McKenna Speaks At 2013 AAA Audit Section Midyear Conference

I was in New Orleans this past long Martin Luther King Day weekend to speak at the American Accounting Association Auditing Section Midyear Conference and Doctoral Consortium.

I was proud to be one of two keynoters. Jeanette Franzel, PCAOB Board Member, spoke on Friday morning to the crowd – more than 500 attendees – on the PCAOB’s recently updated strategic plan.

The Board’s recently updated strategic plan reflects this. Its near term priorities for 2013 include:

• Audit Quality: identifying audit quality measures, with a longer term goal of tracking such measures for domestic global network firms and reporting changes in these measures over time;

• Inspection Findings: enhancing the PCAOB’s processes and systems to refine the analysis of PCAOB inspection findings, including comparative analysis across firms over time, to further inform the investing public and PCAOB’s standard-setting and other regulatory activities;

• Inspection Reports: improving the timeliness, content and readability of inspection reports;

• Remediation Determinations: improving the timeliness of remediation determinations and providing additional information on the PCAOB’s remediation process;

• Standard Setting: enhancing the framework for the PCAOB’s standard-setting process and the related project-tracking information provided to the investing public; and

• Audit Committees: enhancing the PCAOB’s outreach to, and interaction with, audit committees to constructively engage in areas of common interest, including auditor independence and audit quality.

I asked Ms. Franzel about why “enforcement” is missing from the list. I think “carrots” are nice but a regulator should always carry the big “stick” too, especially for an industry that’s used to self-regulation. Franzel reiterated the Board’s commitment to enforcement to reinforce standard setting and inspection remediation but to also act as a sufficient deterrent to others.

It would be nice, in my opinion, if enforcement actions, like inspection reporting, could be delivered on a more timely basis.

My remarks were entitled, “Auditors’ Obligations Regarding Fraud And Illegal Acts.”  My spoken remarks are below and some slides that support my remarks are here.

One fun part was when the last questioner – there’s always someone trying to be funny and throw you off – asked what I thought about the Lance Armstrong scandal.

My sis, who was there with my niece to bring news to my family about who in the world is truly interested in someone who never shuts up about the auditors, captured the moment in a tweet.

Thanks to Professor Roger Martin of the University of Virginia and the program committee for the invitation.

Here are my remarks:

It’s so nice to see so many familiar faces in the crowd. Many of you also sent emails, LinkedIn messages and tweets and stopped me yesterday as I was attending the sessions to give encouragement. That’s much appreciated. I want to thank Roger Martin and the program committee and especially Scott Showalter, for the invitation.
Since Jeanette Franzel gave a disclaimer yesterday, I should also give a short one written when I first started in late 2006.  If you want to read the whole thing it’s on re: The Auditors.com.

The views on my blog are mine alone and not the views of any of the various plain vanilla white guys that I have worked for over the years.  I expressly abdicate responsibility for any liability of any kind or nature with respect to any act or omission based wholly or in part in reliance on anything contained on this blog or in any audit reports I have ever written.
Just like my heroes, the Big 4 partners.
I am not licensed to render advice, personal or professional, except in the state of intoxication that results from too many margaritas made with Herradura Añejo tequila.
All photo illustration and videos are intended to confuse, confound, and flabbergast you, while occasionally also encouraging a chuckle or a knowing smirk.
Comments or feedback are welcome, encouraged, and, most often acknowledged lickety-split.  Unless, of course, they make me feel sad.
Then they are, of course, deleted.
Because it’s my blog.

I’m more serious now that I write for others, for money, since it’s money that makes the world go around, pays for my Rottweiler’s enormous appetite, and forces one to compromise, Don Quixote-style, all idealistic principles.

My interest in writing for the public comes from my desire to raise awareness of our profession and our roles and responsibilities to the capital markets. I’m very proud of being both a writer and a source for other journalists. You all have the same choices and I’m glad to help those who want to expand their horizons.

It may surprise some of you who have read my writing to hear I rarely, if ever, dissuade a young professional who’s mapped out a detailed life plan, worked their tail off, and ran towards the light at the end of the tunnel that is a job in the Big 4 at graduation, from taking a positions at a Big 4 firm. I may counsel them about a particular firm or office at a particular point in time. I may insure they know what they want and have asked the right questions. I may encourage open dialogue with a sponsor or mentor early in the process in order to insure that they have the benefit of the knowledgeable and generous career and personal support I had in my first job at one of the audit firms when I joined KPMG Consulting in 1993.

I’ve been going out to schools, talking to students and their professors quite a bit.  If you want me to visit your school, I only need a burger, a beer and a place to bunk.

In spite of my profound enthusiasm for the profession, most accounting students and young auditors look at me like I’m an alien – not Sigourney Weaver but definitely something green from another planet – when I talk about the auditors’ “public duty.” I have to constantly remind them, and some of their professors, that the external auditor’s true client is the shareholder, not a company’s executives or even the Audit Committee.  The Audit Committee is the stand in for investors and if the Audit Committee is not doing their job the auditor has a duty to point that out, up and out.

“But the CFO pays the bill,” the young folks respond. “We have to make the CEO and CFO happy or we’ll lose the engagement.  How will I ever get promoted to partner if I follow your advice and make everyone look bad by raising objections and pointing out errors? Audit partners are entrepreneurs that invest their own capital in the business. Why are you against them making a profit? Are you some kind of communist?”

If this is how our next generation is being educated – notice I did not say trained – another bubble is inevitable.

My PwC tenure was a capstone course in professional services, the state of the audit industry post-SOx. (Insert PwC anecdote where, after asking some questions at my first all hands meeting of the Internal Audit practice in Orlando, a partner tells me: “We don’t raise our hands at PwC, we wait to be called on.”)

There are so many subjects I could have talked about.

Independence is hot. I’m thrilled that everyone else seems to be catching on, even when there’s not a big case like Enron smushing our nose in it. But I think that lax enforcement by the SEC and PCAOB of pre-SOx and SOx auditor independence requirements means finding obvious examples these violations is like stealing candy from a baby.

Reuters did some great work recently on Ernst & Young’s tax lobbying for audit clients. Here’s a little secret, EY was not the only firm that did this. It’s been reported the SEC is looking into EY.  They’re looking into the other firms, too.

We could have spent a whole day talking about the HP-Autonomy fraud alllegations or the OCC/Fed foreclosure reviews. They are both great case studies of all the roles the modern post-Sarbanes-Oxley global audit firm can play within the capital markets system.  They are also great examples of how any large litigation or dispute these days will likely touch more than one of the four largest audit firms.

The four largest firms have common industry interests represented by the AICPA and CAQ and that they individually and jointly advocate to legislators via millions of dollars directed at lobbying. The firms also compete with each other and are often paid by clients to perform services adverse to each other and at cross-purposes with overall industry interests.

Which side are they on? Which regulator makes sure that the consulting side of the firms upholds the same professional standards we expect from the audit side? Is that an unrealistic expectation? Maybe that’s left to private litigation? What do we do if we, and the public, can’t quite discern what role the firm is playing or if they are playing more than one role for a client? How do we separate all of the tangled alliances and business interests wrapped up in Deloitte’s relationships to both HP and Autonomy or of the audit firms marketing of governace, risk, and compliance software and services?

I’ve reported on some independence issues recently. One, KPMG loaned tax staff to GE, stopped after I reported it. Since the SEC doesn’t usually whisper in my ear I have to lure them outside and tie them to a patio chair at Ebenezer’s, the café around the corner from SEC HQ in DC, to make them talk.

I can’t know for sure if the SEC is investigating my reports about PwC’s software integration partnership with audit client Thomson Reuters. But since SEC staff read my site for more than an hour each day and I can see which columns they’re studying, I’m pretty comfortable someone there is learning a lot about AICPA 101 and Rule 2-01 of Regulation S-X and Item 9 of Schedule 14A under the Securities Exchange Act of 1934.

We could have talked about Sarbanes-Oxley and whether it’s meeting its goals “to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud”.

I said in a Financial Times OpEd for the SOx anniversary that the law has failed. Most importantly, Sarbanes-Oxley did not restore investor confidence in auditors after Arthur Andersen’s failure to mitigate the fraud at Enron.  In fact, I think we are worse off now than before because the law gave some a false sense of confidence that has not been backed up by civil and criminal enforcement of SOx violations.

We could have talked about the SEC’s poor record of enforcement since Sarbanes-Oxley of all of the provisions related to auditors and all of the provisions that would have made CEOs and CFOs scared witless of the consequences of poor internal controls such as Section 302.

We could have talked about all the cases where auditors look the other way at poor internal audit functions, poor internal controls, and worthless fair value and valuation controls such as at JP Morgan Chase. We could have talked about whether JPM will continue cite a management assessment of a material weakness in internal controls over financial reporting in the 4^th quarter 10Q, following up on management’ assessment of that material weakness in the 2^nd Quarter Q after the “whale trade “ fiasco. Or has the mission already been accomplished?

By the time we get the annual report, will PwC say the material weakeness has been remediated in spite of the severe criticism of the bank’s internal controls and risk management by the OCC in its recent administrative order against the bank? Maybe our discussion would have also helped me find a way to explain to my readers why PwC and auditors have a role in this process and should be doing something, should have said something, since I’m the only one mentioning the auditor when these things happen.

We could have talked about the national, certified class action overtime lawsuits that all of the Big Four firms are facing. Some cases only cover unlicensed audit associates. Some are targeting the consulting side.  The implications to the firms and to your business of preparing future auditors to be recruited if any of these cases are successful at trial are legion. The firms’ business model will definitely change.

More work produced for less pay is both tolerated by our profession and a business model that rewards firms with higher profitability. But can the regulators continue to allow audit firms – who play a role as critical regulatory cogs in the financial system wheel – to delegate so much judgment and decision making to the lowest level of staff just because they are the per-hour cheapest resources?

Finally, we could have talked about audit quality, how it’s defined, how it’s measured, how it’s viewed by investors and companies, and how it’s judged by regulators.  However, Jeanette confirmed we have neither a consensus on how audit quality is defined nor how it’s measured. So what’s the point of me beating that dead horse?

So I’ve chosen to talk about a very useful, and I think very brave, Appendix published by the PCAOB this past November. It was attached for private reading to a discussion document distributed at the last PCAOB Standing Advisory Group meeting. The agenda item for the meeting was, “Consideration of Outreach and Research Regarding the Auditor’s Approach to Detecting Fraud”.

When I saw the topic on the agenda before the live meeting, I was really excited. But I had missed the words “outreach and research” and thought we were finally going to discuss the auditors’ obligations under PCAOB standards and securities laws with respect to fraud and illegal acts.

The public discussion and the breakout groups, unfortunately, focused on whether the Public Company Accounting Oversight Board (“PCAOB” or the “Board”) should conduct outreach or research regarding the auditor’s approach to the detection of material misstatements of financial statements due to fraud (“financial statement fraud”). I think that’s part of the PCAOB’s mission already with regard to standard setting, inspections, and enforcement of the standards.

The public and the media didn’t see or hear discuss the famous “expectations gap”.
The Big 4 audit firm’s public relations professionals are very good at explaining their position on the “expectations gap”. Set the bar low, tell us what you can’t do, won’t do, or want to make us believe you have no responsibility to do, and maybe everyone will leave the firms alone. Then audit firms can go back to making money the old fashioned way – via a government-sanctioned franchise operating as an oligopoly.

The “We were duped” defense is used over and over again by the audit firms when frauds occur. For example, PwC used it in the firm’s initial reaction to the Satyam scandal.

Sam DiPiazza, Global Chairman on the job when the Satyam scam hit in early 2009 told the Times of India that March:

“What we understand is that this was a massive fraud conducted by the (then) management, and we are as much a victim as anyone.  Our partners were clearly misled.”

PwC begged our indulgence again when in a rambling, incoherent interview with an Indian journalist in the summer of 2010 – more than a year after the fraud was uncovered by the Satyam CEO not PwC, PwC Global Chairman Dennis Nally stated:

“Many times there is an expectation from the investor community that the auditor is in fact fully responsible for the detection of fraud. Now that is not our job, today.”

Just when PwC thought they had a handle on Satyam, the Huron Consulting debacle hit. PwC is the auditor of the largest worldwide family of feeder funds to Bernie Madoff’s Ponzi scheme, the Fairfield Greenwich Group. PwC was the auditor of failed broker-dealer MF Global, run by Jon Corzine and still audits nationalized AIG and Freddie Mac now under a conservatorship. PwC has the ignominious honor of being the first audit firm sued by the FDIC for a bank that failed during the financial crisis, Colonial Bank of Alabama. PwC is also auditor of domestic and foreign banks accused of multiple frauds and illegal acts such as securities fraud, foreclosure fraud, Libor manipulation, foreign bribery under the FCPA and anti-money laundering like Goldman Sachs, JP Morgan Chase, Bank of America, and Barclays. PwC is busy overseas, too. The record breaking settlement for Centro in Australia became necessary after the firm ignominiously told the court that the audit partner who signed the opinion was responsible for the engagement, not the firm.

In June of 2011, the Financial Times produced a hagiographic profile of Dennis Nally that asked a few questions about the icky stuff but Nally is still singing the same tune in spite of the financial crisis, in spite of Satyam, in spite of growing issues at MF Global, in spite of Barclays…

Journalist Helen Thomas asked Nally diplomatically: What about fraud or disingenuous bookkeeping? Surely auditors should rightly find themselves in the line of fire when a case slips through on their watch?

Thomas says Nally crossed his arms across his monogrammed shirt, for the first time looking a touch defensive.

“There are professional standards out there [and] an audit is not designed under those standards to detect fraud,” he says, pointing out that detecting fraudulent behaviour rests on other indications including a company’s governance, management tone and control systems.

“The reasons it has been done that way is because, while we always hear and read about the high-profile fraud, the number of those situations that you actually encounter in practice is very de minimis.

“You’re not designing an audit for ‘the exception’ because, quite frankly, the cost itself would be prohibitive to all of the capital markets and . . . who wants to pay or that if the benefit isn’t there?” he adds.

Lest you worry I’m giving PwC a harder time than the others on this issue, rest assured I am.  But here’s another example.

In April of 2010, soon-to-be retired CEO of Deloitte Bill Parrett – whose post-retirement gig on the board of Deloitte audit client Blackstone Group was announced before his retirement was final – told a reporter at the Toronto Globe and Mail:

“…there are limits to what an auditor can detect – and those limits often fall far short of what investors expect from the process.  “We’ve always had this expectation gap between what the auditor really can do and what the investing public wants the auditor to do, or wants the audit to represent,” he said.

This is the same Deloitte that was, at that time defending itself against several lawsuits, including their own version of the global network challenge related to the Parmalat fraud, as well as experiencing declining revenues and loss of clients for the first time in several years. Of the Big 4, Deloitte, I think, lost the most Fortune 100 audit business as a result the financial crisis – Bear Stearns, Washington Mutual, Fannie Mae, Taylor Bean & Whitaker, Merrill Lynch, American Home Mortgage, and Royal Bank of Scotland, are a few of the major financial institutions audited by Deloitte that failed or were bailed out via forced acquisitions or nationalizations during the crisis.

Deloitte is the same audit firm at the center of the Chinese reverse merger fraud scandal and the dispute between the firms and the SEC over access to auditor workpapers in China.  This is the same firm that was the first Big Four ever to receive a “pass with deficiency” grade on a peer review and to have its Part II report publicized by the PCAOB because of stubborn intransigence over acknowledging, let alone fixing, audit quality issues cited by the regulator during the crisis period.

I don’t mean to leave Ernst & Young, infamous for Lehman’s failure, multiple crimes at UBS on its watch, and a record settlement in Canada for the fraud at its Chinese reverse merger nightmare Sino-Forest off the list. (Heck, you can make a long list for each of the Big Four of criminal enterprises they audit while declaring clean opinions and no going concern warnings. The list of financial institution civil and criminal violators alone is a long one, let alone the industrial companies accused of illegal acts like tax evasion and bribery under the foreign corrupt practices act like Wal-Mart (EY), News Corp (EY) and Eli Lilly (EY).

Don’t let me forget KPMG, auditor to many clients who are now settling private, civil and criminal litigation for frauds and illegal acts during the financial crisis. KPMG audits Citigroup (which ended up majority owned by the taxpayers), Standard Chartered, Deutsche Bank – recently subject of whistleblower claims about fair value accounting lapses, and HSBC. KPMG also audited Bank of America’s acquisition nightmare Countrywide and failed mortgage originator New Century Financial.

The PCAOB says that over the years “a variety of views” have been expressed by auditors and others about the auditor’s responsibilities with respect to fraud in an audit and that some parties “may not fully understand the auditor’s existing responsibilities under PCAOB standards.”

That’s hilarious.

I was encouraged in March of 2011 when the PCAOB’s Investor Advisory Group held their first meeting and the auditors’ role in the financial crisis was discussed. (The next meeting of this group wasn’t until March of 2012.  We’ll see if one is scheduled for this March.)

(As an aside, I’ve been writing re: The Auditors since the end of 2006 – You’re never too old to change and grow. It wasn’t until Jenner & Block Chairman and former federal prosecutor Tony Valukas, the Lehman Bankruptcy examiner, introduced the word “fraud” into the discussion, that many outside of our profession paid much attention to me. Ernst & Young was mentioned in the report and characterized as a big part of the problem instead of the solution to what went wrong at Lehman.)

The Investor Advisory Group reported in March of 2011 that the recent financial crisis had presented auditors, and by extension the Sarbanes-Oxley Act reforms, with their first big test.

It was the conclusion of this working group that both auditors and the reforms under Sox had,  “by any objective measure”, failed that test.

What did the working group say?

• Dozens of the world’s leading financial institutions failed, were sold in fire sales, or were prevented from failing only through a massive government intervention – all without a hint of advance warning on their financial statements that anything might be amiss.

• Investors suffered devastating losses. Millions of Americans lost their homes or their jobs, and $11 trillion in household wealth has vanished, according to the Financial Crisis Inquiry Commission.

• As a result, serious questions have been raised both about the quality of these financial institutions’ financial reporting practices and about the quality of audits that permitted those reporting practices to go unchecked.

The report quoted two journalists, Jonathan Weil of Bloomberg and me, under a heading “The Expectations Gap”.

“The public accounting firms and their hundreds of thousands of auditors should be an investor’s first line of independent defense. But these firms turned a blind eye to the excesses, mismanagement, and fraud of executives managing their client firms. The public accounting firms issued clean financial opinions for all of the firms that eventually, most less than a year later, failed, were taken over, or nationalized. And the regulators slept.”
— Francine McKenna, blogger

“Here we had the greatest banking industry meltdown since the Great Depression. Hundreds of lenders failed. And yet the number of banks correcting accounting errors declined while the collapse was unfolding. There were no restatements by the likes of IndyMac, Washington Mutual or Lehman Brothers, for example. The obvious conclusion is the government has been giving lots of banks a free pass, as have their auditors.”
— Jonathan Weil, columnist

The appendix that the PCAOB provided to SAG members and interested public last November provides an overview of the auditor’s responsibilities under existing PCAOB standards regarding the consideration of fraud in an audit.
This document should be the last word on the auditors’ responsibility for fraud and illegal acts at their audit clients.

In fact, I have jokingly – NOT – suggested to the SEC and PCAOB that a “curse jar” should be established to fine any audit firm, or its spokesperson, who ever again responds, “We were victims too, we were duped, it’s not our job, man”, when a court or the media ask how fraud happened on its watch.

Regulators could impose an automatic $1,000,000 fine any time those words are used to deflect attention from the auditor’s public duty. The fines can go towards scholarships for accounting students who agree to devote their career to public service at the SEC, PCAOB and other financial regulators.

I’d like to hit some of the highlights of this document and then we can open it up for discussion. I wish we had discussed the Appendix instead at the live meeting.  I’ve sent it to journalists, to plaintiffs’ attorneys and to some academics who act as expert witnesses. The document should be taught in all Audit classes. Please make sure your curriculum and your mindset is adjusted.

(At this point I follow the slides and go through the highlights of the PCAOB Appendix document, pointing out the citations, discussing Section 10A a bit, and then opening it to questions.)