Evaluating internal controls and auditor independence under Sarbanes-Oxley.
However, those reforms have proven insufficient, as evidenced by the requirements of the Sarbanes-Oxley Act of 2002. It's important to note that of Sarbanes-Oxley's numerous requirements, two relate to auditor independence and assessment of the effectiveness of internal controls.
Title II of Sarbanes-Oxley directs the SEC to undertake additional rule-making on auditor independence. In particular, it specifies that an auditor is legally prohibited from providing certain non-audit services to its audit clients, among which are internal audit outsourcing and information technology design and implementation.
The performance by an auditor of any of these functions for an audit client renders the auditor no longer independent with respect to that audit client and, thus, unable to issue an audit opinion on the company's financial statements.
As audit firms and audit clients implement these requirements, there are two additional considerations that play into the decision-making process. The first is the modifying condition that exists with respect to these prohibited services. The second is the concept that an auditor can "assist but not do."
Regarding the prohibited services: the SEC determined that an auditor could provide these services to an audit client where it is reasonable to conclude that the service will not be subject to audit procedures. While these are important concepts, they are difficult to implement, and recent anecdotal evidence indicates that they are not well understood.
So, what is 'reasonable to conclude?'
The SEC's auditor independence release notes that the auditor independence rules are based on three underlying principles: 1) an auditor should not audit his/her own work; 2) an auditor should not act in the role of management; and 3) an auditor should not serve as an advocate for his/her client.
Clearly, the provision of internal audit outsourcing and information technology design and implementation violate the first two principles. However, if those services will not be subject to audit, then the SEC concluded that the threats to independence are sufficiently mitigated.
Key to understanding the "reasonable to conclude" exception is the presumption established by the SEC. The presumption is that the prohibited services cause the auditor to no longer be independent with respect to the audit client. Therefore, the burden of demonstrating that the presumption has been overcome falls squarely on the auditor. Not surprisingly, questions have been raised as to how the presumption can be overcome.
In the independence release, the SEC attempts to provide an example (in footnote 51) of when the presumption might be overcome.
More recently, the SEC staff issued frequently asked questions (FAQs) to address questions that had been raised about the independence rules. Of the 35 FAQs and responses, only Question 17 touches on the "reasonable to conclude" notion. That question and related staff response indicates that the rebuttable presumption--that the services are prohibited--cannot be overcome on the basis of materiality. Which leaves the question: What are the circumstances under which the presumption can be overcome?
Using the guidance of footnote 51 of the release text and Question 17 of the FAQ, we are left to conclude that there are two possible circumstances where the presumption might be overcome. The first is the one portrayed in footnote 51--a brother/sister relationship. As portrayed in the following schematic, the auditor of Company A could, possibly, provide prohibited non-audit services to Company B without impairing his/her independence with respect to Company A.
Parent Company Company A Company B
The other scenario is when the auditor is providing prohibited services "upstream." For example, using the same schematic, if the auditor of Company A is not the auditor for Company B, the Parent Company or the consolidated entity, it might be possible for the auditor of Company A to conclude that provision of prohibited services to the Parent Company would not impair his/her independence related to Company A. Conversely, based on the FAQ's Question 17, it would never be appropriate for the auditor of the Parent Company to conclude that provision of prohibited services to Company A--regardless of Company A's materiality to the consolidated entity--is permissible.
Internal Control Evaluations
Another key provision of Sarbanes-Oxley is in Section 404, which requires the SEC to adopt rules requiring management to make an annual assessment of the effectiveness of its internal controls and to include a statement by management of the effectiveness of the company's internal controls in its annual filing. Also, Section 404 requires that the auditor attest to management's assessment of the effectiveness of internal controls.
As required by Sarbanes-Oxley, the SEC adopted rules that will require accelerated filers and their auditors to begin providing this information for years ending on or after June 15, 2004. Others must begin providing the information for years ending on or after Apr. 15, 2005. Because the evaluation of internal controls has, historically, been the responsibility of the auditor, new questions have arisen regarding the role that auditors can play in assisting management to fulfill its responsibilities to assess and report on internal controls.
In that regard, the SEC's release does contain a "reminder" to auditors and management: " ... we remind issuers and their auditors that the Commission's rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client. Consistent with the provisions of those rules, it would be inappropriate for the independent auditor to perform the documentation and testing on behalf of management. To do so, would place the auditor in a position of auditing his or her own work and, accordingly, would impair the auditor's independence. While we understand the need for coordination between management and the auditor, the Commission reminds issuers and auditors to management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor."
Thus, the SEC release does not provide any clear "bright-lines" to distinguish what an auditor can and cannot do to assist management. Furthermore, the staff's FAQ does not shed any additional light on the topic. Thus, practitioners are left to struggle with what the "assist but not do" principle means in this context. (See the box at left for this author's guidance.)
The questions listed touch just a few of those that have come to the surface, but they are some of the more prominent ones that management and auditors are currently wrestling with. Clearly, more guidance will be forthcoming as the Public Company Accounting Oversight Board (PCAOB) moves forward with its plans to issue new standards governing the auditor's responsibility to attest to management's report on the effectiveness of internal controls.
While not authoritative, the following questions and responses may prove useful to management and auditors attempting to comply with the upcoming requirements.
Question: Can management instruct the auditor to document existing controls for management?
Response: No, management is required to document and assess its controls. The auditor can participate as a member of the "team" responsible for documenting controls.
Question: Can the auditor test the effectiveness of existing controls for management?
Response: No, again, management is responsible for testing the effectiveness of its controls. Participation in this process by the auditor likely constitutes an independence violation.
Question: Can the auditor provide its internal control software to management to help management structure the process of documenting existing controls?
Response: As long as it is "dumb" software and the auditor does not require, as a condition of performing the audit and attest services, that management use its software, this is permissible.
Paul Munter, Ph.D., CPA is KPMG Professor and Chairman of the Department of Accounting at the University of Miami. He creates Auditing and Accounting Report, published by Bisk Education. He can be reached at firstname.lastname@example.org.
|Printer friendly Cite/link Email Feedback|
|Date:||Oct 1, 2003|
|Previous Article:||Communicating with stakeholders in a crisis : it's not enough to formulate a plan for survival when a crisis comes. A company needs to communicate...|
|Next Article:||Consolidation buffets BI market.|