To make sure you receive future emails,
please add {[EM-EMAIL ADDRESS]} to your address book or safe list.

Audit & Accounting Alert Newsletter

Issue 6 | August 2012

At-A-Glance

Gerry Herter

The road to acceptance for international financial reporting standards (IFRS) has been a long one, dating back to 1973. But for the United States, the formal process began in 2002, when the Financial Accounting Standards Board started to work with the International Accounting Standards Board toward global convergence. A decade has past, and while over 120 countries now require or permit IFRS, the US is not one of them. For that reason, the world had high expectations when the SEC report on the future of IFRS in the United States was recently released. Unfortunately, the report’s lack of a definitive recommendation on IFRS for the US was greeted with mixed reviews, as we discuss in our first article. While movement in financial reporting standards may be slow, technology changes will not wait. Our second article addresses risks already upon us with cloud computing. Meanwhile, investors are looking for added assurances from auditors on current and future report disclosures, as our third article illustrates.

Editor Gerald E. Herter, CPA

In This Issue 

SEC Releases Long-Awaited Report on IFRS

Lack of recommendation draws strong comments

The SEC Final Staff Report, Work Plan for the Consideration of Incorporating International Financial Reporting Standards into the Financial Reporting System for U.S. Issuers, was finally released on July 13. However, the comprehensive 127 page document came with no decision or recommendation as to whether IFRS would be adopted in the United States. Sensing that the world financial community was expecting such a decision, SEC spokesman John Nester announced a couple days beforehand that the report would be coming without the anticipated decision.

Nevertheless, reaction was quick and strong. Two days later, Michel Prada, chairman of the IFRS Foundation Trustees, remarked “While recognizing the right of the SEC to determine the method and timing for incorporation of IFRSs in the United States, we regret that the staff report is not accompanied by a recommended action plan for the SEC. Given the achievements of the convergence program inspired by repeated calls of the G20 for global accounting standards, a clear action plan would be welcome.” Looking ahead, IASB chairman Hans Hoogervorst conveyed his frustration as well, stating “IFRSs have already achieved critical mass as international standards…The IASB has started working on a new agenda. The era of convergence is coming to an end…This is the right timing to come on board and participate in shaping the future of global accounting."

Adding to this vexation has been a confusing series of plans and dates. In a 2008 timetable, the SEC contemplated being in position to make a decision in 2011. Then when the Work Plan was put in motion in 2010 to evaluate the issues and implications, the expectation was that the recommendation would come with the completion of that Work Plan.

Voices in the US were more understanding. “The American Institute of CPAs commends the staff of the Securities and Exchange Commission for its thoughtful analysis and the preparation of a comprehensive report regarding incorporation of International Financial Reporting Standards into the financial reporting system for U.S. public companies,” said Barry C. Melancon, AICPA president. Similar comments came from FAF president, Terri Polley. “The Financial Accounting Foundation and the Financial Accounting Standards Board commend the SEC staff for producing a detailed report that carefully outlines the history, progress and challenges of the effort to move toward greater comparability in accounting standards across national borders.”

While also showing support, Center for Audit Quality Executive Director, Cindy Fornelli added her desire, shared by Melancon and others, that “while staff recommendations of specific approaches or dates for the possible incorporation of IFRS into the U.S. financial reporting system was beyond the scope of the staff’s Work Plan, we hope the information in the report will facilitate an SEC determination on incorporation of IFRS in the near future. The CAQ remains supportive of the adoption and universal application of a single set of high quality global accounting standards. IFRS are best positioned to be that single set of standards.”

Steve Austin, Integra International AAA President, warned that this latest action by the SEC “has the potential of unwinding other country commitment, e. g. Japan.” Other large players like India and China are also a concern. Stefaan De Rynck, European Commission spokesman, goes so far as to question the U.S. seat on the IASB: “The lack of a clear vision from the U.S. creates uncertainty and hampers the IFRS from becoming a truly global accounting language. It is also becoming more difficult to justify the representation of jurisdictions not applying IFRS in the IASB governance framework."

Here is a brief summary of the report’s findings:

  1. Development of IFRS – The IASB has made significant progress, the standards issued are perceived to be high quality, but there continue to be areas that are underdeveloped, such as for specialized industries.
  2. Interpretive Process – There needs to be more timely guidance interpreting current standards.
  3. IASB’s Use of National Standard Setters – IASB needs to understand the intricacies of various national systems, and consider greater reliance on national standard setters.
  4. Global Application and Enforcement – More consistent global application of IFRS is needed, along with greater emphasis on inter-jurisdictional cooperation and enforcement.
  5. Governance of the IASB – To protect US investors and capital markets, a mechanism, such as a FASB endorsement process, may be needed.
  6. Status of Funding – For adequacy and to maintain independence, broader based funding of the non-profit IFRS Foundation is needed, and less dependence on large public accounting firms.
  7. Investor Understanding – Investor education on accounting issues and changes in the accounting standards is not uniform.

While impatience with the hesitancy of the SEC to move forward is understandable, the issues raised in the report underscore the tremendous challenges facing the US in adopting IFRS. The implementation costs and complexities alone envision a systematic, yet gradual approach that allows flexibility for needed refinements along the way. But even for that to happen, a decision needs to be made, so that the journey to the ultimate goal can at least begin.

For further information, see SEC Final Staff Report on IFRS in the US


Accounting and Auditing in the Cloud

COSO provides guidelines for managing risks of cloud computing

When the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Enterprise Risk Management – Integrated Framework (ERM-IF) in 2004, the cloud to most of us was just a fluffy white castle in the air. Published in the aftermath of Enron and related debacles, ERM-IF expanded on COSO’s landmark 1992 industry standard, Internal Control – Integrated Framework (IC-IF), which is currently being updated, as discussed in our February issue. Assimilating the principles of IC-IF, ERM-IF broadened the discussion to encompass the whole of enterprise risk management, strategically as well as operationally.

The rapid emergence of cloud computing in the last several years has added a new layer of complexity to the realm of risk management, both for organizations and auditors. Using ERM-IF as the foundation, COSO recently released Enterprise Risk Management for Cloud Computing (ERM-CC), offering guidelines for identifying and responding to the unique risks introduced by this proliferating technology platform.

ERM-CC defines cloud computing as “a computing resource deployment and procurement model that enables an organization to obtain its computing resources and applications from any location via an Internet connection.” There are various possible permutations depending on where an entity’s hardware, software and data are located, and who controls each. While ERM-CC acknowledges the cloud’s potential benefits of cost savings, speed of deployment, scalability, lessened management and environmental factors, the publication’s focus is on raising awareness of the related risks, and approaches to addressing those risks.

ERM-CC lays out the cloud computing environment and the interrelationships of the Enterprise Risk Management Framework components as they apply to the internal organization and the cloud service provider (CSP). Then the following cloud-related risks are presented along with recommended responses:

Risk Risk Response
Unauthorized cloud activity Cloud policies and controls
Lack of transparency Assessments of the CSP control environment, independent audit reports
Security, compliance, data leakage, and data jurisdiction
Data classification policies and processes to protect sensitive and restricted data
Transparency and relinquishing direct control
Management oversight and operations monitoring controls
Reliability, performance, high-value cyber-attack target
 
Incident management, and safeguards such as alternative CSP providers and encryption of data
Noncompliance with regulations
Monitoring of the external environment
Vendor lock-in
Preparation of an exit strategy
Noncompliance with disclosure requirements New disclosures in financial reporting

For organizations and auditors alike, the ease of data entering the cloud can result in unintended exposure before there is even recognition of the situation. Acknowledgment of and training in cloud opportunities and exposures should start with board of director oversight and sound management decisions in this regard. As the enumerated risks indicate, management needs to know where its systems and data reside, what security and accessibility measures are in place, what jurisdictions and related laws and standards need to be complied with, and how well internal and external collaborators are informed of the implications of the cloud environment.

In the audit arena, the AICPA in June 2011 put into effect SSAE 16, to replace SAS 70 , which had served as the standard since 1992 for attesting to service organization internal controls for financial reporting (ICFR). SSAE 16 established the Service Organization Control 1 report (SOC1) for user entities and their auditors. Since SOC1 reported only on ICFR, separate SOC2 and SOC3 reports were established to address the additional non-financial areas of security, availability, processing integrity, confidentiality and privacy, that cover the cloud based issues with which ERM-CC is concerned. SOC2 and SOC3 are of a similar nature, except that SOC3 is presented in summary format acceptable for public use.

In performing future risk assessments for audits, auditors will need to weigh whether an SOC1 report is sufficient, or if the additional risks considered in SOC2 dictate the need for that level of assurance. Just as ERM-CC points out the need for more awareness and education with regards to cloud computing opportunities and risks, the attest and audit standards behind the SOC reports are indicative of the need for auditors to become more familiar with this growing area of exposure.

 

For further information, see COSO Committee of Sponsoring Organizations of the Treadway Commission and AICPA Service Organization Control Reports


Audit Report Changes are Coming

Investors and regulators want more from auditors

The basic audit report has not changed much in many years. Users have come to view the contents as boilerplate and often look only to see if there is a “clean opinion.” If there is, some users may mistakenly conclude that the auditor is guaranteeing the accuracy of the financial statements and the integrity of the organization, despite the limiting fine print contained within the report. If the opinion is other than “clean,” further details will explain the reason.

With the current environment of unparalleled complexities, crises and uncertainties in the global business community, investors and other stakeholders are calling for better means of assessing organizational credibility and viability. Despite their own instances of imperfection, auditors are still looked upon as trustworthy sources for more input in this regard. Several powers within the profession are directing attention at the audit report as a place to address the need, while at the same time further delineating the auditor’s limits.

The audit clarity standards, promulgated by the Audit Standards Board and set to come on line at the end of the year for private companies in the United States, go a long way to aligning with international audit standards. However, the changes related to the standard audit report are mainly of a cosmetic and formatting nature. In contrast, the proposals suggested by the IAASB in their June 2012 Invitation to Comment: Improving the Auditor’s Report, are far reaching and significant. The IAASB proposal process parallels efforts by the PCAOB and European Commission to broaden the audit reporting scope.

Following a May 2011 consultation paper and subsequent interactions with a wide range of stakeholders, the IAASB discerned the following areas of improvement for consideration in its latest offering:

  1. “Auditor Commentary” – an added section to highlight areas the auditor feels are most important to the understanding of the financial statements or audit,
  2. Going concern – an opinion on management’s presumption of going concern, and disclosure of uncertainties,
  3. Material inconsistencies – disclosure comparing the consistency of other information that is included in addition to the audit report,
  4. Auditor’s Opinion – placement at the beginning of the audit report,
  5. Transparency – clarification of management and auditor responsibilities, and description of essential audit elements

The goal of the Auditor Commentary is to assist users in determining areas on which to focus their attention. Also, since audited financial statements are often included with annual reports and other documents, the user would have clarity as to the auditor’s consideration of such information.

The PCAOB’s June 2011 Concept Release on the Auditor’s Reporting Model, while bearing some similarities to the IAASB suggestions, presented four alternatives for changing the audit report:

  1. Supplemental auditor’s discussion and analysis report (AD&A),
  2. Required and expanded use of emphasis paragraphs,
  3. Auditor assurance on other information outside the financial statements,
  4. Clarification of language in the standard auditor’s report.

An eventual ruling from the PCAOB could potentially include any permutation of the various components of these or other alternatives. The first and second alternatives are similar to the IAASB’s Auditor Commentary, but the first alternative could also include description of auditor items covered in the IAASB’s Transparency area. The third alternative takes the IAASB’s Material Inconsistencies area a step further requiring an audit opinion on it.

Comment letters received on the PCAOB release recommended retaining the current “pass/fail” (unqualified/qualified) opinion, while also generally supporting the idea of changes to the report under appropriate circumstances. The investor community generally favored some form of the first two alternatives, while preparers and auditors did not. There was greater support for having more auditor information related to the financial statements than to other outside information.

The European Commission legislative proposal issued in November 2011 calls for in depth description of audit methodology, key risk factors, proportions of substantive versus system testing, and materiality levels in the published audit report. An even more comprehensive report would be provided to the audit committee, laying out work done, with key findings, explanations and the organization’s overall state of affairs.

While the Audit Standards Board clarity standards are issued and effective at the end of 2012, the proposals of the other governing bodies have a longer timeline. At a November 2011 meeting, the PCAOB indicated that a formal proposal was anticipated for the second quarter of 2012, which has now passed. The European Commission legislation is currently under debate with possibly a vote in early 2013. The IAASB comment period ends on October 8, 2012, with a planned exposure draft to be issued in June 2013 and finalized in June 2014.

For further information see PCAOB Concept Release on Audit Reports and IAASB Invitation to Comment: Improving the Audit Report and European Commission: Reform of the Audit Market


Additional A&A News

The following links provide a selection of current articles devoted to highlighting other A&A topics currently making news.

  1. FASB Splits with IASB on Impairment Standards
  2. Equipment Leasing Plan Could Make Lessees Losers
  3. Accounting Détente Delayed 
  4. Audit Data Standard Exposure Draft Issued
  5. Mandatory RFP, Not Mandatory rotation
  6. Institutes told to improve audit monitoring visits

Audit & Accounting Alert is a publication of Integra International intended to highlight emerging issues in the profession. The goal is to give Integra members an awareness of developments impacting the practice of Audit & Accounting, enabling them to stay on the forefront of industry trends.

Editor Gerald E. Herter  •  HMWC CPAs & Business Advisors, 17501 E. 17th Street, Suite 100, Tustin, CA 92780-7924
 •  Tel: 1 714 505-9000  •  Fax: 1 714 505-9200  •  Email: gerry@hmwccpa.com