Question

How does the Sarbanes-Oxley legislation as it relates to auditor independence restrict and/or enhance the ability of public accounting firms to move up the value chain?

Answer 1

The Sarbanes-Oxley Act of 2002 cracks down on corporate fraud. It created the Public Company Accounting Oversight Board to oversee the accounting industry. It banned company loans to executives and gave job protection to whistleblowers. The Act strengthens the independence and financial literacy of corporate boards. It holds CEOs personally responsible for errors in accounting audits. The Act is named after its sponsors, Senator Paul Sarbanes, D-Md., and Congressman Michael Oxley, R-Ohio.

Section 404 and Certification

Section 404 requires corporate executives to certify the accuracy of financial statements personally. If the SEC finds violations, CEOs could face 20 years in jail. The SEC used Section 404 to file more than 200 civil cases. But only a few CEOs have faced criminal charges.

Section 404 made managers maintain “adequate internal control structure and procedures for financial reporting." Companies' auditors had to “attest” to these controls and disclose “material weaknesses." (Source: "Sarbanes-Oxley," The Economist, July 26, 2007.)

Requirements

SOX created a new auditor watchdog, the Public Company Accounting Oversight Board. It set standards for audit reports. It requires all auditors of public companies to register with them. The PCAOB inspects, investigates and enforces compliance of these firms. It prohibits accounting firms from doing business consulting with the companies they are auditing.

They can still act as tax consultants. But the lead audit partners must rotate off the account after five years. (Source: "Analysis: A Decade On, Is Sarbanes-Oxley Working?," Kevin Drawbaugh and Dena Urbin, Reuters, July 29, 2012.)

But SOX hasn't increased the competition in the oligarchic accounting audit industry. It's still dominated by the so-called Big Four firms. They are Ernst & Young, PricewaterhouseCoopers, KPMG, and Deloitte.

Internal Controls

Public corporations must hire an independent auditor to review their accounting practices. It deferred this rule for small-cap companies, those with a market capitalization of less than $75 million. Most or 83 percent of large corporations agreed that SOX increased investor confidence. A third said it reduced fraud. (Source: "The Cost-Benefit of Sarbanes-Oxley," Julianna Hanna, Forbes, March 10, 2014.)

Whistleblower

SOX protects employees that report fraud and testify in court against their employers. Companies are not allowed to change the terms and conditions of their employment. They can't reprimand, fire or blacklist the employee. SOX also protects contractors. Whistleblowers can report any corporate retaliation to the SEC. (Source: National Whistleblower Center.)?

Effect on the U.S. Economy

Private companies must also adopt SOX-type governance and internal control structures. Otherwise, they face increased difficulties. They will have trouble raising capital. They will also face higher insurance premiums and greater civil liability. These would create a loss of status among potential customers, investors, and donors.

SOX increased audit costs. This was a greater burden for small companies than for large ones. It may have convinced some businesses to use private equity funding instead of using the stock market. (Source: "Do the Benefits Outweigh the Costs for Sarbanes-Oxley?," RAND Corporation.)

SARBANES-OXLEY WILL MEAN BIG CHANGES FOR BOTH auditors and the companies they audit. The former now will be required to certify a company’s internal controls and will no longer be able to use certain common audit strategies. Management faces the cost of implementing the new rules.

ACCORDING TO THE EXPOSURE DRAFT OF A NEW SAS , the understanding of internal controls required for CPAs to express an opinion on financial statements is not adequate for them to offer an opinion on the controls themselves. This means auditors will have to make changes to the audit process.

THE AUDITOR MUST ATTEST TO MANAGEMENT’S assessment of the effectiveness of an entity’s internal controls using standards the Public Company Accounting Oversight Board issues or adopts. The auditor will require management to identify, document and evaluate significant internal controls—management cannot delegate this function to the auditor.

AUDITORS SHOULD ADVISE COMPANIES TO BEGIN the process of assessing the effectiveness of controls as early as possible. The task will be time-consuming, requiring management to determine which locations or business units to include in its evaluation.

AUDITORS SHOULD NOT BE TOO CLOSELY INVOLVED with a company’s assessment of its controls or they risk impairing their objectivity. The auditor cannot accept management’s responsibility to reach conclusions on the effectiveness of the entity’s controls nor can management base its assertion about the controls design and operating effectiveness on the results of the auditor’s tests.

THE AUDITOR AND MANAGEMENT
The auditor must attest to management’s assessment of the effectiveness of its controls using standards for attestation engagements the PCAOB issues or adopts. Statement on Standards for Attestation Engagements no. 10, Reporting on an Entity’s Internal Control Over Financial Reporting, imposed requirements, substantively unchanged in the SSAE ED, on an auditor to examine the effectiveness of an entity’s internal controls. To fulfill its responsibilities, management must

Accept responsibility for the effectiveness of its internal controls.

Evaluate their effectiveness using suitable control criteria.

Support this evaluation with sufficient evidence.

Present a written assertion about their effectiveness in either a separate report accompanying the auditor’s report or a representation letter to the auditor.

The auditor will require management to identify, document and evaluate significant internal controls. Management cannot delegate these functions to the auditors, nor can it rely on the auditor’s testing to support its assertion. The SSAE ED says such controls include

Controls over initiating, recording, processing and reporting significant account balances, classes of transactions and disclosures and related assertions embodied in financial statements.

Antifraud programs and controls.

Controls, including general ones, on which other significant controls depend.

Each control in a group that functions with another one to achieve a control objective.

Controls over significant nonroutine and nonsystematic transactions.

Controls over the period-end financial reporting process.

Auditors are urging their clients to begin the controls-effectiveness assessment as early as possible. The task will be arduous and time-consuming, requiring management to determine which locations or business units it should include in its evaluation. (The SSAE ED has a chart to help make this decision.) Management also will have to evaluate the design and operating effectiveness of controls, determine whether identified deficiencies are significant (previously called reportable conditions) or are material weaknesses and document the results, including the procedures it performed. Management cannot use inquiry alone to adequately evaluate the operating effectiveness of controls. It also must correct any identified deficiencies early enough to allow sufficient time before yearend for the auditor to adequately assess design and operating effectiveness. How much time depends on the nature of the control and the frequency of operation. Management’s failure to allow sufficient lead time could result in a qualified opinion.

The Foreign Corrupt Practices Act of 1977 requires all public companies to devise and maintain a system of internal controls to provide reasonable assurance assets are safeguarded and transactions properly authorized and recorded. Consequently, many public companies already have various forms of controls documentation such as policy manuals, accounting manuals, memorandums, flowcharts, decision tables and questionnaires. However, few have comprehensively and consistently documented and evaluated controls to the extent necessary to provide an assertion about their effectiveness. Also, entities often put more emphasis on preventative than detective controls, as it is usually more efficient to prevent misstatements than to detect and correct them. However, the EDs admonish CPAs that a well-run system should have an appropriate mix of both preventative and detective controls.

T o ensure a comprehensive and consistent entitywide process, many auditors are recommending clients establish project teams reporting directly to the CEO or CFO in light of the task’s importance. Team leaders should be respected employees and have experience dealing with large-scale projects. Consequently, the CFO, controller or internal audit director should head the team, which should consist minimally of adequately trained personnel from accounting, internal audit, information systems, finance, operations, legal and human resources.

If asked to be involved in a client’s project, an auditor must be careful not to impair his or her independence and objectivity. The SSAE ED says auditors may help prepare or gather information as long as management directs and takes responsibility for documenting controls in the process, including determining which controls to document. Auditors can help clients understand the process and advise them on how to identify significant accounts, processes and reporting units, as well as how to evaluate controls’ effectiveness. Indeed some auditors give clients electronic templates to ensure entitywide consistency in assessing controls. However, the auditor cannot be the person to determine which accounts or processes are significant, nor accept management’s responsibility to reach conclusions on the effectiveness of the entity’s internal controls; the auditor’s role is to report on management’s conclusions. Similarly, management cannot base its assertion about design and operating effectiveness on the results of the auditor’s tests.

AUDITOR RESPONSIBILITIES
The SSAE ED says that in giving an opinion on the internal control over financial reporting, the auditor must be satisfied as to the effectiveness of an entity’s internal controls and that management’s written assertion about it is fairly stated in all material respects. The auditor’s opinion relates to the effectiveness of controls taken as a whole, not each individual COSO component. Therefore, the auditor must perform procedures to obtain sufficient evidence about the design and operation of internal controls, thereby reducing attestation risk to appropriately low levels. In doing the examination, the auditor must plan the engagement toThe auditor may consider the results of management’s tests of the operating effectiveness of controls, but never should rely on them as principal evidence. The same is true for testing by third parties or internal auditors. Contrary to guidance in SAS no. 65, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements, the SSAE ED proposes that when using internal auditor test results the external auditor must both reperform tests of controls and do independent tests for each significant account, class of transactions and disclosure. When using internal auditors for direct assistance, the external auditor should recognize that the former’s objectivity might be impaired where they routinely perform monitoring functions for management. The exhibit shows other key ED proposals on auditor tests of controls.