
Stuck in the SAS 70s

In the area of auditor independence, much remains cloudy. The situation becomes especially unclear when an auditor performs a SAS 70 test on an outsourcing provider to distribute to the outsourcer's clients. If one of those clients has the same external auditor as the outsourcing provider, must it hire another external auditor to maintain an objective view of the service provider's audit?

The PCAOB could provide a great deal of clarity on the issue of auditor independence — and many other BPO-related conundrums — by finalizing its guidance for auditors on Section 404. The provision itself makes no mention of outsourcing. Nor have PCAOB officials expressed any intention of updating SAS 70 anytime soon. (Through a spokesperson, PCAOB chief auditor Douglas Carmichael declined to be interviewed for this story.)

With regulatory guidance in scant supply, many companies may well hold off for a while on business process outsourcing in India, China, and other emerging nations. As for companies and auditors already dealing with BPO providers overseas, they may soon find themselves up the Yangtze without a paddle.

Craig Schneider is an assistant editor at CFO.com.

Just What Does Section 404 Entail?

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, in May 2003 the Securities and Exchange Commission (SEC) adopted rules regarding internal controls at public companies. Section 404 also requires that a company's independent auditors attest to and report on management's controls assessments, following standards established by the Public Company Accounting Oversight Board (PCAOB).

Under the SEC rules, management's annual internal-control report must contain:

  • A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.

  • A statement identifying management's framework for evaluating the effectiveness of internal controls.

  • Management's assessment of the effectiveness of internal controls as of the end of the company's most recent fiscal year.

  • A statement that the company's auditor has issued an attestation report on management's assessment.

Internal controls, according to the new rule, include assurances of accurate records maintenance, as well as financial reporting that complies with generally accepted accounting principles. The rule also stipulates that managers and directors sign off on receipts and payouts, and that publicly traded companies maintain adequate systems to prevent or detect unauthorized material transactions.

Management must disclose any material weakness in a company's internal-controls structure. If material weaknesses exist, senior executives "will be unable to conclude that the company's internal control over financial reporting is effective," according to the SEC.

The PCAOB, which proposed its standard for auditors in October 2003, must still finalize the standard, after which it must be approved by the SEC before taking effect.

The proposed auditing standard addresses both the work that is required to audit internal control over financial reporting and the relationship of that audit to the audit of the financial statements. The integrated audit results in two audit opinions: one on the internal controls and one on the financial statements.

The proposed standard requires the auditor to communicate in writing to the company's audit committee all significant deficiencies and material weaknesses of which the auditor is aware. The auditor also is required to communicate in writing to the company's management all internal control deficiencies, and to notify the audit committee that such communication has been made.

A number of circumstances are defined by the proposed standard as "significant deficiencies" that would be strong indicators of a material weakness. They include:

  • Ineffective oversight of the company's external financial reporting and of internal control over financial reporting by the company's audit committee. The proposed standard requires the auditor to evaluate factors related to the effectiveness of the audit committee, including whether committee members act independently from management.

  • Material misstatement in the financial statements not initially identified by the company's internal controls.

  • Significant deficiencies that have been communicated to management and the audit committee but that remain uncorrected after a reasonable period of time.

Most senior managers will have to report on — and certify — their companies' internal financial controls starting with fiscal years ending on or after June 15, 2004. That reporting date applies to "accelerated filers" — U.S. companies with a market cap of over $75 million that have filed annual reports with the SEC.

