Take a deeper look at the risks of auditing, and everyone will sleep better.
By Bill Hatton
What keeps your company’s auditor awake at night? Like most professionals, it’s most likely uncertainty–nagging concern that there isn’t quite enough evidence to support signing off on the audit.
What keeps company executives up? Probably something similar: The auditor might have missed something important, putting your company at risk of embarrassing re-statements—or worse.
Martin Baumann, chief auditor and director of professional standards, Office of the Chief Auditor, Public Company Accounting Oversight Board (PCAOB), says there are good reasons for everyone’s loss of sleep: Auditors may be too credulous.
“Lack of auditor skepticism is common,” Baumann says. “Due professional care requires professional skepticism; auditors need to find evidence that statements are free from material misstatements.”
In 2013, PCAOB inspected 60 audits:
- It found deficiencies in the audit in 57 of 60 cases, so PCAOB was almost always able to find something auditors missed.
- It found independence problems in 22 of 60 cases, e.g., the auditor was also preparing the financial statements.
- And most worrisome of all: “In half the audits we inspect, the evidence is not there to support the audit findings.”
Beyond that study, PCAOB consistently finds that in one- third of audits they inspect, there isn’t sufficient evidence to support the audit finding, Baumann says.
The federal government agrees there are reasons to worry. The SEC still gets calls from companies about auditor independence, especially in cases where auditors are also preparing the financial statements, says Brian Croteau, deputy chief accountant and head of professional practices group, Office of the Chief Accountant, U.S. Securities and Exchange Commission. That’s worrisome since the rules against that have been in place since 1970.
Along the same lines, one expert has been sounding the alarm for some time: Francine McKenna, a CPA, writer, speaker, and subject-matter expert on auditing matters. She frequently takes issue with Big 4 auditing practices and runs the Website, retheauditors.com. The standards writers such as PCAOB are “starting to get the point across to [auditing] professionals at all levels of the [big accounting] firms that what the investor public really needs is you doing your job and doing the right thing. Do the work according to the standards. In most cases the standards are not new,” she says.
Rapid changes and the global financial crisis also are pressuring companies and auditors to make tough judgment calls that require “backbone,” according to Arnold Schilder, chairman International Auditing and Assurance Standards Board (IAASB).
“The nature of financial reporting continues to evolve: now more complex, more areas of judgment, and more qualitative disclosures,” says Schilder. “There is changing demand from users, which can be summarized as ‘we want to hear more’—a call directed not only to preparers of financial statements but also to auditors and others involved in the financial reporting supply chain.
“Then, as a result of the global financial crisis, some key questions were raised: about the quality of auditing, its effectiveness, and the role of professional skepticism and judgment; and perhaps more fundamental, about the relevance of the audit. For example, if auditors did all that they were supposed to do, yet still did not warn of the risks leading to the financial crisis, what then is the relevance of the audit? I do not see this as a criticism per se. Rather, it is an important inquiry as to whether audit could deliver more – an essential question that must be considered in the wider context of trust in the profession.”
Schilder, McKenna, Baumann and Croteau were among those experts who spoke at “Ensuring Integrity: 8th Annual Auditing Conference” at Baruch College, City University of New York, New York.
Here are some of the experts’ take-home points for you to consider:
1. Partner Quality—do you know the track record? Which individuals will be handling your account? Who is
supervising them? And what are their track records?
McKenna explains: “I think partner quality is something we can get to a lot easier than overall general audit-firm quality, especially when you’re talking about the largest firms that have global networks. Those firms work for multi-nationals where there are a lot of hands involved.”
PCAOB, when assessing audits, looks at the partners assigned to the specific audits, according to McKenna, including:
- The history of their engagements—levels of experience and responsibility.
- Any history of discipline or sanction.
- Whether they’ve consistently been involved in problematic audits.
- Whether they’ve consistently been involved in audits requiring misstatements or restatements.
McKenna says some partners are “being moved around like pedophile priests from parish to parish … without the public, the capital investors, and the markets knowing that these problem people are still auditing.”
McKenna’s statements were connected with the idea this information should be publicly available for the sake of investors and capital markets. But she raises a point for any audited company regardless of the current disclosure standards and regs: Do you know the track record of the people on your account? And do you have a way to verify it?
“The partner on one particular firm, MF Global, I won’t say the name, was also the partner on Barings in the Nick Leeson era, was also the partner on Knight Capital when it ran into problems, was also the one the firm said to look in on Madoff and never opened any doors.”
To keep in mind: Ask the track-record questions as part of due diligence when hiring or rehiring auditors. Make sure the audit firm informs your company of any personnel- or track-record changes during a contract.
2. Audit quality—is there over-reliance on general standards and regulations instead of customized metrics?
SEC regulations and PCAOB and other relevant standards can offer some assurance about audit quality, but that only goes so far: Ultimately, your audit committee and auditors need to find the best set of metrics that are specific to your organization – and these may change.
“There isn’t a single magic formula that regulators ought to prescribe,” says the SEC’s Croteau. Audit quality is about “data points that together can be meaningful and useful in getting the right focus and attention on audit quality. They need to be updated and changed over time.”
If auditors don’t find existing metrics adequate for assurance, they’ll no doubt propose new ones to the audit committee. But the audit committee might find it useful to communicate important metrics the business uses to judge how it’s doing.
One example: When assessing management statements about how well the company is performing, one auditor for a large retailer looked at the return metrics. What did changing numbers of returns mean in comparison with previous years? Was there a problem with a new supplier? Did it represent increased sales? Key: Management can assist the auditor in understanding real performance indicators; similarly, execs can be open to auditors finding metrics that back up (or call into question) statements about the company’s performance on relevant SEC filings.
To keep in mind: Are the appropriate parties using business- specific metrics? Watch and see if the auditor comes up with their own metrics and initiates discussions that show an interest in confirming statements. Too many may just comply and that’s all, without digging deeper.
3. Auditor independence—management and audit committee’s role in asking the right questions
Auditor independence is trickier than one would think on first glance, and requires ongoing discussions. SEC’s Croteau says: “All parties need to work together to ensure appropriate auditor independence.”
A. Accepting spreadsheet services without considering impact on audit. “We [the SEC] became aware of a situation where an auditor was providing a service that involved providing electronic spreadsheets for tax preparation for financial reporting purposes and maintaining that spreadsheet for the client. This is a situation where the audit committee found themselves needing to engage another auditor and re-audit prior years.” These problems “influenced the ability of this company to raise capital,” Croteau says.
The issue could have been avoided had all three parties— audit committee, the auditor, and management—assessed the nature of the services before they were performed. This needed to be thought about and discussed in advance, he said.
B. Not identifying affiliates. “Auditors need to be independent not just of the company, but of the affiliates of the company,” says Croteau. Management, audit committees and auditors need to discuss who are the affiliates. “If I were management, I wouldn’t want to leave it to the auditor to make that assessment with a comparison to the company’s own assessment in that space,” says Croteau.
To keep in mind: How many discussions are you having with auditors about services offered (or legacy ones in the case of a new auditor), affiliates and other potential types of information that may impact their independence?
4. Auditor tenure—do you rotate or not?
One of the most controversial topics on auditing concerns rotating auditors. Baumann says some companies are voluntarily reporting auditor tenure. But there is no widespread agreement on whether rotating auditors was a good thing or a bad thing.
One auditor said reporting auditor tenure may needlessly raise questions, no standards or regulations are needed, and that any potential independence issues can best be dealt with by the company and auditors themselves.
The poles of the argument went like this:
- “The first audit is riskiest” because the auditor doesn’t know the company’s operations well enough, said one expert.
- “No one wants to lose the long-term, crown jewel account—so the 75th audit is risky,” said another.
To keep in mind: Management needs to periodically look at the relationship of the auditors to the company. Do you get a feeling that it’s “too cozy,” where something risky or wrong made pass through the audits and be discovered
later, requiring possible restatement, public embarrassment, market concern, or SEC action? At the very least, open up auditing to bids from other companies and avoid rolling over automatically.
5. Critical audit matters—do you know where the judgment calls are?
PCAOB is updating some of its reporting standards, specifically including “critical audit matters” and “other information.” Both of these involve important information judgment calls.
“Say the CEO letters says, ‘We are the fastest-growing company in our area of technology, but the auditor knows the CEO knows that they aren’t but are trying to get there, [under the PCAOB’s reporting model proposal], the auditor would have to say that’s a material misstatement and needs to be changed or I change the auditor’s reports to indicate there’s a material misstatement,’” Baumann says. That’s “other information” that the auditor needs to include.
Key for executives: Knowing where the auditor has to make the most critical, more subjective judgments. It will be audit items that are important enough to be included in the engagement-completion document, reviewed by engagement quality reviewers, and/or communicated to the audit committee. It will also involve matters that will be most difficult to find sufficient verifiable evidence and the most difficulty in deciding whether or not the financial statements are accurate.
To keep in mind: These will be the matters that keep auditors up at night, or reluctant to sign off on. What management can do is identify these matters with the auditor and see what can be done to either increase verification or minimize ambiguity—even though ambiguity is sometimes unavoidable.
Schilder sums up: “Communicating key audit matters is not a tick in the box. It requires (auditors’) professional judgment, and a careful consideration of what is unique about the specific entity and the specific audit undertaken—and therefore the matters of relevance to users of the auditor report and the entity’s financial statements. The required thought process is inherently no different than that the auditor would go through when preparing for discussion with the entity’s audit committee a focus on what is important and relevant.”
Auditing experts— including SEC officials, reps from several standard-making organizations, and industry observers— came together to discuss numerous challenges facing managers and auditors to reduce risks on all sides. Among their suggestions:
- Know who your auditor has assigned to your account and who is supervising your account. Their track records matter, because bad apples sometimes get passed around.
- You know the picture of your organization’s financial performance must be more specific than regulations and standards: One sign the audit committee and auditors are fully engaged is they are discussing/proposing company-specific metrics.
- Don’t take auditor independence for granted—ask about other services the audit company is providing and see if they are asking deeper questions, such as asking about your affiliates.
- Periodically review your organization’s attitudes toward rotating auditors. When the contract’s coming up for renewal, have some candid internal discussions about auditors’ level of “coziness” and see what competing vendors have to offer.
- Auditing involves judgment—do you trust it in the people assigned to your audit, and do they have the info they need to properly understand and sign off on financial statements?