
Audit & Accounting Alert Newsletter

Issue 10 | December 2013

At-A-Glance

Gerry Herter

The internal audit function affords a first line of defense to companies for evaluating adherence to and detecting deviations from established policies and procedures. The Institute of Internal Auditors (IIA) is the worldwide body that provides leadership and advocacy for this segment of the accounting profession. Our first article covers recent IIA surveys showcasing the increasing importance of the internal audit role in the corporate arena. Fraud detection is a concern of internal and external auditors alike. Our second article takes a look at five forms of cyber fraud that an AICPA white paper describes, along with preventative and remedial measures. Our final article voices the concern that adjusted profit numbers in corporate financial reports threaten the goal of comparability that international financial reporting standards strive to attain. 

Editor Gerald E. Herter, CPA

In This Issue 

Internal Auditors Look Ahead

IIA Survey Addresses the Affordable Care Act and COSO

The Audit Executive Center of the Institute of Internal Auditors conducts a semi-annual Pulse of the Profession survey, globally in April, and North America-based in October. The title of the global survey earlier this year, 2013: Time to Seize the Opportunity, reflected renewed optimism of the internal auditors. The majority 1) now report functionally to the board of directors or audit committee, 2) have more staff and budget resources, 3) are able to prioritize the audit focus increasingly on strategic risk, 4) seek out staff with more analytic, critical thinking and communication skills, and 5) can help strengthen the tone at the top.

The recent North American survey, Defining Our Role in a Changing Landscape, continues that optimism, projecting more diversity in audit coverage, with a “greater focus on compliance risks and less emphasis on Sarbanes-Oxley.” Special attention is given to requirements of the U.S. Affordable Care Act and preparedness for COSO 2013 Internal Control–Integrated Framework implementation.

Compliance or regulatory audits are anticipated to be second only to operational audits. In that regard, the Affordable Care Act is expected to present challenges. While most respondents foresee an impact on their organizations, they are generally not well versed on what that impact may be. Many were not sure whether benefits would be dropped, and if they were, what risks may develop as a result of the toll on employee attitudes.  

There appears to be better preparation with regard to the new COSO Framework, which makes sense, since the IIA is a supporting member of COSO, the Committee of Sponsoring Organizations of the Treadway Commission. First described as an Exposure Draft in the February 2012 inaugural issue of the Audit & Accounting Alert, the new COSO Framework was formally issued in May 2013 with intentions for complete employment by December 2014. Fully 87% of survey responders plan to use the Framework.

The aim of the new Framework, which updates the original from 1992, is to clarify concepts, codify the principles and facilitate the development of internal controls in light of the current environment, while retaining the still pertinent core definition and five overall components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities.   

A large percentage of responders indicated that the internal audit department would have overall responsibility for the COSO Framework implementation. A caution was mentioned in this regard. Just as in the case of external auditing, the effectiveness and credibility of internal audit is predicated on a level of independence from the organization’s accounting function. Management needs to play the lead role in design and implementation of the internal control system, so that internal audit can maintain objectivity when testing that system. 

The majority of internal auditors with public companies expect to transition to the new COSO Framework by 2014 without significant difficulty. That response is not surprising considering the extensive attention paid to internal controls for compliance with the Sarbanes-Oxley law in recent years. Also, the SEC will be looking for companies to move to the new COSO Framework or explain why not.

Meanwhile, the UK’s Financial Reporting Council just issued a consultation paper, Risk Management, Internal Control and the Going Concern Basis of Accounting, that proposes a closer integration of a company’s risk management with the internal control function, and relates it to the process for evaluating going concern, as well.  

For further information, see IIA Pulse of the Profession Survey and FRC Consultation Paper: Risk Management, Internal Control and the Going Concern Basis of Accounting


Fraud Awareness an Ongoing Concern

Cyber fraud gets more sophisticated

With Bernie Madoff’s employees facing a jury trial this month, and International Fraud Awareness Week having recently taken place, the timing is good to focus on the latest fraud threats being discussed. Oftentimes, frauds can include basic low tech approaches. For instance, in the trial, Madoff was said to have hired employees with limited technical skills and no experience who then would create broker statements with false data by cutting and pasting. The employees contended that they trusted Madoff as a mentor and were unaware that they were doing anything wrong.

Accountants scratch their heads wondering how the SEC could have missed such basic shortcomings, especially considering that Madoff’s auditor was a one man shop, which would typically not have the trained resources to provide a valid audit opinion. Even so, looking out for low tech defalcations, while vitally critical, is not enough these days. The rapid advances of technology enable the creation of frauds at a pace that can be difficult to keep up with.

 Indeed, a recent Intuit study, the 2013 Future of Accountancy Report, states that “Business complexity will increase, making it even tougher for accounting firms and professionals to stay up to date and informed on key regulatory, compliance and business issues…The professionals of 2020 will understand data integrity, security and privacy concerns as well as the broader use of decision-support systems.” Accountants will need to persistently focus on enhancing their technical acumen in order to fulfill that prophecy. The benefit, the study proclaims, will be that “Technology consulting opportunities for accounting professionals will increase. Data management, compliance, security and privacy consulting opportunities will be particularly strong.”

To help, the AICPA in October produced a white paper, The Top Five Cybercrimes, to alert accountants in public practice as well as industry of cybercrimes currently of greatest concern, along with assistance in dealing with them. The cybercrimes covered are:

  1.  Tax-refund fraud
  2.  Corporate account takeover
  3.  Identity theft
  4.  Theft of sensitive data
  5.  Theft of intellectual property

A 2012 report of the Treasury Inspector General for Tax Administration estimated 1.5 million undetected tax returns with over $5 billion of tax refund fraud. Often these involve use of deceased taxpayers’ names and social security numbers. Those performing pension plan audits are also faced with this type of concern, and need to design procedures to validate that distribution payees are still living. Fraud of the Day, a feature highlighted on the International Fraud Awareness website, relates the story of a man who forged his dead mother’s signature on pension checks for several years after her death before being caught.

Corporate account takeover can occur when a controller’s login credentials are illicitly acquired through email attachments, web downloads or file transfers. Or a cybercriminal can hack into a computer, find the banking information, access the account online through the hijacked computer, and transfer funds.

With identity theft and theft of sensitive data, the key information is gained virtually, similar in fashion to corporate account takeover, or in low tech ways, such as dumpster diving or copying from credit card receipts. Fraud of the Day relates the use of a “Zapper,” software that modifies electronic cash register or point of sale networks, in order to skim funds. The Zapper is loaded from a memory stick or CD. In one case, the Zapper was employed on a hand held scanner used for inventory control. The scanner enabled access to a restaurant’s inventory control system, where sales and inventory data could be manipulated to cover up the skimming.

Intellectual property theft is facilitated by the easy access and copying of files, such as movies and music that can be purchased once and resold multiple times. Even more insidious is state-sponsored cyber theft, such as that coming from China, where all kinds of proprietary data are stolen.

The Top Five Cybercrimes quotes a Verizon study that determined that 87% of security breaches could have been avoided had reasonable security controls been in place. Some strategies suggested by the AICPA white paper for dealing with cyber risks are 1) security audits and controls, 2) business insurance, and 3) an incident response plan.

Security audits are considered the best defense. The white paper suggests that “For optimal results, clients should ask their CPA to audit their privacy and security policies and controls.” Preventive control strategies to then consider include patching vulnerabilities, limiting access internally, building firewalls and intrusion detection systems for external threats, and putting monitoring systems in place.

Business insurance should be in place and reviewed periodically to cover losses from cybercrime, just as with any other insurable risk.

An incident response plan should be developed and ready for deployment. It should identify which of the five described cybercrimes are a threat, what types of losses could be incurred, and how to respond and achieve full recovery.

The whitepaper concludes “The proliferation of cybercrime does not require CPAs to assume the role of cyber security expert. However, by becoming and remaining informed and aware of the core elements of cybercrime, and seeking assistance from security professionals when necessary, CPAs can best identify preventive, detection and reparative measures.” Integra International is fortunate to have a depth of knowledge in this area within the association with members, such as Steve Ursillo, Jr. from Providence, R. I., who specialize in information system security, internal control assessments, fraud detection, data extraction and analysis, and information technology assurance services. 

For further information, see The Top Five Cybercrimes and International Fraud Awareness Week and 2013 Future of Accountancy Report


Nontraditional Profit Reporting Threatens Comparability

IFRS and GAAP often sidestepped for more attractive numbers

Recently, our Integra International member in New Zealand, John Cockcroft, shared with us an article from the New Zealand Herald raising concerns about a “loss of faith in accounting standards.” New Zealand has adopted International Financial Reporting Standards (IFRS), the goal of which is a standardized, comparable set of reporting standards worldwide. However, as the article by Brian Gaynor pointed out, companies are making all kinds of adjustments to their profit numbers to make them look better than the IFRS reported amounts do.

This sentiment was echoed in the USA in November when social media phenomenon Twitter launched its public stock offering. Under US GAAP, Twitter showed a loss of $134 million for the first nine months of the year. After some adjusting, a better looking non-GAAP net loss of $44 million appeared, and adjusted EBITDA actually reflected a positive $30 million. Twitter justifies the adjustments stating that “We are presenting the non-GAAP measures of Adjusted EBITDA and non-GAAP net loss to assist investors in seeing our operating results through the eyes of management, and because we believe that these measures provide an additional tool for investors to use in comparing our core business operating results over multiple periods with other companies in our industry.”

Interestingly, Michel Prada, IFRS Foundation Chairman, just spoke in Japan on the topic “À la carte accounting will not deliver globally consistent standards.” While trumpeting the success of IFRS, he deplores the persistence in some countries of hanging on to certain local standards while contending they are converging with IFRS. Prada notes that 85% of the 81 countries profiled thus far are already committed to full IFRS adoption. Unfortunately, as observed in the October Audit & Accounting Alert, those persisting in their old ways, including the US, make up half of the world’s population.

Experiences in New Zealand and the US show that even if a set of common standards is widely adopted, the goal of uniformity will be defeated if a more effective means of applying and enforcing the standards is not implemented.

In the case of Twitter, knowledgeable accountants may understand the rationale of recasting profits in certain cases. The major adjustments related to stock-based compensation and amortization of acquired intangibles. While management may be justified in using nontraditional metrics which better suit their purposes, the average investor may not have the level of sophistication necessary to evaluate the differences and how they compare to other companies.

Companies in the US cannot be faulted for modifying results. The SEC established Regulation G which allows just such measures, as long as GAAP is presented alongside. Nevertheless, with either US GAAP or IFRS, more work needs to be done to find ways to reduce the confusion and potential deception, intentional or otherwise, that has arisen from the prevalence of alternative profit reporting. Of course, that may appear like an easy task compared to getting the US to finally adopt IFRS, considering the seemingly intractable differences witnessed between the FASB and IASB. 

For further information, see New Zealand: Good and bad news in reporting season and Twitter IPO - S-1 Amendment and À la carte accounting will not deliver globally consistent standards.


Additional A&A News

The following links provide a selection of current articles devoted to highlighting other A&A topics currently making news.

  1. UK governmental audit changes could undermine independence
  2. CPA Profession’s Journey of Greatness
  3. Why CFOs Must Become Chiefs of XBRL
  4. The Great IFRS Swindle: Accountants Scamming Accountants
  5. Compromise for Lease Accounting Overhaul Starts to Fall Apart
  6. IASB Adjusts to Changing Relationship with FASB

 

Audit & Accounting Alert is a publication of Integra International intended to highlight emerging issues in the profession. The goal is to give Integra members an awareness of developments impacting the practice of Audit & Accounting, enabling them to stay on the forefront of industry trends.

Editor Gerald E. Herter  •  HMWC CPAs & Business Advisors, 17501 E. 17th Street, Suite 100, Tustin, CA 92780-7924
 •  Tel: 1 714 505-9000  •  Fax: 1 714 505-9200  •  Email: [email protected]