05 Internal Controls Presentation


Problems and Warning Signs

During the economic boom of the late 1990s and the early 2000s, accounting firms aggressively sought opportunities to market a variety of high-margin nonaudit services to their audit clients.
Problems and Warning Signs
An Explosion of Scandals

WorldCom
Enron

Tyco

Adelphia
Xerox
Government Regulation
In July 2002, Congress passed the
Sarbanes-Oxley Public Company
Accounting Reform and Investor
Protection Act.

The Sarbanes-Oxley Act effectively ended the profession’s era of “self-regulation,” creating and transferring authority to set and enforce standards to the Public Company Accounting Oversight Board (PCAOB).
A Model of Business
Business organizations exist to create
value for their stakeholders. Due to
the way resources are invested and
managed in the modern business
world, a system of corporate
governance is necessary, through
which managers are overseen and
supervised.

Oversight bodies shown: Board of Directors; Audit Committee.
Auditing Standards
Auditing standards serve as
guidelines for and measures of
the quality of the auditor’s
performance.

Standard setters: PCAOB (public companies); Auditing Standards Board (nonpublic companies).

GAAS
Statements on Auditing Standards (SAS)—Interpretations of GAAS

GAAS and SAS are considered to be minimum standards of performance for auditors.

PCAOB adopted, on an interim basis, GAAS and SAS. Standards issued by PCAOB are called Auditing Standards (AS).
Organizations That Affect the
Public Accounting Profession
• American Institute of Certified Public Accountants (AICPA)
• Securities and Exchange Commission (SEC)
• Public Company Accounting Oversight Board (PCAOB)
• Financial Accounting Standards Board (FASB)
Legal Liability
Historical Perspective
Before the 1970s: Claims against auditors were relatively uncommon.
1970s and 1980s: Due to a slump in the economy in the early 1970s and the recession of the 1980s, it became more common for auditors to be sued.
1990s: The recession of 1990-1992 led to another upsurge in litigation against auditors. The profession pushed for litigation reform, and in the 1990s Congress passed litigation reform acts that provided some limits to auditor liability and made it more difficult to sue auditors successfully.
2002: Due to several high-profile frauds, Congress refocused attention on auditors in the Sarbanes-Oxley Act of 2002.
Common Law—Third Parties
Four Legal Standards for Third Parties:
1. Privity
2. Near Privity
3. Foreseen 3rd Parties
4. Reasonably Foreseeable 3rd Parties
Common Law—Third Parties
Auditor's Liability to 3rd Parties for Negligence

Standard                                        | Ultramares (1931) | Credit Alliance (1985); Security Pacific Business Credit, Inc. (1992) | Rusch Factors, Inc. (1968) | H. Rosenblum, Inc. (1983)
Privity                                         | Yes               | Yes                                                                   | Yes                        | Yes
Near Privity                                    | No                | Yes                                                                   | Yes                        | Yes
Foreseen Third Parties (Restatement Standard)   | No                | No                                                                    | Yes                        | Yes
Reasonably Foreseeable Third Parties            | No                | No                                                                    | No                         | Yes

Near Privity: 3rd parties whose relationship with the CPA approaches privity.
Foreseen 3rd Parties: 3rd parties whose reliance should be foreseen, even if the specific person is unknown to the auditor.
Reasonably Foreseeable 3rd Parties: 3rd parties whose reliance should be reasonably foreseeable, even if the specific person is unknown to the auditor.
Common Law—Third Parties
Negligence
Third Party
Must Prove

1. The auditor had a duty to the plaintiff to exercise due care.
2. The auditor breached that duty and was negligent in not following the professional standards.
3. The auditor’s breach of due care was the direct cause of the 3rd party’s injury.
4. The 3rd party suffered an actual loss as a result.
Common Law—Third Parties
Negligence
Auditor’s
Defense

1. No duty was owed to the 3rd party (level of duty required depends on the case law followed by the courts).
2. The 3rd party was negligent.
3. The auditor’s work was performed in accordance with professional standards.
4. The 3rd party suffered no loss.
5. Any loss was caused by other events.
6. The claim is invalid because the statute of limitations has expired.
Fraud

If an auditor has
acted with
knowledge and
intent to deceive a
third party, he or
she can be held
liable for fraud.
Fraud

Third Party
Must Prove

1. A false representation by the CPA.
2. Knowledge or belief by the CPA that the representation was false.
3. The CPA intended to induce the 3rd party to rely on the false representation.
4. The 3rd party relied on the false representation.
5. The 3rd party suffered damages.
Statutory Liability

Three major statutes that provide sources of liability for auditors:
• The Securities Act of 1933
• The Securities Exchange Act of 1934
• Sarbanes-Oxley Act of 2002
Securities Act of 1933
Generally regulates the disclosure of
information in a registration statement for a new
public offering of securities.

Section 11 imposes a liability on issuers and others, including auditors, for losses suffered by 3rd parties when false or misleading information is included in a registration statement.
Securities Act of 1933

Third Party
Must Prove

1. The 3rd party suffered losses by investing in the registered security.
2. The audited financial statements contained a material omission or misstatement.
Securities Exchange
Act of 1934
Concerned primarily with ongoing reporting by
companies whose securities are listed and
traded on a stock exchange.

Section 18 imposes liability on any person who makes a material false or misleading statement in documents filed with the SEC. Section 10(b) and Rule 10b-5 are the greatest source of liability for auditors under this act.
Securities Exchange
Act of 1934
Third Party
Must Prove

1. A material, factual misrepresentation or omission.
2. Reliance on the financial statements.
3. Damages suffered as a result of reliance on the financial statements.
4. Scienter.
Private Securities Litigation Reform
Act of 1995 and the Securities Litigation
Uniform Standards Act of 1998
Private Securities Litigation Reform Act of 1995: Provides for proportionate liability for defendants based on percentage of responsibility and a specific statement of fraud at the beginning of the case.
Securities Litigation Uniform Standards Act of 1998: Prevents plaintiffs from seeking to evade the protections that Federal law provides against abusive litigation by filing suit in State, rather than Federal, Court.
Sarbanes-Oxley Act of 2002
Most sweeping securities law since 1934:
• Creation of PCAOB
• Stricter independence rules
• Audits of internal controls
• Increased reporting responsibilities
SEC and PCAOB Sanctions
• Suspend practicing privilege
• Impose fines
• Remedial measures
Foreign Corrupt Practices
Act (FCPA)
Passed in 1977 in response to the discovery of
bribery and other misconduct on the part of
more than 300 American companies.
An auditor may be
subject to
administrative
proceedings, civil
liability, and civil
penalties.
Racketeer Influenced and Corrupt
Organizations Act (RICO)
Passed in 1970 to combat the infiltration of
legitimate businesses by organized crime.

RICO provides
for civil and
criminal
sanctions for
certain illegal
acts.
Criminal Liability

Auditors can be held criminally liable under the laws discussed in the previous section. Criminal prosecutions require that some form of criminal intent be present, such as gross negligence or fraud.
Approaches to Minimizing
Legal Liability
Professional Level
1. Establish stronger auditing and attestation standards.
2. Update Code of Professional Conduct and sanction members who do not comply.
3. Educate users.
Firm Level
1. Institute sound quality control and review procedures.
2. Ensure independence.
3. Follow sound client acceptance and retention procedures.
4. Be alert to risk factors.
5. Perform and document work diligently.
Management Responsibilities
under Section 404
Section 404 of the Sarbanes-Oxley Act requires
managements of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining
“adequate” internal control over financial reporting.
Management Responsibilities
under Section 404
Management must comply with the following in order
for its public accounting firm to complete an audit of
internal control over financial reporting.
1. Accepts responsibility for the effectiveness of the entity’s
internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control
over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including
documentation.
4. Present a written assessment of the effectiveness of the
entity’s internal control over financial reporting as of the
end of the entity’s most recent fiscal year.
Auditor Responsibilities under
Section 404
The entity’s independent auditor must audit and report
on management’s assertion about the effectiveness of
internal control. The auditor is required to conduct an
integrated audit of the entity’s internal control over
financial reporting and its financial statements.
Internal Control over Financial
Reporting Defined
Internal control over financial reporting is defined as a
process designed to provide reasonable assurance
regarding the reliability of financial reporting and the
preparation of financial statements in accordance with
GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are
recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use or
disposition of the company’s assets.
Internal Control Deficiencies
Defined
A control deficiency exists when the design or operation
of a control does not allow management or employees, in
the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.
A significant deficiency is a control deficiency, or
combination of control deficiencies, that adversely affects
the entity’s ability to initiate, authorize, record, process,
or report external financial data reliably in accordance
with GAAP such that there is more than a remote
likelihood that a misstatement of the entity’s annual or
interim financial statements that is more than
inconsequential will not be prevented or detected (AS2,
¶9).
Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to
be considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a significant deficiency, or
combination of significant deficiencies, that results in
more than a remote likelihood that a material
misstatement of the annual or interim financial
statements will not be prevented or detected (AS2, ¶10).
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency: likelihood
(remote or more than remote) and magnitude (material,
consequential, or inconsequential).
Internal Control Deficiencies
Defined

Magnitude \ Likelihood   | Remote              | More than remote
Material                 | Control deficiency  | Material weakness
Consequential            | Control deficiency  | Significant deficiency
Inconsequential          | Control deficiency  | Control deficiency

Under the AS2 definitions above, a deficiency whose likelihood is only remote, or whose magnitude is inconsequential, remains a control deficiency; only a more-than-remote likelihood of a consequential misstatement rises to a significant deficiency, and only a more-than-remote likelihood of a material misstatement to a material weakness.
Management’s Assessment
Process
Management must:
1. Design and implement an effective system of internal control.
This process involves determining whether a necessary
control is missing or an existing control is not properly
designed.
2. Develop an ongoing assessment process for the internal
controls in place. Management must assess the likelihood
that failure of a control could result in a misstatement.
3. Management must decide which business units to include in
the assessment process.
Management’s Documentation
Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such as
paper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.
Framework Used by Management
to Conduct Its Assessment
Most entities use the framework developed by COSO.
This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.
Performing an Audit of Internal
Control over Financial Reporting
1. Plan the engagement.
2. Evaluate management’s assessment process. The auditor typically obtains his or her understanding of management’s assessment process through inquiry of management and others.
3. Obtain and document an understanding of internal control. As part of gaining this understanding the auditor must:
   • Understand and assess company-level controls.
   • Evaluate the effectiveness of the audit committee.
   • Identify significant accounts.
   • Identify relevant financial statement assertions.
   • Identify significant processes and major classes of transactions.
   • Understand the period-end financial reporting process.
   • Perform walkthroughs.
   • Identify controls to test.
4. Evaluate the design effectiveness of internal control. Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements.
5. Test and evaluate the operating effectiveness of internal control. In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing.
6. Form an opinion of the effectiveness of internal control. The auditor should evaluate all evidence before forming an opinion on internal control, including (1) the adequacy of management’s assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures performed, and (4) any control deficiencies.
Special Consideration:
Using the Work of Others
AS2 requires the auditor to perform enough of the testing that
his or her own work provides the principal evidence for
the auditor’s opinion. However, a major consideration for
the external auditor is how much the work performed by others
(internal auditors or others working for management)
can be relied on in adjusting the nature, timing, or
extent of the auditor’s work. In determining the extent to which
the auditor may use the work of others, the auditor should:
(1) evaluate the nature of the controls subjected
to the work of others, (2) evaluate the competence
and objectivity of the individuals who performed the work,
and (3) test some of the work performed by others to evaluate
the quality and effectiveness of their work.
Written Representations
In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of internal control over financial reporting.

Failure to obtain written representations from management, including management’s refusal to furnish them, constitutes a limitation on the scope of the audit sufficient to preclude an unqualified opinion.
Auditor Documentation
Requirements
The auditor must properly document the processes,
procedures, judgments, and results relating to the audit
of internal control.
When an entity has effective
internal control over financial
reporting, the auditor should
be able to perform sufficient
testing of controls to assess
control risk for all relevant
assertions at a low level.
Reporting on Internal Control
Sarbanes-Oxley requires management’s description of
internal control to include:
1. A statement of management’s responsibility for establishing
and maintaining adequate internal control.
2. A statement identifying the framework used by management to
conduct the required assessment of the effectiveness of the
company’s internal control.
3. An assessment of the effectiveness of the company’s internal
control as of the end of the most recent fiscal year, including
an explicit statement as to whether internal control is effective.
4. A statement that the public accounting firm that audited the
financial statements included in the annual report has issued
an attestation report on management’s assessment of internal
control.
The Auditor’s Report on Internal
Control over Financial Reporting
Once the auditor has completed the audit of internal
control, he or she must issue an appropriate report to
accompany management’s assessment, published in
the company’s annual report.
Safeguarding of Assets
Safeguarding of assets is defined as policies
and procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or
disposition of the company’s assets that
could have a material effect on the financial
statements.”
Sarbanes-Oxley Act of 2002
Its principal reforms pertain to:
– Creation of the Public Company Accounting
Oversight Board (PCAOB)
– Auditor independence—more separation between a
firm’s attestation and non-auditing activities
– Corporate governance and responsibility—audit
committee members must be independent and the
audit committee must oversee the external auditors
– Disclosure requirements—increase issuer and
management disclosure
– New federal crimes for the destruction of or
tampering with documents, securities fraud, and
actions against whistleblowers
Five Internal Control
Components: SAS 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
1: The Control Environment
• Integrity and ethics of management
• Organizational structure
• Role of the board of directors and the audit
committee
• Management’s policies and philosophy
• Delegation of responsibility and authority
• Performance evaluation measures
• External influences—regulatory agencies
• Policies and practices managing human
resources
2: Risk Assessment
• Identify, analyze and manage risks
relevant to financial reporting:
– changes in external environment
– risky foreign markets
– significant and rapid growth that strain
internal controls
– new product lines
– restructuring, downsizing
– changes in accounting policies
3: Information and Communication
• The AIS should produce high quality
information which:
– identifies and records all valid transactions
– provides timely information in appropriate
detail to permit proper classification and
financial reporting
– accurately measures the financial value of
transactions
– accurately records transactions in the time
period in which they occurred
Information and Communication
• Auditors must obtain sufficient knowledge of the IS to
understand:
– the classes of transactions that are material
• how these transactions are initiated
• the associated accounting records and accounts
used in processing
– the transaction processing steps involved from the
initiation of a transaction to its inclusion in the financial
statements
– the financial reporting process used to compile
financial statements, disclosures, and estimates
4: Monitoring
The process for assessing the quality of
internal control design and operation
• Separate procedures—test of controls by internal
auditors
• Ongoing monitoring:
– computer modules integrated into routine operations
– management reports which highlight trends and
exceptions from normal performance
5: Control Activities
• Policies and procedures to ensure that the
appropriate actions are taken in response
to identified risks
• Fall into two distinct categories:
– IT controls—relate specifically to the computer
environment
– Physical controls—primarily pertain to human
activities
Six Types of Physical Controls
• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification
Physical Controls

Transaction Authorization
• used to ensure that employees are
carrying out only authorized
transactions
• general (everyday procedures) or
specific (non-routine transactions)
authorizations
Physical Controls

Segregation of Duties
• In manual systems, separation between:
– authorizing and processing a transaction
– custody and recordkeeping of the asset
– subtasks
• In computerized systems, separation between:
– program coding
– program processing
– program maintenance
Physical Controls

Supervision
• a compensation for lack of segregation;
some may be built into computer
systems
Accounting Records
• provide an audit trail
Physical Controls

Access Controls
• help to safeguard assets by restricting
physical access to them
Independent Verification
• reviewing batch totals or reconciling
subsidiary accounts with control
accounts
Physical Controls in IT Contexts
Transaction Authorization
• The rules are often embedded within
computer programs.
– EDI/JIT: automated re-ordering of inventory
without human intervention
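The authorization rules described above (general limits for routine transactions, case-by-case specific authorization for non-routine ones, and an EDI/JIT reorder rule that runs with no human in the loop) can be expressed as a small policy function. This is an added example, not code from the presentation; the transaction types, roles, limits and vendor list are assumptions chosen to illustrate the three kinds of rule.

```python
"""Transaction authorization embedded in program logic: general (routine)
limits, specific (case-by-case) approvals, and an EDI/JIT automatic reorder
rule.  Added example; roles, limits and transaction types are assumptions."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# General authorization: a role may commit routine transactions of a type
# up to a ceiling without case-by-case approval.
GENERAL_AUTHORIZATION = {
    "purchase_order": {"buyer": Decimal("5000"), "purchasing_manager": Decimal("50000")},
    "customer_credit": {"credit_analyst": Decimal("10000")},
}

# Specific authorization: non-routine transactions need an explicit approval
# from one of these roles, given by someone other than the requester.
SPECIFIC_AUTHORIZATION = {
    "asset_disposal": {"controller", "cfo"},
    "bad_debt_write_off": {"controller"},
}

# EDI/JIT: an automatic reorder may go out with no human intervention only
# to a pre-approved vendor and only up to a fixed quantity per order.
AUTO_REORDER = {"approved_vendors": {"V-100", "V-200"}, "max_quantity": 500}


@dataclass
class Transaction:
    kind: str
    amount: str = "0"              # decimal string, e.g. "4200.00"
    requester: str = "system"
    requester_role: str = "system"
    approver: Optional[str] = None
    approver_role: Optional[str] = None
    vendor_id: Optional[str] = None
    quantity: int = 0


def authorize(tx: Transaction):
    """Return (authorized, reason).  Every rejection names the rule that
    failed so the decision itself is auditable."""
    amount = Decimal(tx.amount)

    if tx.kind == "auto_reorder":
        if tx.vendor_id not in AUTO_REORDER["approved_vendors"]:
            return False, "auto-reorder vendor not on approved list"
        if tx.quantity > AUTO_REORDER["max_quantity"]:
            return False, "auto-reorder quantity exceeds embedded limit"
        return True, "automatic reorder within embedded limits"

    if tx.kind in GENERAL_AUTHORIZATION:
        limits = GENERAL_AUTHORIZATION[tx.kind]
        ceiling = limits.get(tx.requester_role)
        if ceiling is not None and amount <= ceiling:
            return True, f"general authorization ({tx.requester_role} up to {ceiling})"
        # Over the requester's ceiling (or no ceiling at all): a second
        # person whose own general limit covers the amount must approve.
        if tx.approver is None:
            return False, "amount exceeds requester's general limit; approval required"
        if tx.approver == tx.requester:
            return False, "approver must be a different person from requester"
        approver_ceiling = limits.get(tx.approver_role)
        if approver_ceiling is None or amount > approver_ceiling:
            return False, "approver's general limit does not cover the amount"
        return True, f"approved by {tx.approver_role} within limit"

    if tx.kind in SPECIFIC_AUTHORIZATION:
        if tx.approver is None:
            return False, "non-routine transaction requires specific authorization"
        if tx.approver == tx.requester:
            return False, "approver must be a different person from requester"
        if tx.approver_role not in SPECIFIC_AUTHORIZATION[tx.kind]:
            return False, f"{tx.approver_role} may not authorize {tx.kind}"
        return True, f"specific authorization by {tx.approver_role}"

    # Anything the rule set does not know is rejected, never silently allowed.
    return False, "unknown transaction type: rejected by default"
```

Two design points matter for an auditor reading such code: the default branch denies, so a new transaction type cannot slip through until a rule is written for it, and self-approval is rejected in both the general and specific paths, which is the segregation of authorization from processing enforced at the point of decision.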
Physical Controls in IT Contexts
Segregation of Duties
• A computer program may perform many
tasks that are deemed incompatible.
• Thus the crucial need to separate program
development, program operations, and
program maintenance.
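The separations listed under Segregation of Duties (authorizing versus processing, custody versus recordkeeping, and program development versus operations versus maintenance) are usually violated by role accumulation rather than by any single role, so the practical check runs over the union of duties each user holds. The following is an added example of such a check, written for this page and not taken from it; the duty names, roles and users are assumptions. It also reflects the note under Supervision that a supervisory review can compensate where separation is not achievable, by reporting those conflicts as mitigated rather than as violations.

```python
"""Segregation-of-duties (SoD) check over a user/role assignment.  Added
example; duty names, roles and users are assumptions, not from the page."""

# Pairs of duties one person must not hold together.  The first two follow
# the manual-system separations (authorizing vs. processing a transaction,
# custody vs. recordkeeping); the last three follow the computerized-system
# separations (program coding, program processing/operations, maintenance).
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"asset_custody", "recordkeeping"}),
    frozenset({"program_coding", "program_processing"}),
    frozenset({"program_coding", "program_maintenance"}),
    frozenset({"program_processing", "program_maintenance"}),
}

# Roles as granted in the application or directory, mapped to the duties
# they actually confer.  The check works on the union of a user's roles.
ROLE_DUTIES = {
    "ap_clerk": {"process_transaction", "recordkeeping"},
    "purchasing_manager": {"authorize_transaction"},
    "warehouse": {"asset_custody"},
    "developer": {"program_coding"},
    "operator": {"program_processing"},
    "maintainer": {"program_maintenance"},
}


def duties_for(roles):
    """Union of the duties conferred by a list of roles."""
    held = set()
    for role in roles:
        held |= ROLE_DUTIES.get(role, set())
    return held


def sod_conflicts(user_roles):
    """Map each user to the sorted list of incompatible duty pairs that
    their combined roles grant; users with no conflict are omitted."""
    report = {}
    for user, roles in user_roles.items():
        held = duties_for(roles)
        pairs = sorted(tuple(sorted(p)) for p in INCOMPATIBLE_DUTIES if p <= held)
        if pairs:
            report[user] = pairs
    return report


def sod_review(user_roles, supervised):
    """Split conflicts into violations and those mitigated by a compensating
    control (here: a documented supervisory review of the user's work)."""
    conflicts = sod_conflicts(user_roles)
    violations = {u: p for u, p in conflicts.items() if u not in supervised}
    mitigated = {u: p for u, p in conflicts.items() if u in supervised}
    return violations, mitigated


# Constructed assignment: alice kept her clerk access after becoming a
# manager; bob is a developer who was also given operator rights.
USER_ROLES = {
    "alice": ["ap_clerk", "purchasing_manager"],
    "bob": ["developer", "operator"],
    "carol": ["warehouse"],
    "dave": ["developer", "operator", "maintainer"],
}

if __name__ == "__main__":
    violations, mitigated = sod_review(USER_ROLES, supervised={"bob"})
    for user, pairs in violations.items():
        print(f"VIOLATION {user}: {pairs}")
    for user, pairs in mitigated.items():
        print(f"mitigated {user}: {pairs}")
```

Run periodically against an export of role assignments, this is the "separate procedure" form of monitoring from the COSO components above: a test of the control rather than the control itself.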
Physical Controls in IT Contexts
Supervision
• The ability to assess competent
employees becomes more challenging
due to the greater technical knowledge
required.
Physical Controls in IT Contexts
Accounting Records
• ledger accounts and sometimes source
documents are kept magnetically
– no audit trail is readily apparent
Physical Controls in IT Contexts
Access Control
• Data consolidation exposes the organization
to computer fraud and excessive losses from
disaster.
Physical Controls in IT Contexts
Independent Verification
• When tasks are performed by the computer rather than manually, an
independent check of each individual task is no longer necessary.
• However, the programs themselves are checked instead.
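Independent Verification was described earlier as reviewing batch totals and reconciling subsidiary accounts with control accounts, and in the IT context the verification moves into the program that does the posting. The following added example (written for this page; the batch, header and ledger figures are constructed, not from the presentation) shows both: three batch control totals recomputed from the records and compared with the batch header, a posting routine that refuses any batch whose totals disagree, and a subsidiary-to-control reconciliation after posting.

```python
"""Independent verification: batch control totals and subsidiary-to-control
reconciliation.  Added example; the batch and ledger data are constructed."""
from decimal import Decimal

# Batch header prepared when the batch was submitted (the expected totals).
# hash_total is the arithmetic sum of the customer account numbers: it has
# no financial meaning, but a record posted to the wrong account changes it
# even when the amount total still agrees.
BATCH_HEADER = {
    "batch_id": "CR-0417",
    "record_count": 4,
    "amount_total": "1325.00",
    "hash_total": 4010,
}

# The records actually received for posting (constructed sample).
BATCH_RECORDS = [
    {"customer": 1001, "amount": "500.00"},
    {"customer": 1002, "amount": "250.00"},
    {"customer": 1003, "amount": "325.00"},
    {"customer": 1004, "amount": "250.00"},
]


def batch_totals(records):
    """Recompute the three control totals from the records themselves."""
    amount = sum((Decimal(r["amount"]) for r in records), Decimal("0.00"))
    return {
        "record_count": len(records),
        "amount_total": str(amount),
        "hash_total": sum(r["customer"] for r in records),
    }


def verify_batch(header, records):
    """Return the sorted names of control totals that disagree with the
    header.  An empty list means the batch may be posted."""
    actual = batch_totals(records)
    mismatches = []
    if actual["record_count"] != header["record_count"]:
        mismatches.append("record_count")        # a record dropped or duplicated
    if Decimal(actual["amount_total"]) != Decimal(header["amount_total"]):
        mismatches.append("amount_total")        # an amount altered or transposed
    if actual["hash_total"] != header["hash_total"]:
        mismatches.append("hash_total")          # a record on the wrong account
    return sorted(mismatches)


def post_batch(header, records, subsidiary_balances):
    """Post only a batch whose control totals agree.  Returns the updated
    subsidiary balances, or None when the batch is rejected."""
    if verify_batch(header, records):
        return None
    updated = dict(subsidiary_balances)
    for r in records:
        opening = Decimal(updated.get(r["customer"], "0.00"))
        updated[r["customer"]] = str(opening + Decimal(r["amount"]))
    return updated


def reconcile(control_balance, subsidiary_balances):
    """Reconcile a control account with its subsidiary ledger.  Returns the
    unexplained difference (control minus sum of subsidiary) as a string;
    anything other than "0.00" is an exception for management review."""
    total = sum((Decimal(v) for v in subsidiary_balances.values()), Decimal("0.00"))
    return str(Decimal(control_balance) - total)


if __name__ == "__main__":
    print("batch check:", verify_batch(BATCH_HEADER, BATCH_RECORDS) or "totals agree")
    ledger = post_batch(BATCH_HEADER, BATCH_RECORDS, {})
    print("subsidiary:", ledger)
    print("control difference:", reconcile(BATCH_HEADER["amount_total"], ledger))
```

Each total catches a different failure: a dropped record disturbs all three, a transposed amount disturbs only the amount total, and a posting to the wrong account with the right amount disturbs only the hash total, which is why the three are used together rather than the financial total alone.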
