AUDITING
Auditor Responsibilities Related To The Year 2000 Issue
By Mark S. Beasley and Frank A. Buckless
As the year 2000 fast approaches, companies all over the world are scrambling to update their computer systems to avoid the potential major difficulties due to the Y2K issue. As most are aware, the Y2K issue results from the fact that the majority of computer programs in use today have been designed to store dates in a format that only allows two digits for the year. While this type of programming format was initially developed to save costly memory space, this long-standing practice will cause many computers to interpret January 1, 2000, as January 1, 1900, unless those programs are modified. Without such modification, significant problems relating to the integrity of all information based on time may occur. While companies may be addressing the Y2K issue as it relates to internally based systems, the integrity of company information may also be affected by the computer systems of customers, vendors, or other third parties that may not have adequately addressed Y2K.
Potential effects of Y2K on company operations and financial reporting range from the minor to the catastrophic. As auditors approach the audits of company financial statements in the remaining time before the year 2000, they will want to consider how the Y2K issue affects audit planning and reporting responsibilities. To clarify the auditor's responsibilities, the Audit Issues Task Force (AITF) recently issued several auditing interpretations and one attestation interpretation that address the auditor's responsibilities related to the Y2K issue when conducting an audit in accordance with generally accepted auditing standards (GAAS). Additionally, FASB's Emerging Issues Task Force (EITF) and the staff of the SEC have issued guidance that auditors will want to consider.
Financial Statement Audit Issues
In 1998, the AITF issued two auditing interpretations related to Y2K that provide guidance concerning audit planning and consideration of an entity's ability to continue as a going concern. The first auditing interpretation, Audit Considerations for the Year 2000 Issue (AU Section 9311), relates to SAS No. 22, Planning and Supervision, and addresses three main issues:
The second auditing interpretation, Effect of the Year 2000 Issue on the Auditor's Consideration of an Entity's Ability to Continue as a Going Concern (AU 9341), relates to SAS No. 59, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern, and addresses three main issues:
Additionally, the Audit Risk Alert--1997/98 provides clarification on the auditor's planning and communication responsibility.
Auditor Responsibility. The interpretation of SAS No. 22 notes that the auditor is responsible for obtaining reasonable assurance that the financial statements are free of material misstatement caused by error or fraud. Thus, the auditor's responsibility relates only to the detection of material misstatements in the financial statements, whether caused by Y2K or by something else. An auditor is not responsible for detecting current or future effects of Y2K on operational matters that do not affect whether financial statements prepared by the entity are in accordance with generally accepted accounting principles. The audit risk alert confirms that an audit of financial statements conducted in accordance with GAAS is not designed to detect whether an entity's systems are Y2K compliant and that the auditor has no responsibility to make an entity's information systems Y2K compliant.
Planning Considerations. When considering the methods the entity uses to process accounting information, the interpretation of SAS No. 22 notes that the auditor may determine it necessary to consider whether data processing errors caused by Y2K could result in material misstatement of the financial statements. The result of that consideration may affect the auditor's assessment of control risk, testing of internal controls, and substantive procedures. The audit risk alert notes that the auditor may wish to specifically address the Y2K issue in connection with obtaining an understanding with the client and may consider adding language to the engagement letter explaining the auditor's responsibility. The extent to which the auditor considers the Y2K issue in a financial statement audit requires professional judgment.
Internal Control Considerations. During the course of an audit conducted prior to 2000, the auditor may become aware that, in some future period, the Y2K issue could "adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements." Should the potential future internal control deficiency be included as a reportable condition in the current year audit? The interpretation of SAS No. 22 states that such a situation does not represent a current year reportable condition because the potential deficiency is not currently affecting the entity's ability to prepare financial statements.
The audit risk alert does indicate that the auditor may wish to consider whether Y2K problems should be highlighted in a comment letter to senior management and the audit committee. As a matter of client service and prudence, a discussion of the Y2K issue in a management comment letter is advisable. The audit risk alert notes that auditors should be cautious that these communications do not imply an assumption of assuring Y2K compliance. In other words, the discussion has to be worded in a manner that avoids inadvertent acceptance of more responsibility than intended.
Going Concern Considerations. The interpretation of SAS No. 59 notes that Y2K can cause conditions and events that could indicate substantial doubt about the audit entity's ability to continue as a going concern. The interpretation notes that such conditions and events related to the Y2K problem include the following:
The interpretation of SAS No. 59 also describes the auditor's responsibility for identifying conditions and events related to Y2K. The interpretation notes that the auditor does not have a responsibility to design audit procedures to identify conditions and events, including those related to Y2K, that indicate substantial doubt about the audit entity's ability to continue as a going concern. Rather, the interpretation notes that it is the auditor's responsibility to consider whether the results of procedures performed during planning, gathering evidential matter relative to the various audit objectives, and completing the audit identify conditions and events related to Y2K that could create substantial doubt about the audit entity's ability to continue as a going concern.
In addition, the interpretation of SAS No. 59 notes that the possibility a mission-critical computer system will fail on January 1, 2000, and cause severe adverse financial consequences is not a condition or event subject to the auditor's SAS No. 59 consideration unless the effects of such failure will be significant within one year beyond the date of the financial statements being audited. This will be a concern for financial statements as of December 31, 1999, and thereafter. If such conditions or events are present and cause the auditor to have substantial doubt about the entity's ability to continue as a going concern, the auditor should consider management's plans related to Y2K remediation. If management does not have any Y2K remediation plans, the absence of such plans ordinarily results in the auditor concluding that such doubt is not eliminated. However, when remediation plans exist, the auditor should identify those elements of the plan that are particularly significant and gather evidence about those elements to consider the likelihood that those plans can be effectively implemented.
Finally, the interpretation of SAS No. 59 notes that the auditor may want to consider obtaining written representations related to the Y2K issue. These should address the following items:
Examinations of Service Organizations
In August 1998, the AICPA published an AITF auditing interpretation, Responsibilities of Service Organizations and Service Auditors with Respect to Information About the Year 2000 Issue in a Service Organization's Description of Controls (AU 9324). This auditing interpretation relates to SAS No. 70, Reports on the Processing of Transactions by Service Organizations.
The interpretation of SAS No. 70 notes that since service providers generally use computerized systems to provide services to user organizations, Y2K may affect a service organization's systems and the services it provides to such organizations. The interpretation notes that a service organization's description of controls is designed to provide user auditors with information that will enable them to obtain a sufficient understanding of a user organization's internal controls to plan the audit. If Y2K affects the services provided to user organizations during the period covered by the service auditor's examination in a manner that affects user organizations' abilities to record, process, summarize, and report financial data, that information would be considered relevant to user auditors and should be included in the service organization's description of controls. If the service organization's system is incorrectly processing user organization transactions because of Y2K, and the service organization omits this information from its description of controls, the service auditor should modify her opinion on the service organization's description of controls and, if applicable, modify her opinion on the suitability of the design of related controls.
This interpretation also notes that SAS No. 70 does not require the service auditor to identify, in her report, design deficiencies that do not affect processing during the period covered by the service auditor's examination, but may represent potential Y2K problems. However, the service auditor may choose to communicate such information to the management of the service provider.
In addition, the interpretation notes that the service organization should not include information about its plans to modify its system to address the Y2K issue in its description of controls because a plan does not represent an existing control that would affect a user organization's abilities to record, process, summarize, or report financial data.
Accounting and Disclosure Guidance
Proper Accounting Treatment for Y2K Related Costs. Auditors should consider whether the costs associated with their client's modifications of computer systems pursuant to Y2K have been properly accounted for. EITF Issue No. 96-14, Accounting for the Costs Associated with Modifying Computer Software for the Year 2000, addresses accounting issues related to the correction of the Y2K problem. The issue addresses accounting for external and internal costs specifically associated with the modification of internal-use computer software for the Year 2000. The EITF reached a consensus that external and internal costs specifically associated with modifying internal-use software for Y2K should be charged to expense as incurred. The SEC staff has agreed with the EITF consensus.
In some circumstances, the Y2K issue may render certain client assets (such as computer hardware and software) obsolete or inoperable. Accordingly, auditors may wish to consider whether the client has properly accounted for such events by appropriately adjusting useful lives, residual values, or both, or by recognizing impairment losses.
SEC Disclosure Requirements. Auditors of publicly traded companies should consider the SEC's disclosure requirements. In January 1998, the SEC staff issued a revision of Staff Legal Bulletin No. 5 (CF/IM) to provide more specific guidance about existing SEC rules and regulations due to the importance of the Y2K issue and uncertainty regarding disclosure. The bulletin notes that companies should review, on an ongoing basis, whether they need to disclose anticipated costs, problems, and uncertainties associated with Y2K consequences, particularly in their filings with the SEC. The bulletin notes that companies may need to disclose Y2K issues in their Description of Business or Management's Discussion and Analysis of Financial Condition and Results of Operations.
If Y2K issues are determined to materially affect a company's products, services, or competitive conditions, without regard to countervailing circumstances, then the nature and impact of Y2K and the countervailing circumstances should be disclosed in its Description of Business. The following topics should be addressed:
Y2K issues should be discussed in a company's Management's Discussion and Analysis of Financial Condition and Results of Operations if--
Y2K Issues and Attestation of Management's Discussion and Analysis. In August 1998, the AICPA published the AITF's attestation interpretation of AT Section 700. The interpretation, Consideration of the Year 2000 Issue When Examining or Reviewing Management's Discussion and Analysis, relates to the newly issued SSAE No. 8, Management's Discussion and Analysis.
This interpretation notes that Staff Legal Bulletin No. 5, issued by the SEC's Division of Corporation Finance and Investment, requires disclosures in management's discussion and analysis (MD&A) concerning Y2K matters in certain circumstances. The interpretation notes that in expressing an opinion on MD&A or providing the limited assurance in a review report, the practitioner is not reporting specifically on the Y2K disclosures; rather, she is considering whether such disclosures, in conjunction with all other disclosures, have been accurately derived, in all material respects, from the entity's financial statements and whether the underlying information, determination, estimates, and assumptions provide a reasonable basis for the disclosures contained therein. Accordingly, an examination or review of MD&A in accordance with AT Section 700 does not provide assurance that an entity is or will be Y2K compliant. The interpretation also notes that, when performing an examination of MD&A, the practitioner should consider whether the effects of Y2K have been appropriately disclosed in MD&A. If the entity chooses to make disclosures about its state of Y2K readiness or management's view of whether the entity will be compliant by the year 2000, the practitioner's procedures would ordinarily be limited to considering the process used by management to address the adverse effects of the Y2K issue and the progress of remediation efforts.
Mark S. Beasley, PhD, CPA, is an assistant professor of accounting, and Frank A. Buckless, PhD, an associate professor of accounting, both at North Carolina State University.
Editors:
Douglas R. Carmichael, PhD, CFE, CPA
Stan Ross Department of Accountancy,
Zicklin School of Business,
Baruch College
John F. Burke, CPA
The CPA Journal
©2009 The New York State Society of CPAs.