Sarbanes-Oxley Act from an Accounting Point of View - PowerPoint PPT Presentation

About This Presentation
Title:

Sarbanes-Oxley Act from an Accounting Point of View

Description:

Sarbanes-Oxley Act from an Accounting Point of View Or Is There Anything About SOX That I Have Not Heard Before? Objectives Discuss how SOX has generally ... – PowerPoint PPT presentation

Number of Views:190
Avg rating:3.0/5.0
Slides: 36
Provided by: JohnWhit9
Category:

less

Transcript and Presenter's Notes

Title: Sarbanes-Oxley Act from an Accounting Point of View


1
Sarbanes-Oxley Act from anAccounting Point of
View
  • Or
  • Is There Anything About SOX
  • That I Have Not Heard Before?

2
Objectives
  • Discuss how SOX has generally affected the CPA
    profession (the outside auditors)
  • Discuss the CPAs use of internal control
    information in the audit of financial statements,
    both past and present (SOX)
  • Discuss the CPAs new interest in IT auditing and
    the internal and IT auditors new interest in the
    CPAs FS audit

3
Quick Review of SOX
  • Became law in 2002, fully effective in 04
  • Seeks to protect investors by improving the
    accuracy and reliability of corporate disclosures
    (financial statements or FS) made pursuant to the
    securities laws
  • Requires most public companies and their external
    auditors to report on the effectiveness of
    internal control (IC) over financial reporting
    including FS

4
Quick Review of SOX (cont.)
  • The mgmt report on IC will clearly state that
    mgmt is responsible for and has established and
    understands IC
  • Thus, mgmt in the c-suite (or below) cannot say
    I didnt know or I didnt understand
  • Mgmt must state that We designed IC and IC is
    operating and IC is effective
  • Mgmt must also report quarterly and annually any
    changes in IC over FS

5
Quick Review of SOX (cont.)
  • Outside auditors must audit mgmts assessment of
    IC and the assessment process, and give an
    opinion as to whether mgmts assessment is
    correct or incorrect
  • Outside auditors must also assess and give an
    opinion on IC effectiveness, i.e., CPAs must
    audit IC in addition to the FS
  • Mgmt must give its outside auditors documentation
    of its processes, evidence of functioning IC over
    the processes, and documented results of testing
    procedures

6
Quick Review of SOX (cont.)
  • SOX established the Public Company Accounting
    Oversight Board (PCAOB)
  • Outside auditors (CPAs) will also be subject to
    an audit by PCAOB of their internal procedures,
    processes, quality controls, and general
    adherence to auditing standards in conducting
    outside audits of IC and FS of public companies

7
PCAOB Duties
  • Register CPA firms that prepare audit reports
  • Establish auditing, quality control, ethics,
    independence, other standards relating to the
    preparation of audit reports (This is a big
    change for CPAs!)
  • conduct inspections of adherence to auditing
    standards of registered CPAs in accordance with
    PCAOB rules

8
PCAOB Duties (cont.)
  • Conduct investigations and disciplinary
    proceeding of CPA firms CPAs
  • Perform other duties

9
Big Changes for CPAs
  • CPAs are licensed by each state, but.
  • CPAs are governed by the American Institute of
    Certified Public Accountants (AICPA)
  • The AICPA has set auditing, attestation, and
    ethics standards for CPAs in the past, i.e., the
    CPA profession has been self-governed as to
    auditing standards

10
Big Changes for CPAs
  • Auditing standards used by CPAs were promulgated
    by the AICPA
  • The AICPA issued 10 generally accepted auditing
    standards (GAAS)
  • Two examples of GAAS
  • An understanding of IC should be obtained to plan
    the audit and determine testing of IC
  • Sufficient competent evidence should be obtained
    to support the audit opinion

11
Big Changes for CPAs
  • AICPA has also issued over 100 more specific and
    detailed Statements on Auditing Standards or SAS
  • Several SASs pertain to the understanding of IC
    needed by the CPA for the audit of FS SAS 55,
    78, 94
  • PCAOB has adopted all SASs as their standards
    until replaced by new AS

12
Big Changes for CPAs
  • Prior to SOX, CPAs had to understand IC, but not
    audit nor give an opinion on IC itself, only an
    opinion on FS
  • Since the audit opinion did not cover IC, CPA
    could collect evidence about FS amounts using
    methods that did not require strong IC, i.e.,
    substantive testing
  • This model is gone with the wind
  • Must audit IC which means audit IT IC

13
Big Changes for CPAs
  • PCAOB has issued AS 2 Auditing IC over
    Financial Reporting as of 3/9/04
  • CPAs will have to become more knowledgeable and
    competent concerning IT controls and IT auditing
  • Auditing around the computer is dead
  • Continuous auditing will grow, e.g.
  • Embedded audit modules
  • Snapshots
  • Integrated test facilities

14
How Does the CPA Audit FS?
  • Understand the business its processes its
    information system
  • Start with the financial cycles of the business
  • Revenue cycle, expenditure cycle, conversion
    cycle
  • What are the significant and material accounts in
    the FS (all of them?) and which financial cycles
    produce them and what process do they go through
    in each cycle in the sequence of recognition,
    authorization, recording, summarizing, and
    reporting?

15
The CPA Audit of FS (cont.)
  • Understand mgmts assertions about FS
  • Existence or occurrence do assets exist and did
    revenues actually occur (World Com ?)
  • Completeness have all liabilities and expenses
    have been reported (Enron ?)
  • Valuation or allocation - amount is correct?
  • Rights and obligations assets liabilities
  • Presentation and disclosure format and
    classifications of BS and IS and content of notes

16
The Balance Sheet
ASSETS
LIABILITIES EQUITY
Cash
  • LIABILITIES
  • Accts Payable
  • Accrued Expense
  • Notes Payable
  • Bonds Payable

Accounts Receivable
Inventory

Long-term Assets Less Accum Depr
  • OWNERS EQUITY
  • Common Stock
  • Retained Earnings
  • Other Comp. I/L

Other Assets
17
The Income Statement
18
The CPA Audit of FS (cont.)
  • Determine any threats to mgmts assertions about
    its FS
  • Determine if IC are in place to mitigate the
    threats and risks concerning mgmts assertions
    about FS
  • Design of controls
  • Operation of controls
  • Effectiveness of controls via testing

19
The CPA Audit of FS (cont.)
  • Plan the audit based on the strength or weakness
    of controls and the assessed level of control
    risk
  • If strong IC, less substantive testing and
    evidence
  • If weak IC, more substantive testing and evidence
  • Before SOX, could ignore IC, assess IC risk at
    max, and perform more substantive testing to
    reach conclusion

20
Internal Controls
  • IC is part of managements planning control
    function
  • Internal control (IC) of what?
  • Business processes procedures
  • The system of IC is itself a business process
  • SOX only addresses IC over Financial Reporting
    and FS
  • Both manual controls and IT controls are included
    in the scope

21
Internal Controls
  • Who defines IC and its processes?
  • The committee of Sponsoring Organizations of the
    Treadway Commission, aka COSO
  • COSO has issued a report in 1992 defining and
    discussing the objectives and components of IC
  • COSOs framework of IC has been blessed by PCAOB
    AS 2 as one that can be used by companies and
    CPAs in their SOX compliance others can be used
    instead

22
COSO
  • Who are the sponsoring organizations?
  • AICPA, IIA, FEI, IMA, AAA
  • COSO was formed to reach agreement on a
    definition of IC
  • COSO has recently updated and expanded its
    original framework
  • Not widely reported nor discussed, but it is COSO
    nevertheless and the auditor may want to use it
    in the audit of IC

23
COSO IC Framework in 3-D
24
COSO Control Activities Component
  • Computer Controls
  • General controls
  • Application controls
  • Physical controls all systems incl. IT
  • Transaction authorization
  • Segregation of duties
  • Supervision
  • Accounting records
  • Access control
  • Independent verification

25
COSO Information Communication
  • The AIS consists of the records and methods used
    to initiate, identify, analyze, classify, and
    record the transactions and to account for the
    related assets and liabilities
  • The quality of information generated by the AIS
    impacts managements ability to take actions and
    make decisions and to prepare accurate and
    reliable financial statements

26
COSO Information Communication
  • An effective AIS will
  • Identify and record all financial transactions
  • Provide timely information in sufficient detail
    to permit classification and financial reporting
  • Accurately measure the financial value of
    transactions so their effects can be recorded in
    the financial statements in the proper amount
  • Accurately record transactions in the time period
    in which they occurred

27
COSO Information Communication
  • The auditor must have sufficient knowledge of the
    AIS to understand
  • The classes of transactions that are material to
    the FS and how they are initiated
  • The accounting records and accounts used in
    processing transactions
  • Transaction processing steps involved from
    initiation of a transaction to its inclusion in
    the financial statements
  • The financial reporting process used to prepare
    financial statements, disclosures, and accounting
    estimates

28
COSO Risk Mgmt Framework
29
SOX, COSO, and CobiT
  • SOX requires assessment of IC
  • SOX suggest COSO as an IC framework to use in
    assessing IC
  • COSO does not specify specific IT control
    objectives or procedures
  • CobiT can (should? must?) be combined with COSO
    to forge a complete IC framework that includes IT
    control activities

30
PCAOB Audit Standard 2
  • 185 pages
  • Defines an IC deficiency, significant deficiency,
    and material weakness
  • IC cannot be effective if a material weakness
    exists
  • Inadequate documentation by management is a
    deficiency in IC over FS
  • Documentation includes design and planned
    operation
  • Also includes mgmts process to evaluate IC

31
PCAOB Audit Standard 2 (cont.)
  • IT general controls mentioned
  • Program development
  • Program change controls
  • Computer operation controls
  • Access security of programs and data

32
PCAOB Audit Standard 2 (cont.)
  • Using the work of others internal auditors, IT
    auditors, and others
  • CPA must evaluate the competence and objectivity
    of IA or ITA
  • Competence factors
  • Education experience
  • Professional certification continuing education
  • Supervision review of their activities
  • Quality of the documentation of their work
  • Performance evaluations

33
PCAOB Audit Standard 2 (cont.)
  • Objectivity factors
  • Who they report to
  • Policies/procedures relating to objectivity and
    conflict of interest of IA/ITA
  • CPA must test the work (tests) of IA/ITA to
    evaluate their quality effectiveness
  • CPA must product the majority of IC evidence
    himself by independent (of IA) testing

34
PCAOB AS 2 and CobiT
35
Any Conclusions ??
  • The worlds of IA and CPA have collided
  • The CPA must increase knowledge and skills in IT
    auditing, with all that entails
  • IA must spend more time documenting their systems
    because of the control deficiency definition
  • IA must increase knowledge and skills in
    accounting, financial reporting, and mgmts FS
    assertions
Write a Comment
User Comments (0)
About PowerShow.com