Have you been told your audit fee is going to increase because the audit team has to do more work due to PCAOB inspection findings or audit alerts? This seems to be a common refrain I hear from a lot of preparers when I talk about the COSO 2013 ICIF. If you reacted by blaming the PCAOB for this increased cost, you may be on the wrong track.
I am sure your auditor explained that the PCAOB sent out an inspection finding to their firm or an audit alert to all auditors and that is causing the increased work, but this is where a little knowledge can go a long way. Instead of wondering how the PCAOB can issue rules that increase costs without going through a formal rule-making process that requires a comprehensive cost/benefit analysis, you need to realize that inspection findings and audit alerts do not make new rules at all. These two documents instead explain cases where the auditor was not following the rules and standards already in place for auditors of public companies.
So, if the auditor is telling you that findings or alerts are resulting in increased fees, what they are really telling you is that they have not been performing an adequate audit of your internal controls in the past. That leads to two possibilities. One, your audit team did not understand the auditing standards and therefore completed a substandard audit or two, your audit team knew the rules and decided to cut corners in order to low-ball the bid for your work, or increase the firms margins on the work performed.
What do you do then if you are being told by your auditor that they need more money for increased work over testing internal controls? I think its time to have a little fun. Ask your auditor if they were cutting corners, deliberating doing a bait and switch with a bid they knew they could not meet, or just simply incompetent. You still might end up agreeing to pay a little more, but at least you can make your engagement partner sweat!
Last week I attended and presented at the AICPA SEC & PCAOB Developments Conference in Washington DC. At least I attended the second and presented on the third day in DC. Due to weather problems in both Dallas and Washington, my Sunday flight was cancelled and the earliest flight available was Monday evening. So instead of trying to figure out a way to get there for Monday I decided to spend a night in my own warm bed and attend the first day of the conference virtually on the internet. From what I heard from the speakers and the chats on the internet, I was one of many that had trouble getting to Washington from all over the country. Attending virtually was great. While you don’t have the networking opportunities of being there in person, the chat kept me interested and I was able to get a great feel for the tone of the conference.
While my opinion is biased (I served on a panel discussing the revised COSO Internal Control Integrated Framework), the theme of the conference this year was internal control over financial reporting. It wasn’t that the AICPA picked this theme. The speakers did it by mentioning internal control in presentation after presentation and panel after panel. I am not overstating fact when I say ever single SEC and PCAOB panel talked about internal control. From asking why companies don’t disclose internal control failures until after a restatement to questioning management’s positive assertions about internal control when the auditors are found not to have performed an appropriate audit over that assertion, the SEC is clearly looking to renew its interest in internal control reporting for the first time since in several years. Meanwhile the PCAOB’s recent report questions whether auditors are consistently complying with AS 5. Even without a revised internal control framework to deal with preparers should be spending more time documenting, testing and evaluating their internal controls over financial reporting.
I will spend more time talking about internal controls in my next blog. Meanwhile, here is a list of other quotes and notes from the three day conference:
- Keynote speaker David Walker – we’ve tripled the national debt to over $17 Trillion in 13 years, but that is only what is on the balance sheet; what is not on the balance sheet makes the debt number over $70 Trillion from “only” $20 Trillion 13 years ago.
- Paul Beswick, SEC Chief Accountant – IFRS took a back seat to the rule making requirement so Dodd-Frank and the JOBS Act; it was not a matter of lack of importance of IFRS, but simply a rule-making bandwidth issue that has kept IFRS on the back burner of the SEC for the last couple of years.
- OCA Panel/FASB-IASB Panel – the Chief Operating Decision Maker reporting package is increasingly irrelevant in determining which segments to report when CODM’s have drill down access to details that didn’t exist when the standard was written – this needs to be addressed when the FASB relooks at segment reporting.
- Enforcement Division Panel – Whistleblowers are increasingly important to the enforcement division; many of their cases are now starting from whistleblower action and the use of whistleblowers is changing the willingness of companies to self-report issues as well as increasing their willingness to cooperate with the SEC
If you want to know more check out the many articles and press releases that come out in conjunction with the conference
The PCAOB re-proposed including the name of the lead partner in the auditor report last week. The Board seemed split on the proposal when you read their comments. There are those that believe disclosing the partners name will make things more transparent to users of the audit report. They even envision data gathered over time on which individual partners are involved in restatements, lawsuits over financial reports and other issues (and of course which aren’t). The other point of view is that disclosing the partners name won’t do anything for audit quality and it actually might cause problems because auditors will do unnecessary work “just to be sure” and others won’t even consider becoming partners in the first place because of the increased scrutiny and liability such a requirement will create.
On the Industry front, this proposal could create some very interesting dynamics when combined with the existing requirement to change partners every few years. While management and the audit committee are always very interested in who the new partner will be, under the proposed rule that interest will take on more of a public relations bent rather than just caring about whether the person is a good auditor and will work well with the company. In theory companies don’t negotiate with their firm who the specific partner will be, but could you imagine a scenario where an excellent audit partner who was involved in a lawsuit that was settled in the last couple of years was suggested as the next partner for the audit. I could easily see an audit committee telling the firm that if that partner will be the lead partner on the audit, then the company may decide to tender the audit work and go with a different firm. Keep in mind, this decision has nothing to do with the actual audit skills of the partner involved. Instead it has everything to do with PR perceptions of the investors.
While this scenario might actually get rid of a few bad auditors, I think the more likely result is that many good auditors end up being blackballed and more and more young CPAs question why they would ever want to subject their livelihood to such a possibility in the first place.
The really backwards part of this scenario is that less experienced auditors who handle “easier” clients are more likely to have a clean record while more experienced auditors that are willing to take on the tough assignments will likely end up with a black mark or two. This may end up with companies seeking less experienced auditors with a history of not dealing with difficult situations – this is exactly the opposite of what would be considered the necessary ingredients for a better quality audit. Maybe I’m wrong and the scenario I laid out won’t happen, but it sure seems plausible to me. I just wonder if the cost of the potential for lower quality audits is truly outweighed by the benefit from possibly getting rid of a few bad auditors.
Remember that feeling of satisfaction when your auditor questioned your accounting for a large transaction and, after lots of discussion, fact finding and research, the auditor finally agreed you were presenting it correctly resulting in a pretty, clean audit opinion. Well, those days are over if the PCAOB gets it way. Even if you were right, the PCAOB proposal on revisions to the audit report will require the auditor to identify the “critical audit matter,” describe why it was critical and refer to the appropriate disclosures in the financial statements. This is beyond the old emphasis of matter paragraphs and is only one of several new requirements proposed by the PCAOB.
Normally, preparers don’t care much about PCAOB rule changes impacting the auditors, but this time they should take notice because it is going to significantly change that audit report attached to your financial statements. In fact, you might also need to plan on additional page(s) for your report because the audit report is likely to be much longer in the future.
In addition to a new statement on auditor independence and a required disclosure on when the auditor began serving as the company auditor, the new report will also require the auditor to “evaluate” “other information” previously not subject to the audit. “Other information” includes selected financial data and Management’s Discussion and Analysis (MD&A). While “evaluate” is something less than “audit,” it is also clearly more than the current requirement to review such information for inconsistencies with the audited financial statements.
In addition, this “evaluation” will be included in the auditor’s report. That would seem to open up the auditor to potential liability if there was something “wrong” in the MD&A so I think we will see significantly more work in that area, if only as a purely defensive measure, if the PCAOB proposal becomes a final rule. You can also bet that the auditors will ask for higher fees as a result of the additional work. We all remember how much the fees went up with the adoption of Sox 404 reporting. While this should not be on that scale, I think it will be more than insignificant (to borrow from our standard setter’s terminology in the leasing standard).
There of many out there that believe it’s about time the MD&A is subject to some audit procedures given its importance to investors, and there are others that feel just as strongly that the MD&A needs to stay out of the audit so it can be truly focused on forward looking information which is notoriously difficult to audit. Whatever your feelings, now is the time to let them be known by the PCAOB. The comment deadline in December 11 which will be here before you know it, so check out the most sweeping revision to the auditor’s report in years and let your voice be heard.
The Financial Reporting Council (FRC) in the U.K. (think of the PCAOB/SEC in the U.S.) has proposed rules that will require auditors to provide commentary on the “risks of material misstatement” as well as how they applied the concept of materiality in the audit and how the audit scope responded to company risks. These new requirements would be a huge departure from the current pass/fail auditor report model used by much of the world.
The PCAOB has also been looking at potential audit report modifications and had previously released a request for comments on potential changes to the report ranging from more information on how the audit was conducted to an auditor’s discussion and analysis. The FRC proposal seems to be somewhere between these two extremes, but it would definitely seem to not be in alignment with the comments from most preparers in U.S. that said information about the company should come from the preparers not the auditors.
If the PCAOB decides to go down this path as well, I can see several significant issues from a preparer perspective. First, in the U.S. management is required to provide an assessment of its system of internal controls to prevent material misstatements of the financial statements and the auditor then provides its opinion on that assessment. If the auditor were then required to also comment on specific risks and what they did about them in the audit would this lead to either (1) questioning of managements assessment about the effectiveness of its internal controls or (2) management feeling compelled to specifically address their response to those risks as well in their report on internal controls. And this doesn’t even address what might happen if management and the auditor have serious differences in opinion about what the risks really are in the first place.
I am also very concerned about the impact the required disclosure on how the concept of materiality was applied would have on the auditor’s evaluation of materiality. Will auditors feel compelled to use lower than necessary materiality levels to prevent lawsuits that say if they had only used a slightly lower level of materiality problems that lead to the investor losses in the stock market would have been discovered? If you don’t believe that would happen, then let me tell you about a recent development.
Previous to this audit cycle, most audit firms used a different dollar threshold of materiality for the income statement and the balance sheet. I can hear the purest out there saying materiality is a qualitative measure, not a quantitative measure and they are correct, but when it comes down to it we have to measure whether potential misstatements are material so we have to quantify materiality in order to measure. The PCAOB decided that the auditing literature did not support separate materialities for the balance sheet and income statement so all of the auditing firms started using the lower of the two materiality measures for their evaluations. This meant that many preparers had to change their controls to support a more precise measurement requirement – probably beyond the true cost-benefit trade off if materiality had been appropriately defined.
The point is that as firms lower materiality levels in defensive response to perceived threats, then the whole concept of materiality will be distorted as preparers find they must pay for more precise systems and controls then are necessary hurting the whole economy in the process. So let’s hope cooler heads prevail in the U.S. and we don’t follow the U.K. lead in this case.
I was reading a publication produced by our auditor, Ernst & Young on all of the standard setting activity for 2012 and I realized I have good reason to feel like I can’t keep up with everything going on.
The FASB only issued 3 final standards (now called ASUs for all of us who grew up with FAS’s for all those years). Of course, maybe it’s really 4 because they issued separate ASUs for technical corrections to the ASC in general and technical corrections to the SEC portion of the ASC, but who am I to quibble with my auditor on such things. Either way, not too bad so far, but the FASB also issued or worked actively on 12 exposure documents. Now were starting to get up in the numbers. Of course 12 documents would not be so bad if they covered specific topics related to different industries so everyone is not impacted by all 12, but that is not the case here. We’re talking about messing with revenue leases and impairment of customer receivable which means just about every business that exists will be impacted by many of these proposed standards. Of course it doesn’t stop there, the FASB launched the PCC to look into private company accounting issues and started two other projects on disclosures and going concern. The EITF was also busy reaching 3 consensus opinions and exposing documents on 4 other issues.
Not to be outdone, the SEC issued 3 final rules including rules on reporting on conflict minerals (if you think you are not impacted, you may need to think again as some reports expect that thousands of companies – public and private – will be impacted by the reporting requirements). The SEC also issued 16 proposed rules and other releases in 2012 and that doesn’t include any of the work on IFRS, XBRL or work to be done under the JOBS act. The PCAOB also started to get busy again and issued one final auditing standard as well as one audit practice alert document. The PCAOB also released 9 other documents outlining proposed rules or asking for input on concept releases. These include the now infamous release on mandatory auditor rotation as well as an equally important release on potentially significant changes to the auditor report.
Of course the ASB also issued a new standard as well as several other documents and the GASB issued 4 new standards, 2 exposure drafts and at least 3 other significant documents. The AICPA also issues its proposed framework for private company reporting and COSO issued 2 exposure drafts to revise its Internal Control framework which is the de facto internal control standard for 85% of public companies that have to comply with Sox section 404.
And that’s just the U.S. accounting and auditing standards. It doesn’t include all of the IRS changes, the new developments in the valuation world (didn’t you know the SEC expects all of you public company preparers to be valuation experts now), and international standards for accounting from the IASB and auditing from the IAASB. I must admit I have to laugh when people tell me they can’t get enough CPE done to maintain their license. You could spend 140 hours on CPE and not keep up let alone only the 40 required in most jurisdictions. I want to look at them and ask, then how do you plan to keep your job because you are expected to know about all of these changes and more!
One of the topics mentioned a number of times at the recent SEC/PCAOB developments conference by representatives from the PCAOB was the “alarming” increase in the number of audit failures that were being detected in their review process. If the number of audit failures they were referring to actually led to misstated financial statements then I would think we would being seeing a dramatic increase in the number of restatements required by the SEC, but that simply isn’t supported by the facts. The facts are that the number of restatements has been declining in recent years not increasing.
So that got me thinking, what really is an audit failure? Misstated financial statements are a clear indication of an audit failure, but I think most would agree just as it is possible to have a perfect audit and a misstatement goes undetected, it is even more possible to have a problem in the audit, but the financial statements are perfectly good. That is, there wasn’t a problem, but even if there had been one, the deficient audit would not have detected it.
On the other hand maybe the term audit failure is being used to broadly. Just because an audit deficiency occurred, does not necessarily mean an audit failure occurred. Maybe there was some problem in how the work was documented. That is, the right procedures and judgments were performed, but somehow it was not adequately documented in the workpapers. Auditing standards require documentation so the lack of documentation is a deficiency, but if the work was adequately done, can it really be considered an “audit failure.”
That leads me to the conclusion that an audit failure is somewhere between the publication of materially misstated financial statements and a minor error in the audit. That sounds simple, but it gets even more complicated when you consider the position of James Doty, PCAOB Chairman, on what are and are not misleading financial statements. He stated that “just because you comply with GAAP does not mean financial statements are not misleading.” I really don’t know where to go with that statement. One of the cornerstones of the audit opinion is that the financial statements “present fairly the financial position of the company in conformity with U.S. GAAP.” If auditors are being held to a standard higher than that, then no wonder we have so many audit failures that are not leading to restatements.
That leads me to one of three conclusions:
- The number of audit failures is being grossly overstated by the PCAOB (for some reason).
- We have an alarming number of audit failures, but it is the integrity, ethics, and objectivity of the professional accountants who prepare the financial statements that are keeping the financial statements from being misstated.
- The PCAOB is using the wrong measuring stick to determine an audit failure and they need to go back to the basics of the audit opinion to determine what an audit is intended to accomplish before proposing rules to fix a problem that may not exist.
It hit me as I was preparing for this Board meeting that this was my next to last meeting in New York with the Board. My three year term is nearly up. It has been a great three years, and I am looking forward to the last meeting in August and my final act of making the audit committee presentation at the October AICPA Council meeting. Of course this just marks the end on one stage of my involvement with the profession. I will continue to serve on the AICPA council for two more years as I was nominated to complete the remaining two years of an unexpired term as a member at large. I will also continue to serve through the end of 2014 as the AICPA representative on the IFAC Professional Accountants in Business committee as well as the TSCPA Business and Industry Issues committee. Even though my term on the Board is nearing an end, there are plenty of issues that the Board will have to deal with this year and beyond. Some of them are highlighted in the remainder of this blog.
Mandatory Auditor Rotation – a big topic of discussion was the PCAOB and EU proposals around mandatory auditor rotation for public companies. We had a specific agenda item covering the results of the recent PCAOB roundtables on the subject, but it was also discussed within several other agenda items including the report from the CEO, the report from the Center for Audit Quality (CAQ), and the report on what is happening in Washington. The PCAOB proposals were seriously questioned by members of Congress (both Democrats and Republicans) at recent congressional hearings. The focus of the questions was on what issue is mandatory rotation trying to solve and are there better, less invasive ways to solve those issues. The PCAOB has made it clear they will be discussing this for a while before they even consider proposing any actual rule changes, so we all need to keep up with this issue as it continues to develop.
Cyber Security – If you weren’t aware, the AICPA was the subject of a spoofing attack recently. Over 90 Millions emails were sent out under a spoofed AICPA address stating that the AICPA was canceling your license. Putting aside the fact that the ACIPA has no authority to cancel your CPA license, the incident had many impacts. Clicking on the link in the email resulted in an attempt to install malware on your computer that would potentially send key financial information to the people who launched the spoof. In addition, millions of the emails had bad addresses, so the AICPA email system was temporarily brought down by getting hit with millions non-delivery email responses in less than 15 minutes. Keep in mind, this email didn’t come from AICPA systems – they simply sent out emails from other systems that made it look like they came from the AICPA. The costs of dealing with this attack were significant, but not nearly as much as they would have been had the AICPA systems been actually breached. And this goes beyond just the immediate costs as shown by these statistics.
- 25% of businesses have had a merger, acquisition or new product roll-out stopped or delayed by a Cyber breach per a McAfee/SIAC study
- 20% of victims who have had data compromised cut ties with the institutions that compromised their privacy.
Like all businesses, the AICPA takes security and privacy very seriously and we have extensive controls and procedures to protect your personal information, but as always the controls start with you. If you get an email that looks or sounds strange, don’t be afraid to question it. Did it really come from the purported sender? Is this legitimate? Always ask those questions, no matter who the email is from and don’t be afraid to call the sender to make sure it is real.
Total Tax Insights – the last thing I want to do is mention a tool that will soon be introduced by the AICPA in conjunction with its 125th anniversary in May. This tool will enable people to determine their total tax burden from all taxes (income, property, sales, gasoline, telephone, electricity, alcohol, cigarette, etc.) they pay down to the county level – all 3,035 of them. It will be a great way for people to understand the full tax burden incurred by different people at different income and wealth levels across the country. Be on the look-out for the launch of this fantastic tool.
The AICPA Spring Council meeting and 125th anniversary will take place in mid-May and I will update you on what happened at that meeting and other items impacting our great profession in the coming weeks.
I had the opportunity to attend the AICPA National Conference on Current SEC and PCAOB Developments recently. If you work in the public company reporting or auditing world and didn’t attend this conference, you missed a great opportunity to get caught up on the latest developments and areas of focus from the IASB, FASB, FinREC, SEC Division of Corporate Finance, SEC, Office of Chief Accountant, SEC Enforcement Division, and the PCAOB. And the updates aren’t by some low level staff member. They are presented by Board Chairmen and Division Chiefs. The best part is the extensive question and answer sessions throughout the conference. Most speakers answer questions at the end of each of their sessions, but, in addition, at the end of each of the first two days of the conference, key speakers from the day spend over an hour just answering questions. There is no way to give the conference justice in a short blog, but I did want to highlight a few things I found interesting. For the ninth time the SEC Division of Corporate Finance spent time talking about the requirements around segment disclosures. If you have not received a comment letter from the SEC on your segment reporting, just wait, you will. In addition, you better have your reasons for your segments well documented and they better align with the reports your Chief Operating Decision Maker is using. One interesting point was made by a member of the SEC Office of Chief Accountant related to the PCAOB release on independence and mandatory auditor rotation. He raised the question “does the growth of consulting practices at audit forms represent a greater risk to audit quality (and independence) than tenure of the auditor?“ It’s an interesting point and one that my auditor colleagues should think about as they consider where the PCAOB may go in developing proposed rules based on the feedback received on the concept release. Another area of emphasis that was brought up several times by the SEC representatives was the use of pricing services to develop level 2 fair value information. While there is nothing wrong with using the services, if management and the company auditors do not understand the assumptions and models used by the services, the SEC and PCAOB are of the opinion that a control deficiency and an audit deficiency is likely to exist. I guess the days of saying we are CPAs, not valuation specialists are over. Like it or not, accounting standard setters have embraced fair value and if you are not proficient in the language and techniques of valuation, then you no longer have adequate knowledge to be a preparer or auditor of financial statements in the modern world. There is so much more I could talk about like the SEC views on IFRS and the fact that any word for the SEC on adoption of IFRS by the U.S. is not likely to come until well into 2012 or the stated desire to frame the “audit” requirement around conflict minerals certification so that it won’t be limited to CPAs, but I only have room for so much. If you regret not attending this year and don’t want to be left behind by the over 2,000 of your colleagues that attended this year, but sure leave a reminder to yourself to attend the 2012 conference next year. I’m sure it will be another great one.
As I was starting to write this Blog I realized there was very little to write about. Congress was on recess most of August so not much has happened in Washington since their return. Europe traditionally takes a summer break in August so the IASB does too. As a result, the FASB focused on non-convergence issues which meant that its agenda was much lighter than normal for the past few weeks. Third quarter doesn’t end until September 30, so there is no reporting crunch, and the squeeze everything in before the Holiday’s rush of November and December are still too far in the distance to cause worry. What is a normally busy CPA to do?
I do feel sorry for all my tax brethren with the September 15 and October 15 deadlines bearing down on them, but not too sorry. I mean, they’ve had eight or nine months to get everything done. I don’t hear a lot of pity from them when we CPAs in business and audit are killing ourselves to get the year-end financials done in twenty days or so before the press release is issued. You say you thought it was sixty days before the reports are due to the SEC, well; I would like to see you explain to the CEO and Board why the numbers they issued in the press release would have to be revised. It would probably be your first and last time doing so.
So while our tax brethren are struggling through these final self-inflected weeks of overwork and under-sleep, the rest of us are enjoying a break. Football season is new and all the games mean something because no one is out of the bowl or post season hunt yet. Baseball season is just getting to the good part with the Braves and Rangers in the thick of it once again this year. The miserable heat of the summer is giving way to cool Fall mornings, just perfect for taking the dogs for a walk – in the neighborhood or along your favorite trail. The leaves (at least on the trees that are still alive after the drought) will be turning bright colors soon to make those hikes even more enjoyable.
The Texas state fair is ready to open with its cacophony of new fried foods ready to destroy your diet. Six flags is still open on the weekends with those ghouls and ghosts ready to entertain you and your children at their annual Fright Fest. The ocean water is still warm enough for a trip to remember (as long as you can avoid the occasional hurricane). The mountains are beckoning and its cool enough to enjoy that evening fire and make a s’more over the glowing red coals.
Yes, it’s time to take a break. Congress will start making noise soon enough. The IASB and FASB will be issuing the re-exposed EDs on Revenue Recognition and Leases. The PCAOB will continue in its efforts to fix all that is not broken about our audit process. The IRS will begin its quest to fingerprint everyone in the U.S. – I mean everyone who prepares a tax return. And before you know it we’ll be ringing in 2012 and putting the finishing touches on the press release about the financial results for the year that was 2011. So take that break now before it’s too late!