Thursday, June 30, 2011
The CPA Exam Goes Abroad
In August 2011, the U.S. CPA exam will be offered outside of the U.S. for the first time. The countries in which the exam will be offered include Japan, Bahrain, the United Arab Emirates, Kuwait, and Lebanon. Given the accelerating demand by foreign nationals for taking the exam, the American Institute of CPAs (AICPA), the National Association of State Boards of Accountancy (NASBA), and Prometric have agreed to offer the same CPA exam in the aforementioned countries during a one month window each calendar-year quarter. The exam will be offered in English, and will be open to citizens, permanent residents, and long-term residents of the host countries that have satisfied the requirements to sit for the U.S. CPA exam. International exam candidates will need to select and apply to a U.S. state board of accountancy to validate that they have satisfied the requirements to sit for the exam in their chosen state of jurisdiction. The NASBA is now accepting applications for international exam candidates. For more information, visit the AICPA’s website at http://www.aicpa.org/BecomeACPA/CPAExam/Pages/CPAExam.aspx.
Tuesday, June 28, 2011
PCAOB Releases Potential Changes to Auditor's Report
Last week, the PCAOB issued a concept release presenting four potential changes to the auditor's report on public company financial statements. The changes, open for public comment, include the following:
Given that investors feel they have been duped by public companies, auditors, and hedge funds when so much market capitalization evaporated in the recent recession, I understand the legal concerns of the auditing profession and their regulators. If we audit more and disclose more, how could investors ever be duped again? They would have no excuse for making bad investments, right? The information was all there in front of them. Unfortunately, a clean audit opinion is not equivalent to an analyst's recommendation to buy or hold a security. Perhaps auditors do have it a little too easy only having to issue a pass/fail audit report right now, but I fear that the addition of some of the information suggested by the PCAOB, particularly the AD&A, would confuse investors into thinking that an auditor was making an investment recommendation. We need to be careful not to overwhelm investors. It is not the volume of information, but the relevance of it that investors are in need of.
- Auditor's Discussion and Analysis (AD&A) - Presented as a narrative intended to "facilitate an understanding of the auditor's opinion of the financial statements taken as a whole," according to the PCAOB. This section might include a discussion of audit risks identified, significant management judgments, and critical accounting policies.
- Expanded and requisite use of emphasis paragraphs - While emphasis paragraphs are currently optional, they might be required in a standard auditor's report to point the reader's attention to where significant financial statement items can be found in the financials and related footnotes.
- Auditor assurance on information outside the financial statements - Auditor's may be required to issue an opinion on information such as the management discussion and analysis (MD&A), press releases, or other published financial information.
- Clarification of standard language in the auditor's report - The auditor's report might also clarify the auditor's role and concepts mentioned in a standard auditor's report, such as reasonable assurance, and auditor's responsibilities vs. management's responsibilities.
Given that investors feel they have been duped by public companies, auditors, and hedge funds when so much market capitalization evaporated in the recent recession, I understand the legal concerns of the auditing profession and their regulators. If we audit more and disclose more, how could investors ever be duped again? They would have no excuse for making bad investments, right? The information was all there in front of them. Unfortunately, a clean audit opinion is not equivalent to an analyst's recommendation to buy or hold a security. Perhaps auditors do have it a little too easy only having to issue a pass/fail audit report right now, but I fear that the addition of some of the information suggested by the PCAOB, particularly the AD&A, would confuse investors into thinking that an auditor was making an investment recommendation. We need to be careful not to overwhelm investors. It is not the volume of information, but the relevance of it that investors are in need of.
Friday, June 3, 2011
An Overview of the New Service Organization Control Reports
Organizations that collect, retain, or process information on behalf of other organizations are known as service organizations. Some of the most familiar types of service organizations widely used by companies are payroll processors, employee benefit plan administrators, and asset custodians. In recent years, there is also a growing reliance on providers of software as a service and cloud computing. Over the past decades, firms conducting audits of companies who use service organizations would rely on the organizations’ production of a Statement of Auditing Standard (SAS) 70 report. These reports would be prepared by the service organizations’ independent auditors and provided to any clients who relied on the service organizations’ information in preparing their own financial statements.
Beginning June 15, 2011, SAS 70 will be superseded by SSAE 16 for U.S. service organizations, which is similar to ISAE 3402 under IFRS. The new reports are commonly referred to as Service Organization Control (SOC) Reports. There will be three types of SOC reports for companies to consider for issuance, summarized below:
SOC 1 Report – A review of user controls having an impact on clients’ financial reporting, SOC 1 reports will evaluate what is commonly known as ICOFR (internal controls over financial reporting).
SOC 2 Report – Controls tested in a SOC 2 report will not be linked to financial reporting or financial statement assertions. Instead, SOC 2 reports will evaluate controls that fall under the AICPA Trust Services Principles and Criteria which include security, availability, processing integrity, confidentiality, and privacy.
Both SOC 1 and SOC 2 reports are similar to the former SAS 70 reports in that they list the service organization’s controls, how the auditor tested them, and the results of those tests. They will also include management’s assertions related to the controls tested. They are intended for restricted distribution to clients of the service organization.
SOC 3 Report – The audit work performed for a SOC 3 report is identical to that in a SOC 2, however the report issued merely summarizes management’s assertions and the auditor’s opinion, leaving out the detailed control descriptions and audit procedures. SOC 3 reports are intended to have unrestricted distribution, and those organizations receiving an unqualified opinion are permitted to display a seal on their website indicating the results of their SOC 3 report.
As more and more organizations rely on service organizations for critical IT functions and processing of financial information, auditors should be familiar with the content of the new SOC reports and how they will impact their clients’ audits.
Subscribe to:
Posts (Atom)