Have you been told your audit fee is going to increase because the audit team has to do more work due to PCAOB inspection findings or audit alerts? This seems to be a common refrain I hear from a lot of preparers when I talk about the COSO 2013 ICIF. If you reacted by blaming the PCAOB for this increased cost, you may be on the wrong track.
I am sure your auditor explained that the PCAOB sent out an inspection finding to their firm or an audit alert to all auditors and that is causing the increased work, but this is where a little knowledge can go a long way. Instead of wondering how the PCAOB can issue rules that increase costs without going through a formal rule-making process that requires a comprehensive cost/benefit analysis, you need to realize that inspection findings and audit alerts do not make new rules at all. These two documents instead explain cases where the auditor was not following the rules and standards already in place for auditors of public companies.
So, if the auditor is telling you that findings or alerts are resulting in increased fees, what they are really telling you is that they have not been performing an adequate audit of your internal controls in the past. That leads to two possibilities. One, your audit team did not understand the auditing standards and therefore completed a substandard audit or two, your audit team knew the rules and decided to cut corners in order to low-ball the bid for your work, or increase the firms margins on the work performed.
What do you do then if you are being told by your auditor that they need more money for increased work over testing internal controls? I think its time to have a little fun. Ask your auditor if they were cutting corners, deliberating doing a bait and switch with a bid they knew they could not meet, or just simply incompetent. You still might end up agreeing to pay a little more, but at least you can make your engagement partner sweat!
Last week I attended and presented at the AICPA SEC & PCAOB Developments Conference in Washington DC. At least I attended the second and presented on the third day in DC. Due to weather problems in both Dallas and Washington, my Sunday flight was cancelled and the earliest flight available was Monday evening. So instead of trying to figure out a way to get there for Monday I decided to spend a night in my own warm bed and attend the first day of the conference virtually on the internet. From what I heard from the speakers and the chats on the internet, I was one of many that had trouble getting to Washington from all over the country. Attending virtually was great. While you don’t have the networking opportunities of being there in person, the chat kept me interested and I was able to get a great feel for the tone of the conference.
While my opinion is biased (I served on a panel discussing the revised COSO Internal Control Integrated Framework), the theme of the conference this year was internal control over financial reporting. It wasn’t that the AICPA picked this theme. The speakers did it by mentioning internal control in presentation after presentation and panel after panel. I am not overstating fact when I say ever single SEC and PCAOB panel talked about internal control. From asking why companies don’t disclose internal control failures until after a restatement to questioning management’s positive assertions about internal control when the auditors are found not to have performed an appropriate audit over that assertion, the SEC is clearly looking to renew its interest in internal control reporting for the first time since in several years. Meanwhile the PCAOB’s recent report questions whether auditors are consistently complying with AS 5. Even without a revised internal control framework to deal with preparers should be spending more time documenting, testing and evaluating their internal controls over financial reporting.
I will spend more time talking about internal controls in my next blog. Meanwhile, here is a list of other quotes and notes from the three day conference:
- Keynote speaker David Walker – we’ve tripled the national debt to over $17 Trillion in 13 years, but that is only what is on the balance sheet; what is not on the balance sheet makes the debt number over $70 Trillion from “only” $20 Trillion 13 years ago.
- Paul Beswick, SEC Chief Accountant – IFRS took a back seat to the rule making requirement so Dodd-Frank and the JOBS Act; it was not a matter of lack of importance of IFRS, but simply a rule-making bandwidth issue that has kept IFRS on the back burner of the SEC for the last couple of years.
- OCA Panel/FASB-IASB Panel – the Chief Operating Decision Maker reporting package is increasingly irrelevant in determining which segments to report when CODM’s have drill down access to details that didn’t exist when the standard was written – this needs to be addressed when the FASB relooks at segment reporting.
- Enforcement Division Panel – Whistleblowers are increasingly important to the enforcement division; many of their cases are now starting from whistleblower action and the use of whistleblowers is changing the willingness of companies to self-report issues as well as increasing their willingness to cooperate with the SEC
If you want to know more check out the many articles and press releases that come out in conjunction with the conference
The PCAOB re-proposed including the name of the lead partner in the auditor report last week. The Board seemed split on the proposal when you read their comments. There are those that believe disclosing the partners name will make things more transparent to users of the audit report. They even envision data gathered over time on which individual partners are involved in restatements, lawsuits over financial reports and other issues (and of course which aren’t). The other point of view is that disclosing the partners name won’t do anything for audit quality and it actually might cause problems because auditors will do unnecessary work “just to be sure” and others won’t even consider becoming partners in the first place because of the increased scrutiny and liability such a requirement will create.
On the Industry front, this proposal could create some very interesting dynamics when combined with the existing requirement to change partners every few years. While management and the audit committee are always very interested in who the new partner will be, under the proposed rule that interest will take on more of a public relations bent rather than just caring about whether the person is a good auditor and will work well with the company. In theory companies don’t negotiate with their firm who the specific partner will be, but could you imagine a scenario where an excellent audit partner who was involved in a lawsuit that was settled in the last couple of years was suggested as the next partner for the audit. I could easily see an audit committee telling the firm that if that partner will be the lead partner on the audit, then the company may decide to tender the audit work and go with a different firm. Keep in mind, this decision has nothing to do with the actual audit skills of the partner involved. Instead it has everything to do with PR perceptions of the investors.
While this scenario might actually get rid of a few bad auditors, I think the more likely result is that many good auditors end up being blackballed and more and more young CPAs question why they would ever want to subject their livelihood to such a possibility in the first place.
The really backwards part of this scenario is that less experienced auditors who handle “easier” clients are more likely to have a clean record while more experienced auditors that are willing to take on the tough assignments will likely end up with a black mark or two. This may end up with companies seeking less experienced auditors with a history of not dealing with difficult situations – this is exactly the opposite of what would be considered the necessary ingredients for a better quality audit. Maybe I’m wrong and the scenario I laid out won’t happen, but it sure seems plausible to me. I just wonder if the cost of the potential for lower quality audits is truly outweighed by the benefit from possibly getting rid of a few bad auditors.
Remember that feeling of satisfaction when your auditor questioned your accounting for a large transaction and, after lots of discussion, fact finding and research, the auditor finally agreed you were presenting it correctly resulting in a pretty, clean audit opinion. Well, those days are over if the PCAOB gets it way. Even if you were right, the PCAOB proposal on revisions to the audit report will require the auditor to identify the “critical audit matter,” describe why it was critical and refer to the appropriate disclosures in the financial statements. This is beyond the old emphasis of matter paragraphs and is only one of several new requirements proposed by the PCAOB.
Normally, preparers don’t care much about PCAOB rule changes impacting the auditors, but this time they should take notice because it is going to significantly change that audit report attached to your financial statements. In fact, you might also need to plan on additional page(s) for your report because the audit report is likely to be much longer in the future.
In addition to a new statement on auditor independence and a required disclosure on when the auditor began serving as the company auditor, the new report will also require the auditor to “evaluate” “other information” previously not subject to the audit. “Other information” includes selected financial data and Management’s Discussion and Analysis (MD&A). While “evaluate” is something less than “audit,” it is also clearly more than the current requirement to review such information for inconsistencies with the audited financial statements.
In addition, this “evaluation” will be included in the auditor’s report. That would seem to open up the auditor to potential liability if there was something “wrong” in the MD&A so I think we will see significantly more work in that area, if only as a purely defensive measure, if the PCAOB proposal becomes a final rule. You can also bet that the auditors will ask for higher fees as a result of the additional work. We all remember how much the fees went up with the adoption of Sox 404 reporting. While this should not be on that scale, I think it will be more than insignificant (to borrow from our standard setter’s terminology in the leasing standard).
There of many out there that believe it’s about time the MD&A is subject to some audit procedures given its importance to investors, and there are others that feel just as strongly that the MD&A needs to stay out of the audit so it can be truly focused on forward looking information which is notoriously difficult to audit. Whatever your feelings, now is the time to let them be known by the PCAOB. The comment deadline in December 11 which will be here before you know it, so check out the most sweeping revision to the auditor’s report in years and let your voice be heard.
The Financial Reporting Council (FRC) in the U.K. (think of the PCAOB/SEC in the U.S.) has proposed rules that will require auditors to provide commentary on the “risks of material misstatement” as well as how they applied the concept of materiality in the audit and how the audit scope responded to company risks. These new requirements would be a huge departure from the current pass/fail auditor report model used by much of the world.
The PCAOB has also been looking at potential audit report modifications and had previously released a request for comments on potential changes to the report ranging from more information on how the audit was conducted to an auditor’s discussion and analysis. The FRC proposal seems to be somewhere between these two extremes, but it would definitely seem to not be in alignment with the comments from most preparers in U.S. that said information about the company should come from the preparers not the auditors.
If the PCAOB decides to go down this path as well, I can see several significant issues from a preparer perspective. First, in the U.S. management is required to provide an assessment of its system of internal controls to prevent material misstatements of the financial statements and the auditor then provides its opinion on that assessment. If the auditor were then required to also comment on specific risks and what they did about them in the audit would this lead to either (1) questioning of managements assessment about the effectiveness of its internal controls or (2) management feeling compelled to specifically address their response to those risks as well in their report on internal controls. And this doesn’t even address what might happen if management and the auditor have serious differences in opinion about what the risks really are in the first place.
I am also very concerned about the impact the required disclosure on how the concept of materiality was applied would have on the auditor’s evaluation of materiality. Will auditors feel compelled to use lower than necessary materiality levels to prevent lawsuits that say if they had only used a slightly lower level of materiality problems that lead to the investor losses in the stock market would have been discovered? If you don’t believe that would happen, then let me tell you about a recent development.
Previous to this audit cycle, most audit firms used a different dollar threshold of materiality for the income statement and the balance sheet. I can hear the purest out there saying materiality is a qualitative measure, not a quantitative measure and they are correct, but when it comes down to it we have to measure whether potential misstatements are material so we have to quantify materiality in order to measure. The PCAOB decided that the auditing literature did not support separate materialities for the balance sheet and income statement so all of the auditing firms started using the lower of the two materiality measures for their evaluations. This meant that many preparers had to change their controls to support a more precise measurement requirement – probably beyond the true cost-benefit trade off if materiality had been appropriately defined.
The point is that as firms lower materiality levels in defensive response to perceived threats, then the whole concept of materiality will be distorted as preparers find they must pay for more precise systems and controls then are necessary hurting the whole economy in the process. So let’s hope cooler heads prevail in the U.S. and we don’t follow the U.K. lead in this case.
I was reading a publication produced by our auditor, Ernst & Young on all of the standard setting activity for 2012 and I realized I have good reason to feel like I can’t keep up with everything going on.
The FASB only issued 3 final standards (now called ASUs for all of us who grew up with FAS’s for all those years). Of course, maybe it’s really 4 because they issued separate ASUs for technical corrections to the ASC in general and technical corrections to the SEC portion of the ASC, but who am I to quibble with my auditor on such things. Either way, not too bad so far, but the FASB also issued or worked actively on 12 exposure documents. Now were starting to get up in the numbers. Of course 12 documents would not be so bad if they covered specific topics related to different industries so everyone is not impacted by all 12, but that is not the case here. We’re talking about messing with revenue leases and impairment of customer receivable which means just about every business that exists will be impacted by many of these proposed standards. Of course it doesn’t stop there, the FASB launched the PCC to look into private company accounting issues and started two other projects on disclosures and going concern. The EITF was also busy reaching 3 consensus opinions and exposing documents on 4 other issues.
Not to be outdone, the SEC issued 3 final rules including rules on reporting on conflict minerals (if you think you are not impacted, you may need to think again as some reports expect that thousands of companies – public and private – will be impacted by the reporting requirements). The SEC also issued 16 proposed rules and other releases in 2012 and that doesn’t include any of the work on IFRS, XBRL or work to be done under the JOBS act. The PCAOB also started to get busy again and issued one final auditing standard as well as one audit practice alert document. The PCAOB also released 9 other documents outlining proposed rules or asking for input on concept releases. These include the now infamous release on mandatory auditor rotation as well as an equally important release on potentially significant changes to the auditor report.
Of course the ASB also issued a new standard as well as several other documents and the GASB issued 4 new standards, 2 exposure drafts and at least 3 other significant documents. The AICPA also issues its proposed framework for private company reporting and COSO issued 2 exposure drafts to revise its Internal Control framework which is the de facto internal control standard for 85% of public companies that have to comply with Sox section 404.
And that’s just the U.S. accounting and auditing standards. It doesn’t include all of the IRS changes, the new developments in the valuation world (didn’t you know the SEC expects all of you public company preparers to be valuation experts now), and international standards for accounting from the IASB and auditing from the IAASB. I must admit I have to laugh when people tell me they can’t get enough CPE done to maintain their license. You could spend 140 hours on CPE and not keep up let alone only the 40 required in most jurisdictions. I want to look at them and ask, then how do you plan to keep your job because you are expected to know about all of these changes and more!
One of the topics mentioned a number of times at the recent SEC/PCAOB developments conference by representatives from the PCAOB was the “alarming” increase in the number of audit failures that were being detected in their review process. If the number of audit failures they were referring to actually led to misstated financial statements then I would think we would being seeing a dramatic increase in the number of restatements required by the SEC, but that simply isn’t supported by the facts. The facts are that the number of restatements has been declining in recent years not increasing.
So that got me thinking, what really is an audit failure? Misstated financial statements are a clear indication of an audit failure, but I think most would agree just as it is possible to have a perfect audit and a misstatement goes undetected, it is even more possible to have a problem in the audit, but the financial statements are perfectly good. That is, there wasn’t a problem, but even if there had been one, the deficient audit would not have detected it.
On the other hand maybe the term audit failure is being used to broadly. Just because an audit deficiency occurred, does not necessarily mean an audit failure occurred. Maybe there was some problem in how the work was documented. That is, the right procedures and judgments were performed, but somehow it was not adequately documented in the workpapers. Auditing standards require documentation so the lack of documentation is a deficiency, but if the work was adequately done, can it really be considered an “audit failure.”
That leads me to the conclusion that an audit failure is somewhere between the publication of materially misstated financial statements and a minor error in the audit. That sounds simple, but it gets even more complicated when you consider the position of James Doty, PCAOB Chairman, on what are and are not misleading financial statements. He stated that “just because you comply with GAAP does not mean financial statements are not misleading.” I really don’t know where to go with that statement. One of the cornerstones of the audit opinion is that the financial statements “present fairly the financial position of the company in conformity with U.S. GAAP.” If auditors are being held to a standard higher than that, then no wonder we have so many audit failures that are not leading to restatements.
That leads me to one of three conclusions:
- The number of audit failures is being grossly overstated by the PCAOB (for some reason).
- We have an alarming number of audit failures, but it is the integrity, ethics, and objectivity of the professional accountants who prepare the financial statements that are keeping the financial statements from being misstated.
- The PCAOB is using the wrong measuring stick to determine an audit failure and they need to go back to the basics of the audit opinion to determine what an audit is intended to accomplish before proposing rules to fix a problem that may not exist.