Auditing and Attestation Portion of the CPA Exam The Sarbanes-Oxley Act of 2002 and the Public Company Accounting Oversight Board (PCAOB). 1. The Sarbanes-Oxley Act of 2002 was passed by Congress as a major reform in independent auditing, but only in connection with the audit of publicly- traded companies. A. Created the Public Company Accounting Oversight Board (PCAOB) which is discussed in more detail below. B. Prohibits certain services from being provided by an independent auditor to an audit client. These prohibited services include a. Financial information system design and implementation b. Internal auditing c. Bookkeeping d. Valuation services e. Actuarial services f. Human resource functions g. Brokerage or investment services h. Legal and expert services unrelated to the audit C. Requires that the audit committee of the board of directors must be independent from management and must hold the responsibility for appointment, compensation, and retention of the company’s independent auditors. D. Requires the independent auditor to report to the audit committee rather than to the management of the reporting company. E. Requires the independent auditing firm to rotate the lead partner off each audit engagement at least every five years. F. Requires the CEO and the CFO of each publicly-traded company to sign a statement certifying the appropriateness of the financial statements and that those statements and disclosures fairly present, in all material respects, the operations and financial condition of the reporting company. G. Establishes that non-U.S. public accounting firms that prepare audit reports with respect to any U.S. public companies are subject to the rules of the PCAOB. H. Section 404 of the Act requires the management of each public company to report in each annual report its assessment of internal control over financial reporting. The independent auditor must attest to this assessment made by management and this attestation must also be included in the annual report 2. The Public Company Accounting Oversight Board (PCAOB) was created by the Sarbanes-Oxley Act to enforce auditing, quality control, and independence standards in connection with the independent audit of publicly-traded companies. A. The PCAOB is an independent, not-for-profit agency that was created to function under the authority of the Securities and Exchange Commission (SEC). B. The PCAOB is comprised of five members who are appointed by the SEC. Only two of the members can be CPAs. C. The PCAOB is funded by fees charged to the publicly-traded companies as well as their independent audit firms. D. An “issuer” is any company that issues securities to the public. (This is the same definition as that of the Securities Exchange Act of 1934.) Any auditing firm that prepares, issues, or participates in the preparation of an audit report for an issuer must register with the PCAOB. E. The PCAOB gathers considerable information through this registration process. a. All clients who are issuers b. All of the firm’s accountants who participant in the audit process of an issuer. c. Fees from each issuer to the audit firm, divided between audit services and non-audit services. d. Information about criminal, civil, or administrative actions that are pending. e. Disagreements with any issuer. F. The PCAOB periodically carries out an inspection of each registered auditing firm. a. An annual inspection is performed if the firm does 100 or more audits of issuers each year. b. Otherwise, the inspection is carried out every three years. c. Special inspections can be authorized by the PCAOB or requested by the SEC at any time if problems occur. G. The PCAOB has considerable power over the registered CPA firms. a. Can suspend or revoke their registration. b. Can assess fees of up to $15 million for registered firms and up to $750,000 for individuals c. Can require additional training or continuing professional education. d. Can make public deficiencies uncovered through inspection. 3. PCAOB – Auditing Standard No. 1. In the audit report for an issuer, the scope paragraph must indicate that the audit was conducted in accordance with the standards of the PCAOB. For a company that is not an issuer, the CPA will continue to state that the audit was conducted in accordance with generally accepted auditing standards. 4. PCAOB – Auditing Standard No. 2. In an audit of the financial statements of an issuer, the CPA must evaluate management’s assessment of internal control over financial reporting and also make an independent assessment of the effectiveness of this internal control. Thus, the auditor must express two opinions in all reports on internal control: one on the management’s assessment process and another on the actual effectiveness of the internal control over financial reporting. 5. PCAOB – Auditing Standard No. 3. In an audit, the documentation for what was done and what was uncovered should be able to stand on its own with no need for oral or written description. The documentation should indicate clearly the work that was performed, who carried out the work, when the work was completed, who reviewed the work, and the date that it was reviewed. All audit documentation must be completed within 45 days after the auditor’s report is issued. Any subsequent changes must be clearly explained and the original documentation retained. Audit documentation should be kept for a minimum of seven years. Questions for Illustration and Clarification 1. As a result of the Sarbanes-Oxley Act, the Public Company Accounting Oversight Board (PCAOB) has been created. Which of the following is not true? a. The PCAOB is a government agency b. The PCAOB comes under the oversight and enforcement authority of the SEC. c. The PCAOB will be funded by fees charged to all publicly traded companies. d. All public accounting firms that participate in the preparation of an audit report for a company that issues securities must register with the PCAOB. Answer: A The Sarbanes-Oxley Act was set up so that the PCAOB would not be a government agency but would be self-funded from charges to the companies being regulated. All firms must register with the PCAOB if they plan to work in any way with a company that issues securities. To enable a proper degree of government control, the PCAOB is under the oversight and the enforcement authority of the SEC. 2. In registering with the Public Company Accounting Oversight Board (PCAOB), a CPA firm must provide significant information. Which of the following is not a required disclosure? a. A list of all audit clients b. Information about any criminal actions pending against the firm. c. The annual fees from each client that is an issuer of securities, divided between audit and non-audit services. d. A list of all accountants participating in the audit of each client that is an issuer of securities. Answer: A The CPA firm only needs to provide a list of the audit clients who issue securities. If a company does not issue securities, it is not viewed as a public company and does not come under the jurisdiction of the PCAOB. 3. Any CPA firm that is registered with the Public Company Accounting Oversight Board (PCAOB) is subject to periodic inspections. Which of the following statements is true? a. These firms must undergo inspection by the PCAOB as well as peer review by an outside CPA firm. b. All firms will be inspected annually by the PCAOB c. All firms will be inspected every three years by the PCAOB. d. Larger firms will be inspected annually whereas all other firms will only be inspected every three years. Answer: D For firms working with companies that issue securities to the public, the inspection process by the PCAOB takes the place of peer review which, based on the number of accounting scandals that have occurred, was not working as intended. Firms that audit more than 100 companies that issue securities are inspected by the PCAOB annually. The rest of the CPA firms registered with the PCAOB will be inspected every three years. 4. According to the standards of the Public Company Accounting Oversight Board (PCAOB), the management of a company that issues securities must accept responsibility for the effectiveness of the company’s internal control over its financial reporting. Which of the following is not also a responsibility of the management? a. Must provide a written plan each year for updating the internal control over the financial reporting b. Must evaluate the actual effectiveness of internal control over the financial reporting. c. Must support the evaluation of internal control over the financial reporting with sufficient documented evidence. d. Must prepare a written assessment of internal control over the financial reporting. Answer: A The PCAOB requires management to accept responsibility for internal control, and then evaluate it each year, documenting the results. Based on that evaluation, the management must prepare a written assessment of the internal control. 5. According to the standards of the Public Company Accounting Oversight Board (PCAOB), the auditor of a company that issues securities must audit the company’s internal control as well as its financial statements. Which of the following statements is true about the reporting process? a. The two reports must be combined. b. The two reports must be separate. c. The report on internal control must be issued at least 45 days before the report on the financial statements. d. The two reports can be combined or can be separate. Answer: D The PCAOB leaves the decision about reporting to the parties involved. The CPA can issue one report to cover both audits or can issue separate reports. When the reports are separate, both reports must be included in the annual report of the company. 6. A CPA firm is issuing separate reports based on audits of an issuing company’s internal control over financial reporting and its financial statements. Which of the following statements is true according to the standards of the Public Company Accounting Oversight Board (PCAOB)? a. The report on internal control has to be dated as of the balance sheet date. b. The report on internal control has to be dated at least 21 days prior to the date of the report on the financial statements. c. Both reports have the same date: normally, the last day of audit field work. d. The reports might have the same date but they will often have different dates. Answer: C The date that is included indicates the last day of audit responsibility for the CPA. Consequently, the last day of field work is used for all audit work whether it is on the financial statements or the internal control. 7. According to the standards of the Public Company Accounting Oversight Board (PCAOB), the independent auditor must audit the internal control over the financial reporting of any company that issues securities. Assume that the company provides a written assessment that internal control is effective. Assume also that the auditor uncovers a material weakness in internal control that cannot be rectified before the end of the audit work. What action should be taken by the auditor? a. The auditor should resign from the engagement. b. The auditor should provide a disclaimer c. The auditor should modify the report being given. d. The auditor should issue an adverse opinion on the effectiveness of internal control. Answer: D The auditor is carrying out an audit and has discovered a material weakness. An adverse opinion should be rendered to properly alert the parties interested in the financial statements of the issuing company. 8. According to the standards of the Public Company Accounting Oversight Board (PCAOB), the auditor of a company that issues securities must audit the company’s internal control as well as its financial statements. What is the recommended timing of these two audits? a. The internal control audit should be performed first followed by the audit of the company’s financial statements. b. The financial statement audit should be performed first followed by the audit of the company’s internal control. c. The internal control audit should be performed first unless there is an adequate reason for doing the financial statement audit first. d. The two audits should be integrated. Answer: D The PCAOB has stated that to reduce time and cost the two audits should be integrated as much as possible rather than looking at them as two entirely separate engagements. 9. According to the standards of the Public Company Accounting Oversight Board (PCAOB), what is the general definition of a control deficiency? a. An internal control system that simply is not operating as intended. b. An internal control system that is not being monitored properly c. A situation where the design or operation of an internal control does not allow employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. d. A situation where an inherent limitation has been noted but no corrective action has been taken by the company or its officials. Answer: C The definition of a control deficiency established by the PCAOB is not particularly different than that which was previously being used. There is always a problem with internal control when misstatements will not be prevented or detected in a timely manner. Answers a and b are examples rather than serving as a definition. 10. An independent auditor is performing an audit of a company’s internal control in connection with its financial reporting under the standards of the Public Company Accounting Oversight Board (PCAOB). A control deficiency has been uncovered. What are the two possible types of control deficiencies? a. Current and noncurrent b. Design and operations c. Computer and manual d. General and application Answer: B When a control deficiency is discovered, it can relate to the way by which the system with its policies and procedures was designed. Perhaps the design did not accomplish what it was supposed to accomplish. There can also be a deficiency in the operation of one or more controls. The system can be designed perfectly but the people may be performing their tasks in a deficient manner. 11. According to the standards of the Public Company Accounting Oversight Board (PCAOB), what is the definition of a material weakness in internal control? a. A flaw in the design or operation of internal control that has allowed a material misstatement to be included in a set of financial statements. b. A significant deficiency (or a combination of significant deficiencies) in internal control that results in more than a remote likelihood that a material misstatement in the annual or interim financial statements will not be prevented or detected. c. The discovery of a problem in either the design of internal control or its operations that is so serious that the likelihood of problem is viewed as greater than reasonably possible. d. The uncovering of any aspect of internal control that requires modification before the company’s internal control can provide reasonable assurance that no material misstatements exist in the published financial statements. Answer: B This definition comes from paragraph number 10 of PCAOB Standard 2. It focuses on the existence of a significant deficiency in internal control so that material misstatements are neither prevented nor detected. 12. According to the standards of the Public Company Accounting Oversight Board (PCAOB), an independent auditor who issues an opinion on financial statements for a company that issues securities should include a scope (or second) paragraph. What is the problem with the following example of that scope paragraph? We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion. a. The statement about the Public Company Accounting Oversight Board is stated incorrectly. b. The statement about assurance is stated incorrectly. c. The statement about misstatements is stated incorrectly. d. The statement about estimations is stated incorrectly. Answer: B The audit report required in Standard 1 by the PCAOB is basically the same as the traditional standard audit report issued prior to the creation of the PCAOB except that the standards of the PCAOB are mentioned rather than U.S. generally accepted auditing standards. In the example given, the one mistake that is made is that “assurance” is mentioned without clarifying that the auditor only seeks “reasonable assurance.” 13. For how long does the Sarbanes-Oxley Act require registered CPA firms to maintain audit documentation generated to support an audit report? a. Three years b. Five years c. Seven years d. Ten years Answer: C The Sarbanes-Oxley Act wanted to ensure that CPA firms would not destroy audit documentation too quickly and, therefore, mandated this period of time for saving all working papers and other evidence gathered.