The New Rules of Engagement

With the passing of Sarbanes-Oxley -- and the advent of the PCAOB -- audits may never be the same again.
Craig Schneider and David KatzJune 11, 2003

Douglas Carmichael can be a hard man to track down these days.

Shuttling between New York and Washington, the newly named chief auditor of the Public Company Accounting Oversight Board (PCAOB) has been busy making the switch from the academic world to the regulatory one.

Carmichael, who’s taking a leave of absence from his Baruch College accounting professorship, has been occupied with moving into a new apartment, getting onto the PCAOB payroll, and dealing with a controversy about his role as an expert witness in cases involving auditors.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

But if the move to Washington is causing changes in Carmichael’s personal life, it’s producing equal upset in other circles. In fact, some Washington watchers say Carmichael’s hiring is a clear signal that the accounting industry oversight board is actually committed to overseeing the accounting industry. And a rigorous PCAOB, experts say, will likely lead to a real toughening up of external corporate audits.

The changes PCAOB plans to enact are indeed formidable. Among them: the replacement of peer review with government inspection. By year’s end, the board plans to hire a cadre of at least 100 accountants to do the inspections.

An even more dramatic power shift has already happened in Carmichael’s own area, that of audit standards. For a while, it looked as if the PCAOB might delegate standards development to the American Institute of Certified Public Accountants (AICPA), the lobbying group/trade association that’s long been a supporter of accounting industry self-rule.

In a move that could be seen as a regime change, however, the board voted in April not “to designate or recognize any professional group of accountants to propose standards.”

Translation: Auditors won’t be the only ones calling the shots about audit standards. Instead, the PCAOB, a non-profit organization set up under the Sarbanes-Oxley Act to oversee the audit industry, intends to name an advisory group consisting of finance executives, investors, auditors, and other folks.

No one group will represent more than a third of the advisory group. What’s more, the PCAOB says any group — or individual, for that matter — will be allowed to propose new accounting standards and treatments.

How drastically audit standards may change under the PCAOB is unclear. For the moment, the standards-setting group has adopted AICPA’s generally accepted auditing standards (GAAS) while board members deliberate on what the final rules will be.

Whatever happens, Carmichael is likely to have a strong say in the matter. And given his reputation as a stern critic of the accounting industry, that likely means more stringent audit standards.

Ironically, Carmichael actually spent a good deal of time working for the association representing the profession he now helps oversee. From 1969 through 1982, Carmichael worked in various AICPA staff posts, including auditing vice president. In those positions, and afterward as a hired consultant, he helped write many standards for the AICPA. Considering Carmichael’s earlier AICPA connection, Bruce Rosen, an executive committee member for the trade association, doesn’t expect drastic changes in the nature of corporate audits.

Maybe so. But if Carmichael seems likely to retain a fair number of existing standards, he isn’t quite the industry insider he once was. Example: Before 1997, Carmichael was heavily involved in writing two AICPA anti-fraud standards, SAS 16 and SAS 53. But by the time association members began writing a new standard (SAS 82), “they were keeping me out of standard-setting.” Why? “Because I had testified against some major CPAs [charged with auditor malpractice],” Carmichael claims.

AICPA staff executives deny that members methodically shut Carmichael out of standards setting. “I don’t think that’s a fair characterization of our process,” says Linda Dunbar, director of public relations. “A couple of people can’t just get together in a room and make a decision like that.”

But with the advent of the PCAOB, several people will get together in a room — an office, actually — and make decisions. Already, Carmichael says he’s keen to put more teeth into many existing audit standards, including those involving fraud detection and risk assessment. “I’d like the standards to be more definitive and specific than they’ve been in the past,” he says, and more focused “on what auditors are really required to do.”

What auditors are really required to do is going to change. And not solely because of the advent of the PCAOB, either. Auditors and their clients say they’re still coming to grips with Section 404 of Sarbanes-Oxley. The section, which deals with internal-controls assessment and reporting, requires companies to inject operating information into their financial reports. It also requires a company’s independent auditor to sign off on the client’s internal controls — a new wrinkle in the audit process.

Moreover, the seeds sown by Arthur Andersen’s sudden and dramatic collapse have already borne regulatory fruit — and thorny auditor-client relations, as well. In the wake of the Andersen demise, not to mention an increasing number of lawsuits filed by businesses against their accountants, the auditor-client relationship has turned decidedly chilly of late. “There’s no question that when you see one of the largest auditing companies fail, it heightens people’s sensitivity to those issues,” says Mike Starr, a managing partner for strategic services at Grant Thornton in Chicago.

Indeed, some auditors, regulators, and CFOs expect the external corporate audit — long a mainstay of corporate financial reporting — to be altered and deepened over the next few years. Some say they’re seeing changes already. Below, we look at five of the most striking shifts on the audit horizon.

1. Closer Scrutiny of Internal Controls

The first shoe dropped last August 29, when CEOs and CFOs at selected public companies certified that their financial statements were adequate. Since then, senior executives have been signing off on internal controls on a quarterly basis.

Now auditors will join their clients at a signing party involving annual reports. Under Section 404, auditors must OK management’s yearly controls assessments. In a rule proposed last October by the Securities and Exchange Commission, the annual signoff would have started to apply to companies whose fiscal years end on or after September 15. But when the commission got around to issuing its final rules, many senior managers got a breather: The internal-controls signoffs will actually start at companies with fiscal years ending on or after June 15, 2004.

Still, while some of the pressure’s been relieved, there’s a whole lot of work to do at companies both large and small in what amounts to a little over a year. Managers at pharmaceuticals giant Eli Lilly, for instance, are toiling to make sure that checks and balances are in place and well documented at all the company’s subsidiaries, says Arnie Hanish, Lilly’s chief accounting officer.

Similarly, executives at Exponential Inc., a small company that owns 26 pawn shops, are struggling to find ways to restructure tasks among employees, says Bob Schleizer, a Tatum Partners consultant who’s Exponential’s acting CFO. It’s a challenge to keep duties separate, since Exponential has just ten home-office employees among which to divvy up the tasks.

What’s more, some finance executives and auditors are befuddled about how to test internal controls — and are likely to be befuddled for quite a few months more. That’s because the PCAOB hasn’t yet issued a rule on the matter or set a timetable for doing so.

Still, the committee’s audit chief knows the general direction he’d like the rule to take. Carmichael wants “greater specificity” in the controls guidance, he says, “but not as much as in other cases, because what AICPA has done is relatively thorough.” (In March, the accounting institute, which already had a standard in place, issued an exposure draft of a new standard on internal-control reporting.)

In hatching the new guidance, Carmichael says he will focus on “major policy issues.” He expects to retain much of the nuts and bolts of the AICPA’s work, such as details about how to choose which locations to visit for internal-controls checks.

Absent a PCAOB guidance, however, accounting firms have been auditing at least partly in the dark. “We’re in a time warp, with people waiting for the rules,” says Ellen Masterson, global leader of audit methodology at PricewaterhouseCoopers. “And we’re stating, ‘you can’t be waiting for the rules.’ “

Nevertheless, it’s clear that Section 404 has spawned a real change in audit priorities. With the buildup in accounting complexity over the last two decades, auditors have been spending much more time on corporate compliance with generally accepted accounting principles, according to Masterson. “I’m not saying we’re going to reduce that amount of time,” she says. “But if we had to shave time out, sometimes it was the time [involved] with understanding the controls within the company.”

Not anymore. Now, auditors are demanding densely detailed flow charts and narratives describing control activities. Even executives at companies with decent controls are finding it a pain to document them. The result? A pile of mostly unexpected work to be done in a New York minute. “You’re talking culture shock for a lot of them,” Rosen, the partner in charge of auditing and accounting at Eisner LLP, says of his clients. “I don’t think they grasp the amount of work that needs to be done for Section 404.”

Take a relatively simple example: making sure that employees who true up company bank accounts don’t have access to cash records. Such a procedure can help make sure that a worker “can’t steal cash and then cover it up,” Rosen notes.

But that’s only the beginning. Once the control is set up, management must check that it works, document it, and see that a high-level executive monitors it regularly. “Multiply that by every aspect of business purchasing, sales, payroll, inventory,” and you get an idea what needs to be done at many companies, Rosen notes.

On top of all that, management’s got to amass internal-controls data so that auditors can see and understand it. At Eaton Corp., a diversified manufacturer, internal controls have long been handled locally, and “without visibility on the part of the corporate office or the engagement partner’s line of sight,” says Billie Rawot, the company’s controller.

Now Eaton executives plan to assemble a massive controls database that Ernst & Young, the company’s external auditor, can tap into. Eaton has hired another accounting firm to piece together a “formal, centralized, systematic repository of internal control information,” Rawot says.

Anyway you slice it, it’s a lot of work.

2. Increased Forensics

Auditors appear to be a bit uncertain about how much they should broaden the scope of their audits in the search for fraud. On one hand, says Carmichael, “the auditor’s job is to give people rather high levels of assurance that financial statements are not materially misstated.”

That suggests a big anti-fraud role in the future. On the other hand, auditors can’t be expected to go looking for fraud in every audit. The fact is, auditors (at least in the past) have been hired to make sure that a company’s accounting treatments are proper — not to ferret out fraud. Smoking out that kind of information has generally involved a forensic audit — a whole different kind of audit animal.

Striking a balance between the two could prove difficult. Even Carmichael concedes that “articulating [what the proper] response is in that range has been a problem.”

AICPA tried to provide a solution last year in issuing its Statement on Auditing Standards No. 99, “Consideration of Fraud in a Financial Statement Audit.” Among other things, the standard advises auditors to be skeptical about their clients’ honesty, to perform unpredictable audit tests, and to be alert to management overrides of journal entries.

The standard’s a step in the right direction, says PwC’s Masterson. But auditors need more guidance on how to define fraud, as well as how to detect and deter it. “Sometimes, there’s just that fine line between fraud and error,” she says. “In the past, as long as we corrected the error, it’s [been] OK.”

Then there’s the question of materiality. “Do people think that auditors will look within every type of fraud, or just those that would result in a material misstatement to financials?” Masterson asks.

Answers — in the form of new rules — appear to be on the way. While providing auditors with an internal-controls standard remains the top priority for the PCAOB, Carmichael says fraud detection is high on PCAOB’s agenda as well. The reason? The board’s inspectors and investigators need fodder for their own fraud probes.

Scrutiny of management overrides of accounting controls — via bogus journal entries — will be the focus of new rulemaking. Despite “sophisticated accounting systems and elaborate routines,” says Carmichael, some senior managers have been able to commit fraud by making large reporting entries manually. Indeed, manual entries into an accounts-receivable ledger seems to be at the heart of the HealthSouth scandal.

One way SAS 99 addresses fraudulent management overrides is by requiring auditors to pore over reporting adjustments for material misstatements. That positive move, however, is undercut in the standard by wordy discussions of the risks of journal entries being improper, he says. “The amount of work the auditor would have to do on journal entries is very unclear.”

To Carmichael, the issue is simple. “You’d better always review all the journal entries made during the end of the accounting [period],” he says.

To make their new detection work easier, auditors are likely to develop new software — or get use out of existing systems. Deloitte & Touche, for instance, is developing an automated way to access client computer files, says Greg Weaver, a managing partner.

The software, which D&T auditors are using for a few clients, can pick out duplicate payments, duplicate employees, and other “specific types of characteristics that might be fraud indicators,” says Weaver. He expects it to be used in most of the firm’s audits within the next year and a half.

Similarly, PwC plans to make some of its software amenable to fraud detection. One problem, however, is that anti-fraud software can be too predictable, Masterson notes. Designers have to find ways to block would-be frauds from working their way around the system, she adds.

Either way, corporate audit clients can expect more sniffing around by their independent auditors.

3. Skyrocketing Prices

The one-two punch of internal-controls and fraud-detection work is driving audit costs into the stratosphere, auditors say. New anti-fraud work alone has jacked up PwC audit fees by 15 percent to 20 percent, says Masterson. But add in internal-controls work, and the increases can be well over 50 percent.

Obviously, some hikes can stem simply from a rise in billable hours. But auditors are likely to add a premium for the new internal-controls and forensics work, which is uncharted terrain for many of them. For instance, while the controls testing for a tightly run company could bump up overall audit hours by 20 percent to 25 percent, total audit fees could jump 30 percent to 40 percent, predicts Deloitte’s Weaver.

Indeed, average annual audit fees should jump by more than 35 percent to cover auditor testing of corporate internal controls, according to a survey of 83 executives at public companies with annual sales revenue averaging $3.27 billion done last month by Financial Executives International (FEI).

Start-up investments in Section 404 compliance will doubtless spur increases. The respondents to the FEI survey expect their companies to average a $480,000 spending boost for such things as evaluation software, consulting, and worker training. Mostly, however, “it’s not a one-time hit on the part of the auditor, because the auditor will have to opine on a continual basis,” notes Eaton’s Billie Rawot.

The altered economics for public accounting firms is also likely to launch audit fees into low-earth orbit. Sarbox, after all, bars auditors from offering a slew of non-audit services, including bookkeeping, financial-information-systems design, and internal auditing. Because they can no longer rely on the fees for those services, accounting firms who offer them are likely to charge more for audits, says Eisner LLP’s Rosen.

Under Sarbox, accountants can still do tax work for audit clients. Since the PCAOB can bar auditors from performing “any other service,” however, the board could choose to curb tax services, thinks David Hardesty, a tax specialist with Wilson, Markle, Stuckey, Hardesty, and Bott.

Given the current taste for auditor independence, many company managers are likely to seek separate tax consulting and audit vendors — even if auditors aren’t banned outright from tax consulting. “The loss of those tax services is going to kick up the price of the audit,” predicts Hardesty.

Firms have long sold audit services at a discount or even at a loss because such business gave them an inside track in selling more lucrative tax services, he explains. Without that incentive, audit firms will have to make a profit off their audit services. Upshot? A big jump in audit fees.

4. Greater Skepticism

Expect the shift from self-rule to government inspection to inject friction into a clubby world. “When it was firm on firm, the premise was that [a review] was to be to everybody’s benefit, not like an IRS-type audit, in which you’re guilty until proven innocent,” says Rosen. Now, however, “the pressure might be to find issues.”

Still, auditors agree that the inspections should yield better audits. “If somebody knows his work will be subject to oversight, that makes them [audit] with a greater sense of skepticism and diligence, especially if it’s a government body,” says Wayne Kolins, national director of accounting and auditing at BDO Seidman. “But that’s not to say there won’t be frauds, because you can’t legislate morality.”

Still, given PCAOB’s powers, regulators can do a lot. If an accounting scandal breaks, for instance, board inspectors can go on with their work even if lawsuits ensue, Carmichael notes, adding that peer reviews shut down if there’s litigation. Also new: inspections will include a look at audit-partner pay incentives.

Firms can expect some confusion at first. After all, conducting a peer review of a Big Four firm is typically a “massive effort,” taking as many as 10,000 hours to finish, says Kolins. And the inspections are expected to be much more rigorous.

Peer reviews aren’t completely vanishing yet, however. They might continue to exist side-by-side with board inspections, since 39 states currently require audit firms to undergo peer review every three years. “Unless all 39 of those states decide to go with a PCAOB review, we may be subject to our tri-annual peer-to-peer review, plus the PCAOB,” says PwC’s Masterson. The firm’s tactic: Continue with peer reviews until further notice.

5. Adversarial Relations

The new rules of audit engagement have already started to drive wedges between auditors and clients. While relations aren’t quite hostile yet, corporate executives and CPAs are “getting less chummy,” says Stephen Giusto, CFO of Resources Connection, a professional services firm. One shining example: “It’s hard for a partner in a public accounting firm to refer to their client as a ‘partner’ ” any more, Giusto says.

That small change indicates a drastic shift in how auditors view clients. Clients may also have a different view of auditors after enduring incessant requests from them. Guided by SAS 99, for example, auditors might ask for numbers for each subsidiary — rather than for an aggregate figure — says Rosen. “The audit is an imposition on most companies,” he adds. “The more you’re there and bothering them, the more problems for the company.”

One way senior mangers can relieve some of the pressure is to share lots of information with auditors and share it early. For example, Eli Lilly executives let Ernst & Young accountants know as soon as the company embarks on a significant business development, like licensing or selling a compound, says Hanish.

The intent is to avoid putting auditors in a bind. If they learn about questionable transactions too late, they could feel compelled to compromise their principles and let smaller miscues go because they don’t seem material, Hanish claims.

If auditors are brought in early, however, “they don’t have to opine based on materiality. They opine based on the facts and circumstance of a situation,” Hanish asserts.

Even with such precautions, tempers are sure to fray. “Trying to help companies understand the meaning of unproven mandates is frustrating,” says Jim Powers, a partner at Crowe, Chizek and Company. “We certainly have had spirited discussions with our clients on some of these subjects.”

Expect more of the same.

4 Powerful Communication Strategies for Your Next Board Meeting