I recently had the chance to visit with Joe Howell, the Executive Vice President (EVP) of Workiva LLC. Howell has been the Chief Financial Officer (CFO) of a number of public companies, mostly in the technology space, and some private companies, some of which went public. He is a co-founder of the SEC Professionals Group, which includes the folks who are actually drafting financial statements to submit to the SEC, and a newer group, the SOX and Internal Controls Professionals Group which focuses on the issues that are closely aligned with many of those that you address on a regular basis – compliance with control objectives.
One of the things I wanted from Howell was a better understanding of the Public Company Accounting Oversight Board (PCAOB) and what role it might play in anti-corruption compliance. Howell explained that the PCAOB is a quasi-governmental board created by Congress under the Sarbanes-Oxley Act of 2002 (SOX). It has two main functions. The first is the creation of new audit standards for the auditing of public companies. The second is auditing the auditors themselves and issuing inspection reports to help them improve the quality of their work.
Howell believes that the audit standards set by the PCAOB have changed the way that companies perform and how their auditors audit them in significant ways, through their inspection reports. These audit inspection reports were not designed to test random audits. They were designed to test those audits that had the largest amount of audit judgment contained within them. These inspection reports issued by the PCAOB themselves have been, in many ways, damning and certainly embarrassing.
Howell noted that over the past few years, there has been about a 39% to 40% average failure rate for the Big Four. In some instances, one went up to nearly 50%, but the most recent report, on BDO, an international network of public accounting, tax and advisory firms, found a 73% failure rate. Now, audit firms resent the term “failure”; they push back on it and prefer to call it “deficiency”. But if one were to take one of those audit inspection reports and do a quick CTRL-F in Adobe Acrobat to count the occurrences of the word “fail”, you would find it hundreds of times.
Now does that mean mistakes, or does it mean the failure of a process, or something different?
I asked Howell what might come up as a deficiency and he related that the number one thing the PCAOB finds is a lack of sufficient competent audit evidence to support an opinion. Howell believes this means that auditors did not understand what the client was doing, so they were testing controls that were not functioning properly. Even where the auditors concluded that the controls were effective, when you step back and look at the work in the aggregate, it would not have done anything meaningful to assure the reader that the financial statements were prepared in accordance with Generally Accepted Accounting Principles (GAAP).
For the compliance professional, audit evidence is important. I asked Howell whether that means evidence that the auditor reviewed, evidence that the company created to support the control, or the underlying control itself. He said that one of the problems is that when reading the audit report, it is not immediately obvious which it is; it could be that the auditor simply did not ask for the right evidence or that the auditor did not sufficiently document their own work. Both present problems.
But Howell did not simply level his criticism at the auditors, as he believes the auditor will never understand the client’s business or its control environment as well as the client does. It is the responsibility of the audit client to understand its own controls so it can correctly explain their function to the auditors. This is a key insight for any Chief Compliance Officer (CCO) or compliance professional: you must know your compliance internal controls so that you can adequately explain them to your auditors.
From Howell’s perspective, “the audit client is the generator of the material, they are in the business, they have years of experience. The auditor may come and audit them, really one major time of year, but will be there three or four times a year talking to them, but they have other clients as well in other industries. They will never be as familiar with that client’s business as the client.” Yet this also means that when the PCAOB is speaking to the auditors, they are vicariously speaking to the audit clients, too.
Last week I wrote about internal controls and the Securities and Exchange Commission (SEC) focus on internal controls in Foreign Corrupt Practices Act (FCPA) civil enforcement actions. This brings up the issue of how robust internal compliance controls must be to pass SEC muster. In the context of the PCAOB, it relates to the issue of precision.
Howell said that precision is often involved in another area of audit failure. In reviewing auditor work papers, the PCAOB might find a note that the client reviewed something or did something, yet no discussion of whether the internal control would detect this or that kind of error, or an error of a certain size. As Howell put it, “What’s the precision of that control? Would it have missed a freight train or would it have found something that would have been as small as a drop?”
This leads to deficiencies in quantifying a problem. Howell gave the example of a management review control evidenced by a signature. The signature documents that the manager reviewed something, but by itself it tells you nothing about what the manager actually did in the review: was the review sufficient, did the reviewer look at all the supporting calculations, was the evidence actually what it was reported to be, and did it in fact support the conclusion the company was drawing?
Clearly all of the above has significant implications for the corporate compliance function. Whatever the compliance internal control, the key question is the precision around that control. One of the most straightforward examples involves third parties. Many companies will not work to clear red flags raised in due diligence, or will not appropriately document how those red flags were cleared. If an auditor does not make this determination and then document how the determination was made, it translates to a lack of precision. So even if the company passes audit inspection of its compliance internal controls, it may not pass SEC inspection when the SEC tests the company’s internal compliance controls or simply asks the company to present evidence of an effective control.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016