Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.
Auditing, quality control, and independence standards and rules.
The Sarbanes-Oxley Act was one of major change for internal and external auditors, executives and boards of directors. Internal auditors have greater responsibilities to their audit committees and external auditors. Internal auditing can create ethics programs and perform proper internal control to assess risk as well as be instrumental in detecting and preventing fraud. Auditors cannot accept management’s responsibility to reach conclusions on the effectiveness of the company’s internal controls. Management cannot base its assertions about design and operating effectiveness on the results of the auditor’s tests. Ultimately, auditors and management work together but independently to determine the internal controls process is accurately balanced. The company ensuring better control processes could reduce fraud.
Auditing, Quality Control, and Independence
Standards and Rules
Business fraud is a major concern in the accounting profession and in the business community. The current audit process emphasizes the independent auditor’s responsibility for detecting and deterring fraud. Executives of public companies are subject to new fraud prevention measures enacted under the Sarbanes-Oxley Act of 2002 and administered by the Securities and Exchange Commission (SEC). Congress enacted the Sarbanes-Oxley Act of 2002 in response to highly publicized business failures, allegations of corporate fraud and financial statements restatements. “It is the most extensive overhaul of securities law since the 1930’s, and was the result of corporate and accounting scandals, including, Enron, Worldcom, Tyco, Xerox, Sunbeam, Adelphia and Arthur Anderson” (Linsley, 2003). If management has the ability to manipulate the financials in order to affect stock prices, then opportunities give them the incentive to do so. Large grants of stock options give large incentives to management and the risk of manipulation increases. The interest of management in their own personal wealth was more intense and lead to manipulating the financials to ensure their own profit was maximized.
Cynthia Glassman, Commissioner of the Security and Exchange Commission, in a speech given in Washington D.C., on September 27, 2002 specifically includes the requirement that the CEO and the Board put in place procedures to “ensure that they hear bad news,” and “not to create an environment in which senior officials are afraid to discuss or act on potentially serious misconduct that comes to their attention.” (Linsley, 2003).
The law changes the behavior of those in charge to reduce risk exposure in a number of ways. One of the most important ways is the risk that is created directly by their behavior; basically, the management, the board, and the auditors could themselves be a major source of the risk.
There is no doubt thatthe Sarbanes-Oxley Act was one of the major changes for internal and external auditors as well as the board of directors and executives of companies. The corporate world is dependent on high-quality and high-functioning Chief Financial Officers; The reports that Chief Financial Officers are now required to prepare and submit will take time and effort and a fair amount of cost. A company that has proper internal controls in place will ultimately say that it is worth every penny due to the rules and regulations that are now required for the Sarbanes-Oxley Act. Internal auditors are in the best position to alert senior management to potential issues before they become larger problems. Sarbanes-Oxley Act has ensured that the Chief Financial Officer is either more knowledgeable or at the very least wants to be more knowledgeable about the internal controls within the company. If there is a particular control that is not gaining the needed result then a change can be made prior to the end of the year when a negative opinion from an outside auditor could make things worse. Many companies started out by taking a short-term approach to the compliance standards and now are struggling to maintain compliance with the regulations. “Meeting these regulatory requirements is the new reality, but the running of a better business over the long-term should be the objective” (Heffes, 2004).
Another issue that Chief Financial Officers are tasked with is achieving lean operations through aggressive cost-cutting, which sometimes means that cutting costs may jeopardize compliance or cause a material breakdown in controls and can result in the company’s competitiveness being diminished. One approach to this issue is to identify the most effective and efficient controls that are needed to achieve compliance. Risk-based considerations are used to drive efficiently and realizes that not all accounts, transaction and risks are equally important. Another approach would be a balanced control design and basically treat each control as an equal regardless of the risk consideration. However, both of these approaches are a continuous process and should be integrated into the regular routines of the business.
The Sarbanes-Oxley internal control provisions impose significant responsibilities on both the management and the auditor. Management will be forced to take ownership of the process of identifying, documenting, and evaluating significant controls. Management will also need to determine the areas of the company that need to be evaluated. Auditors providing an opinion on the effectiveness of the company’s internal controls is a significant responsibility. Both management and auditors recognize that the internal control process will be valuable for several reasons. The Sarbanes-Oxley Act places legal restraints on certain behaviors, makes responsibilities more obvious, and requires that certain information be made public. Some of this affects external auditors; however, the majority affects both internal and external auditors. Thus, auditors have been drawn into a greater risk management role as a result of Sarbanes-Oxley. Basically, the management designs and implements the system of internal controls and the auditor review and make suggestions for improving the controls and process. Strong internal controls make fraud difficult to commit and make fraud discovery likely. However, managers who are intent on committing fraud have an incentive to design weaknesses into the system of controls because the benefits to fraud are more enticing to dishonest managers when the system of controls is weak. The possibility of management override potentially alters the auditor’s testing and evaluation because the evaluation of internal controls provide information about the manager’s incentives and opportunity to commit fraud because a weaker system of internal control makes fraud less difficult to commit.
Certified Public Accountants who audit public companies, usually as an external auditor, jobs have been significantly impacted due to the Sarbanes-Oxley Act. There are now specific rules for key proposals on responsibilities to test controls and evaluate internal control deficiencies and the extent that auditors can be involved. Other areas of concern for external auditors include their role to detect fraud, the retention of records, registering with the PCAOB, audit partner rotation to ensure objectiveness, and the restrictions on non-audit services that the auditor can provide to the company. One of the goals of Sarbanes-Oxley is to remove the conflict of interest where revenue from non-audit services may provide an incentive to give unjustified assertions for fear of losing the revenue. According to Heffes and Gimpert, internal auditors should be able to define and identify errors, omissions and/or process failures before they get out of hand and no area of the business should be exempt from some sort of independent assessment; while, external auditors are looking at materiality and processes that are financial statement-related (2006). Internal auditors are mostly concerned with operational activities which are the real risk to the company; while, external auditors are more concerned with financial risks which are also important to a company. Internal audit departments vary in size from five to 10 people for a Fortune 500 company to possibly 50 internal auditors at a Fortune 100 company.
The lack of sufficient internal controls can cause companies to be exposed to fraud, error and even misappropriation of company funds. These issues could potentially represent a substantial cost to the company. Internal auditors should use their knowledge to help put into place the kinds of policies and procedures that are going to drive employees to the right kinds of behaviors. Oftentimes the internal auditors assist in training about risk assessment and ethical behavior leading to getting involved and helping to structure the training. However, the internal auditor is an independent, objective assessor of the results, activities and processes of the company and should be an excellent source of information to the audit committee and management. As the audit committee and management are required to take more responsibility and to provide more documentation with limited time, they will want more assurance from the internal auditors that their statements are free of misstatements and that internal controls are suitable. The auditor must attest to management’s assessment of the effectiveness of a company’s internal controls using standards that the Public Company Accounting Oversight Board (PCAOB) issued. The auditor’s assessment and management’s assertion should be kept separate and should not be based upon each other to ensure that the audit is objective. Auditors must determine whether the control is properly designed to prevent or detect material misstatements on a timely basis, see how the control was applied and who applied it, and form an opinion of the effectiveness of the company’s internal controls. The auditor may consider the results of management’s tests of controls but should never rely on them solely. Third parties and internal auditors should adhere to this method as well.
The auditor incurs costs for performing audit work and could also face potential litigation and reputation harm if fraud occurs and is not detected during the audit process. The auditor chooses the amount of control tests and the amount of substantive tests to minimize total costs, which include the cost to perform the audit work and the expected cost of an audit failure. The costs of performing audit work are the costs of internal control testing and the substantive testing. If the manager commits a fraud that goes undetected by the auditor, the auditor suffers a penalty comparable to the amount of the fraud which could be substantial.
The IRS revised Schedule M-3 form for C corporations to increase the transparency between financial statement income and tax return income and ultimately to help the IRS identify tax returns for examination. This was the beginning of the tax form revisions-the IRS has now revised similar forms for partnerships, S corporations and other tax payers that do not use Form 1120. The majority of tax payers are now facing similar reporting burdens to ensure that the company meets compliance standards set forth from the Sarbanes-Oxley Act.
According to the article in the Journal of Accountancy, cycle rotation was used as a way to test controls prior to Sarbanes-Oxley Act; this involved testing controls in several of a company’s transaction cycles while doing a sample transaction to confirm the absence of control changes in the remaining cycles (2003). Now auditors must report on the effect of internal control over financial reporting. Auditors will need to obtain more evidence about the effectiveness of controls and perform substantive procedures due to the limitations of internal controls and risk of management override.
Regardless of the reason, numerous or repeated deficits may lead to a significant issue; although, individually insignificant, numerous control deficits having a common feature or aspect may also lead to significant issue. A large misstatement that the auditor finds, but the company does not find, usually is a material weakness in controls. A material weakness prevents an unqualified opinion that controls are effective. Inadequate company documentation of controls could result in a material weakness. According to the article in Practical Accountant, the Public Company Accounting Oversight Board’s (PCAOB) monitoring revealed that some audits performed under certain circumstances were not as effective or efficient as intended, and as the board expects they can be in the future given the benefits of experience, adequate time, and resources (2006).
According to Epps and Messier, engagement quality review is an important part of the audit process that is designed to provide quality control for audit engagements and to serve as an evaluation of the performance of the audit engagement partner and engagement team (2007). The Securities and Exchange Commission (SEC) has stated frustration with the performance of engagement quality reviewers on audit engagements. The SEC has increased the responsibility level on the engagement quality reviewer where financial statements have been issued with material misstatements.
The importance of engagement quality reviews is identified in Section 103 of the
Sarbanes-Oxley Act of 2002 which mandated that the Public Company Accounting
Oversight Board (PCAOB) develop an auditing standard to address engagement quality
review. The PCAOB noted that inclusion of Section 103 in SOX “signals Congressional
intent that existing requirements for such reviews be evaluated” (PCAOB 2004, 2).
One of the objectives of this research is to determine the consistency of engagement quality partner guidance included in the audit manuals of the major public accounting firms. This analysis will be helpful to the PCAOB and the auditing profession moving forward with developing and auditing standard for engagement quality review. Another objective is to conduct a task analysis of engagement quality reviews in order to develop a series of questions and concerns for future research. Better task descriptions will provide improvement for judgement research and increased understanding of the profession. There are differences between firms in the assignment of engagement auditors, the level of participation of the concurring partner in audit planning, the content and comprehensiveness of the audit, and the level of involvement of the concurring partners during the audit engagement.
In the past, the SEC allows companies to establish their own policies and procedures related to the qualifications of the concurrent reviewers; the nature, extent and timing of the review; and the required documentation to evidence compliance with company policy and procedures for engagement quality reviews. However, now the SEC has established guidance on the responsibilities of the concurring partner as an objective reviewer of the audit engagement. This guidance states that the concurring partner should provide negative assurance to the firm that audit complies with generally accepted accounting principles (GAAP) and generally accepted auditing standards (GAAS). Therefore, the concurring partner serves as a final quality control instrument.
Independence Standards and Rules
Prior to the Sarbanes-Oxley Act, risk management was considered to be an optional business activity, which a company could implement if it thought that the benefits outweighed the cost. It is the responsibility of the company to set expectations by policies and procedures that drive people to do the right thing, communicate to ensure that expectations are known throughout the company, proper training to ensure that employees are comfortable with their day-to-day tasks, and being able to hold people accountable for meeting the expectations that have been set forth. Most companies have several forms of controls documentation such as policy and accounting manuals, flowcharts and decision tables to ensure proper authorization. Companies often believe that it is usually more efficient to prevent rather than to detect and correct a material misstatement. However, a well-run control system should have a good mix of both controls. “To ensure a comprehensive and consistent process, many auditors are recommending clients establish project teams reporting directly to the Chief Executive Officer or Chief Financial Officer; The Chief Financial Officer, Controller or Internal Audit Director should head the team, which should consist minimally of adequately trained personnel from accounting, internal audit, information systems, finance, operations, legal and human resources” (McConnell, Banks, 2003).
The auditor’s assessment and management’s assertion should be kept separate and should not be based upon each other to ensure that the audit is objective. Auditors may help to gather or prepare information, but management is responsible for documenting controls. Auditors may also help clients evaluate controls effectively. Management must accept responsibility for the effectiveness of its internal controls, support this evaluation with sufficient evidence and present a written assertion about the effectiveness to be included with the auditor’s findings report as a representation letter or as a separate report to accompany the auditor’s report. Management must also document antifraud programs and controls over significant non-routine and non-systematic transactions, as well as, controls over the period-end financial reporting process. Management’s failure to allow the auditor enough time to properly assess any changes that have been made in the control process could lead to a negative opinion being listed in the auditor’s report. “Management has the responsibility to catch their own frauds, and if they don’t catch themselves they are culpable because they didn’t catch themselves” (Linsley, 2003).
Many companies have complained about that the extraordinary requirements of Sarbanes-Oxley involving documentation and testing of internal controls. Prior to Sarbanes-Oxley, documentation was typically not extensive and neither the company nor the auditor was required to test controls. With the implementation of Sarbanes-Oxley many companies were forced to put into place new controls, provide a narrative about all controls, indicate in written form anytime a control is performed and then test whether the controls are working. However, Sarbanes-Oxley was enacted to reduce fraud and audit failures related to fraud and directly affects three audit performance measures: expected fraud, audit risk, and expected undetected fraud. Expected fraud is the amount of fraud multiplied by the probability that the manager is dishonest. Audit risk is the probability that a material misstatement occurs and is not detected by the audit process. Expected undetected fraud is the amount of fraud committed in balance multiplied by audit risk. For the same reason that expected fraud decreases, audit risk increases. Sarbanes-Oxley affects the amount of expected undetected fraud only if there is a corresponding increase in the auditor’s liability parameter. If the auditor’s liability increases under Sarbanes-Oxley, the probability of undetected fraud goes up while the amount of fraud goes down at a greater rate.
- Messier, J. . W. F., Kozloski, T. M., & Kochetova-Kozloski, N. (2010). An Analysis of SEC and PCAOB Enforcement Actions against Engagement Quality Reviewers. Auditing: A Journal of Practice & Theory, 29(2), 233–252.
- Epps, K. K., & Messier, J. . W. F. (2007). Engagement Quality Reviews: A Comparison of Audit Firm Practices. Auditing: A Journal of Practice & Theory, 26(2), 167–181.
- Report on Internal Control; Action by PCAOB Chair. (2006). Practical Accountant, 39(1), 26.
- Patterson, E. R., & Smith, J. R. (2007). The Effects of Sarbanes-Oxley on Auditing and Internal Control Strength. Accounting Review, 82(2), 427–455.
- Arens, A. A., & Elder, R. J. (2006). Perspectives on Auditing Education after Sarbanes-Oxley. Issues in Accounting Education, 21(4), 345–362.
- Linsley, C. (2003). Auditing, Risk Management and a Post Sarbanes-Oxley World. Review of Business, 24(3), 21–25.
- Heffes, E. M. (2004). Continuous Monitoring, Auditing Needed For Sarbanes-Oxley. Financial Executive, 20(6), 19.
- Heffes, E. M., & Gimpert, J. (2006). IIA Chief: Sarbanes-Oxley Puts Internal Auditing “In the Limelight.” Financial Executive, 22(4), 15–17.
- Moeller, Robert. (2004). SOX and audit rules. Accounting Today, 18(4), 26.
- Tanyi, P., & Litt, B. (2017). The Unintended Consequences of the Frequency of PCAOB Inspection. Journal of Business Finance & Accounting, 44(1/2), 116–153.
- McConnell, Jr. D. K., & Banks, G. Y. (2003). How Sarbanes-Oxley Will Change the Audit Process. Journal of Accountancy, 196(3), 49–55.
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
DMCA / Removal Request
If you are the original writer of this essay and no longer wish to have your work published on the UKDiss.com website then please: