Which of the following is true regarding the principle of auditor independence?


.01         In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditor or auditors.

.02         The statement in the preceding paragraph requires that the auditor be independent; aside from being in public practice (as distinct from being in private practice), he must be without bias with respect to the client since otherwise he would lack that impartiality necessary for the dependability of his findings, however excellent his technical proficiency may be. However, independence does not imply the attitude of a prosecutor but rather a judicial impartiality that recognizes an obligation for fairness not only to management and owners of a business but also to creditors and those who may otherwise rely (in part, at least) upon the independent auditor's report, as in the case of prospective owners or creditors.

.03        It is of utmost importance to the profession that the general public maintain confidence in the independence of independent auditors. Public confidence would be impaired by evidence that independence was actually lacking, and it might also be impaired by the existence of circumstances which reasonable people might believe likely to influence independence. To be independent, the auditor must be intellectually honest; to be recognized as independent, he must be free from any obligation to or interest in the client, its management, or its owners. For example, an independent auditor auditing a company of which he was also a director might be intellectually honest, but it is unlikely that the public would accept him as independent since he would be in effect auditing decisions which he had a part in making. Likewise, an auditor with a substantial financial interest in a company might be unbiased in expressing his opinion on the financial statements of the company, but the public would be reluctant to believe that he was unbiased. Independent auditors should not only be independent in fact; they should avoid situations that may lead outsiders to doubt their independence.

.04        The profession has established, through the AICPA's Code of Professional Conduct, precepts to guard against the presumption of loss of independence. "Presumption" is stressed because the possession of intrinsic independence is a matter of personal quality rather than of rules that formulate certain objective tests. Insofar as these precepts have been incorporated in the profession's code, they have the force of professional law for the independent auditor.

.05        The Securities and Exchange Commission (SEC) has also adopted requirements for independence of auditors who report on financial statements filed with it.

.06        The independent auditor should administer his practice within the spirit of these precepts and rules if he is to achieve a proper degree of independence in the conduct of his work.

.07        To emphasize independence from management, many corporations follow the practice of having the independent auditor appointed by the board of directors or elected by the stockholders.

External Auditing

Stephen D. Gantz, in The Basics of IT Audit, 2014

Independence in external auditing

Auditor independence—meaning independence of both the firm engaged to perform external audits and the individual auditors who conduct the audits—is a central facet of external auditing. The previous chapter emphasized the importance of auditor independence and objectivity to internal auditing and noted the challenge to achieve true independence in internal auditing when the auditors are employees of the organization being audited. Aside from the contractual and financial relationship between an organization and its external auditors, maintaining the independence of external auditors is a strict requirement in most legal and regulatory forms of auditing, especially when the subject organization is a publicly traded entity. The lack of auditor independence in the accounting scandals and subsequent bankruptcy of major corporations including Enron and WorldCom, coupled with the subsequent dissolution of accounting firm Arthur Andersen, significantly influenced the inclusion of more stringent independence requirements in the Sarbanes–Oxley Act and subsequent rule-making by the SEC and the Public Company Accounting Oversight Board (PCAOB). The European Commission proposed and adopted similar rules in the wake of both major US corporate problems and similar scandals among European companies including Italian food producer Parmalat and Dutch retailer Ahold. The net result of these major corporate audit and accounting failures is a current regulatory environment in which auditor independence is considered absolutely essential.

The Enron scandal that came to light in 2001 involved audit failures at many levels by multiple parties, including several members of the executive management team at Enron and partners, auditors, and other employees at Arthur Andersen. Although the accounting fraud and collusion between Enron and its auditors was primarily financial, the case provides a clear example of the potential results when significant conflicts of interest exist between organizations and their auditors. It also illustrates much of the rationale behind provisions included in the Sarbanes–Oxley legislation enacted as a response to Enron and several other large-scale corporate accounting and auditing cases that the US Congress believed undermined confidence in American securities markets. Changes in many international legal and regulatory auditing requirements were similarly influenced by Enron and other American company scandals and the role of what was at the time one of the five largest external auditing and accounting firms.

Independence is not a recently introduced requirement; the Securities Exchange Act of 1934 explicitly mandates that members of the audit committee, comprising members from the board of directors, be independent and that the work of auditors (including the delivery of reports containing their findings) be submitted directly to the audit committee [6]. The Sarbanes–Oxley Act greatly expanded the definition of independence by specifying nine types of nonaudit activities that firms engaged to perform external audits are prohibited from performing while under contract to conduct audits. Prohibited activities comprise business and information technology services including:

1. “bookkeeping or other services related to the accounting records or financial statements of the audit client;

2. financial information systems design and implementation;

3. appraisal or valuation services, fairness opinions, or contribution-in-kind reports;

4. actuarial services;

5. internal audit outsourcing services;

6. management functions or human resources;

7. broker or dealer, investment adviser, or investment banking services;

8. legal services and expert services unrelated to the audit;

9. any other service that the Board determines, by regulation, is impermissible” [5].

The SEC issued new rules updating its auditor independence requirements in a manner consistent with provisions in the Sarbanes–Oxley Act, including prohibitions on nonaudit services; the need for audit committees to preapprove any nonaudit services or exemptions to prohibitions; mandatory rotation of the lead audit partner at least every 5 years; and additional conflict of interest protections that preclude audit firms from auditing organizations whose management team includes members previously employed by the audit firm [7]. The PCAOB, a governing body established by the Sarbanes–Oxley Act, also mandates ethics and independence rules for firms registered with the Board to conduct audits of public companies. Outside the United States, the European Commission Directive on statutory audits [5] and the International Standards on Auditing mandated for use in that Directive both require independence between auditors and audit firms and the listed entities they audit [8].


URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000043

Information Security Laws and Regulations

Mark Osborne, in How to Cheat at Managing Information Security, 2006

Sarbanes-Oxley 2002

At the beginning of the new century, a plethora of informal recommendations came down from the Securities and Exchange Commission (SEC) about auditor independence after a number of well-publicized cases of false reporting. With the full extent of the Enron case coming to light, the Sarbanes-Oxley Act was introduced.

As an instrument for accounting reform and investor protection, this legislation was intended to reestablish investor confidence. It also was intended to reduce the stranglehold that the Big Six accounting firms had on professional services in larger corporations. Unfortunately, the law resulted in so much process design work, the Big Six didn’t notice any revenue loss.

Key sections of the act include Sections 201, 302, and 404.

Section 201

Relating to auditor independence, your auditor is no longer allowed to perform activities such as financial information systems design and implementation; internal audit outsourcing services; and legal services and expert services (including security).

Section 302

The CEOs and CFOs of the accounting company’s clients must sign statements verifying the completeness and accuracy of financial reports.

Section 404

CEOs, CFOs, and auditors must report on and attest to the effectiveness of internal controls for financial reporting. This report shall:

State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491105500117

Introduction to General Security Concepts

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

SOX

SOX is the Sarbanes-Oxley Act. SOX is a government act enacted in 2002. SOX came about because of the number of corporate accounting scandals that had surfaced. The intent of SOX is to set financial guidelines for publicly traded companies. These guidelines are intended to help ensure that companies are being forthright and meeting their financial obligations to investors. The main goals of SOX are to increase transparency and force accountability.

SOX has 11 titles that define regulations for financial reporting and auditing. They are as follows:

Title I: Public Company Accounting Oversight Board. This title establishes an independent board to oversee auditors and auditing.

Title II: Auditor Independence. The purpose of this title is to prevent third-party auditors from having conflicts of interest.

Title III: Corporate Responsibility. This title assigns corporate executives responsibility for financial documents.

Title IV: Enhanced Financial Disclosures. This title establishes enhanced requirements for financial reports.

Title V: Analyst Conflicts of Interest. This title defines a code of conduct for financial analysts.

Title VI: Commission Resources and Authority. This title gives the Securities and Exchange Commission (SEC) the ability to censure securities professionals.

Title VII: Studies and Reports. This title requires the Comptroller General and the SEC to perform various studies related to accounting and financial reporting.

Title VIII: Corporate and Criminal Fraud Accountability. This title describes the penalties for altering or destroying financial records.

Title IX: White-Collar Crime Penalty Enhancement. This title recommends stronger sentences for white-collar crimes.

Title X: Corporate Tax Returns. This title says that the company CEO has to sign the company's tax return.

Title XI: Corporate Fraud Accountability. This title states that corporate fraud and records tampering are criminal offenses and specifies penalties for these offenses.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495943000016

Change Control Management

Kelly C. Bourne, in Application Administrators Handbook, 2014

7.7 Sarbanes-Oxley or SOX

Virtually everyone in IT has heard of the Sarbanes-Oxley Act of 2002, or SOX as it is commonly referred to, but relatively few know exactly how it works. Since SOX has an impact on so many applications, it is briefly covered here. For a complete understanding of the provisions of the Sarbanes-Oxley Act there are numerous books on the topic. Chapter 22 will provide additional information on SOX and other ways that the government impacts your application.

The stated purpose of the SOX act is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” Among the many provisions included are:

Higher level of auditor independence

SOX compliance is limited to publicly traded companies

Requires executives of public corporations to sign the auditor report attesting to its accuracy

Increases penalties, both civil and criminal, for securities violations

Works to ensure that financial reporting is done with full disclosure

How does SOX impact IT personnel, specifically Application Administrators? If your application contains financial information for the organization, then you will be affected. Some ways in which an Application Administrator can be impacted include:

Authentication of users

Separation of duties, e.g., the same person can’t change the code and also install the change

Audit trails of who changed what, when a change was made, etc., need to be maintained

Access to the application must be controlled and documented

Activity by IT personnel outside of standardized business practices needs to be monitored
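The separation-of-duties and audit-trail items above are the two an Application Administrator can actually enforce in software. The following is an added illustration, not code from the book or from any particular product: a small change-control workflow in which the author of a change may neither approve nor install it, every action (including refused ones) is appended to a hash-chained audit trail recording who did what and when, and the trail can be verified for tampering. The change identifiers, user names and the exact policy (author excluded from approve and deploy) are assumptions made for the example.

```python
"""Separation of duties plus a tamper-evident audit trail for change control.

Added example; the policy, user names and change IDs are assumptions.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold two roles the policy keeps apart."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    author: str
    approver: Optional[str] = None
    deployer: Optional[str] = None


class AuditTrail:
    """Append-only log; each entry's hash covers the previous entry's hash,
    so editing or deleting any earlier entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, change_id, when=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "actor": actor,
            "action": action,
            "change_id": change_id,
            "at": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": prev,
        }
        self.entries.append({**body, "hash": self._digest(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        """True only if every entry links to its predecessor and hashes correctly."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ChangeControl:
    """Workflow that refuses the author as approver or deployer and logs everything."""

    def __init__(self, trail):
        self.trail = trail

    def approve(self, cr, approver):
        if approver == cr.author:
            self.trail.record(approver, "approve-denied", cr.change_id)
            raise SeparationOfDutiesError(f"{approver} cannot approve their own change")
        cr.approver = approver
        self.trail.record(approver, "approve", cr.change_id)

    def deploy(self, cr, deployer):
        if cr.approver is None:
            raise RuntimeError("change has not been approved")
        if deployer == cr.author:
            self.trail.record(deployer, "deploy-denied", cr.change_id)
            raise SeparationOfDutiesError(f"{deployer} cannot install their own change")
        cr.deployer = deployer
        self.trail.record(deployer, "deploy", cr.change_id)


def run_demo():
    """Walk one constructed change through the workflow and report what happened."""
    trail = AuditTrail()
    cc = ChangeControl(trail)
    cr = ChangeRequest("CHG-1001", "Update tax-rate table", author="alice")
    trail.record("alice", "submit", cr.change_id)
    results = {}
    try:
        cc.approve(cr, "alice")  # author tries to self-approve: refused and logged
        results["author_approval_blocked"] = False
    except SeparationOfDutiesError:
        results["author_approval_blocked"] = True
    cc.approve(cr, "bob")
    try:
        cc.deploy(cr, "alice")  # author tries to install: refused and logged
        results["author_deploy_blocked"] = False
    except SeparationOfDutiesError:
        results["author_deploy_blocked"] = True
    cc.deploy(cr, "carol")
    results["deployed_by"] = cr.deployer
    results["entries"] = len(trail.entries)
    results["trail_valid"] = trail.verify()
    tampered = copy.deepcopy(trail)
    tampered.entries[0]["actor"] = "mallory"  # rewrite history on a copy
    results["tamper_detected"] = not tampered.verify()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Refused actions are written to the trail before the exception is raised, which is what gives the "activity outside standardized practices" item something to monitor; a reviewer reading the trail sees the denied self-approval and denied self-deployment alongside the successful actions by bob and carol.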

SOX provides a broad overview of what must be achieved, i.e., transparency in accounting practices, but leaves the details to individual organizations. This is especially true when it comes to how IT technologies are affected. SOX doesn’t dictate that you have to do anything specifically. What it does say is that once you establish a SOX process, you have to adhere to it.

As an Application Administrator you won’t have designed the SOX policies for your organization. The policies will already be in place and it’s your responsibility to follow them. The best advice that I can give you is to get used to them from the beginning. You may not like these policies, they may seem time consuming and pointless to you, but they are the law. Resistance is futile.


URL: https://www.sciencedirect.com/science/article/pii/B9780123985453000078

IT Audit Fundamentals

Stephen D. Gantz, in The Basics of IT Audit, 2014

IT audit characteristics

Definitions, standards, methodologies, and guidance agree on key characteristics associated with IT audits and derived from Generally Accepted Auditing Standards (GAAS) and international standards and codes of practice. These characteristics include the need for auditors to be proficient in conducting the types of audits they perform; adherence by auditors and the organizations they represent to ethical and professional codes of conduct; and an insistence on auditor independence [7,8]. Proficiency in general principles, procedures, standards, and expectations cuts across all types of auditing and is equally applicable to IT auditing contexts. Depending on the complexity and the particular characteristics of the IT controls or the operating environment undergoing an audit, auditors may require specialized knowledge or expertise to be able to correctly and effectively examine the controls included in the IT audit scope. Codes of conduct, practice, and ethical behavior are, like proficiency, common across all auditing domains, emphasizing principles and objectives such as integrity, objectivity, competency, confidentiality, and adherence to appropriate standards and guidance [9,10]. Auditor independence—a principle applicable to both internal and external audits and auditors—means that the individuals who conduct audits and the organizations they represent have no financial interest in and are otherwise free from conflicts of interest regarding the organizations they audit so as to remain objective and impartial. While auditor independence is a central tenet in GAAS and international auditing standards, auditor independence provisions mandated in the Sarbanes–Oxley Act and enforced by the Securities and Exchange Commission (SEC) legally require independence for audits of publicly traded corporations.


URL: https://www.sciencedirect.com/science/article/pii/B9780124171596000018

Statutory and regulatory GRC

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook (Second Edition), 2020

Sarbanes-Oxley (SOX)—2002

The Sarbanes-Oxley Act (SOX), Public Law 107-204, 116 Statute 745, was passed in July 2002. This act sets in place the revised standards for risk, operations and accounting reporting, compliance, and governance standards for all US public company boards of directors, management, and public accounting firms. The SOX Act was enacted as a result of several major corporate scandals during the late 1990s including Enron, Tyco, and WorldCom. As a result of SOX, top management must now individually certify the accuracy of financial information. Additionally, penalties for fraudulent financial activity are much more severe, and there is now a requirement for increased oversight by the corporate boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.

SOX contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. The SOX Act also created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The SOX Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure as follows:

Addressed specific areas such as:

Top management must individually certify the accuracy of financial information.

It provided for penalties for fraudulent financial activity, which are much more severe than previously listed and legalized.

It increased the independence of the outside auditors who review the accuracy of corporate financial statements.

It increased the oversight role of boards of directors.

SOX Reporting Criteria

Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;

Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;

Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;

Perform a fraud risk assessment;

Evaluate controls designed to prevent or detect fraud, including management override of controls;

Evaluate controls over the period-end financial reporting process;

Scale the assessment based on the size and complexity of the company;

Rely on management's work based on factors such as competency, objectivity, and risk; and

Conclude on the adequacy of internal control over financial reporting.


URL: https://www.sciencedirect.com/science/article/pii/B9780128184271000033

Statutory and Regulatory GRC

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook, 2016

Sarbanes–Oxley – 2002

The Sarbanes–Oxley Act (SOX) – Public Law 107-204, 116 Statute 745 – was passed in July 2002. This Act set in place the revised standards for risk, operations, accounting and reporting, compliance, and governance for all US public company boards of directors, management, and public accounting firms. The SOX was enacted as a result of several major corporate scandals during the late 1990s including Enron, Tyco, and WorldCom. As a result of SOX, top management must now individually certify the accuracy of financial information. Additionally, penalties for fraudulent financial activity are much more severe and there is now a requirement for increased oversight by the corporate boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.

The SOX contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. The SOX also created a new, quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The SOX also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure as follows:

Addressed specific areas such as:

Top management must individually certify the accuracy of financial information.

Provided for penalties for fraudulent financial activity which are much more severe than previously listed and legalized.

Increased the independence of the outside auditors who review the accuracy of corporate financial statements.

Increased the oversight role of boards of directors.

SOX reporting criteria:

Assess both the design and the operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks.

Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.

Evaluate company-level (entity-level) controls, which correspond to the components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

Perform a fraud risk assessment.

Evaluate controls designed to prevent or detect fraud, including management override of controls.

Evaluate controls over the period-end financial reporting process.

Scale the assessment based on the size and complexity of the company.

Rely on management’s work based on factors such as competency, objectivity, and risk.

Conclude on the adequacy of internal control over financial reporting.


URL: https://www.sciencedirect.com/science/article/pii/B9780128023242000038

What does the principle of auditor independence mean?

To be independent, the auditor must be intellectually honest; to be recognized as independent, he must be free from any obligation to or interest in the client, its management, or its owners.

Which of the following best describes independent auditing?

A regulatory function that prevents the issuance of improper financial information.

What are the fundamental principles of independent auditing?

The basic principles of auditing are confidentiality, integrity, objectivity, independence, skills and competence, work performed by others, documentation, planning, audit evidence, accounting system and internal control, and audit reporting.

What are the four guiding principles that have been developed by the SEC for auditor independence?

We believe that the Commission's four guiding principles of independence - (1) auditors should not have mutual or conflicting interests with their audit clients; (2) auditors should not audit their own audit work; (3) auditors should not function as client management or employees; and (4) auditors should not act as ...