Failure to detect corruption, negligence in approving an accounting treatment, lack of professional skepticism, failure to unmask fraud, and inappropriate familiarity with the client. The Big Four have been accused of all of these transgressions, and more, in the past three years.
Material accounting mistakes resulting in restatements by U.S. public companies rose to 65 in the first six months of 2018, compared with 60 the year prior, found Audit Analytics. And the International Forum of Independent Regulators (IFIR) revealed this year that it had found problems in 40% of the audits of 918 listed public companies that it examined in 2017.
The deficiencies found in the audits of U.S. public companies don’t mean that the resulting financial statements can’t be trusted. Auditing in the United States has undeniably improved since the crackdown represented by the Sarbanes-Oxley Act of 2002 (SOX). But in the last few years, as lawsuit settlements from the financial crisis reveal what auditors missed and companies wrestle with rule changes like revenue recognition, allegations of auditor malpractice seem to be growing.
Where are the problems in public company auditing, whether real or just perceived? A lot of it boils down to the auditor-client relationship.
Much work has been done to try to ensure the objectivity and integrity of public accounting firms and their personnel. The Securities and Exchange Commission’s rules on audit independence prescribe prohibitions on non-audit services, partner rotations, and conflicts of interest. But some observers think CFOs and their companies’ auditors, especially the Big Four, are still too cozy for comfort.
SOX addressed the issue by outlawing the hiring of an accounting firm to perform an audit if a top finance or accounting executive at the client was employed by the audit firm during the preceding year. But a 2018 study of the willingness of Big Four firms to adopt a client’s position on a fairly subjective, even speculative accounting matter had an interesting result: 76% were inclined to do so if the client’s CFO was a former colleague at the same Big Four audit firm, while only 44% said they would do so otherwise.
This “alumni effect” occurred even if it had been two years since the CFO left the audit firm. “A one-year or two-year cooling-off period is not enough … particularly if it requires overcoming social bonds that colleagues often develop,” according to the study, “The Alumni Effect and Professional Skepticism: An Experimental Investigation.”
Most large auditing firms have policies, systems and controls to try to avoid independence violations. They require certain internal approvals and reviews of transactions and services that have independence implications.
But, retired Ernst & Young audit partners Jay Bornstein and Steve Blowers, writing on CFO.com, say that may not be enough. Finance chiefs have an obligation to develop their companies’ own independence policies and procedures and test their effectiveness, they write. Company-wide procedures concerning the relation of C-suite executives to the audit firm also need to be in place.
Lately, regulators seem to be hoping that audit committees can iron out any problems with auditor objectivity. That makes sense, since, officially, the audit committee oversees the financial reporting process, the audit process, and the systems of internal control.
Audit committees are better-equipped than a few years ago — in the Fortune 100, 66% of audit committee members are financial experts, up from 59% in 2012. More audit committees are also disclosing in public filings the factors that go into their assessments of the auditor’s qualifications and its work quality.
Indeed, audit committees have their limits — and their flaws. Audit committees have more tasks on their plates, which may be diluting “an audit committee’s ability to focus on its core responsibilities,” former SEC chair Mary Jo White declared in 2015. Surveys have found that many audit committee members have difficulty finding time to perform all their responsibilities, especially as they are called on to oversee major risks like cybersecurity and global compliance.
There’s no guarantee that an auditor committee is going to handle an audit responsibly, either. In September, WageWorks, a provider of employee benefit plans, opened an investigation into whether its audit committee withheld information from its outside auditor.
Even an expert audit committee of unquestionable integrity may have trouble addressing the issue of overlong client-auditor relationships, and many may not want to.
After the Carillion meltdown in the United Kingdom, members of parliament attacked the fact that KPMG had been Carillion’s auditor for the construction firm’s entire corporate life of 19 years. Parliament said that “such a long tenure inevitably calls into question whether [KPMG] could provide the independence and objectivity that is crucial to [a] high-quality audit.”
In response, Michelle Hinchliffe, KPMG’s U.K. head of audit, told Parliament that she did not believe 19 years was “too long to be impartial” and that “independence for me is a mindset. For myself and all my fellow partners, independence and integrity are absolutely critical to our profession.”
But would rotating a client’s external auditor make sense? In the European Union, issuers have to rotate auditors every 10 years (the KPMG-Carillion case was an exception). The only U.S. provision specifically targeting longstanding auditor-client relationships prohibits the lead audit partner, not the firm, from performing audit services for more than five consecutive fiscal years.
The Public Company Accounting Oversight Board (PCAOB) tried to institute mandatory auditor rotation five years ago but the opposition was vehement, from industry and even Congress. ExxonMobil’s controller at the time said the idea had been met with “universal rejection” from board audit committees, “as the proposal diminishes the audit committee’s role in hiring, assessing, and firing audit firms.”
This issue doesn’t seem to be going away, however. Earlier this year, proxy adviser Institutional Shareholder Services recommended that General Electric shareholders vote to dump KPMG after a surprise $6 billion-plus writedown. ISS says that for all companies saving time and keeping audit costs down need to be balanced against (1) the risk that a long-tenured auditor can become too close to a client and (2) the potential for a new auditor to uncover problems previously unidentified.
The one area that should comfort U.S. investors and anyone else interested in the quality of audited financials is the success of the PCAOB. The U.K.’s Financial Reporting Council received a tongue lashing from Parliament after the Carillion collapse and was described as “toothless.” But, as EY’s Bornstein wrote in 2015, “Through public release of inspection reports, to enforcement actions against firms and individuals, the PCAOB is laser-focused on audit quality and independence.” Wesley Bricker, the SEC’s former chief accountant, said in February 2018 that “the PCAOB has had a positive impact on [auditing] firms’ system[s] of quality controls.”
Indeed, a 2018 Protiviti study found that 75% of companies whose external auditors required them to significantly boost their SOX compliance activities attributed the initiative to heightened PCAOB requirements.
Not all is necessarily well at the PCAOB, though. In a Republican administration that is highly skeptical of the wisdom of tight government regulation, the PCAOB, now with a new chairman, may be back on its heels. This spring it kicked off a soul-searching survey project, asking the public’s help in figuring out how to enhance the PCAOB’s relevance to the capital markets.
With the success of the PCAOB and SOX, few would call for more regulation around the auditor-client relationship. But if anything akin to Corillian occurs in the United States, it wouldn’t be out of the question. One of the suggestions made in the United Kingdom, by none other than Grant Thornton, is to have a public body select the auditors for all U.K.-listed groups and authorize it to review and rotate audit contracts every five years.
For now, there are some things apart from regulation that could improve audit quality, or, at least, the optics on public accounting firms and their clients’ financials.
First, technology will be a help: artificial intelligence and advanced analytical tools, when applied in auditing, may allow for a wider sampling of data in audits and catch more fraud.
Second, the Big Four can help themselves by ensuring, if they haven’t already, that they have the right tone at the top. Wrote Bornstein: “Audit partners need to hear clearly from firm leadership that quality, including independence, is the most important part of their job; that no client is too big to lose; and that the partner has the firm’s full and unwavering support when he or she is appropriately challenging the client on accounting matters.”
Third, no matter how good a job auditors see themselves doing in the context of an audit’s natural limitations, the failure to catch corporate fraud and the attendant publicity will continue to sour firms’ reputations. That’s unless, of course, they find a way to address the expectation gap between what the general public wants from an audit and what an audit can really deliver.
The finance team has a crucial role in ensuring an effective audit.
Companies often make garden-variety mistakes when it comes to financial audits, says Rahul Sheth, a former director at Accordion Partners and now a corporate controller at DigitalOcean. The first, and perhaps most damaging one, is engaging the “wrong” auditor, or one who doesn’t have a nuanced understanding of the business.
With that comes the risk of auditors asking for unnecessary or incorrect information, increasing the number of adjustments and control deficiencies. That can result in a qualified audit report — not exactly a gold star for potential investors or lenders, Sheth says.
The right audit firm not only understands the business and industry, but also has years of experience auditing similar companies.
Equally important, says Sheth, is that the CFO and other executives understand the audit plan. That means ensuring that the auditor focuses on the high-risk areas and the businesses with more complex structures, including various revenue streams, locations, and segments.
Sheth recommends that finance team members meet with the auditor during the planning phase to discuss the engagement personnel’s understanding of high-risk areas. Finance should scrutinize the prepared-by-client list to identify items that are not applicable, Sheth recommends.
Sheth also advises that finance be forthcoming, raising potential issues as early as possible, and being available to answer questions throughout the audit.
Finally, Sheth emphasizes, year-end surprises should be avoided. If a company enters into any non-standard or unusual transactions (e.g. purchase or sale of business, change in segment reporting), it’s crucial that these transactions be audited when they occur. | V.R.