This Document Contains Chapters 19 to 21

Chapter 19 Professional Conduct, Independence, and Quality Control

Answers to Review Questions

19-1 The three theories of ethical behavior are (1) utilitarian approach, (2) rights-based approach, and (3) justice-based approach.

Utilitarian theory recognizes that decision making involves trade-offs between the benefits and burdens of alternative actions, and it focuses on the consequences of an action on the individuals affected. The theory proposes that the interests of all parties affected, not just one's self-interest, should be considered.

The rights-based theory assumes that individuals have certain rights and that other individuals have a duty to respect those rights. Thus, a decision maker who follows a theory of rights should undertake an action only if it does not violate the rights of any individual.

The justice-based theory is concerned with issues such as equity, fairness, and impartiality. Decisions made within this theory should lead to a fair and equitable distribution of resources among those individuals or groups affected. There may be difficulty in trying to apply this theory in practice because the rights of one or more individuals or groups may be affected when a better distribution of benefits is provided to others.

19-2 Kmart has physical assets and trades in physical goods, but Arthur Andersen’s primary asset was a reputation for competence, professionalism, and integrity. While Kmart could file for bankruptcy and reorganize its business, Andersen’s loss of reputation, its most important operating asset, could not be repaired, resulting in the loss of its clients. Andersen’s fate was essentially sealed long before the firm was convicted on obstruction of justice charges. Interestingly, Andersen’s conviction was later overturned on appeal, but it was too late for the accounting firm.
It is also interesting to note that no major professional services firm has ever survived a federal indictment, much less a conviction, in the U.S.

19-3 The AICPA establishes auditing standards for nonpublic-company audits (through the ASB) and maintains a Code of Professional Conduct, mapping out the primary areas in which ethical conduct is expected of public accountants. The SEC has the legal authority to oversee the public accounting profession but has generally allowed private-sector entities such as the FASB and AICPA to set accounting and auditing standards. However, in 2003 the PCAOB was established to set auditing standards for the audits of public companies. The SEC and PCAOB have set rules regarding conduct and independence of public-company auditors, which differ from the AICPA rules and standards, but at present the Code of Professional Conduct maintained by the PCAOB is still very similar in most respects to that established by the AICPA in 2003, with the exception of the PCAOB’s and SEC’s additional independence requirements for auditors of public companies.

19-4 The AICPA Code of Professional Conduct consists of four major sections: a preface that is applicable to all CPAs, and three “Parts”:
• Preface: Applies to all CPAs; defines ideal Principles of Professional Conduct that are expected of all CPAs.
• Part 1: Applies to CPAs in public practice, including auditors practicing in public accounting firms and government auditors who issue audit and other assurance reports on government entities. Part 1 requires the CPA to be independent of the entities on which he or she is providing assurance.
• Part 2: Applies to CPAs who are working in business but who are not working as auditors that issue assurance reports on which the public will rely. Part 2 of the Code does not require independence but does require integrity and objectivity on the part of CPAs working in any business capacity.
• Part 3: Applies to CPAs who are neither functioning as an auditor nor in business. In such cases, the profession expects that CPAs will behave in certain ways and not engage in any act that would be discreditable to the profession.

Guidance for applying the Rules of Conduct is provided by the Interpretations of Rules of Conduct by the Professional Ethics Executive Committee (PEEC).

19-5 The six Principles of Professional Conduct are:

Responsibilities: In carrying out their responsibilities as professionals, members should exercise sensitive professional and moral judgments in all their activities. This is the responsibility of all CPAs.

The public interest: Members should accept the obligation to act in a way that will serve the public interest, honor the public trust, and demonstrate commitment to professionalism. This is the responsibility of all CPAs.

Integrity: To maintain and broaden public confidence, members should perform all professional responsibilities with the highest sense of integrity. This is the responsibility of all CPAs.

Objectivity and independence: A member should maintain objectivity and be free of conflicts of interest in discharging professional responsibilities. A member in public practice should be independent in fact and appearance when providing auditing and other attestation services. Independence is the responsibility of “Part 1” CPAs, but objectivity is the responsibility of all CPAs.

Due care: A member should observe the profession's technical and ethical standards, strive continually to improve competence and the quality of services, and discharge professional responsibility to the best of the member's ability. This is the responsibility of all CPAs.

Scope and nature of services: A member in public practice should observe the Principles of the Code of Professional Conduct in determining the scope and nature of services to be provided. This is the responsibility of all CPAs.
19-6 The eleven major sections of the Rules of Conduct in Part 1 of the Code of Professional Conduct are:
• Integrity and objectivity
• Independence
• General standards
• Compliance with standards
• Accounting principles
• Acts discreditable
• Contingent fees
• Commissions and referral fees
• Advertising and other forms of solicitation
• Confidential client information
• Form of organization and name

19-7 Interpretation 1.260 permits the following types of personal loans from a financial institution:
• Automobile loans and leases collateralized by the automobile.
• Loans fully collateralized by the cash surrender value of an insurance policy.
• Loans fully collateralized by cash deposits at the same financial institution.
• Credit cards and cash advances on checking accounts where the aggregate outstanding balance is reduced to $10,000 or less by the payment due date.

Normal lending procedures, terms, and requirements are defined as lending procedures, terms, and requirements that are reasonably comparable to those relating to loans of a similar character given to other borrowers during the period in which the loan to the member is given.

19-8 While most of the SEC’s independence rules are very similar to the AICPA’s, the SEC has added some important restrictions in the following areas:

Provision of other professional services
• The SEC prohibits several types of professional services by accounting firms for public company audit and review entities “unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the entity’s financial statements.” The rules do not limit the scope of nonaudit services provided by accounting firms to nonpublic companies or to public companies that are not audit entities. Additionally, accounting firms are allowed to provide certain types of tax services to their audit entities.
Specific categories of nonaudit services that are considered to impair independence if provided to a public company audit entity are:
  o Bookkeeping or other services related to the accounting records or financial statements of the audit entity
  o Financial information systems design and implementation
  o Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
  o Actuarial services
  o Internal audit outsourcing services
  o Management functions or human resources
  o Broker or dealer, investment adviser, or investment banking services
  o Legal services
  o Expert services

Handling of human resource and compensation-related issues
• Lead and engagement quality review partners of public company audit firms are required to “roll off” their clients every five years so that there is a fresh perspective given to the audit on a regular basis. They cannot return to those clients until after a five-year “time-out” period.
• If any client employee with a “financial reporting oversight role” was previously an audit team member within a one-year “cooling-off period,” the firm is prohibited from auditing the client.
• Audit partners must not receive compensation based on selling engagements to the client for services other than audit, review, and attest services, if they are to be considered independent.

Required communications
• The auditor of a public company must report to the company’s audit committee all “critical accounting policies” used by the company, all alternative treatments within GAAP related to material items discussed with management, and other material written communications between the auditor and management.
• The audit committee must be responsible for the appointment, compensation, and oversight of the external auditor’s work.
• Proxy statements and annual reports issued by public companies must disclose 1) audit fees, 2) audit-related fees, 3) tax fees, and 4) all other fees billed during the prior two fiscal years by the principal auditor.
Many of the independence restrictions for public company auditors were in response to specific circumstances that came to light in the frauds of the early 2000s. The changes, many of which were required by the Sarbanes-Oxley Act, are designed to correct these circumstances.

19-9 Section 1.700 specifies five situations when a CPA can disclose confidential information without the client's consent: (1) to meet disclosure and performance requirements under GAAP and GAAS, (2) to comply with a valid subpoena, (3) to allow a review of a member’s professional practice under the authority of the AICPA, a state CPA society, or a state board of accountancy, (4) to comply with an investigative or disciplinary proceeding, and (5) to allow a review of a CPA’s professional practice in conjunction with the purchase, sale, or merger of the practice.

19-10 The following acts are considered discreditable under Section 1.400:
• Discrimination and harassment in employment practices (.010)
• Solicitation or disclosure of CPA examination questions and answers (.020)
• Failure to file tax return or pay tax liability (.030)
• Negligence in the preparation of financial statements or records (.040)
• Failure to follow requirements of governmental bodies, commissions, or other regulatory agencies (.050)
• Confidential information obtained from employment or volunteer activities (.070)
• False, misleading, or deceptive acts in promoting or marketing professional services (.080)
• Improper use of the CPA credential (.100)
• Failure to comply with records requests (.200)

19-11 The following are examples of advertising activities that are prohibited by the Rules of Conduct, as outlined in Interpretation 1.600:
• Creating false or unjustifiable expectations of favorable results.
• Implying an ability to influence any court, tribunal, regulatory agency, or similar body or official.
• Claiming that specific professional services in current or future periods will be performed for a stated fee, estimated fee, or fee range when it is likely at the time of representation that such fees will be substantially increased and the prospective client was not advised of that likelihood.
• Making any other representations that would be likely to cause a reasonable person to misunderstand or be deceived.

These acts are of concern to the profession because of the central role that reputation plays in a CPA’s services. Deceitful advertising will seriously damage the reputation of the CPAs involved as well as negatively affect the reputation of the profession as a whole. Just as with Arthur Andersen, if CPAs are not seen as credible, competent professionals, the demand for a CPA’s services will disappear.

19-12 A firm’s system of quality control should be designed to provide the firm with reasonable assurance that the firm and its personnel comply with professional, legal, and regulatory requirements and that the partners issue appropriate reports (SQCS 8.12). The six elements of quality control and examples of policies or procedures that can be used to fulfill each element are:

Leadership responsibilities for quality within the firm (“tone at the top”):
• Assign management responsibilities so that commercial considerations do not override the quality of the work performed.
• Provide sufficient and appropriate resources for the development, documentation, and support of the firm’s quality control policies and procedures.

Relevant ethical requirements:
• Communicate the firm’s independence requirements to its personnel and, when applicable, others subject to them.
• Require personnel to promptly notify the firm of circumstances and relationships that create a threat to independence so that appropriate action can be taken.
Acceptance and continuance of client relationships and specific engagements:
• Require the firm to obtain such information as it considers necessary in the circumstances before accepting an engagement with a new client, when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client.
• Establish policies and procedures that provide for obtaining an understanding with the client regarding the nature, scope, and limitations of the services to be performed.

Human resources:
• Ensure that the engagement partner has the appropriate competence, capabilities, and authority to perform his role.
• Establish policies and procedures to assign appropriate personnel with the necessary competence and capabilities to perform engagements in accordance with professional standards and applicable legal and regulatory requirements.

Engagement performance:
• Establish policies and procedures setting out the nature, timing, and extent of an engagement quality control review. Such policies and procedures should require that the engagement quality control review be completed before the report is released.
• Establish policies and procedures for addressing and resolving differences of opinion within the engagement team; with those consulted; and, when applicable, between the engagement partner and the engagement quality control reviewer.

Monitoring:
• Communicate to relevant engagement partners, and other appropriate personnel, deficiencies noted as a result of the monitoring process and recommendations for appropriate remedial action.
• Establish policies and procedures designed to provide reasonable assurance that complaints and allegations that the work performed by the firm fails to comply with professional standards and applicable legal and regulatory requirements, and allegations of noncompliance with the firm’s system of quality control, are appropriately dealt with.
19-13 AICPA and PCAOB quality control reviews are similar in that they both aim to ensure that firms comply with relevant quality control standards. Both involve reviewing selected audit and review engagements of the firm. The AICPA’s Peer Review Program (PRP) is designed to review and evaluate those portions of firms’ accounting and auditing practices that are not subject to inspection by the PCAOB. Reviews are performed by firms and individuals approved by the Peer Review Board. PCAOB inspections are conducted by the PCAOB’s own inspection teams. The PCAOB is only required to inspect firms that audit public U.S. companies, while any firm that is a member of the AICPA participates in the AICPA’s PRP.

Answers to Multiple-Choice Questions

19-14 c
19-15 d
19-16 c
19-17 b
19-18 b
19-19 c
19-20 c
19-21 a
19-22 c
19-23 b
19-24 b
19-25 a
19-26 a

Solutions to Problems

19-27
1. The client would clearly benefit from the following nonaudit services:
• Developing an automated accounting system.
• Providing tax-planning advice.
• Outsourcing the internal audit function.
• Developing projections and/or forecasts for the company’s new products.

However, because the client is a public company audit client, the firm would be prohibited from helping the client design or implement a software system and from providing internal audit outsourcing. Provision of tax-planning advice is allowed by SEC independence rules. Assisting the client to develop projections and/or forecasts for the company’s new products and other non-audit work would be subject to approval by the audit committee and would be strictly limited by the principles of not performing a management function, not auditing one’s own work, and not performing an advocacy role.

2. Most of the above non-audit services would not be prohibited if the client were not publicly held, though there are restrictions to be observed.
For example, see the discussion relating to the AICPA’s restrictions regarding financial information systems design and implementation for a non-public client. Also, auditors would have to make sure that they didn’t make managerial decisions or audit their own work when deciding the nature of the services that they could provide.

19-28
a. A CPA may provide such advisory services to an audit client and not impair independence because the member's role is advisory in nature and because the client is a privately held entity (see Section 1.295).
b. The CPA’s independence is not impaired under these circumstances provided the client makes all significant management decisions related to the hiring of new personnel and the implementation of the system. The auditor must also limit his or her supervisory activities to initial instruction and training of personnel and should avoid direct supervision of the actual operation of the system or related activities that would constitute undue involvement in or identification with management functions. The auditor would be prohibited from providing these services for a public company audit client (see Section 1.295).
c. The independence of the auditor, according to section 1.245 of the Code, would be considered impaired whether or not the financial interest is placed in a blind trust.
d. Section 1.270 of the Code indicates that an auditor's independence would be considered impaired if a close relative (e.g., a parent) has a material financial interest in an enterprise of which the auditor is participating in the engagement and has knowledge of the financial interest.
e. Saad’s independence is impaired by his acceptance of payment for the audit fee in stock of the audited entity. Independence is impaired if a member has a direct financial interest in a client during the period of the professional engagement or at the time of expressing an opinion.
The period of professional engagement starts when the member begins to perform professional services requiring independence and ends with the client's or member's notification of that relationship's termination (see section 1.240).
f. Independence is impaired under section 1.230 of the Code because the note is a prohibited loan from the member to the client.

19-29
a. Yes
b. No
c. Yes
d. No

19-30
a. Yes. Signing such a letter would be a known misrepresentation of fact in violation of section 2.130 of the Code.
b. Yes. This would be a violation of section 2.110 of the Code because McDermott's employer is the source of the revenues for the entities being audited.
c. Yes. If a member in industry uses confidential information obtained from an employer for his or her personal benefit, disclosure of the information is considered an act discreditable to the profession in violation of section 2.400 of the Code.
d. No. Section 2.400 states that if a member in industry concludes that the financial statements or records could be materially misstated and do not comply with professional standards, the member should consider whether any responsibility exists to communicate the problem to third parties, such as regulators. However, the CPA should consult his attorney prior to any disclosure.
e. Yes. Under 2.400, a member who, through his or her negligence, makes or permits another to make false and misleading entries in the financial statements has committed an act discreditable to the profession.

19-31
Services that Perez may perform:
• Counsel on potential expansion plans.
• Search for and interview new personnel.
• Train personnel.

Services that Perez may not perform:
• Hire new personnel.
• Supervise the operation of the system.
• Monitor client-prepared source documents and make changes in basic IT-generated data without the concurrence of the client.

Solutions to Discussion Cases

19-32
a.
If Pina, Johnson & Associates audited one of the entities that received one of the large loans, it would not be appropriate for Johnson to seek financial information about that entity from the other auditors in his firm. Release of such information would violate section 1.700.001 of the Code, even if the information were provided to Johnson without his asking for it. The right of confidentiality for that entity would be violated. The possible costs of using the information would be lawsuits and disciplinary actions taken by the AICPA, as well as possible lawsuits filed by Sun City or its stakeholders. The benefit would be that Johnson could gather more reliable evidence, Sun City’s financial statements would be more accurate, and Pina, Johnson & Associates might avoid potential shareholder lawsuits.
b. If Johnson had obtained the information about the possible violations of environmental laws from appropriate sources, such as public records, etc., it would not be unethical to use such information in determining the fair value of the loan to Sun City Savings & Loan. The auditor has an obligation to use such information in assessing the entity's ability to repay the loan. The auditor should consider the rights of the parties involved and the source of the information.

19-33 The Code of Professional Conduct applies to all parties who are members of the AICPA or have CPA licenses, whether or not they are practicing public accounting. There are, however, a number of interpretations of the Code of Professional Conduct that are directed specifically toward individual CPAs working outside of public accounting (see Part 2 of the Code).

19-34
a. No, the independence rule is not violated because Adrian does not occupy a “financial reporting oversight role” for Swiss Precision Tooling; therefore, the one-year “cooling-off” period is not necessary.
b.
Yes, the independence rule is violated because Susana did audit work during the 2017 audit engagement period, which ended on April 14, 2018. To fulfill the SEC requirement for a one-year “cooling off” period, she needed to “sit out” the 2018 audit engagement period, which ran from April 15, 2018 to March 12, 2019. However, Susana took the controllership of Unigate on February 10, 2019, prior to the end of the 2018 audit engagement period. In order to preserve BDB’s independence, Susana would have had to start her financial reporting oversight role with Unigate no sooner than March 13, 2019, assuming Unigate files its 2018 financial report with the SEC on March 12.
c. As long as Janay is not providing the appraisal service for the client, but only as part of the audit to verify the valuation assertion, no violation has been committed. If the appraisal service were performed on behalf of the client, and not strictly for the purposes of verifying the client’s estimates for audit purposes, then this would violate independence standards.
d. No violation exists as long as all of the services are performed in accordance with the SEC’s independence rules, were accepted by the client’s audit committee, and the audit partner does not receive compensation based on selling engagements for nonaudit services.

19-35
1.
a. If the auditor records the “social” time, she may suffer some consequences from her supervisor. She may also cause the team to go over budget. On the other hand, the auditor may be helping the other auditors that work with this client in the future. Further, healthy personal interaction is an important aspect of a healthy business environment. If the auditor doesn’t record the “social” time, she will not suffer any immediate personal consequences and the team will stay on budget, but past a reasonable amount of time, the auditor may be compromising her integrity.
The auditor may also hurt the other auditors that work with this client in the future by establishing unreasonable expectations.
b. The auditor has the right to not have to work on her own time when she is at home. Future auditors that also work with this client have the same right to not have to work on their own time.
c. It is not fair for the supervisor to ask the auditor to give up her personal time to do work that is not going to be recorded. On the other hand, it is not fair for one auditor to affect the performance evaluation of the entire team by making it go over budget.
2. Student answers will vary, depending on their individual viewpoint.

19-36
1.
a. If the auditor signs off on the exception without examining the underlying documents, he will save his and the client’s time. The downside is that if the exception really is a problem, it will go undetected and could cause serious problems for the firm.
b. The client has the right to use his time as he sees fit but also has the right to a properly performed audit. Financial statement users have the right to know about any control problems or to have the problems identified and corrected.
c. It’s not fair for the auditor to deceive those who read the auditor’s report by failing to properly investigate the exception. It’s also not fair for the in-charge senior to ask the auditor to give up his integrity by not looking into the exception.
2. Student answers will vary, depending on their individual viewpoint.

Solution to Internet Assignment

19-37
a. If a covered member belongs to a trade association that is an attest client, management participation or self-review threats to the covered member’s compliance with the Independence rule may exist. Such threats might be effectively mitigated, however, as long as the member did not serve as an officer, director, or in any management capacity. See Interpretation 1.280.020 of the Code.
b.
Independence would not be impaired if, as indicated in the problem, the member’s role is strictly advisory in nature. If any of the activities listed were to cross the line to constitute performance of management activities, independence would be impaired whether or not the company was a private or a public entity (section 1.275.015).
c. Independence is impaired because the member is performing a management function. This is covered by section 1.295.120.
d. The designation by itself would not impair independence, but if a member served in such a capacity then independence would be considered impaired. The member would have to refuse to serve in order to maintain his or her independence (section 1.245.010).
e. Independence would be considered to be impaired if any partner or professional employee of the firm served as a director or officer of the organization and the organization exercised managerial control over the local charities. If the member believes that professional service can be performed objectively and the service is disclosed to and consent is obtained from the involved parties, then the service would be allowed. Otherwise independence is impaired (Interpretation section 1.275.010).
f. If fees pertaining to services provided more than one year prior to the date of the audit report remain unpaid, the auditor’s independence is impaired with respect to that client. However, unpaid fees from a client that is in bankruptcy do not impair the auditor’s independence. This is addressed in section 1.230.010. Because this constitutes a financial interest in the client (it is basically a loan), it also relates to Interpretation 1.260.010.
Chapter 20 Legal Liability

Answers to Review Questions

20-1 The four general stages in the initiation and disposition of audit-related disputes are: (1) the occurrence of events that result in losses for users of the financial statements, (2) the investigation by plaintiff attorneys before filing suit to link the user losses with allegations of material omissions or misstatements of financial statements, (3) the legal process which commences with the filing of the suit, and (4) the final resolution of the dispute.

The first stage includes the events that resulted in the losses; for example, bankruptcy, financial distress, fraudulent financial reporting, and misappropriation of assets. The second stage, pre-suit investigation, may involve investigation activities by plaintiffs and their attorneys before initiating legal proceedings. The third stage involves activities such as filing of complaints, discovery, trial preparation, and the trial. The last stage involves the resolution of the dispute, which may include a summary judgment, a settlement to avoid or discontinue litigation, or a court decision on appeal after a trial.

20-2 Proportionate liability is where each defendant is liable solely for the portion of the damages that corresponds to the percentage of responsibility of that defendant. Under the doctrine of joint and several liability, each defendant is held fully liable for all assessed damages, regardless of the extent to which they contributed to the injury.

20-3 Under common law, an auditor can be held liable to clients for breach of contract, negligence, gross negligence/constructive fraud, and fraud. A client would prefer to sue an auditor for a tort action because larger amounts for damages can be assessed than for a breach of contract.
20-4 The elements required for establishing an auditor's liability for negligence to clients are (1) the duty to conform to a required standard of care, (2) failure to act in accordance with that duty, (3) a causal connection between the auditor's negligence and the client's damage, and (4) actual loss or damage to the client.

20-5 The four standards that have evolved for defining the extent of the auditor's liability to third parties are (1) privity, (2) near privity, (3) foreseen persons or classes, and (4) reasonably foreseeable third parties.

The traditional view held that auditors had no liability under common law to third parties who did not have a privity relationship with the auditor. Privity here means that the obligations that exist under a contract are between the original parties to the contract, and failure to perform with due care results in a breach of that duty only to those parties. Near privity does not require strict privity of contract, but that the third party be known to the auditor and that the auditor has directly conveyed the audit report or acted to induce reliance on the audit report.

Many courts have reexamined the privity notion and substituted the concept of public responsibility. Under the foreseen persons or classes approach, Section 522 of the Restatement (Second) of the Law of Torts is applied to an accountant's third-party liability suit. The Restatement is a compendium of common law prepared by legal scholars and presents an alternative view to the traditional Ultramares doctrine or rule. Finally, a small number of states have adopted a more expansive view of auditors' liability to third parties: the reasonably foreseeable third parties approach. The reasons cited for extending auditors' liability beyond privity include auditors' ability to spread the risk through the use of liability insurance.
Auditors' liability to third parties under common law is complex because court rulings are not consistent across federal and state jurisdictions.

20-6 The Securities Act of 1933 generally regulates the disclosure of material facts in a registration statement for a new public offering of securities. The Securities Exchange Act of 1934 is concerned primarily with ongoing reporting by companies whose securities are listed and traded on a stock exchange or that meet certain other statutory requirements. It is easier for a plaintiff to sue an auditor under the Securities Act of 1933, because the plaintiff does not have to prove negligence or fraud, reliance on the auditor's opinion, a causal relationship, or a contractual relationship; the plaintiff need only prove that a loss was suffered by investing in the registered security and that the audited financial statements contained a material omission or misstatement. The misstatement can be the result of mere ordinary negligence. Thus, this act, and in particular Section 11, is more favorable for plaintiffs than common law, since the burden shifts to the auditor to prove that he or she was not negligent (the "due diligence" defense).

20-7 Under Rule 10b-5, issued by the SEC under Section 10(b) of the Securities Exchange Act of 1934, the following elements must be proved by a plaintiff: (1) the existence of a material, factual misrepresentation or omission, (2) reliance by the plaintiff on the financial statements, (3) damages suffered as a result of reliance on the financial statements, and (4) scienter. The Ernst & Ernst v. Hochfelder case was significant because the Supreme Court ruled that an action under Rule 10b-5 may not be maintained merely by showing that the defendant was negligent; scienter, or intent to deceive, had to be present.
The Supreme Court did not decide whether gross negligence or reckless behavior was sufficient for liability under Section 10(b) or Rule 10b-5, but several courts have since determined that gross negligence or reckless behavior satisfies the scienter requirement of Rule 10b-5.

20-8 Prior to the passage of the Private Securities Litigation Reform Act of 1995, auditors sued under federal statutory law were held to the legal doctrine of joint and several liability. The 1995 Act limits the legal responsibility to proportionate liability, under which each defendant is liable solely for the portion of the damages that corresponds to that defendant's percentage of responsibility (defendants who knowingly committed the violation remain jointly and severally liable). The Act also raises the pleading requirement at the beginning of a case. No longer can plaintiffs plead a general claim of fraud; rather, the plaintiff must state the time, place, and contents of the allegedly false representations, the identity of the person making them, and what he or she obtained as a result of the fraud. In 1998, Congress passed the Securities Litigation Uniform Standards Act in response to concerns that plaintiff lawyers would circumvent the federal legislation and protections brought by the 1995 Act by bringing class action suits involving nationally traded securities in state court. As a result of the 1998 Act, most large class actions against auditors alleging securities fraud must be brought in federal court. The Tellabs, Inc. v. Makor Issues & Rights, Ltd. case made it harder for plaintiffs to hold auditors liable for fraud. In this case, the Supreme Court ruled that in determining whether the plaintiff's complaint pleads a "strong inference" of scienter, a court must consider plausible nonfraudulent explanations as well as fraudulent ones, and that the inference of scienter must be "cogent and at least as compelling as any opposing inference of nonfraudulent intent." In other words, the court determines whether a reasonable person would deem the inference of fraudulent intent to be at least as compelling as any inference of nonfraudulent intent.
This helps avoid determining the strength of the inference in a vacuum. GAAS violations alone are not adequate evidence of scienter. Rather, plaintiffs must plead particular facts giving rise to an inference of scienter that is at least as compelling as any competing nonfraudulent inference. The increased pleading requirements may discourage trivial or baseless lawsuits in which plaintiffs hope to pressure "deep pockets" defendants to settle out of court.

20-9 Numerous sections of the Sarbanes-Oxley Act include criminal provisions. The Act enhances prosecutorial tools available in major fraud cases by expanding statutory prohibitions against fraud and obstruction of justice, increasing criminal penalties for traditional fraud and cover-up crimes, and strengthening sentencing guidelines applicable to large-scale financial frauds. The Act adds a new securities fraud offense and increases authorized penalties for securities and financial reporting fraud (e.g., up to 25 years in prison). It is expected that the Act's increased penalties will result in longer prison terms because of the corresponding changes in the federal sentencing guidelines. The Sarbanes-Oxley Act increases penalties for impeding official investigations, and because most frauds are discovered by employees rather than external auditors, the Act strengthens the legal protections accorded whistleblowers. It is common for employers to retaliate against informants by demoting or firing them. The Act makes it a felony punishable by up to 10 years' imprisonment to retaliate against anyone who voluntarily comes forward to report suspected violations of any federal laws.

20-10 Rule 2(e) of the SEC's Rules of Practice (renumbered as Rule 102(e) in 1995) empowers the SEC to suspend for any person the privilege of appearing and practicing before it. These sanctions can be applied not only to an individual auditor but also to an entire accounting firm.
Typically, if a firm is faced with suspension, it will agree to some type of consent agreement in which the firm does not admit guilt but agrees to lesser sanctions. These sanctions may include not taking on new SEC clients for a specified period of time and submitting to special reviews to ensure that the alleged problems have been corrected. The sanctions can also include substantial fines. The Sarbanes-Oxley Act grants the PCAOB broad investigative and disciplinary authority over registered public accounting firms and persons associated with such firms. When violations are detected, the PCAOB can impose sanctions such as revoking a firm's registration, barring a person from participating in audits of public companies, monetary penalties, and requirements for remedial measures, such as training, new quality control procedures, and the appointment of an independent monitor.

20-11 The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 has a primary mission "To promote the financial stability of the United States by improving the accountability and transparency in the financial system." The Dodd-Frank Act impacts the auditing profession in several ways. Specifically mentioned in the chapter are:
• The Act gives the PCAOB authorization to share its inspection and investigation reports with non-US regulators, which will greatly improve the PCAOB's ability to inspect registered foreign accounting firms.
• The Act revises whistleblower compensation, whereby a whistleblower who brings violations of securities law or the FCPA to the attention of the SEC or U.S. Department of Justice is entitled to 10 to 30 percent of any government recovery in excess of $1 million.
While not specifically mentioned in the chapter, the Act also authorizes the PCAOB to create a program through which it can monitor the auditors of non-public broker-dealers.
20-12 The external auditor may detect activities that violate the FCPA, including violations of codes of conduct that prohibit bribery, insufficient detail to accurately reflect transactions, inadequate systems of internal control, and other violations of the record-keeping and internal control requirements for public companies under the FCPA. Any such violations should be communicated to management immediately.

20-13 Auditors can be held criminally liable under various statutes and regulations. Criminal prosecutions require that some form of criminal intent be present, although many of the laws described in this chapter contain provisions for criminal penalties if the auditor's actions reflect gross negligence or fraud.

Answers to Multiple-Choice Questions

20-14 d
20-15 c
20-16 b
20-17 d
20-18 b
20-19 d
20-20 c
20-21 c
20-22 a
20-23 b
20-24 d
20-25 d

Solutions to Problems

20-26 City Bank is not likely to prevail against Salam based on ordinary negligence. In order to establish a cause of action for negligence against Salam, City must prove that:
• Salam owed a legal duty to protect City.
• Salam breached that legal duty by failing to perform the audit with the due care or competence expected of members of the profession.
• City suffered actual losses or damages.
• Salam's failure to exercise due care proximately caused City to suffer damages.
The facts of this case establish that Salam was negligent by not detecting the overstatement of accounts receivable because of his failure to follow the audit program. However, Salam will not be liable to City for negligence because Salam owed no duty to City. This is the case because Salam was not in privity of contract with City, and the financial statements were neither audited by Salam for the primary benefit of City, nor was City within a foreseen (known and intended) class of third-party beneficiaries who were to receive the audited financial statements.
City Bank is likely to prevail against Salam based on constructive fraud. To establish a cause of action for constructive fraud, City must prove that: • Salam made a materially false statement of fact. • Salam lacked a reasonable ground for belief that the statement was true. Constructive fraud may be inferred from evidence of gross negligence or recklessness. • Salam intended another to rely on the false statement. • City justifiably relied on the false statement. • Such reliance resulted in damages or injury. Under the facts of this case, Salam is likely to be liable to City based on constructive fraud. Salam made a materially false statement of fact by rendering an unqualified opinion on Bell's financial statements. Salam lacked a reasonable ground for belief that the financial statements were fairly presented by recklessly departing from the standards of due care in that it failed to investigate other embezzlements, despite having knowledge of at least one embezzlement, and did not notify Bell's management of the matter. Salam intended that others rely on the audited financial statements. City justifiably relied on the audited financial statements in deciding to loan Becker $600,000 and damages resulted evidenced by Becker's default on the City loan. 20-27 a. The elements necessary to establish negligence are: • A legal duty to protect the plaintiff (Musk) from unreasonable risk. • A failure by the defendant (Apple) to perform or report on an engagement with the due care or competence expected of members of its profession. • A causal relationship, (i.e., that the failure to exercise due care resulted in the plaintiff's loss). • Actual damage or loss resulting from the failure to exercise due care. b. The elements necessary to establish a violation of Rule 10b-5 include: • A material misstatement or omission. • The material misstatement or omission made by the defendant (Apple) with knowledge (scienter). Reckless disregard for the truth may constitute scienter. 
• Justifiable reliance on the misstatement or omission. • The reliance being in connection with the purchase or sale of a security. c. Apple is not in privity of contract with Musk because there is no direct contractual relationship between them. Therefore, in the absence of other factors, Apple would not be liable to Musk for Apple's alleged negligence based on the Ultramares decision. However, the privity defense would not protect Apple if Musk could prove that Apple had committed actual or constructive fraud (that is, Apple owes a duty to all parties, including third parties, to practice its profession in a nonfraudulent manner). 20-28 a. 1. Union Bank will be successful in its negligence suit against Meng. To be successful in a lawsuit for accountant's negligence, there must be: • Duty. • Breach. • Reliance. • Loss. Meng had a duty because it knew that Union would receive the financial statements and was thereby an intended user. Meng was negligent in performing the audit by failing to confirm accounts receivable, which resulted in failing to discover the overstatement of accounts receivable. Meng's failure to confirm accounts receivable was a violation of Meng's duty to comply with generally accepted auditing standards. Union relied on Meng's opinion in granting the loan and, as a result, suffered a loss. 2. Union Bank will be successful in its common-law fraud suit against Meng. To be successful in a lawsuit for common-law fraud, there must be: • An intentional material misstatement or omission. • Reliance. • Loss. Meng was grossly negligent for failing to qualify its opinion after being advised of Butler's potential material losses from the product liability lawsuit by legal counsel. Meng will be liable to anyone who relied on Meng's opinion and suffered a loss as a result of this fraudulent omission. b. 
Butler's stockholders who purchased stock will also be successful in their suit against Meng under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934. Under the act, stock purchasers must show: • Intentional material misstatement or omission (scienter). • Reliance. • Loss. Meng's failure to qualify its opinion for Butler's potential legal liability was material and done intentionally (scienter). Meng will be liable for losses sustained by the purchasers who relied on Meng's opinion. 20-29 a. Knox would recover from Garson for fraud. The elements of fraud are: the misrepresentation of a material fact (because Garson issued an unqualified opinion on misleading financial statements; Garson's opinion did not include adjustments for or disclosures about the embezzlements and insider stock transactions); knowledge or scienter (because Garson was aware of the embezzlements and insider stock transactions); and a loss sustained by Knox (because of Sleek's default on the loan). b. 1. The general-public purchasers of Sleek's stock offerings would recover from Garson under the liability provisions of Section 11 of the Securities Act of 1933. Section 11 of the Act provides that anyone, such as an accountant, who submits or contributes to a registration statement or allows material misrepresentations or omissions to appear in a registration statement is liable to anyone purchasing the security who sustains a loss. Under the facts presented, Garson could not establish a "due diligence" defense to a Section 11 action because it knew that the registration statement failed to disclose material facts. 2. The general-public purchasers of Sleek's stock offerings would also recover from Garson under the antifraud provisions of Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934. 
Under Rule 10b-5, Garson's knowledge that the registration statement failed to disclose a material fact, such as the insider trading and the embezzlements, is considered a fraudulent action. The omission was material. Garson's action was intentional or, at a minimum, a result of gross negligence or recklessness (scienter). These purchasers relied on Garson's opinion on the financial statements and incurred a loss. Solutions to Discussion Cases 20-30 a. The bases for shareholders' and creditors' suits against CD&A under state common law include: • Breach of contract: The relationship between CD&A and Lestrad is contractual and requires that the CPAs' performance be rendered in a competent manner. The shareholders and creditors may claim breach of contract as third-party beneficiaries of the contract between the CPAs and Lestrad, since it could be held that the contract was entered into for their benefit and therefore they are in privity with the CPAs. • Negligence: The shareholders and creditors could assert an independent claim of negligence in addition to the action for breach of contract. Negligence will be established when the CPAs fail to exercise reasonable care, taking into account such superior skill and knowledge the CPAs have or hold themselves out as having. Despite their lack of contractual privity, the shareholders and creditors will probably be able to successfully assert this action if they can show that they are members of a class of persons intended to benefit from the services performed by the CPAs and that this was reasonably foreseen by the CPAs. • Actual fraud or constructive fraud: Recent court decisions have substantially eroded the privity barrier faced by third parties. CD&A may be held liable for actual fraud if it can be shown that they intentionally deceived the shareholders and creditors. 
CD&A may be held liable for constructive fraud if there are deficiencies or lapses in their professional work of such a magnitude that they constitute gross negligence or a reckless disregard for the truth. b. The bases for shareholders’ and creditors’ suits against Conan Doyle & Associates (CD&A) under the federal Securities Acts include: • That a violation of the 1933 act has occurred as a result of misstatements or omissions in the prospectus or elsewhere in the registration statement required in order to "sell" the securities. The Securities and Exchange Commission has ruled that the issuance and exchange of stock pursuant to a merger constitutes a "sale" within the meaning of the Securities Act of 1933. • That a violation of the antifraud provisions of the 1934 act and of Rule 10b-5 issued pursuant thereto has occurred since misstatements and omissions of material facts may be fraudulent. Additionally, the antifraud provision (Sec. 17) of the 1933 act could be asserted. • That a violation of the reporting requirements of the Securities Exchange Act of 1934 has occurred to the extent that false or misleading statements were included or material facts were omitted in the reports or other documents relating to the merger that were filed with the SEC. • That a violation of the proxy rules of the Securities Exchange Act of 1934 resulted from misstatements in or omissions from the merger proxy statement used in soliciting shareholder approval. 20-31 Students will form their own opinions. Possible arguments for and against include: Yes SOX Will Deter Fraud • By requiring top executives to certify the fairness of financial statements and the effectiveness of internal controls, SOX will deter fraud because top executives will take their responsibility for financial reporting more seriously. • SOX improves corporate governance and tone at the top as well as other controls, which will reduce the opportunities for fraud. 
• SOX clarifies and increases criminal liability for corporate officers. • SOX increases punishment for corporate fraud to better fit the damages caused. • SOX has raised the level of performance of internal and external auditors, which will reduce the incentive and opportunity to commit fraud. No SOX Will Not Deter Fraud • Honesty and ethical behavior cannot be legislated. • Fraudsters seem to stay one step ahead of the rules, laws, and audit tests. • There is limited evidence that white collar crime will not continue to pay well (huge financial rewards, small financial costs, and some limited time in a comfortable correctional facility). • Most corporate fraud involves management override of controls and collusion, at the same time auditors will be relying more on controls due to AS2 (Section 404) related work. • Internal and external auditors are so busy just trying to comply with the new requirements related to AS2 (Section 404) that they may be less effective at detecting fraud. • The legislation does not increase the ability for law enforcement to find and detect fraud. Chapter 21 Assurance, Attestation, and Internal Auditing Services Answers to Review Questions 21-1 Assurance services are independent professional services that improve the quality of information, or its context, for decision makers. The definition focuses on decision-making because good decision-making requires quality information that can be financial or nonfinancial. An assurance service engagement can aid the decision maker in searching through the available information in order to identify which pieces of information are relevant for the required decision and in improving the quality of the information or its context. An assurance service engagement can also improve quality through increasing confidence in the information’s reliability and relevance. 21-2 SSAE No. 
18 says an attest engagement occurs when a practitioner is engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or an assertion about subject matter, that is the responsibility of another party. Attestation engagements are a subset of assurance services (see Figure 21-1) but they focus specifically on performing and reporting on engagements that enable practitioners to report on subject matter other than financial statements. Assurance services that are not attest services do not necessarily involve issuance of a report by the auditor with respect to subject matter or an assertion about subject matter that is the responsibility of another party. Non-attest assurance services provide clarity around information or the context of the information to help clients make decisions, but the practitioner does not “attest to” that information. 21-3 Attestation standards provide for three types of engagements: (1) examination, (2) review, and (3) agreed-upon procedures. However, an individual SSAE may prohibit one or more of these types of engagements relating to specific subject matter. For example, in reporting on a nonpublic entity’s internal control, the auditor may perform either an examination or an agreed-upon procedures engagement, but may not perform a review engagement. Examples of attestation engagements are (1) reporting on an entity's internal control over financial reporting, (2) providing assurance on financial forecasts and projections, and (3) providing assurance on compliance with the requirements of specified laws, regulations, rules, contracts, or grants. 21-4 The accountant can satisfy the requirement that the specified users take responsibility for the sufficiency of the procedures to be performed by doing one of the following: • Comparing the procedures to be applied to written requirements of the specified users. 
• Discussing the procedures to be applied with an appropriate representative of the specified users. • Reviewing relevant contracts with or correspondence from the specified users. 21-5 Many companies are now required by law to report on internal control. The Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 requires that the management of large financial institutions, whether publicly or privately held, issue a report on the effectiveness of internal control and that these institutions engage accountants to attest to the report. The Sarbanes-Oxley Act of 2002 imposes similar requirements on all publicly traded companies. While an audit of internal control is not a legal requirement for privately held companies (other than certain financial institutions covered by FDICIA), some such companies may choose to engage accountants to provide attestation services regarding internal control if deemed necessary to better evaluate internal control over financial reporting or to provide additional assurance to third parties. 21-6 Prospective financial statements are either financial forecasts or financial projections. Financial forecasts are prospective financial statements that present an entity's expected financial position, results of operations, and cash flows. They are based on assumptions reflecting conditions the responsible party expects to exist and the course of action it expects to take. Financial projections are prospective financial statements that present, given one or more hypothetical assumptions, an entity's expected financial position, results of operations, and cash flows. The primary difference between the two is that the financial projection is based on hypothetical assumptions and is intended to respond to a question such as "What would happen if...?" A financial projection is sometimes prepared to present one or more hypothetical courses of action for evaluation. 
Additionally, financial projections can be used only for limited distribution to specified parties, while forecasts can be generally distributed. 21-7 Three types of services can be performed under SSARS: (1) preparation of financial statements, (2) compilation of financial statements, and (3) review of financial statements. 21-8 In conducting a compilation, the accountant must have the following knowledge about the entity: • The accounting principles and practices of the industry in which the entity operates. • A general understanding of the entity’s organization; its operating characteristics; and the nature of its assets, liabilities, revenues, and expenses. • An understanding of the accounting principles and practices used by the client. In conducting a review, the accountant must possess the following knowledge about the entity: • The accounting principles and practices of the industry in which the entity operates. • A general understanding of the entity's organization; its operating characteristics; and the nature of its assets, liabilities, revenues, and expenses. • An understanding of the accounting principles and practices used by the entity in measuring, recognizing, recording, and disclosing all significant accounts and disclosures in the financial statements. 21-9 Corporate governance entails all management-administered policies and procedures to control risk and oversee operations within a company. The IAF can help management and the board identify and manage risk, and can help ensure the compliance of the organization with applicable laws, rules, and regulations. In addition, if reporting responsibilities are properly defined, the internal audit function can assist the audit committee in ensuring that executive management is exercising responsible and appropriate stewardship over the entity’s resources for the benefit of the entity’s stakeholders. 
21-10 Internal auditors play a direct role in helping management comply with at least two sections of the Sarbanes-Oxley Act. By testing internal control over financial reporting, the internal audit function directly assists management to certify the effectiveness of internal controls as per Section 404. In so doing, internal auditors provide a degree of assurance that internal controls over the reliability of financial reporting are working as planned. This assurance facilitates senior management’s responsibility to certify to the accuracy of the financial statements as required by Section 302. 21-11 The AICPA Special Committee on Assurance Services developed the following six assurance services: Risk assessment-assurance that the entity’s profile of business risks is comprehensive and evaluation of whether the entity has appropriate systems in place to effectively manage those risks. Business performance measurement-assurance that an entity’s performance measurement system contains relevant and reliable measures for assessing the degree to which the entity’s goals and objectives are achieved or how its performance compares to competitors. Information system reliability-assurance that an entity’s internal information systems provide reliable information for operating and financial decisions. Electronic commerce-assurance that systems and tools used in electronic commerce provide appropriate data integrity, security, privacy, and reliability. Health care performance measurement-assurance about the effectiveness of health care services provided by HMOs, hospitals, doctors, and other providers. PrimePlus-assurance that specified goals regarding the elderly are being met by various caregivers. 21-12 There are three broad categories of risks associated with electronic commerce: business practices, transaction integrity, and information protection. 
As seen in Table 21–7, Trust Services are built on five criteria:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the entity's objectives.
Processing Integrity: System processing is complete, accurate, timely, and authorized to meet the entity's objectives.
Confidentiality: Information designated as confidential is protected to meet the entity's objectives.
Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

21-13 A Trust Services engagement is performed as an examination under the attestation standards. In performing a Trust Services engagement, the practitioner uses guidance provided in SSAE No. 18 and COSO's Internal Control—Integrated Framework. In such an examination, the practitioner expresses a positive opinion as to whether the presentation of assertions conforms to the AICPA's Trust Services principles and criteria. An e-commerce company might consider purchasing this service because threats exist to the safety of electronic business. Users of the company's services might worry whether the entity is legitimate or whether it follows good business practices and won't defraud them. Similarly, they might want assurance that electronic transactions will not be changed, lost, duplicated, or processed incorrectly, and that private information will be protected.

21-14 A SOC 2 report provides detailed information for management's use to ensure that the organization's system controls are effective with respect to Trust Services criteria, such as security and availability.
A company doing a large amount of online business may want to provide assurance to specified users that all online resources are secure and working effectively. A SOC 3 report contains a high-level overview of information generally contained in SOC 2 and is for a broad group of external users. A company doing business online might want a SOC 3 report in order to assure website users that information stored with them will be kept confidential and private. A SOC for Cybersecurity would also be extremely beneficial to address issues regarding data breaches and additional online security threats.

Answers to Multiple-Choice Questions

21-15 d
21-16 b
21-17 d
21-18 c
21-19 b
21-20 a
21-21 c
21-22 b
21-23 d
21-24 c
21-25 a
21-26 c
21-27 b
21-28 c
21-29 d

Solutions to Problems

21-30 A compilation is defined as presenting, in the form of financial statements (prospective financial information, pro-forma financial information, or other historical financial information), information that is the representation of management or owners without the accountant expressing any assurance on the statements. A review is defined as the performance of inquiry and analytical procedures to provide the accountant with a reasonable basis for expressing limited assurance that no material modifications should be made to the financial statements in order for them to conform to GAAP or another comprehensive basis of accounting. An audit is defined as a process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria. An audit provides the most assurance, followed by a review, and finally a compilation.

21-31 a. A compilation of prospective financial statements involves
• Assembling, to the extent necessary, the prospective financial statements based on the responsible party's assumptions.
• Performing the required compilation procedures, which include reading the prospective financial statements with their summaries of significant assumptions and accounting policies and considering whether they appear to be (1) presented in conformity with the attestation standards and (2) not obviously inappropriate.
• Issuing a compilation report.

b.
Independent Accountant’s Report

Board of Directors
Cheaney Rental Properties

We have compiled the accompanying forecasted balance sheet, statements of income, retained earnings, and cash flows of Cheaney Rental Properties as of December 31, 2018, and for the year then ending, in accordance with attestation standards established by the American Institute of Certified Public Accountants.

A compilation is limited to presenting, in the form of a forecast, information that is the representation of management and does not include evaluation of the support for the assumptions underlying the forecast. We have not examined the forecast and, accordingly, do not express an opinion or any other form of assurance on the accompanying statements or assumptions. Furthermore, there will usually be differences between the forecasted and actual results, because events and circumstances frequently do not occur as expected, and those differences may be material. We have no responsibility to update this report for events and circumstances occurring after the date of this report.

21-32 The following deficiencies were noted in Currie’s draft:
• The report does not contain the heading "Independent Accountant’s Report."
• The report is not dated.
• standards established by the American Institute of Certified Public Accountants."
• The last word in the paragraph should be followed by "in the preparation and presentation of the projection."
• The report should state that management is responsible for the projection.
• The report should state for whom the examination was prepared and for what purpose.
• The report should state the auditor’s responsibility to express an opinion on the examination.
Second paragraph:
• The information in the second paragraph is correct, but it should normally be in the third paragraph. The second paragraph should state the standards according to which the examination was performed.
• The report should state the practitioner’s belief that the examination provides a reasonable basis for his or her opinion.
Third paragraph:
• The third paragraph, which is missing, should include the sentence "We have no responsibility to update this report for events and circumstances occurring after the date of the report."
Fourth paragraph:
• The fourth paragraph, which is missing, should limit the use of the projection to those for whom it was intended.

21-33 Deficiencies in the report on the compiled financial statements are as follows:
First paragraph:
• The financial statements are not properly identified.
• The expression "to obtain limited assurance" should not be used.
• The practitioner should not claim that the financial statements are free of material misstatements.
Second paragraph:
• No problems.
Third paragraph:
• The sentence about the compilation’s scope being less than that of an audit is inappropriate.
• Reference to the objective of a compilation is omitted.
• Reference to the financial statements not having been reviewed is omitted.
• Reference to not providing "any assurance" is omitted.
Fourth paragraph:
• Reference to the omission of the statement of cash flows is omitted.
• There should be a statement that the financial statements are not designed for those uninformed about the omitted disclosures.
Fifth paragraph:
• There is no problem with the accountant describing the reason for the lack of independence, provided that all reasons are included in the description.
Inclusion of the sixth paragraph is inappropriate. The accountant’s compilation report is not dated October 25, 2018.

21-34
1. C
2. I
3. I
4. I
5. I
6. I
7. C
8. C
9. C
10. I
11. C
12. C
13. C

21-35 a. Consumers are reluctant to engage in electronic commerce for several reasons. First, consumers want to know that the entity behind the website is "real." In other words, how can consumers be sure that the entity follows good business practices and that they will not be defrauded? Second, consumers are worried that electronic transactions will be changed, lost, duplicated, or processed incorrectly. Lastly, consumers are concerned that private information will be stolen.
b. Your firm can perform a Trust Services engagement and issue a SOC 2 report that provides assurance about Park Corporation’s security, availability, processing integrity, confidentiality, and privacy. This report would be most useful because it is directed at members of management, such as HeeSoo Park, who want assurance regarding the Trust Services Criteria.
c. In addition to a SOC 2 report for management, the firm can also provide a SOC 3 report for Park Corporation’s customers. A SOC 3 report is typically a higher-level overview of the detailed information that would ordinarily be found in a SOC 2 report, and it is intended for general use. Topics included in the report would include items such as the efforts taken by the Company to keep customer information private and secure, along with the availability of information on the website regarding the Company’s sporting goods business.

Solution to Discussion Case
21-36 a. A practitioner may perform an agreed-upon procedures engagement to evaluate an entity’s written assertion that it was in compliance with its state’s environmental laws and regulations provided that
• The practitioner is independent.
• The responsible party will provide the assertion in writing to the practitioner prior to the issuance of his or her report.
• The practitioner and specified users agree upon the procedures performed or to be performed.
• The specified users take responsibility for the sufficiency of the agreed-upon procedures for their purposes.
• The specific subject matter to which the procedures are to be applied is subject to reasonably consistent estimation or measurement.
• The criteria to be used in the determination of findings are agreed upon between the practitioner and the specified users.
• The procedures to be applied to the specific subject matter are expected to result in reasonably consistent findings using the criteria.
• Evidential matter related to the specific subject matter to which the procedures are applied is expected to provide a reasonable basis for expressing the findings in the practitioner’s report.
• Where applicable, the practitioner and the specified users agree on any materiality limits for reporting purposes.
• Use of the report is restricted to the specified users.
In addition, the practitioner should obtain an understanding of the specified compliance requirements by considering the following:
• Laws, regulations, rules, contracts, and grants that pertain to the specified compliance requirements, including published requirements.
• Knowledge about the specified compliance requirements obtained through prior engagements and regulatory reports.
• Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals within the entity (e.g., the chief financial officer, internal auditors, legal counsel, compliance officer, or grant or contract administrators).
• Knowledge about the specified compliance requirements obtained through discussions with appropriate individuals outside the entity (e.g., a regulator or third-party specialist).
b. If the entity maintained an internal control system that monitored the entity’s compliance with its state environmental laws and regulations, the practitioner would evaluate the effectiveness of the system as follows:
• Obtain an understanding of the relevant portions of the internal control system over compliance sufficient to plan the engagement and to assess control risk for compliance with the specified requirements.
• Obtain an understanding of the design of specific internal controls by performing inquiries of appropriate management, supervisory, and staff personnel; inspection of the entity’s documents; and observation of the entity’s activities and operations.
• If control risk is to be assessed below the maximum, perform tests of controls to support the assessed level of control risk.

Solutions to Internet Problems
21-37 a. The mission is stated as follows: Internal Auditor’s mission is to arm practitioners with the cutting-edge information and practices they need to do their jobs today and tomorrow.
b. From the homepage, under the "Certification" tab, click on the "Why Become Certified?" link. There, the IIA’s website indicates that there are many reasons to obtain an official IIA certification designation. Whether it is the Certified Internal Auditor® (CIA) designation or one of the IIA’s three specialty industry certifications, obtaining a certification signals professionalism.
On the task bar on the left of the page you will find a link titled "Six Steps to Certification." This link provides information on the exam and states that the CIA designation is "the only globally accepted certification for internal auditors and remains the standard by which individuals demonstrate their competency and professionalism in the internal auditing field." The site also indicates that those who complete the program are "enriched with educational experience, information, and business tools that can be applied immediately in any organization or business environment."

21-38 a. The five broad areas in which the Trust Services Criteria are organized are as follows:
• Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
• Availability: Information and systems are available for operation and use to meet the entity’s objectives.
• Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
• Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.
• Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
b. A SOC 1 report is obtained by a service organization that provides outsourced accounting or other data/information services (e.g., payroll) and wishes to provide assurance that the controls at the service organization relevant to its user entities’ financial reporting are in place. A type 1 SOC 1 report covers the fairness of the description of the system and the suitability of the design of the service organization’s controls as of a specified date; a type 2 SOC 1 report covers both the design and the operating effectiveness of those controls over a specified period.
A SOC 2 report is restricted to use by the management of the organization or by specified users with detailed knowledge and understanding of the organization and its system. A SOC 2 engagement will vary depending on the circumstances and the information system being examined, but the report will typically consist of at least four sections: (1) management’s description of the information system relevant to the Trust Services criteria (or criterion) being reported upon; (2) management’s assertion(s) relating to (a) the accuracy of the description of its system and relevant controls, (b) the effectiveness of the design of relevant controls, and (c) the operating effectiveness of relevant controls (if the report is a Type 2 SOC 2 report); (3) the practitioner’s restricted-use report, which provides an opinion on each of management’s assertions; and (4) a description of the applicable Trust Services criteria, together with a description of the controls that were tested, how they were tested, and the results of the tests. Exhibit 21-9 shows an example of a practitioner’s report.
A SOC 3 engagement is similar to a SOC 2 engagement in that the practitioner assesses whether (a) management has provided an accurate description of its information system, and (b) the controls within the system were effective in accordance with the applicable Trust Services criteria. A SOC 3 report is ordinarily intended for general use, to provide assurance to a broad group of external users. SOC 3 reports typically provide a higher-level overview of the detailed information that would ordinarily be found in a SOC 2 report.

21-39 Answers to this question may vary based on the year for which the SOC 3 report is pulled.
a. For the period ending 30 April 2017, EY was the accounting firm that performed the attestation engagement.
References to the Trust Services Principles and Criteria of security, availability, processing integrity, confidentiality, and privacy are all noted under the "Approach" section of the report.
b. Because of the high volume of users that Google serves daily, the company has an incentive to have a CPA firm issue a SOC 3 report that assures all users that the Cloud Platform system is reliable and satisfies the Trust Services Criteria. Users may be wary of using a cloud service to store personal information if it has not been verified by an outside party.

Solution Manual for Auditing and Assurance Services: A Systematic Approach, William F. Messier, Steven M. Glover, Douglas F. Prawitt. ISBN 9781260687637, 9780077732509, 9781259162312