

– the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements

– the financial reporting process used to compile financial statements, disclosures, and estimates

4: Monitoring

The process for assessing the quality of internal control design and operation

• Separate procedures—test of controls by internal auditors

• Ongoing monitoring:

– computer modules integrated into routine operations

– management reports which highlight trends and exceptions from normal performance

5: Control Activities

• Policies and procedures to ensure that the appropriate actions are taken in response to identified risks

• Fall into two distinct categories:

– IT controls—relate specifically to the computer environment

– Physical controls—primarily pertain to human activities

Six Types of Physical Controls

• Transaction Authorization

• Segregation of Duties

• Supervision

• Accounting Records

• Access Control

• Independent Verification

Physical Controls

Transaction Authorization

• used to ensure that employees are carrying out only authorized transactions

• general (everyday procedures) or specific (non-routine transactions) authorizations

Segregation of Duties

• In manual systems, separation between:

– authorizing and processing a transaction

– custody and recordkeeping of the asset

– subtasks

• In computerized systems, separation between:

– program coding

– program processing

– program maintenance

Supervision

• a compensation for lack of segregation; some may be built into computer systems

Accounting Records

• provide an audit trail

Access Controls

• help to safeguard assets by restricting physical access to them

Independent Verification

• reviewing batch totals or reconciling subsidiary accounts with control accounts

Physical Controls in IT Contexts

Transaction Authorization

• The rules are often embedded within computer programs.

– EDI/JIT: automated re-ordering of inventory without human intervention

Segregation of Duties

• A computer program may perform many tasks that are deemed incompatible.

• Thus the crucial need to separate program development, program operations, and program maintenance.

Supervision

• The ability to assess competent employees becomes more challenging due to the greater technical knowledge required.

Accounting Records

• Ledger accounts and sometimes source documents are kept magnetically

– no audit trail is readily apparent

Access Control

• Data consolidation exposes the organization to computer fraud and excessive losses from disaster.

Independent Verification

• When tasks are performed by the computer rather than manually, an independent check is not necessary.

• However, the programs themselves are checked.