Sarbanes-Oxley Act from an Accounting Point of View

Slides:



Advertisements
Similar presentations
Chapter 10 Accounting Information Systems and Internal Controls
Advertisements

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems
Auditing Concepts.
©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley The CPA Profession Chapter 2.
Sept. 16, 2004 John White, PhD, CPA 1 Sarbanes-Oxley Act from an Accounting Point of View Or “Is There Anything About SOX That I Have Not Heard Before?”
Chapter 1: Auditing, Assurance, and Internal Control
1 Sarbanes-Oxley Section 404 June 29,  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.
Audit Planning and Analytical Procedures Chapter 8.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Review of Introduction to Auditing
Chapter 2 Professional Standards “All my growth and development led me to believe that if you really do the right thing, and if you play by the rules,
CHAPTER 9 UNDERSTANDING INTERNAL CONTROLS Winter 2004
Internal Control Pertemuan 05 s.d 06 Matakuliah: F0712 / Lab Sistem Informasi Akuntansi Tahun: 2007.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Professional Standards. McGraw-Hill/Irwin © 2004 The McGraw-Hill Companies, Inc., All Rights Reserved. 2-2 Generally Accepted Auditing Standards-- General.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Audit Programme. Audit Assertions  As part of the planning stage, auditors need to prepare audit tests to test the account areas.  To assist the auditors.
Auditing Internal Control over Financial Reporting
Fraud & Internal Control Frank M. Klaus, CPA. Fraud Definition  Fraud is the misappropriation of assets for the benefit of an individual.  “Willful.
1-1 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
The CPA Profession Chapter 2 By Arens et. al. Learning Objective 1 Describe the nature of CPA firms, what they do, and their structure.
Chapter 01 The Role of the Public Accountant in the American Economy McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Chapter 5 Internal Control over Financial Reporting
Internal Control in a Financial Statement Audit
Chapter 7 Auditing Internal Control over Financial Reporting McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Financial Accounting and Its Environment Chapter 1.
© The McGraw-Hill Companies, Inc., 2008 McGraw-Hill/Irwin Principles of Accounting (Accounting 1 for BBA - Undergraduate) SBS Victor Yerris, PhD
Sarbanes-Oxley (SOX) John H. Messing, Esq. Law-on-Line,Inc. Providing 3 E’s -- E-Security, Encryption, E-Signatures 3900 E. Broadway Blvd., Suite 201 Tucson,
CHAPTER 5 INTERNAL CONTROL OVER FINANCIAL REPORTING.
Casualty Loss Reserve Seminar General Session II September 9, 2003 Section 302/404 of Sarbanes-Oxley Act What Actuaries Need to Know Jan A. Lommele, FCAS,
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 2-1 Chapter Two The Financial Statement Auditing Environment.
OVERVIEW THE AUDIT PROCESS Overview of the Audit Process.
1 CHAPTER 5 - b INTERNAL CONTROL OVER FINANCIAL REPORTING.
18-1 Copyright © 2016 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
©2005 Prentice Hall Business Publishing, Auditing and Assurance Services 10/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 10.
Internal Control Chapter 7. McGraw-Hill/Irwin © 2008 The McGraw-Hill Companies, Inc., All Rights Reserved. 7-2 Summary of Internal Control Definition.
AUDIT EVIDENCE AND FINANCIAL STATEMENT ASSERTIONS 1.
Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall 15-1 # Copyright © 2015 Pearson Education, Inc. The Role of Accountants and Accounting.
Auditing Concepts.
The CPA Profession Chapter 2.
The Demand for Audit and Other Assurance Services
Financial Accounting Chapter 1
Chapter Two The CPA Profession
Chapter 15 Auditing the Financing/Investing Process: Long-Term Liabilities, Stockholders′ Equity, and Income Statement Accounts McGraw-Hill/Irwin Copyright.
The Financial Statement Auditing Environment
Audit of the Capital Acquisition and Repayment Cycle
Professional Standards
Financial Statements.
The Demand for Audit and Other Assurance Services
اطار الرقابة الداخلية و فقا للجنة دعم المنظمات COSO
Defining Internal Control
COSO Internal Control s Framework
What information is in the auditor and management letters in The J. M
Audit of the Capital Acquisition and Repayment Cycle
Chapter Two The CPA Profession
Other Assurance Services
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
An overview of Internal Controls Structure & Mechanism
Presentation transcript:

Sarbanes-Oxley Act from an Accounting Point of View Or “Is There Anything About SOX That I Have Not Heard Before?” Sept. 16, 2004 John White, PhD, CPA

Objectives Discuss how SOX has generally affected the CPA profession (the outside auditors) Discuss the CPA’s use of internal control information in the audit of financial statements, both past and present (SOX) Discuss the CPA’s new interest in IT auditing and the internal and IT auditor’s new interest in the CPA’s FS audit Sept. 16, 2004 John White, PhD, CPA

Quick Review of SOX Became law in 2002, fully effective in ‘04 Seeks to protect investors by improving the accuracy and reliability of corporate disclosures (financial statements or FS) made pursuant to the securities laws Requires most public companies and their external auditors to report on the effectiveness of internal control (IC) over financial reporting including FS Sept. 16, 2004 John White, PhD, CPA

Quick Review of SOX (cont.) The mgmt report on IC will clearly state that mgmt is responsible for and has established and understands IC Thus, mgmt in the c-suite (or below) cannot say “I didn’t know” or “I didn’t understand” Mgmt must state that “We designed IC and IC is operating and IC is effective” Mgmt must also report quarterly and annually any changes in IC over FS Sept. 16, 2004 John White, PhD, CPA

Quick Review of SOX (cont.) Outside auditors must audit mgmt’s assessment of IC and the assessment process, and give an opinion as to whether mgmt’s assessment is correct or incorrect Outside auditors must also assess and give an opinion on IC effectiveness, i.e., CPAs must audit IC in addition to the FS Mgmt must give its outside auditors documentation of its processes, evidence of functioning IC over the processes, and documented results of testing procedures Sept. 16, 2004 John White, PhD, CPA

Quick Review of SOX (cont.) SOX established the Public Company Accounting Oversight Board (PCAOB) Outside auditors (CPAs) will also be subject to an “audit” by PCAOB of their internal procedures, processes, quality controls, and general adherence to auditing standards in conducting outside audits of IC and FS of public companies Sept. 16, 2004 John White, PhD, CPA

PCAOB Duties Register CPA firms that prepare audit reports Establish auditing, quality control, ethics, independence, & other standards relating to the preparation of audit reports (This is a big change for CPAs!) conduct inspections of adherence to auditing standards of registered CPAs in accordance with PCAOB rules Sept. 16, 2004 John White, PhD, CPA

PCAOB Duties (cont.) Conduct investigations and disciplinary proceeding of CPA firms & CPAs Perform other duties Sept. 16, 2004 John White, PhD, CPA

Big Changes for CPAs CPAs are “licensed” by each state, but…. CPAs are “governed” by the American Institute of Certified Public Accountants (AICPA) The AICPA has set auditing, attestation, and ethics standards for CPAs in the past, i.e., the CPA profession has been self-governed as to auditing standards Sept. 16, 2004 John White, PhD, CPA

Big Changes for CPAs Auditing standards used by CPAs were promulgated by the AICPA The AICPA issued 10 generally accepted auditing standards (GAAS) Two examples of GAAS An understanding of IC should be obtained to plan the audit and determine testing of IC Sufficient competent evidence should be obtained to support the audit opinion Sept. 16, 2004 John White, PhD, CPA

Big Changes for CPAs AICPA has also issued over 100 more specific and detailed Statements on Auditing Standards or SAS Several SASs pertain to the understanding of IC needed by the CPA for the audit of FS – SAS 55, 78, & 94 PCAOB has adopted all SASs as their standards until replaced by new AS Sept. 16, 2004 John White, PhD, CPA

Big Changes for CPAs Prior to SOX, CPAs had to understand IC, but not audit nor give an opinion on IC itself, only an opinion on FS Since the audit opinion did not cover IC, CPA could collect evidence about FS $ amounts using methods that did not require strong IC, i.e., substantive testing This “model” is gone with the wind Must audit IC which means audit IT IC Sept. 16, 2004 John White, PhD, CPA

Big Changes for CPAs PCAOB has issued AS #2 – Auditing IC over Financial Reporting as of 3/9/04 CPAs will have to become more knowledgeable and competent concerning IT controls and IT auditing Auditing “around” the computer is dead Continuous auditing will grow, e.g. Embedded audit modules Snapshots Integrated test facilities Sept. 16, 2004 John White, PhD, CPA

How Does the CPA Audit FS? Understand the business & its processes & its information system Start with the financial cycles of the business Revenue cycle, expenditure cycle, conversion cycle What are the significant and material accounts in the FS (all of them?) and which financial cycles produce them and what process do they go through in each cycle in the sequence of recognition, authorization, recording, summarizing, and reporting? Sept. 16, 2004 John White, PhD, CPA

The CPA Audit of FS (cont.) Understand mgmt’s assertions about FS Existence or occurrence – do assets exist and did revenues actually occur (World Com ?) Completeness – have all liabilities and expenses have been reported (Enron ?) Valuation or allocation - $ amount is correct? Rights and obligations – assets & liabilities Presentation and disclosure – format and classifications of BS and IS and content of notes Sept. 16, 2004 John White, PhD, CPA

The Balance Sheet = ASSETS LIABILITIES & EQUITY Cash LIABILITIES Accts Payable Accrued Expense Notes Payable Bonds Payable Accounts Receivable Inventory = Long-term Assets Less: Accum Depr OWNERS EQUITY Common Stock Retained Earnings Other Comp. I/L Other Assets Sept. 16, 2004 John White, PhD, CPA

The Income Statement Sept. 16, 2004 John White, PhD, CPA

The CPA Audit of FS (cont.) Determine any threats to mgmt’s assertions about its FS Determine if IC are in place to mitigate the threats and risks concerning mgmt’s assertions about FS Design of controls Operation of controls Effectiveness of controls via testing Sept. 16, 2004 John White, PhD, CPA

The CPA Audit of FS (cont.) Plan the audit based on the strength or weakness of controls and the assessed level of control risk If strong IC, less substantive testing and evidence If weak IC, more substantive testing and evidence Before SOX, could ignore IC, assess IC risk at max, and perform more substantive testing to reach conclusion Sept. 16, 2004 John White, PhD, CPA

Internal Controls IC is part of management’s planning & control function Internal control (IC) of what? Business processes & procedures The system of IC is itself a business process SOX only addresses IC over Financial Reporting and FS Both manual controls and IT controls are included in the scope Sept. 16, 2004 John White, PhD, CPA

Internal Controls Who defines IC and its processes? The committee of Sponsoring Organizations of the Treadway Commission, aka COSO COSO has issued a report in 1992 defining and discussing the objectives and components of IC COSO’s framework of IC has been blessed by PCAOB AS #2 as one that can be used by companies and CPAs in their SOX compliance; others can be used instead Sept. 16, 2004 John White, PhD, CPA

COSO Who are the sponsoring organizations? AICPA, IIA, FEI, IMA, AAA COSO was formed to reach agreement on a definition of IC COSO has recently updated and expanded its original framework Not widely reported nor discussed, but it is COSO nevertheless and the auditor may want to use it in the audit of IC Sept. 16, 2004 John White, PhD, CPA

COSO IC Framework in 3-D Sept. 16, 2004 John White, PhD, CPA

COSO Control Activities Component Computer Controls General controls Application controls Physical controls – all systems incl. IT Transaction authorization Segregation of duties Supervision Accounting records Access control Independent verification Sept. 16, 2004 John White, PhD, CPA

COSO Information & Communication The AIS consists of the records and methods used to initiate, identify, analyze, classify, and record the transactions and to account for the related assets and liabilities The quality of information generated by the AIS impacts management’s ability to take actions and make decisions and to prepare accurate and reliable financial statements Sept. 16, 2004 John White, PhD, CPA

COSO Information & Communication An effective AIS will Identify and record all financial transactions Provide timely information in sufficient detail to permit classification and financial reporting Accurately measure the financial value of transactions so their effects can be recorded in the financial statements in the proper $ amount Accurately record transactions in the time period in which they occurred Sept. 16, 2004 John White, PhD, CPA

COSO Information & Communication The auditor must have sufficient knowledge of the AIS to understand: The classes of transactions that are material to the FS and how they are initiated The accounting records and accounts used in processing transactions Transaction processing steps involved from initiation of a transaction to its inclusion in the financial statements The financial reporting process used to prepare financial statements, disclosures, and accounting estimates Sept. 16, 2004 John White, PhD, CPA

COSO Risk Mgmt Framework Sept. 16, 2004 John White, PhD, CPA

SOX, COSO, and CobiT SOX requires assessment of IC SOX suggest COSO as an IC framework to use in assessing IC COSO does not specify specific IT control objectives or procedures CobiT can (should? must?) be combined with COSO to forge a complete IC framework that includes IT control activities Sept. 16, 2004 John White, PhD, CPA

PCAOB Audit Standard #2 185 pages Defines an IC deficiency, significant deficiency, and material weakness IC cannot be effective if a material weakness exists Inadequate documentation by management is a deficiency in IC over FS Documentation includes design and planned operation Also includes mgmt’s process to evaluate IC Sept. 16, 2004 John White, PhD, CPA

PCAOB Audit Standard #2 (cont.) IT general controls mentioned Program development Program change controls Computer operation controls Access security of programs and data Sept. 16, 2004 John White, PhD, CPA

PCAOB Audit Standard #2 (cont.) Using the work of others: internal auditors, IT auditors, and others CPA must evaluate the competence and objectivity of IA or ITA Competence factors Education & experience Professional certification & continuing education Supervision & review of their activities Quality of the documentation of their work Performance evaluations Sept. 16, 2004 John White, PhD, CPA

PCAOB Audit Standard #2 (cont.) Objectivity factors Who they report to Policies/procedures relating to objectivity and conflict of interest of IA/ITA CPA must test the work (tests) of IA/ITA to evaluate their quality & effectiveness CPA must product the majority of IC evidence himself by independent (of IA) testing Sept. 16, 2004 John White, PhD, CPA

PCAOB AS #2 and CobiT Sept. 16, 2004 John White, PhD, CPA

Any Conclusions ?? The worlds of IA and CPA have collided The CPA must increase knowledge and skills in IT auditing, with all that entails IA must spend more time documenting their systems because of the control deficiency definition IA must increase knowledge and skills in accounting, financial reporting, and mgmt’s FS assertions Sept. 16, 2004 John White, PhD, CPA