What does it take for an auditor to admit failure? Public Company Accounting Oversight Board (PCAOB) member Jay Hanson, a former audit partner from next-tier firm McGladrey LLP, is suddenly acting like the agency’s go-to accounting industry apologist. In a recent speech, Hanson said he was “troubled” by the PCAOB’s use of the term “audit failure” in its inspection reports. He thinks the term confuses users of the auditor’s opinion. As if there are any…
“…calling every such deficiency an “audit failure” appears to have caused confusion among investors, audit committees and others, some of whom have interpreted our findings as meaning that the financial statements are misstated or that there is a problem in the company’s accounting or internal controls. In fact, however, only very few of our inspection findings ultimately can be linked to a problem in the company’s financial statements, and restatements arising out of our inspection process are rare, although they do occur.”
Should audit and auditor failure be solely defined by identified material misstatements that result in restatements, and internal control failures? The PCAOB considers auditors’ failure to audit internal controls over financial reporting a big enough problem in October 2013 it issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting. The PCAOB inspectors have been citing significant deficiencies in audits of internal controls over financial reporting during the last three years.
The deficiencies include the failure to:
- Identify and sufficiently test controls that are intended to address the risks of material misstatement
- Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations
- Obtain sufficient evidence to update the results of testing of controls from an interim date to the company’s year end (i.e., the roll-forward period)
- Sufficiently test controls over the system-generated data and reports that support important controls
- Sufficiently perform procedures regarding the use of the work of others
- Sufficiently evaluate identified control deficiencies.
We know that formal restatements are way down, after hitting highs right after the passage of the Sarbanes-Oxley Act in 2002. Research firm Audit Analytics keeps telling us so. But are restatements down because there is less corporate accounting and disclosure fraud? Many thinkle peep so but I definitely don’t. The SEC agrees with me and reinstated its Accounting Fraud and Disclosure Task Force last year. That’s the team dismantled by former SEC Enforcement Director Robert Khuzami who used the deceptively low formal restatement numbers as his excuse. Not so fast, I wrote in Forbes in October 2012 right before Khuzami resigned.
A study by two University of Connecticut accounting professors found auditors have waved the weakness flag in advance of a small and declining share of earnings restatements–just 25% in 2008 and 14% in 2009, the last year studied. There was no auditor warning before Lehman Brothers’ 2008 collapse, even though a bankruptcy examiner later concluded it used improper accounting gimmicks to dress up its balance sheet. And no warning before Citigroup lowballed its subprime mortgage exposure in 2007. (It paid a $75 million SEC fine.)
Instead, companies and auditors flag material weaknesses as they’re restating earnings–that’s what JPMorgan did in August when it revised first-quarter earnings to show $459 million more in losses from “the London Whale’s” trading bets than it first reported.
Yet another Sarbox provision, absent vigorous SEC enforcement, may even be leading, perversely, to less disclosure of accounting problems. It provides that a year of performance-based pay can be “clawed back” from a CEO or CFO who signed off on earnings that have to be restated. Thus executives have a financial incentive to handle problems they discover quietly–either internally or with an “earnings revision” instead of a restatement. Last year revisions (as opposed to formal restatements) accounted for 57% of 727 earnings fixes, up from 33% of 1,384 fixes in 2005, Audit Analytics reports.
Never heard of a “revision”? Companies and auditors like it that way. With a formal restatement, a company must file a special form, 8-K, calling attention to its corrections. With a revision it can fix flawed accounting without filing an 8-K or formally restating old earnings, since the change supposedly isn’t “material.” With a revision executives’ prior pay isn’t at risk, auditors don’t have to retract their approval of earlier statements, and there’s usually little impact on the stock and so no investor lawsuits.
The SEC has also established another initiative, Operation Broken Gate, targeting auditors, lawyers and directors who enable corporate accounting and disclosure fraud. In addition, in fiscal 2013 accounting and disclosure fraud was the largest percentage of the SEC’s Dodd-Frank whistleblower tips, the second year in a row. So, maybe the SEC and PCAOB need to question the increase in characterization of misstatements as non-material and fixes made only on a go-forward basis.
Why are restatements declining?
- Auditors make the final call on the necessity of a restatement under pressure from executives and their lawyers. It’s in all parties’ best interest to minimize restatements.
- Making fewer restatements reduces the likelihood auditors will be named as a defendant in a shareholder lawsuit.
- Compromising on the requirement for a restatement by downgrading the materiality of errors or misstatements reduces the likelihood auditors will irk executives by setting them up for SOx or Dodd-Frank clawbacks claims. A restatement is required to force reimbursement under both laws.
- Fewer restatements means auditors can argue with PCAOB that a significant inspection deficiency didn’t result in “restatement” and therefore can be left out of its public inspection report. Likelihood of additional follow-up by the SEC resulting in sanctions or fines is also minimized.
How many recent material misstatements and civil charges and criminal indictments for fraud and other illegal activities have been viewed as “auditor failure”? How often does the auditor keep its job in spite of what Jay Hanson and the industry claim are true “audit failures”, material misstatements resulting in restatements?
JPM: JPM gets credit for booking the largest financial restatement of 2012, $21 billion in fines for illegal activities in 2013 alone including the “whale” fraud and $13 billion in criminal penalties by the Justice Department for mortgage related fraud and PwC is still the auditor, on the job since 1965.
AIG: Multiple material restatements over the last ten years, lawsuits against executives and PwC as auditor for frauds and a takeover by the federal government during the most recent financial crisis. PwC is still the auditor, on the job since 1980.
Dell: In 2007 Dell said it would restate its financials for fiscal 2003 through fiscal 2006, and for the first quarter of fiscal 2007. The restatements were the result of a yearlong investigation by Dell’s audit committee, which found evidence of manipulation that was made to hit financial targets. The SEC charged Dell chairman and CEO Michael Dell, former CEO Kevin Rollins, and former CFO James Schneider for their roles in the disclosure violations but no Section 304 clawbacks were required. PwC was a defendant in shareholder lawsuits because of the restatements but the claims were dismissed. PwC has been Dell’s auditor since 1986.
GE: GE has made multiple restatements for accounting fraud and manipulation, been sued by shareholders and had an adverse opinion on its internal controls. GE’s restatement for 2007 was the largest one that year. Other large fines and penalties for civil and criminal activities have been imposed over the years, and now an SEC investigation for auditor independence violations over multiple years. KPMG has been GE’s auditor one hundred years. (More examples of bullet proof auditors at the end of the post.)
When fraud and significant misstatements occur, what is the typical auditor response?
- We weren’t there. Financial statements are responsibility of management.
- We can’t see. When executives collude even the best audit won’t uncover the fraud.
- We were duped. If we get bad information from management we can’t be held responsible.
- We can’t afford to do more. More extensive testing to go beyond the “reasonable assurance” standard means more time and more money. Companies and investors won’t pay for it.
- We’re not perfect. Look at all the things we catch and deter that you’ll never know about.
Let’s refresh our memory about the role and responsibility of an auditor on a public company audit. From the standard auditor’s opinion:
These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.
So, the PCAOB finds, during an inspection, “that it appeared that the Firm, at the time it issued its audit report, had failed to obtain sufficient appropriate audit evidence to support its audit opinion” on either the financial statements or the effectiveness of internal control over financial reporting.
Did the audit firm fail to fulfill its public duty? Uh huh.
Is that an “auditor” failure? Yes.
Is it an “audit” failure? You betcha, if you believe, as I do that an audit opinion delivered without sufficient evidence to support it is a failure to deliver the required audit services.
In a sane world, a professional services vendor that, via a third-party objective quality review, falls significantly short of the contractual requirements to deliver a service under required legal standards and practices would be liable for malpractice and breach of contract. But in the world of the too few to fail Big Four audit oligopoly, the interests of the paying customers and the vendor to deliver minimum service at lowest cost and with the lowest common denominator of quality are aligned. Neither company executives nor the audit firm makes friends by publicizing substandard or illegal accounting and incomplete or misleading disclosure to investors. The likelihood of getting caught and being held liable is too low for both, especially on an individual basis, to make a good, thorough audit worthwhile.
Jay Hanson wasn’t always allergic to the word “failure”. He frequently reminds us in speeches why auditors are lately under so much scrutiny. He did so most recently in November of 2013 for an FEI conference in New York:
In the wake of the recent financial crisis, involving the failures or near-failures of systemically important entities that had received unqualified audit reports just months earlier, investors raised questions about whether more communication by auditors focusing on what they learn during audits could provide investors with important insight into the risks associated with the audit clients.
Auditors failed to warn investors of insolvent banks, some of which failed or were effectively nationalized shortly after receiving unqualified opinions on their financial statements. Audit failures? I vote yes. A month before that, in October of 2013 at Brigham Young University, he reminds us about the regulator’s responsibility to enforce the law when failures occur.
While many of our cases to date have involved audit failures of varying degrees, the Board also has imposed sanctions for failures to cooperate with the PCAOB, including failure to produce documents and the alteration of documents in connection with inspections or investigations. And just this week, for the first time, the Board censured and imposed a $2 Million fine on a large audit firm for permitting one of its auditors, who previously had been suspended by the Board, to continue to engage in activities that were not permitted by the Board’s suspension order.
In June of 2012, Hanson isn’t afraid to characterize repeated deficiencies in auditing of valuations and fair value measurements as failures:
For example, inspectors have identified deficiencies that included auditors’ failures to evaluate, or evaluate sufficiently, the reasonableness of significant assumptions used by issuers to estimate the fair value of reporting units in their goodwill impairment assessments or in measuring fair value for other intangible assets and other long-lived assets acquired in business combinations. So what can preparers, valuation specialists and auditors do to avoid audit failures that can lead to the erosion of investor confidence?
In August of 2011, in comments made at an open board meeting at PCAOB headquarters, Hanson uses the word “failure” and the board’s definition of audit failure over and over, with few qualifications:
As noted in the Release, the Board’s inspection activities have resulted in findings that include situations we define as audit failures. PCAOB inspections are designed to focus on high-risk audits and audit issues. They are designed to identify and focus on weaknesses and deficiencies, and our reports are not intended to serve as balanced public report cards or overall rating tools. Thus, our findings may not constitute a representative sample for purposes of drawing conclusions about actual trends. However, in order to determine whether, and how such failures can be prevented by enhancing auditor independence, we need to take a close look at the audit failures to determine what the trends are. Is audit quality is improving or declining? Is the significance of audit failures increasing or decreasing? How significant were the audit failures? How many of the failures resulted in a restatement, and how many restatements were related to Fortune 500 companies, systemically important banks, banks that received TARP funds, or companies that ultimately filed for bankruptcy or were provided a bail-out?
It’s enough to make you wonder who or what got to Hanson. More bullet-proof auditors.
GM: Multiple material restatements and shareholder lawsuits including auditor Deloitte as a defendant, a bankruptcy and takeover by the Federal government during the financial crisis, and an adverse opinion on its internal controls that persisted even after the governments re-IPO of shares to the public. Deloitte has been GM’s auditor for nearly one hundred years.
Citigroup: KPMG has served as Citigroup’s auditor since 1969. Citigroup lowballed its subprime mortgage exposure in 2007 and paid a $75 million SEC fine. Fees to KPMG for audit, audit related and tax compliance work at Citi were more or less flat from 2007-2009. KPMG, as auditor, is supposed to assess the additional risk of fraud and material misstatement associated with events like a global economic crisis, taking on taxpayers as significant shareholders (November 2008) and the credit chaos in industry and sovereign capital markets. But the US Treasury voted to retain KPMG as Citi auditor in 2010, in spite of having a chance, as majority owner, to demand fresh eyes.
Walmart: Reuters reported at the end of 2013 that Walmart has spent more than $300 million investigating alleged bribes to government officials paid by its Mexican subsidiary and is paying the legal fees of a number of executives that are involved. Ernst & Young, its auditor in Mexico and at headquarters in Bentonville, Arkansas, is still on the job in spite of having seen, heard, and done nothing to prevent, identify, or mitigate the alleged illegal bribery activity.
Huron Consulting: Multiple year restatements for “misplaced costs” related to an acquisition. PwC is still the auditor.