Doing The Right Thing—Even Especially!...

Dave Cotton, CPA, CFE, CGFM, Cotton & Company LLP, Alexandria, Virginia, www.cottoncpa.com. 2011 Government & Not for Profit Conference, April 29, 2011. Doing The Right Thing—Even Especially! When It’s Not Easy


Dave Cotton, CPA, CFE, CGFM

Cotton & Company LLP

Alexandria, Virginia

www.cottoncpa.com


2011 Government & Not for Profit Conference

April 29, 2011

Doing The Right Thing—Even Especially! When It’s Not Easy

DAVID L. COTTON, CPA, CFE, CGFM COTTON & COMPANY LLP CHAIRMAN

Dave Cotton is chairman of Cotton & Company LLP, Certified Public Accountants. Cotton & Company is headquartered in Alexandria, Virginia. The firm was founded in 1981 and has a practice concentration in assisting United States Federal and State government agencies, inspectors general, and government grantees and contractors with a variety of government program-related assurance and advisory services. Cotton & Company has performed grant and contract, indirect cost rate, financial statement, financial related, and performance audits for more than two dozen Federal inspectors general (including the Department of State, the Department of Justice, the Drug Enforcement Administration, and the Department of Homeland Security) as well as numerous other Federal and State agencies and programs. Cotton & Company’s Federal agency audit clients have included the U.S. Government Accountability Office, the U.S. House of Representatives, the U.S. Small Business Administration, the U.S. Bureau of Prisons, the Millennium Challenge Corporation, and the U.S. Marshals Service. Cotton & Company also assists numerous Federal agencies in preparing financial statements and improving financial management, accounting, and internal control systems.

Mr. Cotton received his BS in mechanical engineering (1971) and an MBA in management science and labor relations (1972) from Lehigh University in Bethlehem, PA. He also pursued graduate studies in accounting and auditing at the University of Chicago, Graduate School of Business (1977 to 1978). He is a Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), and Certified Government Financial Manager (CGFM).

Mr. Cotton served on the Advisory Council on Government Auditing Standards (the Council advises the United States Comptroller General on promulgation of Government Auditing Standards—GAO’s yellow book) from 2006 to 2009. He served on the Institute of Internal Auditors (IIA) Anti-Fraud Programs and Controls Task Force and co-authored Managing the Business Risk of Fraud: A Practical Guide. He served on the American Institute of CPAs Anti-Fraud Task Force and co-authored Management Override: The Achilles Heel of Fraud Prevention. He is the past-chairman of the AICPA Federal Accounting and Auditing Subcommittee and has served on the AICPA Governmental Accounting and Auditing Committee and the Government Technical Standards Subcommittee of the AICPA Professional Ethics Executive Committee. Mr. Cotton served on the board of the Virginia Society of Certified Public Accountants (VSCPA) and on the VSCPA Litigation Services Committee, Professional Ethics Committee, Quality Review Committee, and Governmental Accounting and Auditing Committee. He is a member of the Greater Washington Society of CPAs (GWSCPA) and is serving on the GWSCPA Professional Ethics Committee. He is a member of the Association of Government Accountants (AGA) and is past-advisory board chairman and past-president of the AGA Northern Virginia Chapter. He is also a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners.

Mr. Cotton has directed hundreds of contract and grant financial and compliance audits on behalf of Federal and state agencies. These audits assess the allowability, allocability, realism, and reasonableness of costs claimed pursuant to applicable Federal Acquisition Regulation (FAR) cost principles. Mr. Cotton has testified as an expert in governmental accounting and auditing issues and fraud issues before the United States Court of Federal Claims and other administrative and judicial bodies. Mr. Cotton has spoken frequently on professional ethics and auditors’ fraud detection responsibilities under SAS 99, Consideration of Fraud in a Financial Statement Audit. He currently teaches at George Washington University (Fraud Examination and Forensic Accounting), and the George Mason University Small Business Development Center (Fundamentals of Accounting for Government Contracts).


Conceptual Framework for Independence Rule 101

Guide for Complying with Ethics Rules 102-505

Conceptual Framework for Independence Rule 101


AICPA Independence Standards

• Code of Professional Conduct

– ET Section 101 – Independence

– ET Section 100.01 – Conceptual Framework for AICPA Independence Standards


Conceptual Framework

• Issued by the Professional Ethics Executive Committee (PEEC) in April 2006 with an effective date of April 30, 2007

• A risk-based approach to analyzing independence matters

• Certain relationships continue to be prohibited/restricted even if risks are deemed to be at an acceptable level – i.e., having any direct financial interest in an attest client

• Client relationships should be evaluated to determine if they pose unacceptable risks


Unacceptable Risk

• Exists if the relationship would compromise the member’s professional judgment when rendering an attest service to the client

• In addition, the risk is unacceptable if the relationship would be perceived as being compromising by an informed third party having knowledge of all the relevant information

• The risk must be reduced to an acceptable level in order to conclude that the member is independent


Acceptable Level of Risk

Risk is at an acceptable level –

• If threats are at an acceptable level due to either the types of threats and their potential effect, or

• Because safeguards have sufficiently mitigated or eliminated the threats


Mitigated Threats

Threats are at an acceptable level when it is not reasonable to expect that the threat would compromise professional judgment


3 Steps for Risk-Based Approach

• Step #1 – Identify and evaluate threats to independence

– Evaluate threats both individually and in the aggregate (due to cumulative effect)

– If you identify threats but determine that they are at an acceptable level (either due to the types of threats or their potential effects) then you don’t have to consider safeguards

– But, if identified threats are not at an acceptable level, safeguards should be considered


3 Steps for Risk-Based Approach

• Step #2 – Determining whether identified threats are already eliminated or sufficiently mitigated by safeguards or, if not, whether they can be eliminated or sufficiently mitigated by safeguards

– The potential for a threat to compromise professional judgment is reduced to an acceptable level when sufficiently mitigated by safeguards

– The threat is sufficiently mitigated if after application of safeguards it is not reasonable to expect that the threat would compromise professional judgment


3 Steps for Risk-Based Approach

• Step #3 – Independence would be considered impaired if no safeguards are available to eliminate an unacceptable threat or reduce it to an acceptable level – i.e., either eliminate the relationship causing the threat or don’t accept the engagement.


Independence Defined

• Independence of Mind

– State of mind that permits performance of an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism

• Independence in Appearance

– Avoidance of circumstances that would cause a reasonable and informed third party, having knowledge of all relevant information, including safeguards applied, to reasonably conclude that the integrity, objectivity, or professional skepticism of a firm or a member of the attest engagement team has been compromised


Impair Defined

• The Conceptual Framework defines Impair as effectively extinguish (independence)

• In other words, when independence is impaired, the member or firm is not independent


Threats Defined

• Circumstances that could impair independence

• Not necessarily an impairment

• Depends upon the nature of the threat, whether the threat could possibly compromise the member’s judgment, and, if so, the effectiveness of any specific safeguards applied.

• The Conceptual Framework lists seven broad threat categories


7 Categories of Threats

1. Self-review

2. Advocacy

3. Adverse interest

4. Familiarity

5. Undue influence

6. Financial self-interest

7. Management participation


Types of Threats

I. Self-review threat

– Member reviewing evidence created by the member performing a non-attest service as part of the attest engagement

– i.e., member prepares source documents used to generate the client’s financial statements


Types of Threats

II. Advocacy threat

– Promoting an attest client’s interests or positions

– i.e., representing an attest client in tax court


Types of Threats

III. Adverse interest threat

– Litigation by or against a client


Types of Threats

IV. Familiarity threat

– Members having a close or longstanding relationship with an attest client or knowing individuals or entities who performed non-attest services for the client

– Attest team member having a spouse in a key position with the client

– A partner in the firm that has performed the audit for a number of years

– A friend of an attest team member that is in a key position with the client


Types of Threats

V. Undue influence threat

– Attempted coercion of an attest team member or an attempt to exercise excessive influence over the member

– Threat to replace a member or the member’s firm over a disagreement

– Pressure to reduce audit procedures to reduce fees

– Gifts from a client, unless clearly insignificant


Types of Threats

VI. Financial self-interest threat

– A potential benefit to a member from a financial interest in an attest client or some other financial relationship

– A direct financial interest

– A material indirect financial interest

– A loan from a client, one of its officers or directors, or from an individual owning 10 percent or more of the company

– Being in a joint venture with an attest client


Types of Threats

VII. Management participation threat

– Performing management functions on behalf of an attest client

– Serving as an officer or director

– Establishing and maintaining the client’s internal controls

– Hiring, supervising, and/or terminating client employees


Safeguards

Three Broad Categories –

1. Created by the profession, legislation, or regulation

2. Implemented by the attest client

3. Within the firm’s own systems and procedures


Safeguards Implemented by the Profession, Legislation or Regulation

Examples:

- Professional standards

- Continuing professional education

- Peer review

- Professional licensing


Safeguards Implemented by the Attest Client

Examples:

- A tone at the top that emphasizes the client’s commitment to fair financial reporting

- A governance structure designed to ensure appropriate decision making, oversight and communications regarding a firm’s services

- Policies about the types of services the entity can hire the audit firm to perform without causing impairments to independence

- Having personnel with suitable skills to make management decisions regarding nonattest services by the member to the attest client


Safeguards Implemented by the Firm

Examples:

- Firm leadership that stresses the importance of independence

- Policies and procedures designed to implement and monitor quality control

- Documented policies to identify threats to independence, evaluate the significance, and implement safeguards to mitigate

- Training on firm policies and procedures


Guide for Complying with Ethics Rules 102-505


Important Non-authoritative Guidance

Guide for Complying with Rules 102-505

• Not to be confused with ET 100.01, Conceptual Framework for AICPA Independence Standards

• Non-Authoritative Guide pertains to:

– Rule 102, Integrity and Objectivity

– Rule 201, General Standards

– Rule 202, Compliance with Standards

– Rule 203, Accounting Principles

– Rule 301, Confidential Client Information

– Rule 302, Contingent Fees

– Rule 501, Acts Discreditable

– Rule 502, Advertising and Other Forms of Solicitation

– Rule 503, Commissions and Referral Fees

– Rule 505, Forms of Organization and Name


Threats and Safeguards Approach

1. Identify threat to compliance with rules

2. Evaluate significance of threat

• Is threat at an acceptable level?

– Yes; no further evaluation needed; perform service

– No; go to step 3

3. Identify and apply appropriate safeguards to reduce/mitigate/eliminate threat

• Is threat reduced to an acceptable level?

– Yes; no further evaluation needed; perform service

– No; DO NOT PERFORM THE SERVICE

What is “an acceptable level”?


A threat has been reduced to an acceptable level by safeguards if, after application of the safeguards, a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that compliance with the rules is not compromised.


Threats:

1. Self-review

2. Advocacy

3. Adverse interest

4. Familiarity

5. Undue influence

6. Self-interest

Safeguards:

• Safeguards created by the profession, legislation, or regulation (e.g. peer review, preapproval of non-audit services by an audit committee, quality control reviews by an OIG, etc.)

• Safeguards in the work environment (e.g. strong internal control, strong tone at the top, etc.)


Ethical Conflict Resolution (5 steps):

1. Consider the following:

a) Relevant facts and circumstances, including applicable rules, laws, or regulations

b) Ethical issues involved

c) Established internal procedures

d) Alternative courses of action

2. Select course of action that will best enable you to comply with the rules

Ethical Conflict Resolution:


3. Consider consulting with appropriate persons in your organization

4. Consider obtaining advice from appropriate professional body or legal counsel

5. Consider disassociating from the service, client, employer


Resolving Ethical Dilemmas:

Case Study

Fun, interactive, and educational activity …

Please read the case study in Attachment 1 and select the best answer


Performance Audit of Construction Management at Slippery Slope Secondary School District

What must Carla and D&C do? Be ready to defend your answer.

[ ] A. Carla and D&C must either resign from the engagement or issue a disclaimer of opinion, because this situation creates an external impairment to D&C’s independence; and interpretation 101-6 is explicit.

[ ] B. Carla and D&C can proceed with the audit, because the threat of litigation did not come from the management or employees of the audited entity (yellow book); nor did the threat come from the client (Interpretation 101-6).

Process for Ethical Decision Making


[Flowchart. Boxes: Identify Ethical Threat; Is Threat Significant? (YES/NO); Proceed with Professional Service; Identify and Apply Appropriate Safeguard(s); Is Threat Eliminated or Reduced to an Acceptable Level? (YES/NO); Consult with Other Experts; Is Threat Eliminated or Reduced to an Acceptable Level? (YES/NO); Do Not Proceed with Professional Service; Consider Disassociating with Client or Employer]


Attachment 1: Performance Audit of Construction Management at Slippery Slope Secondary School District

Case Study—2010

Carla Denim, CPA, Managing Partner of Denim & Company LLP (a CPA firm) is directing D&C’s engagement to conduct a performance audit (in accord with Government Auditing Standards) of construction management at Slippery Slope Secondary School District (SSSSD). D&C is conducting the audit under a contract with the state comptroller’s office (SCO). SSSSD spends about $150-200 million per year on construction. SSSSD outsourced its construction management to Chissel & Steele, Inc. (CSI), a large engineering firm. The performance audit objectives are to determine if construction management is effective and efficient and to identify any potential cost savings, as well as any potential fraud, waste, or abuse. During the first few months of the audit, D&C identifies numerous potential findings and recommendations related to weak internal controls, failure to adequately manage contracts, and over-delegation of authority to CSI. Many of these potential findings also indicate a high degree of fraud risk and possible waste and abuse. D&C’s audit protocol calls for issuance of draft findings to SSSSD so that SSSSD can provide comments and possibly implement early corrective actions. SSSSD and CSI have jointly reviewed the findings. When about half of the 50+ potential findings have been delivered to SSSSD, SCO receives a letter from CSI’s attorney. The letter accuses D&C of (a) failure to follow yellow book standards and (b) developing erroneous findings (that if made public will damage CSI’s reputation). The letter asserts that CSI will sue SCO if the findings are included in the audit report issued to the public. SCO shares a copy of the threatening letter with D&C, because D&C’s contract with SCO contains an indemnification clause (D&C must hold SCO harmless for actions arising from the audit). 
Carla considers the allegations baseless, but does a quick check of the yellow book and the Code of Professional Conduct to see if the threats have any impact on the audit scope and finds the following:

GAGAS Paragraph 3.10 (External Impairment) states:

… External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. For example, under the following conditions, auditors may not have complete freedom to make an independent and objective judgment, thereby adversely affecting the audit:

a. external interference or influence that could improperly limit or modify the scope of an audit or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees;

b. external interference with the selection or application of audit procedures or in the selection of transactions to be examined; …

d. externally imposed restriction on access to records, government officials, or other individuals needed to conduct the audit; …

g. authority to overrule or to inappropriately influence the auditors’ judgment as to the appropriate content of the report; …

Code of Professional Conduct Interpretation 101-6—The effect of actual or threatened litigation on independence, states:

In some circumstances, independence may be considered to be impaired as a result of litigation or the expressed intention to commence litigation as discussed below.

Litigation between client and member

… When the present management of a client company commences, or expresses an intention to commence, legal action against a covered member, the covered member and the client's management may be placed in adversarial positions in which the management's willingness to make complete disclosures and the covered member's objectivity may be affected by self-interest. For the reasons outlined above, independence may be impaired whenever the covered member and the covered member's client or its management are in threatened or actual positions of material adverse interests by reason of threatened or actual litigation. …

3. An expressed intention by the present management to commence litigation against the covered member alleging deficiencies in audit work for the client would be considered to impair independence if the auditor concludes that it is probable that such a claim will be filed.

…

Effects of impairment of independence

If the covered member believes that the circumstances would lead a reasonable person having knowledge of the facts to conclude that the actual or intended litigation poses an unacceptable threat to independence, the covered member should either (a) disengage himself or herself, or (b) disclaim an opinion because of lack of independence. Such disengagement may take the form of resignation or cessation of any attest engagement then in progress pending resolution of the issue between the parties. …

WHAT MUST CARLA AND D&C DO? SELECT THE BEST ANSWER AND BE READY TO DEFEND YOUR ANSWER.

[ ] A. Carla and D&C must either resign from the engagement or issue a disclaimer of opinion, because this situation creates an external impairment to D&C’s independence; and interpretation 101-6 is explicit.

[ ] B. Carla and D&C can proceed with the audit, because the threat of litigation did not come from the management or employees of the audited entity (yellow book); nor did the threat come from the client (Interpretation 101-6).