New rules would require auditors to speak up about possible problems, and describe in more detail what they do and don't look at.
Sarah Johnson, CFO Magazine
October 1, 2011
The succinctness of an audit opinion belies the many hours of review, reconciliations, and judgments that are required for an auditor to produce it. Despite all that work, the public audit opinion ultimately amounts to little more than a thumbs up or down regarding whether a company's numbers are presented in accordance with generally accepted accounting principles.
That could change. A movement has been underway for the past several years to push auditors to narrow the gap between what they do and what investors would like them to do, particularly when it comes to detecting fraud. At the least, some experts believe that auditors should expand their opinions to better explain their role and any limitations they face in expanding that role. "We were getting a lot of information from a lot of different sources that the standard form of the auditor report, with its simple pass/fail verdict on the company's financial reporting, was becoming less useful," says James Doty, chairman of the Public Company Accounting Oversight Board (PCAOB), which recently issued a concept release exploring the issue.
For the most part, finance executives would be fine with auditors adding more description about their responsibilities, as the PCAOB has proposed. "I can see a case being made that auditors should describe more of what they're doing," says Gary Kabureck, chief accounting officer at Xerox.
But how detailed auditors will get, and whether additional verbiage in the audit report will require more actual audit work, is another matter. Auditors' workloads could significantly increase if some rule changes contemplated by the PCAOB move forward, and that, in turn, would have a direct effect on finance departments in terms of time and costs.
In addition to expanding the way in which auditors approach financial statements, the PCAOB is also contemplating whether auditors' assurances should extend to new domains, including management's discussion and analysis (MD&A) and earnings releases. The regulator is also toying with mandatory auditor rotation, which could require companies to switch auditing firms every 10 years.
At the heart of these and other possible changes is a desire on the part of the regulator to bolster the credibility of audits, which has faltered in recent years, and to make them as relevant and independent as possible. According to a board document, some of this new information "would increase the scope of the auditor's responsibilities [and] require the development of new auditing standards." Most likely, it would also require the Securities and Exchange Commission to tweak the reporting requirements it imposes on companies.
If some of these proposals survive the inevitable battles that changes to standards entail, as accounting firms and business interests push back, finance departments will feel some of the pain, even though they're not the target of the PCAOB rules.
Indeed, finance departments could find themselves spending more time and money on audits, not to mention having to answer more-pressing questions than they do now, especially during the crunch time at the tail end of the financial-reporting cycle. If auditors have to produce more-detailed and customized reports, that could lead to an "administrative nightmare in trying to wrap up the audit," says Dennis Beresford, a University of Georgia accounting professor and audit-committee chairman of Legg Mason and Fannie Mae.
Repairing the Damage
The PCAOB was created by the Sarbanes-Oxley Act under the belief that a designated watchdog would better keep the accounting industry in check than the self-reviews the accounting firms had been practicing. Likewise, its existence would help repair the credibility problems of the industry following well-publicized audit failures (Enron, WorldCom).
But eight years after the PCAOB was launched, the accounting industry is again in "self-examining mode," according to chairman Doty, following the most recent financial crisis and investors' questions about why auditors didn't — or couldn't — send up more red flags that something was amiss at some of the institutions they reviewed.
"Where were the auditors?" became a common refrain. At the very least, the argument goes, auditors could have given hints that, perhaps, fraud or serious mismanagement was occurring. Investors have told the PCAOB that auditors seemed to have held back information they collected during their evaluations, and that if that did happen, rules need to be changed so that investors can know more in the future.
Auditors do have an avenue for relaying troubling information, via their talks with companies' audit committees, but those discussions are not shared publicly. (In fact, the nature of those conversations is the subject of another possible rule that would emphasize auditors are beholden to audit committees and not to management.)
Doty has repeatedly been questioned about the accounting industry's business model: How can auditors maintain their independence and provide skeptical reviews when they are paid by the clients they are reviewing — and whose business they want to keep?
One possible answer to the coziness that creeps up between these two parties is mandatory rotation. The PCAOB has suggested (in yet another concept release) that accounting firms should switch off clients every few years. (Some companies have kept the same accounting firm for more than 50 years.) But that idea was rejected by Sarbox lawmakers nearly a decade ago. Instead, the 2002 law requires the lead audit partner to move off an account after 5 consecutive years.
The PCAOB will be challenged over the details of the proposed changes. One likely objection from companies is that getting new auditors up to speed on their business is too time-consuming. (For those who want to speak up, the comment period ends in December.) "It's a huge hurdle for management as well as auditors," says Gail Hanson, CFO of Aurora Health Care. Moreover, for larger companies that have tended to limit their pool of would-be auditors to the Big Four, mandatory rotation won't give them many options, particularly since many companies give their audit work to one Big Four firm and related consulting work to another.
Commentators will also want to know how the regulator will determine what types of information auditors should scrutinize (forward-looking statements can't exactly be audited, for example) and how much additional verbiage should be devoted to such matters in financial reports, particularly for information a company has decided to withhold.
"If auditors think they see something that is a problem that the board and management doesn't, what do you do?" says Xerox's Kabureck. "Auditors don't know more about the client than the client knows itself."
One idea floated by the PCAOB is to give auditors their own discussion-and-analysis section in financial reports. Auditors would use the space to express their thoughts on management's judgments and estimates, accounting policies and practices, and — most controversial — management's "close calls," or debatable estimates.
It's important to note that, as of now, all of these proposals are in flux. The auditor-rotation idea, for instance, "is a long shot," predicts Beresford, who as a former chairman of the Financial Accounting Standards Board has seen his share of proposals amount to nothing. Still, the level of activity at the PCAOB suggests that some changes are imminent (see chart, above).
While CFOs certainly would not welcome higher audit bills, they might like what those higher fees will, in theory, buy. If more auditor-verified information improves the confidence of investors, so much the better for the capital markets, says Hanson of Aurora Health Care. "Companies pay a lot to get an audit," she says. "The hope is that by having those audits go beyond a pass/fail grade, the audit will communicate something to investors that will warrant the higher fees."
Sarah Johnson is senior editor for risk & compliance at CFO.
Mum's the Word
Currently, auditors' reports do not mention the word fraud, nor do they discuss the auditors' responsibility to detect it. That's despite the fact that accounting firms are expected, under the Public Company Accounting Oversight Board's rules, to decide whether a company's financial statements are free of material misstatement, "whether [it be] caused by error or fraud." The PCAOB now wants auditors to spell out this responsibility in their audit opinions.
But even if they do so, that may not provide much confidence that fraud has been vanquished. Because auditors can't look at every transaction a company makes, they focus on risky areas. Clever fraudsters know that. "It's very difficult for auditors to uncover fraud if the people committing the fraud really want to hide it," says Luis Ramos, chief executive officer of The Network, a governance, risk, and compliance consultancy.
Even if audit reports explicitly describe how the external auditor attempts to ferret out fraud, the bulk of responsibility is likely to rest with internal staff and policies. External audits are "one piece of the puzzle to fraud prevention," says Erik Skramstad, a partner and U.S. forensic services practice leader at PricewaterhouseCoopers. "[But] it's ultimately the company's and the board of directors' responsibility to ensure corporate integrity." — S.J.