
Audit & Accounting Alert Newsletter

Issue 3 | March 2015


Gerry Herter

Last month we reported how big data is transforming the audit and accounting world. Accountants need to embrace continuing technological changes or face future irrelevance. In this issue, our first article focuses on related, and equally urgent, technological threats to the security of accounting information. A new report from COSO, the internal control agency, offers a structured approach for managing cyber risks.

Next, we turn to the landmark new standards that change the look and content of audit reports. The pronouncements of the International Auditing & Assurance Board (IAASB) call for unprecedented depth and transparency in the auditor’s report. Bearing similarities to standards already in place for the United Kingdom, and under consideration by the PCAOB, the new International Standards on Auditing (ISAs) will be implemented widely in 2016.

Finally, Canadian accountants are celebrating the new CPA Canada designation. For Canada, the CPA initials stand for Chartered Professional Accountant, and consolidate the three previously independent organizations known by the CA, CMA and CGA acronyms. Our third article describes the multi-year process that brought 40 regional and national jurisdictions into agreement with this forward-looking achievement. 

Editor Gerald E. Herter, CPA

In This Issue 

Is Your Accounting Data Secure?

New report, COSO in the Cyber Age, offers blueprint for bolstering cyber security

With almost daily reports of major new internet attacks and identity thefts, we live in a world paranoid as to when, not if, data precious to us will be stolen. Recently on 60 Minutes, a weekly US news program, a segment titled “DARPA: Nobody’s Safe on the Internet,” featured Dan Kaufman, former video game executive, who now heads up the information innovation division at DARPA, the Defense Advanced Research Projects Agency.

DARPA developed the internet back in the sixties, and is responsible for maintaining the US’s military technological superiority. Kaufman showcased a video board map of the world that displayed numerous continual flashes resembling meteor trails in the sky. He explained that each flash was a real time internet attack on a US installation somewhere around the world. More impressive was his remark that US technology was automatically detecting and responding to the attacks within microseconds. That information relieved my fears a little, but only a little.

Though we don’t have the sophistication of Mr. Kaufman’s video board in the accounting world, COSO (Committee of Sponsoring Organizations of the Treadway Commission) offers tools that can help address cyber security threats that we face. The new report, COSO in the Cyber Age, issued in January, 2015, applies the guidelines published in the 2013 COSO pronouncement, Internal Control — Integrated Framework (2013 Framework), to the technology realm of accounting.

The report opens by describing the business world at the time the first version of the 2013 Framework was issued in 1992. The examples from that era are eye-opening in showing just how far technology has come in little more than 20 years. Back then:

  • There were fewer than 14 million Internet users worldwide in 1992, compared to nearly 3 billion today;
  • America Online (AOL) for Microsoft DOS had been recently released;
  • Microsoft Internet Explorer did not exist;
  • Some of the most popular cell phones were “bag phones”;
  • Telephone and fax were the predominant ways businesses communicated.

By contrast today, the report states:

  • Customers’ orders are now processed over electronic data interchanges on the Internet with little or no human intervention;
  • Business processes are often outsourced to service providers, who are enabled by interconnected networks;
  • More and more corporate personnel work remotely or from home, with little need to come into the office;
  • Inventory is tracked in warehouses through the use of radio-frequency identification (RFID) tags;
  • Online only banks exist, and nearly all banks offer Internet banking to customers.

As these examples show, business capabilities have made colossal advances. However, while savoring these gains, my fears started to rise again when I read the report’s profound statement: “The reality is that cyber risk is not something that can be avoided; instead, it must be managed.”

The 2013 Framework specifies the five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. The report considers the control environment and monitoring activities as foundational, without which “it is likely that an organization will be unable to understand cyber risks sufficiently, deploy effectively designed control activities, and respond appropriately to address the cyber risks.”

An effective control environment and monitoring activities in the technology arena are considered by the report to require:

  • Clear tone from the top regarding the importance of protecting information systems;
  • A program of ongoing and separate evaluations to assess the design and operating effectiveness of controls that are intended to reduce potential cyber exposures;
  • Assistance and involvement of qualified cyber risk professionals;
  • Appropriate monitoring of cyber risk and controls related to outsourced service providers;
  • Proper and timely communication of cyber deficiencies;
  • Holding control owners accountable to help protect information systems.

From the start, a proper attitude is needed that drives a continual systematic approach. Also, leaders need to recognize their own limitations and bring in the expertise that can competently address this highly technical area. Once appropriate measures are in place, consistent follow-up must occur that holds all participants responsible, to minimize damaging breaches.

In the risk assessment component, perpetrators of cyber-attacks are variously categorized as:

  • Nation-states and spies;
  • Organized criminals;
  • Terrorists;
  • Hacktivists;
  • Insiders.

A retailer, such as Target Corporation, was likely the “target” of organized criminals, while Sony Pictures may have been hit by the nation-state of North Korea, or possibly even disgruntled insiders. Identifying the potential threats helps to focus the type and scale of protections needed.

Control activities can be developed both to prevent and slow down attacks, while also detecting, on a timely basis, breaches that get through. The report points out that while the 2013 Framework provides general guidelines, the following are examples of cyber-focused standards and frameworks with a more specific focus:

  1. COBIT - Control Objectives for Information and Related Technology is a framework created by ISACA (formerly Information Systems Audit and Control Association) that enables managers to bridge the gap between control requirements, technical issues and business risks;
  2. ISO 27000 – Standards developed by The International Organization for Standardization (ISO) to enable organizations to implement processes and controls that support the principles of information security;
  3. Framework for Improving Critical Infrastructure Cybersecurity is a framework released by National Institute of Standards and Technology of the U.S. Department of Commerce (NIST) that builds on existing standards, guidelines, and practices to guide organizations in practices that reduce the potential impacts of cyber risks.

With regard to the information/communication component, information must be relevant and of high quality, and must then be communicated effectively both internally and externally. In last month’s Alert, we discussed the implications of Big Data to the accounting profession. In a cyber context, there needs to be a capability to deal with the massive quantities of data in order to filter out irrelevant and inaccurate data. In addition to internal efforts at analysis and control of data, the report points to industrial, governmental and outsourced service providers as resources of other data warranting consideration.

With the challenges of cyber security so daunting, we all may wish we had a Dan Kaufman from DARPA on our team. Since that is a luxury most of us can only dream about, the next best thing may be to develop a robust, structured approach such as that outlined by COSO in the Cyber Age. If the cost or effort required appears too great, consider this ominous warning from the report:

“If being secure, vigilant, and resilient has not been a priority for your organization, it will be eventually. If cyber risks are addressed by reactive management, the damage from a cyber attack could potentially be so severe that the organization could cease to exist and operate. Cyber risk will only continue to be more difficult to manage as time passes, technology evolves, and hackers become more sophisticated. Invest now and make cyber risk management a priority that receives similar attention as other objectives that are strategic to the organization.” 

 For further information, see COSO in the Cyber Age.

Audit Reports to Have a New Look

International Board issues groundbreaking standards

The International Auditing & Assurance Board (IAASB) was founded by the International Federation of Accountants (IFAC) in 1978, as an independent body for the purpose of producing high quality auditing, quality control, and other related standards, and for facilitating the convergence of international and national standards around the world. Currently, over 100 countries are using IAASB’s International Standards on Auditing (ISA) or are committed to implementing them in the near future. The work of the IAASB is overseen by a group of 18 members from around the world, headed up by Chairman Arnold Schilder from the Netherlands, and Deputy Chair Charles Landes from the United States.

On January 15, 2015, the IAASB issued Reporting on Audited Financial Statements – New and Revised Auditor Reporting Standards and Related Conforming Amendments, which includes new ISA 701, Communicating Key Audit Matters in the Independent Auditor’s Report, and a number of revised ISAs, including ISA 700 (Revised), Forming an Opinion and Reporting on Financial Statements, and ISA 570 (Revised), Going Concern.

In a press release, Chairman Schilder stated: “These changes will reinvigorate the audit, as auditors substantively change their behavior and how they communicate about their work. Informed by extensive research and global outreach to investors, regulators, audit oversight bodies, national standard setters, auditors, preparers of financial statements, audit committee members, and others, the final International Standards on Auditing (ISAs) represent a momentous—and unprecedented—first step. Now, we must study, promote, and plan for the effective implementation of the new and revised standards.”

The new standards generally follow the points of the Exposure Draft issued in July, 2013, as reported in the October, 2013 Audit & Accounting Alert:

  1. Prominent placement of the auditor’s opinion and other entity-specific information in the auditor’s report;
  2. Auditor reporting on “Key Audit Matters;”
  3. Auditor reporting on going concern;
  4. An explicit statement that the auditor is independent of the entity and has fulfilled the auditor’s other relevant ethical responsibilities, with disclosure of the source(s) of those requirements;
  5. Disclosure of the name of the engagement partner;
  6. Improved description of the responsibilities of the auditor and key features of the audit.

 Further details in the final standard elaborate on these items:

  1. The opinion section is required to be presented first, followed by the basis for opinion section, unless law or regulation prescribe otherwise;
  2. Key Audit Matters (KAM) are those matters that, in the auditor’s judgment, were of most significance in the audit of the current period financial statements;
  3. Enhanced auditor reporting on going concern, including:
     a) Description of the respective responsibilities of management and the auditor for going concern;
     b) A separate section when a material uncertainty exists and is adequately disclosed, under the heading “Material Uncertainty Related to Going Concern.” If disclosures are inadequate, a modified opinion is to be rendered and placed at the front of the auditor’s report;
     c) New requirement to challenge adequacy of disclosures for “close calls” in view of the applicable financial reporting framework when events or conditions are identified that may cast significant doubt on an entity’s ability to continue as a going concern.
  4. Affirmative statement about the auditor’s independence and fulfillment of relevant ethical responsibilities, with disclosure of the jurisdiction of origin of those requirements or reference to the International Ethics Standards Board for Accountants’ Code of Ethics for Professional Accountants;
  5. Disclosure of the name of the engagement partner;
  6. Certain components of the description of the auditor’s responsibilities may be presented in an appendix to the auditor’s report or, where law, regulation or national auditing standards expressly permit, by reference in the auditor’s report to a website of an appropriate authority.

The United Kingdom is ahead of the international community, with its Financial Reporting Council (FRC) already having put new audit report requirements in effect back in October, 2013. As we reported then, the FRC rules require auditors to:

  • Describe the risks that had the greatest effect on the overall audit strategy, the allocation of resources in the audit, and directing the efforts of the engagement team;
  • Provide an explanation of how they applied the concept of materiality in planning and performing the audit;
  • Provide an overview of the scope of the audit, showing how this addressed the risk and materiality considerations.

The FRC applauded the new IAASB standards, noting that “these changes are broadly consistent with the amendments to the FRC’s auditing standards to introduce extended auditor reporting, in 2012 and 2013, which responded to the same calls for change and have been widely welcomed.”

Melanie McLaren, FRC Executive Director, Codes and Standards added:

“The IAASB is to be congratulated on leading change to the international standards for auditor reporting. They represent the most significant changes to the auditor reporting model at international level for decades. They have the potential to enhance investor engagement about the audit and to provide a catalyst for audit innovation in the interest of investors and the public. We hope they will be embraced enthusiastically by auditors and investors internationally, as our recent changes to auditor reporting have been in the UK and Ireland. If so, they should herald in an era of greater transparency about the audit for investors in many of the world’s largest capital markets.”

The PCAOB is still considering similar changes that were proposed in August, 2013. These would require:

  • The communication of critical audit matters as determined by the auditor;
  • The addition of new elements to the auditor's report related to auditor independence, auditor tenure, and the auditor's responsibilities for, and the results of, the auditor's evaluation of other information outside the financial statements; and,
  • Enhancements to existing language in the auditor's report related to the auditor's responsibilities for fraud and notes to the financial statements.

An updated proposal from the PCAOB is expected soon. While the details may differ from the IAASB and FRC pronouncements, the new standard should likewise call upon auditors to provide more in depth information in audit reports, and in the process to reexamine their audit approaches.

 For further information, see The New Auditor's Report.

Canadian Accountants Unite

CAs, CMAs and CGAs join forces to become Canadian CPAs

Recognizing the importance of projecting a strong, united voice on the global stage, the Canadian accountancy profession this past year succeeded in combining its three diverse, yet overlapping, accounting bodies into the new Chartered Professional Accountants (CPA) organization, CPA Canada. No easy task considering that approvals were needed from 40 regional and national jurisdictions. Nevertheless, the Chartered Accountants (CAs), Certified Management Accountants (CMAs) and Certified General Accountants (CGAs) agreed that the timing and objectives were right, whereas previous efforts had failed.

Among the challenges faced along the way was finding a suitable name. The Chartered Accountant designation is used by the British Empire, a major player in Canada’s heritage. However, Canada’s American neighbor to the south employs the Certified Public Accountant title. In a conciliatory gesture drawing from both traditions, Chartered Professional Accountant (CPA) was chosen.

In a 2011 position paper, the Canadian CA and CMA organizations laid out a compelling case for the consolidation, while carefully specifying key practical steps necessary to gain support from the independent groups. Increasingly, international bodies are formulating accounting and auditing standards. Global trade is requiring more “inter-jurisdictional mobility,” giving rise to new “global accounting designations and strategic alliances among accounting organizations.” With a fragmented profession, Canada was not well positioned to have a credible voice and play an effective role on the world stage. Also, the overlapping bodies were causing further confusion and inefficiency within the country’s business community.

Eight guiding principles were laid out as the merger process was pursued, and now provide the framework for uniting the profession and achieving CPA Canada’s vision of being the pre-eminent, globally respected business and accounting designation:

  1. Continued use of existing designations – CA, CMA and CGA – along with the new designation;
  2. Evolution to a new single designation – CPA – over a period of time ending in 2022;
  3. Retention but no expansion of rights;
  4. Qualification – a new high-quality certification program;
  5. Merged operations and governance – of the existing bodies;
  6. Focus on the CPA brand – and away from the prior designations;
  7. Post qualification specialties – optional certifications;
  8. Regulation and licensing – a new uniform regulatory framework.

CPA Canada, with over 190,000 members, now takes its place internationally as one of the five largest national accounting organizations. The next few years will bring even more opportunities and challenges as the myriad of international organizations and jurisdictions strive to find ways to work more closely together, while at the same time jockeying for greater power in the standard setting arena.

In the near future, CPA Canada will work to consolidate the Mutual Recognition Agreements that the CA, CGA and CMA groups have with accounting bodies regionally and in various countries. Also, the CPA Canada certification program will be offered directly in the Caribbean and China.

 For further information, see CPA Canada.

Additional A&A News 

The following links provide a selection of current articles devoted to highlighting other A&A topics currently making news.

  1. FASB, IASB to propose clarifying revenue recognition guidance
  2. Clarified Auditing Standards: Quality Control—the Essential Points
  3. Pensions accounting: do we really need more change?
  4. SEC Ends Standoff With Big 4 China Affiliates
  5. India Moves Closer to IFRS Adoption
  6. The future of the accounting profession: It's all a matter of trust

Audit & Accounting Alert is a publication of Integra International intended to highlight emerging issues in the profession. The goal is to give Integra members an awareness of developments impacting the practice of Audit & Accounting, enabling them to stay on the forefront of industry trends.

Editor Gerald E. Herter  •  HMWC CPAs & Business Advisors, 17501 E. 17th Street, Suite 100, Tustin, CA 92780-7924
 •  Tel: 1 714 505-9000  •  Fax: 1 714 505-9200