In 1899, Cator and Guy Woodford established a new business, the Retail Credit Company, in downtown Atlanta. The two brothers realized that local grocery stores suffered large losses each year because they extended credit to customers who did not have the ability or intent to pay their bills. After convincing a large number of grocers to provide access to their customers' credit histories-without those consumers' prior knowledge or approval-the Woodfords developed a bound book documenting those histories in an alphabetic format. The brothers then sold access to the book for an annual fee to Atlanta groceries and other retail businesses.Over the next few decades, the Retail Credit Company's revenues and profits waxed and waned as the entrepreneurial Woodfords used their growing database of consumer credit information to launch other business ventures, principally in the insurance industry. By the 1930s, the company had refocused its operations almost exclusively on selling credit reports to retail and wholesale businesses.Persistent allegations of abusive business practices by Retail Credit Company and its major competitors convinced Congress to pass the Fair Credit Reporting Act of 1970. That federal statute requires credit agencies to establish mechanisms to protect the privacy and accuracy of consumers' credit data. Retail Credit Company was one of the first companies prosecuted for violating the Fair Credit Reporting Act. The charges filed against the company included using deceptive means to collect information from consumers, compensating employees based upon the volume of negative credit information they collected, and including false and fabricated information in consumers' credit files. In 1979, Retail Credit Company reincorporated as Equifax Inc.,1 reportedly, to distance itself from its prior indiscretions.By the early 1990s, Equifax reigned as the largest credit reporting agency in the United States. Despite the company's size and prominence, Equifax continued to be hounded by critics who claimed the company routinely violated consumers' privacy and other civil rights. Among the most common complaints facing Equifax was that it sold consumers’ personal information to direct marketing companies, which then bombarded those consumers with unwanted advertising paraphernalia via the mail and unsolicited telephone calls.

Questions

1. "Risk factors" disclosures included in a Form 10-K are generally outside the scope of the given company's annual independent audit. Despite that fact, does a public company's auditors have any responsibility to consider or review those disclosures? Explain.

2. The PCAOB auditing standards require auditors to apply a "top-down approach" during an audit of ICFR. Explain whether this top-down approach mandates that auditors test IT general controls.

3. Identify a recent material weakness in ICFR reported by a public company auditor. Explain the nature of the material weakness and whether it has any connection to the company's IT general controls. How is the material weakness relevant to the company's control environment?

4. Suppose during a financial statement or ICFR audit that the auditors identify cybersecurity risks not having direct financial statement or ICFR implications. What should the audit team do in such circumstances?

Transcribed Image Text:

In the ordinary course of business, we rely upon information technology networks and systems, some of which are managed by third parties to process, transmit and store electronic information, and to manage or support a variety of business processes and activities, including business-to-business and business-to-consumer electronic commerce and internal accounting and financial reporting systems. Additionally, we collect and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of our customers, employees, consumers and suppliers, in data centers and on information technology networks. The secure operation of these networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in security measures and business continuity plans, our information technology networks and infrastructure or those of our third-party vendors and other service providers could be vulnerable to damage, disruptions or shutdowns due to attacks by hackers or breaches due to employee error or malfeasance, or other disruptions during the process of upgrading or replacing computer software or hardware, power outages, computer viruses, telecommunication or utility failures or natural disasters or other catastrophic events. We are regularly the target of attempted cyber and other security threats and must continuously monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses and other events that could have a security impact. Although we have not experienced any material breach of cybersecurity, if one or more of such events occur, this potentially could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could subject us to litigation, significant losses, regulatory fines, penalties or reputational damage, any of which could have a material effect on our cash flows, competitive position, financial condition or results of operation. Our property and business interruption coverage may not be adequate to compensate us for all losses or failures that may occur. Also, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention. Editorial Note: Additional narrative added in response to SEC inquiry is underlined. Source: Equifax, 2012 Form 10-K.