7K0A0223This week I have been exploring the Public Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs for the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However Howell believes their approach is wrong based upon simply more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe, it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader as the materiality would be the entire cost that potentially the company could be liable for: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if they fail to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may result in a risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include, “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now that a loan document or a secondary financing would require a company to maintain an effective anti-bribery, corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how would they go about evaluating such a loan covenant?

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about the SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2 which specified what Howell called a bunch of ““thou shalt do” stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then draw even a line to Audit Standard No. 5 and the risks that companies have doing business outside of the US under the FCPA as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program because if you are doing business in high-risk countries which have a reputation for bribery as a way of doing business and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a controlled environment which both prevents, to the best of your ability, mistakes from happening, bribes, and then if one were to happen, to be on the lookout for where that would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

IMG_1259Today, I continue my exploration with Joe Howell about the Public Accounting Oversight Board (PCAOB), its scrutiny of public company auditors and how its work impacts the corporate compliance function. Yesterday, I ended with a discussion about goodwill, how hard it may be to calculate, its impairment and what that might mean for a Chief Compliance Officer (CCO) and how difficult it is to test for both goodwill and a proper impairment calculation. Today I want to continue to explore why any write-downs are significant for the compliance function as it might be a mechanism to hide money to fund bribes and engage in corruption.

I asked Howell about write-downs and how they might be used to hide monies generated to fund a bribe, in the context of an acquisition. Howell noted, “anytime you have to calculate what that original value is, if you have a spin-off, if you have some sort of massive write-down, then they’re going to want to take a look at that to see, How did you do that write-down? Did you do it to dress up your balance sheet, to make it a little prettier because you got rid of some intangibles because you didn’t want to have them anymore for other purposes? Or there was some sort of thing that was out of the ordinary that you did? Then they really want to look at that to make sure that there’s support for it.”

I then inquired about joint ventures (JVs) and asked if the same or similar rules would apply. Howell began by noting that an audit is focused on the external financial statements for the company taken as a whole as presented to financial statements. While that statement is in the context of what the final opinion focuses upon, it is important to recall that an audit builds up from its parts.

That means an auditor must build up from any JVs a company has and these areas that have the opportunity to create misstatements, mistakes, or completely fraudulent statements. The issues can go so far as to include Enron type of concerns where the company used fraudulent accounting to get “bad stuff” off of their balance sheet. I asked Howell if you have a JV that has engaged in transactions that were based on fraud and the profits from that JV roll up into the parents, i.e. the US Corporation’s balance sheet, that would be an appropriate inquiry for an external auditor? He said “Absolutely. If an auditor finds fraud that’s not material to the financial statements taken as a whole, their job is not over. They don’t pass on stuff because it’s immaterial. If they find fraud, they’re obligated to report it. Also, that they find fraud, then they’re obligated to explore to see if the weaknesses and the controls that permitted that fraud are found elsewhere.”

One of the key inquiries from a Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) investigation or enforcement action is around the issue of systemic failures of internal controls. Such failure is a sure remedy for the finding by the SEC for violation of the FCPA, even absent an affirmative finding of bribery. Howell said that a systemic inquiry from the auditing perspective is critical as well.

Howell said that if management is somehow involved in the colluding, then the auditors must “step back and take a hard look at what they’re going to be able to believe, if anything, that management has told them. If management is not involved and they have reason to believe that this is a bad actor somewhere in the organization, they’re not permitted to stop because it’s not material. They have to “move forward” with the inquiry.”

Interestingly, Howell not only draws a line from the FCPA to the Sarbanes-Oxley Act of 2002 (SOX) to the Dodd-Frank Act of 2010; but also draws a line from the PCAOB to corruption risk because of the pronouncements from the PCAOB about what the auditors have to look for in terms of risk. This is because he believes “every PCAOB inspection report to date has mentioned fraud. That the purpose of mentioning fraud is that the failures in the accounting control environment that permitted a transaction to go unreported or misreported are the kinds of things that undermine the entire credibility of the financial statements and mean that you’re not going to be able to rely on that control environment. Fraud is central to all of this.”

Howell went on to explain that fraud usually occurs because there are weaknesses in controls which are exploited by bad actors to get the money or the resources, if not money, to actually then pay a bribe that is the focus of the FCPA. The PCAOB’s focus on fraud is because the controls need to be in place and they focus on internal controls over financial reporting. Howell noted he has not seen any FCPA settlement that did not have a material impact on the company in one way or another. He concluded by stating, “how can you say that you’’re not dealing with material misstatements of the financial statements if you fail to report something that clearly is going to result in tens or hundreds of millions of dollars of penalties, disgorgement of profits, investigations, and tearing the company inside out in order to do the final remediation?”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

desk-and-suppliesToday we have Part II of my exploration with Joe Howell about the PCAOB and how its work with public company auditors impacts anti-corruption compliance.

I asked Howell about auditor rotation and what it means. Howell explained that the basic concept of auditor rotation is simply to keep fresh eyes on things because auditors may become complacent over time. Simply put auditors can get too familiar, too cozy with the clients. Yet the converse can also lead to problems as Howell noted, “almost every time there has been a fraud that has gone undetected or a major failure that has gone undetected for long periods of time, that has resulted from the fact that the auditors didn’t have enough experience to find the kinds of weaknesses that they’re talking about. That often happens when a new auditor is involved. That’s when things seem to go wrong.”

It is a loss of institutional knowledge that can cause problems. An auditor needs to be asking probing, independent questions and being independent in attitude as well as on paper. Howell noted the “other thing that you lose is that sense of deep understanding of the kinds of transactions, the history, and how things flow together. I think that balance is hard to draw, but it really points to the need that the client has to have a clear understanding of their processes themselves and how those processes are going to effect the controlled environment.”

For the compliance practitioner this can be where an auditor fails because there is fraud or some other form of collusion which could generate a pot of money to fund a bribe, there are going to be telltale signs or evidence somewhere, but those red flags might be missed because the client is not thinking clearly about how those red flags would be monitored and how they could detect them.

Inspection Focus is another area that the PCAOB is concerned about and while it may not immediately appear applicable to the compliance department I believe it can have a significant impact. This area focuses on judgments clients make, most generally around revenue recognition or more simply “rev rec”. Howell began by noting, the “number of mistakes are very high and often they’re challenging because when you somehow mischaracterize the top line, the rest of the financial statements change their character because of a number of things that have keyed off of what your revenue is. The other thing that’s true is that it also causes the rest of the financial statements to become questionable just because that most important number was not right.”

The rules that evolved in the 1990’s and early 2000’s made revenue recognition increasingly more complicated. Now companies are gearing up to transition to a new revenue recognition methodology that is a more principles-based practice that is going to affect all industries the same, meaning we no longer have separate revenue recognition approaches for different industries.

This transition is going to also create a lot of opportunities for mistakes and worse, fraudulent accounting to hide evidence of bribery and corruption. This could be through strategies as diverse as channel stuffing to evaluation of long-term contracts. Rev rec is an area that the compliance function needs to depend more highly on the auditing function to help detect either over-rides of internal controls or more simple failures.

This ties into Howell’s next point, which was accounting estimates. Typically, goodwill is perhaps the most challenging when you acquire a company and you have an excessive payment over what the assets that you identified as tangible assets. Howell said, “You end up with this intangible number goodwill, which needs to be tested for impairment. You can’t go judge the fair value of goodwill other than by an accounting estimate at one point in time when you made an acquisition, but the accounting rules now require that you go back and reassess that value from time to time and put an impairment charge against it if you feel that it’s not what you paid for to begin with.”

I found this analysis interesting as Matt Kelly raised this same issue in a blog post, entitled “Impairment Data Hints at Problems Ahead”, on his site, Radical Compliance. Matt and I also explored this issue in greater depth in our podcast “Compliance Into the Weeds – Episode 6”. Kelly’s basic thesis was that goodwill impairment would negatively impact compliance particularly after an acquisition, when the value of the acquired entity can drop significantly or even propitiously. Witness the HP goodwill impairment charge around its acquisition of Autonomy of nearly $5.5 billion.

This ties into Howell’s concerns from the auditing perspective because, “You can’t say what goodwill is based upon today without understanding that, “Hey, it’s based upon the value I’m going to receive over a period of time in the future.” That means that the auditors have to look to the work that’s being done by the people who prepare those projections and those are usually the Financial Planning and Analysis (FP&A) folks”, who typically do not have an appropriate level of documentation to support their analysis of goodwill value.

Moreover, FP&A is actually trying to drive behavior through these projections. Howell said they typically cannot provide either the specific documentation of analysis or even a history of results over time. This is because they “frequently are developing these projections to be aspirational. They’re trying to drive business behavior, not really trying to predict it. You end up with some issues that are creating strain in accounting organizations around the world.” Such an approach would certainly raise issues in a compliance realm.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016