Evaluating internal controls and auditor independence under Sarbanes-Oxley.The issue of auditor independence has been in the spotlight for much of the past three years. Even before Enron Corp. and WorldCom Inc., the Securities and Exchange Commission (SEC) initiated major rule-making efforts focused in this area. The efforts resulted in significant modifications to its auditor independence rules, including severe restrictions on many non-audit services that an audit firm could provide to its audit clients.
However, those reforms have proven insufficient, as evidenced by the requirements of the Sarbanes-Oxley Act See SOX. of 2002. It's important to note that of Sarbanes-Oxley's numerous requirements, two relate to auditor independence and assessment of the effectiveness of internal controls.
Title II of Sarbanes-Oxley directs the SEC to undertake additional rule-making on auditor independence. In particular, it specifies that an auditor is legally prohibited from providing certain non-audit services to its audit clients, among which are internal audit outsourcing and information technology design and implementation.
The performance by an auditor of any of these functions for an audit client renders the auditor no longer independent with respect to that audit client and, thus, unable to issue an audit opinion on the company's financial statements.
As audit firms and audit clients implement these requirements, there are two additional considerations that play into the decision-making process. The first is the modifying condition that exists with respect to these prohibited services. The second is the concept that an auditor can "assist but not do."
Regarding the prohibited services: the SEC determined that an auditor could provide these services to an audit client where it is reasonable to conclude that the service will not be subject to audit procedures. While these are important concepts, they are difficult to implement, and recent anecdotal evidence anecdotal evidence,
n information obtained from personal accounts, examples, and observations. Usually not considered scientifically valid but may indicate areas for further investigation and research. indicates that they are not well understood.
So, what is 'reasonable to conclude?'
The SEC's auditor independence release notes that the auditor independence rules are based on three underlying principles: 1) an auditor should not audit his/her own work; 2) an auditor should not act in the role of management; and 3) an auditor should not serve as an advocate for his/her client.
Clearly, the provision of internal audit outsourcing and information technology design and implementation violate the first two principles. However, if those services will not be subject to audit, then the SEC concluded that the threats to independence are sufficiently mitigated.
Key to understanding the "reasonable to conclude" exception is the presumption A conclusion made as to the existence or nonexistence of a fact that must be drawn from other evidence that is admitted and proven to be true. A Rule of Law.
If certain facts are established, a judge or jury must assume another fact that the law recognizes as a logical established by the SEC. The presumption is that the prohibited services cause the auditor to no longer be independent with respect to the audit client. Therefore, the burden of demonstrating that the presumption has been overcome falls squarely square·ly
1. Mathematics At right angles: sawed the beam squarely.
2. In a square shape.
3. on the auditor. Not surprisingly, questions have been raised as to how the presumption can be overcome.
In the independence release, the SEC attempts to provide an example (in footnote Text that appears at the bottom of a page that adds explanation. It is often used to give credit to the source of information. When accumulated and printed at the end of a document, they are called "endnotes." 51) of when the presumption might be overcome.
More recently, the SEC staff issued frequently asked questions (FAQs) to address questions that had been raised about the independence rules. Of the 35 FAQs and responses, only Question 17 touches on the "reasonable to conclude" notion. That question and related staff response indicates that the rebuttable Re`but´ta`ble
a. 1. Capable of being rebutted. presumption--that the services are prohibited--cannot be overcome on the basis of materiality MATERIALITY. That which is important; that which is not merely of form but of substance.
2. When a bill for discovery has been filed, for example, the defendant must answer every material fact which is charged in the bill, and the test in these cases seems to . Which leaves the question: What are the circumstances under which the presumption can be overcome?
Using the guidance of footnote 51 of the release text and Question 17 of the FAQ (Frequently Asked Questions) A group of commonly asked questions about a subject along with the answers. Vendors often display them on their Web sites for use as troubleshooting guidelines. , we are left to conclude that there are two possible circumstances where the presumption might be overcome. The first is the one portrayed in footnote 51--a brother/sister relationship. As portrayed in the following schematic A graphical representation of a system. It often refers to electronic circuits on a printed circuit board or in an integrated circuit (chip). See logic gate and HDL. , the auditor of Company A could, possibly, provide prohibited non-audit services to Company B without impairing his/her independence with respect to Company A.
Parent Company Company A Company B
The other scenario is when the auditor is providing prohibited services "upstream." For example, using the same schematic, if the auditor of Company A is not the auditor for Company B, the Parent Company or the consolidated entity, it might be possible for the auditor of Company A to conclude that provision of prohibited services to the Parent Company would not impair im·pair
tr.v. im·paired, im·pair·ing, im·pairs
To cause to diminish, as in strength, value, or quality: an injury that impaired my hearing; a severe storm impairing communications. his/her independence related to Company A. Conversely con·verse 1
intr.v. con·versed, con·vers·ing, con·vers·es
1. To engage in a spoken exchange of thoughts, ideas, or feelings; talk. See Synonyms at speak.
2. , based on the FAQ's Question 17, it would never be appropriate for the auditor of the Parent Company to conclude that provision of prohibited services to Company A--regardless of Company A's materiality to the consolidated entity--is permissible per·mis·si·ble
Permitted; allowable: permissible tax deductions; permissible behavior in school.
Internal Control Evaluations
Another key provision of Sarbanes-Oxley is in Section 404, which requires the SEC to adopt rules requiring management to make an annual assessment of the effectiveness of its internal controls and to include a statement by management of the effectiveness of the company's internal controls in its annual filing. Also, Section 404 requires that the auditor attest To solemnly declare verbally or in writing that a particular document or testimony about an event is a true and accurate representation of the facts; to bear witness to. To formally certify by a signature that the signer has been present at the execution of a particular writing so as to management's assessment of the effectiveness of internal controls.
As required by Sarbanes-Oxley, the SEC adopted rules that will require accelerated filers and their auditors to begin providing this information for years ending on or after June 15, 2004. Others must begin providing the information for years ending on or after Apr. 15, 2005. Because the evaluation of internal controls has, historically, been the responsibility of the auditor, new questions have arisen regarding the role that auditors can play in assisting management to fulfill its responsibilities to assess and report on internal controls.
In that regard, the SEC's release does contain a "reminder" to auditors and management: " ... we remind issuers and their auditors that the Commission's rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client. Consistent with the provisions of those rules, it would be inappropriate for the independent auditor Independent Auditor
An external auditor with a certified public accounting designation that qualifies him or her to provide an auditor's report.
These auditors aren't affiliated with the company being audited. to perform the documentation and testing on behalf of management. To do so, would place the auditor in a position of auditing his or her own work and, accordingly, would impair the auditor's independence. While we understand the need for coordination between management and the auditor, the Commission reminds issuers and auditors to management cannot delegate its responsibility to assess its internal controls over financial reporting to the auditor."
Thus, the SEC release does not provide any clear "bright-lines" to distinguish what an auditor can and cannot do to assist management. Furthermore, the staff's FAQ does not shed any additional light on the topic. Thus, practitioners are left to struggle with what the "assist but not do" principle means in this context. (See the box at left for this author's guidance.)
The questions listed touch just a few of those that have come to the surface, but they are some of the more prominent ones that management and auditors are currently wrestling with. Clearly, more guidance will be forthcoming as the Public Company Accounting Oversight Board The Public Company Accounting Oversight Board (or PCAOB) (sometimes called "Peekaboo") is a private-sector, non-profit corporation created by the Sarbanes-Oxley Act, a 2002 United States federal law, to oversee the auditors of public companies. (PCAOB PCAOB Public Company Accounting Oversight Board ) moves forward with its plans to issue new standards governing the auditor's responsibility to attest to management's report on the effectiveness of internal controls.
While not authoritative, the following questions and responses may prove useful to management and auditors attempting to comply with the upcoming requirements.
Question: Can management instruct the auditor to document existing controls for management?
Response: No, management is required to document and assess its controls. The auditor can participate as a member of the "team" responsible for documenting controls.
Question: Can the auditor test the effectiveness of existing controls for management?
Response: No, again, management is responsible for testing the effectiveness of its controls. Participation in this process by the auditor likely constitutes an independence violation.
Question: Can the auditor provide its internal control software to management to help management structure the process of documenting existing controls?
Response: As long as it is "dumb" software and the auditor does not require, as a condition of performing the audit and attest services, that management use its software, this is permissible.
Paul Munter, Ph.D., CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. is KPMG KPMG Klynveld Peat Marwick Goerdeler (accounting firm)
KPMG Kaiser Permanente Medical Group
KPMG Keiner Prüft Mehr Genau (German)
KPMG Kommen Prüfen Meckern Gehen Professor and Chairman of the Department of Accounting at the University of Miami This article is about the university in Coral Gables, Florida. For the university in Oxford, Ohio, see Miami University.
The University of Miami (also known as Miami of Florida, UM, or just The U . He creates Auditing and Accounting Report, published by Bisk Education
Bisk Education, Inc. is a United States corporation, founded in 1971 to provide distance test preparation for accountants. . He can be reached at email@example.com.