All The Auditors Are Above Average: Jay Hanson Allergic To “Audit Failure”
What does it take for an auditor to admit failure? Public Company Accounting Oversight Board (PCAOB) member Jay Hanson, a former audit partner from next-tier firm McGladrey LLP, is suddenly acting like the agency’s go-to accounting industry apologist. In a recent speech, Hanson said he was “troubled” by the PCAOB’s use of the term “audit failure” in its inspection reports. He thinks the term confuses users of the auditor’s opinion. As if there are any…
“…calling every such deficiency an “audit failure” appears to have caused confusion among investors, audit committees and others, some of whom have interpreted our findings as meaning that the financial statements are misstated or that there is a problem in the company’s accounting or internal controls. In fact, however, only very few of our inspection findings ultimately can be linked to a problem in the company’s financial statements, and restatements arising out of our inspection process are rare, although they do occur.”
Should audit and auditor failure be solely defined by identified material misstatements that result in restatements, and internal control failures? The PCAOB considers auditors’ failure to audit internal controls over financial reporting a big enough problem in October 2013 it issued Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control Over Financial Reporting. The PCAOB inspectors have been citing significant deficiencies in audits of internal controls over financial reporting during the last three years.
The deficiencies include the failure to:
- Identify and sufficiently test controls that are intended to address the risks of material misstatement
- Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations
- Obtain sufficient evidence to update the results of testing of controls from an interim date to the company’s year end (i.e., the roll-forward period)
- Sufficiently test controls over the system-generated data and reports that support important controls
- Sufficiently perform procedures regarding the use of the work of others
- Sufficiently evaluate identified control deficiencies.
We know that formal restatements are way down, after hitting highs right after the passage of the Sarbanes-Oxley Act in 2002. Research firm Audit Analytics keeps telling us so. But are restatements down because there is less corporate accounting and disclosure fraud? Many thinkle peep so but I definitely don’t. The SEC agrees with me and reinstated its Accounting Fraud and Disclosure Task Force last year. That’s the team dismantled by former SEC Enforcement Director Robert Khuzami who used the deceptively low formal restatement numbers as his excuse. Not so fast, I wrote in Forbes in October 2012 right before Khuzami resigned.
A study by two University of Connecticut accounting professors found auditors have waved the weakness flag in advance of a small and declining share of earnings restatements–just 25% in 2008 and 14% in 2009, the last year studied. There was no auditor warning before Lehman Brothers’ 2008 collapse, even though a bankruptcy examiner later concluded it used improper accounting gimmicks to dress up its balance sheet. And no warning before Citigroup lowballed its subprime mortgage exposure in 2007. (It paid a $75 million SEC fine.)
Instead, companies and auditors flag material weaknesses as they’re restating earnings–that’s what JPMorgan did in August when it revised first-quarter earnings to show $459 million more in losses from “the London Whale’s” trading bets than it first reported.
Yet another Sarbox provision, absent vigorous SEC enforcement, may even be leading, perversely, to less disclosure of accounting problems. It provides that a year of performance-based pay can be “clawed back” from a CEO or CFO who signed off on earnings that have to be restated. Thus executives have a financial incentive to handle problems they discover quietly–either internally or with an “earnings revision” instead of a restatement. Last year revisions (as opposed to formal restatements) accounted for 57% of 727 earnings fixes, up from 33% of 1,384 fixes in 2005, Audit Analytics reports.
Never heard of a “revision”? Companies and auditors like it that way. With a formal restatement, a company must file a special form, 8-K, calling attention to its corrections. With a revision it can fix flawed accounting without filing an 8-K or formally restating old earnings, since the change supposedly isn’t “material.” With a revision executives’ prior pay isn’t at risk, auditors don’t have to retract their approval of earlier statements, and there’s usually little impact on the stock and so no investor lawsuits.
The SEC has also established another initiative, Operation Broken Gate, targeting auditors, lawyers and directors who enable corporate accounting and disclosure fraud. In addition, in fiscal 2013 accounting and disclosure fraud was the largest percentage of the SEC’s Dodd-Frank whistleblower tips, the second year in a row. So, maybe the SEC and PCAOB need to question the increase in characterization of misstatements as non-material and fixes made only on a go-forward basis.
Why are restatements declining?
- Auditors make the final call on the necessity of a restatement under pressure from executives and their lawyers. It’s in all parties’ best interest to minimize restatements.
- Making fewer restatements reduces the likelihood auditors will be named as a defendant in a shareholder lawsuit.
- Compromising on the requirement for a restatement by downgrading the materiality of errors or misstatements reduces the likelihood auditors will irk executives by setting them up for SOx or Dodd-Frank clawbacks claims. A restatement is required to force reimbursement under both laws.
- Fewer restatements means auditors can argue with PCAOB that a significant inspection deficiency didn’t result in “restatement” and therefore can be left out of its public inspection report. Likelihood of additional follow-up by the SEC resulting in sanctions or fines is also minimized.
How many recent material misstatements and civil charges and criminal indictments for fraud and other illegal activities have been viewed as “auditor failure”? How often does the auditor keep its job in spite of what Jay Hanson and the industry claim are true “audit failures”, material misstatements resulting in restatements?
JPM: JPM gets credit for booking the largest financial restatement of 2012, $21 billion in fines for illegal activities in 2013 alone including the “whale” fraud and $13 billion in criminal penalties by the Justice Department for mortgage related fraud and PwC is still the auditor, on the job since 1965.
AIG: Multiple material restatements over the last ten years, lawsuits against executives and PwC as auditor for frauds and a takeover by the federal government during the most recent financial crisis. PwC is still the auditor, on the job since 1980.
Dell: In 2007 Dell said it would restate its financials for fiscal 2003 through fiscal 2006, and for the first quarter of fiscal 2007. The restatements were the result of a yearlong investigation by Dell’s audit committee, which found evidence of manipulation that was made to hit financial targets. The SEC charged Dell chairman and CEO Michael Dell, former CEO Kevin Rollins, and former CFO James Schneider for their roles in the disclosure violations but no Section 304 clawbacks were required. PwC was a defendant in shareholder lawsuits because of the restatements but the claims were dismissed. PwC has been Dell’s auditor since 1986.
GE: GE has made multiple restatements for accounting fraud and manipulation, been sued by shareholders and had an adverse opinion on its internal controls. GE’s restatement for 2007 was the largest one that year. Other large fines and penalties for civil and criminal activities have been imposed over the years, and now an SEC investigation for auditor independence violations over multiple years. KPMG has been GE’s auditor one hundred years. (More examples of bullet proof auditors at the end of the post.)
When fraud and significant misstatements occur, what is the typical auditor response?
- We weren’t there. Financial statements are responsibility of management.
- We can’t see. When executives collude even the best audit won’t uncover the fraud.
- We were duped. If we get bad information from management we can’t be held responsible.
- We can’t afford to do more. More extensive testing to go beyond the “reasonable assurance” standard means more time and more money. Companies and investors won’t pay for it.
- We’re not perfect. Look at all the things we catch and deter that you’ll never know about.
Let’s refresh our memory about the role and responsibility of an auditor on a public company audit. From the standard auditor’s opinion:
These financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on these financial statements based on our audits. We conducted our audits in accordance with the standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.
So, the PCAOB finds, during an inspection, “that it appeared that the Firm, at the time it issued its audit report, had failed to obtain sufficient appropriate audit evidence to support its audit opinion” on either the financial statements or the effectiveness of internal control over financial reporting.
Did the audit firm fail to fulfill its public duty? Uh huh.
Is that an “auditor” failure? Yes.
Is it an “audit” failure? You betcha, if you believe, as I do that an audit opinion delivered without sufficient evidence to support it is a failure to deliver the required audit services.
In a sane world, a professional services vendor that, via a third-party objective quality review, falls significantly short of the contractual requirements to deliver a service under required legal standards and practices would be liable for malpractice and breach of contract. But in the world of the too few to fail Big Four audit oligopoly, the interests of the paying customers and the vendor to deliver minimum service at lowest cost and with the lowest common denominator of quality are aligned. Neither company executives nor the audit firm makes friends by publicizing substandard or illegal accounting and incomplete or misleading disclosure to investors. The likelihood of getting caught and being held liable is too low for both, especially on an individual basis, to make a good, thorough audit worthwhile.
Jay Hanson wasn’t always allergic to the word “failure”. He frequently reminds us in speeches why auditors are lately under so much scrutiny. He did so most recently in November of 2013 for an FEI conference in New York:
In the wake of the recent financial crisis, involving the failures or near-failures of systemically important entities that had received unqualified audit reports just months earlier, investors raised questions about whether more communication by auditors focusing on what they learn during audits could provide investors with important insight into the risks associated with the audit clients.
Auditors failed to warn investors of insolvent banks, some of which failed or were effectively nationalized shortly after receiving unqualified opinions on their financial statements. Audit failures? I vote yes. A month before that, in October of 2013 at Brigham Young University, he reminds us about the regulator’s responsibility to enforce the law when failures occur.
While many of our cases to date have involved audit failures of varying degrees, the Board also has imposed sanctions for failures to cooperate with the PCAOB, including failure to produce documents and the alteration of documents in connection with inspections or investigations. And just this week, for the first time, the Board censured and imposed a $2 Million fine on a large audit firm for permitting one of its auditors, who previously had been suspended by the Board, to continue to engage in activities that were not permitted by the Board’s suspension order.
In June of 2012, Hanson isn’t afraid to characterize repeated deficiencies in auditing of valuations and fair value measurements as failures:
For example, inspectors have identified deficiencies that included auditors’ failures to evaluate, or evaluate sufficiently, the reasonableness of significant assumptions used by issuers to estimate the fair value of reporting units in their goodwill impairment assessments or in measuring fair value for other intangible assets and other long-lived assets acquired in business combinations. So what can preparers, valuation specialists and auditors do to avoid audit failures that can lead to the erosion of investor confidence?
In August of 2011, in comments made at an open board meeting at PCAOB headquarters, Hanson uses the word “failure” and the board’s definition of audit failure over and over, with few qualifications:
As noted in the Release, the Board’s inspection activities have resulted in findings that include situations we define as audit failures. PCAOB inspections are designed to focus on high-risk audits and audit issues. They are designed to identify and focus on weaknesses and deficiencies, and our reports are not intended to serve as balanced public report cards or overall rating tools. Thus, our findings may not constitute a representative sample for purposes of drawing conclusions about actual trends. However, in order to determine whether, and how such failures can be prevented by enhancing auditor independence, we need to take a close look at the audit failures to determine what the trends are. Is audit quality is improving or declining? Is the significance of audit failures increasing or decreasing? How significant were the audit failures? How many of the failures resulted in a restatement, and how many restatements were related to Fortune 500 companies, systemically important banks, banks that received TARP funds, or companies that ultimately filed for bankruptcy or were provided a bail-out?
It’s enough to make you wonder who or what got to Hanson. More bullet-proof auditors.
GM: Multiple material restatements and shareholder lawsuits including auditor Deloitte as a defendant, a bankruptcy and takeover by the Federal government during the financial crisis, and an adverse opinion on its internal controls that persisted even after the governments re-IPO of shares to the public. Deloitte has been GM’s auditor for nearly one hundred years.
Citigroup: KPMG has served as Citigroup’s auditor since 1969. Citigroup lowballed its subprime mortgage exposure in 2007 and paid a $75 million SEC fine. Fees to KPMG for audit, audit related and tax compliance work at Citi were more or less flat from 2007-2009. KPMG, as auditor, is supposed to assess the additional risk of fraud and material misstatement associated with events like a global economic crisis, taking on taxpayers as significant shareholders (November 2008) and the credit chaos in industry and sovereign capital markets. But the US Treasury voted to retain KPMG as Citi auditor in 2010, in spite of having a chance, as majority owner, to demand fresh eyes.
Walmart: Reuters reported at the end of 2013 that Walmart has spent more than $300 million investigating alleged bribes to government officials paid by its Mexican subsidiary and is paying the legal fees of a number of executives that are involved. Ernst & Young, its auditor in Mexico and at headquarters in Bentonville, Arkansas, is still on the job in spite of having seen, heard, and done nothing to prevent, identify, or mitigate the alleged illegal bribery activity.
Huron Consulting: Multiple year restatements for “misplaced costs” related to an acquisition. PwC is still the auditor.
“Many thinkle peep so but I definitely don’t.”?
Once again you have assumed PCAOB is all knowing, and act like their inspection findings are not debatable or subject to judgement….everything they call “audit failure” is very likely not “audit failure”
Just some fun for me. It’s something my dad says….
I do give the benefit of the doubt to the PCAOB when it comes to what finally gets published in an inspection report. That’s because I know the long drawn-out, contentious process of negotiation that takes place between the firms and the inspection team (or the enforcement team) every time a report is ready. (I saw it from the inside when I was at PwC.) The firms delay via threatened litigation and an automatic appeal they get to the SEC for everything. So if something makes it to public report, you can betcha it’s run the gauntlet and the firms are just whining, being obstinate, trying to cover-up, and displaying unbounded ego and arrogance when they respond that “it’s a matter of judgment”. In fact, they used to openly disagree with PCAOB in their responses and say that professional judgment and differences are to be expected while dismissing the findings. But not anymore since their 3/4 of the private reports have been published, one of them, Deloitte, twice for stubbornly refusing to take heed of a regulator’s recommendations for improvement. Whether you like it or not PCAOB is the regulator. It’s disgraceful the way the firms, and many professionals, disrespect it.
Just a general observation: For all the outrage that the recent $1MM NJ governor BridgeGate report is kicking up, it really isn’t too different from attestation reports on publicly traded companies, is it? Maybe at lower billing rates and not with taxpayer dollars, but close enough.
1. I find it a bit unfair to pick one of the statements that Hanson made in his speech, and then quibble about the wording, while ignoring other valid points he’s making.
However, in addressing the “what is an audit failure” question, you make it sound like there’s not a colloquial understanding of the term besides what the PCAOB has defined. In fact, there is plenty of evidence that past accounting professionals have defined audit failure to mean a misstatement in the fairness of the financial statements or a deficiency in its ICOFR.
“Audit failure occurs when there is a serious distortion of the financial statements that is not reflected in the audit report, and the auditor has made a
serious error in the conduct of the audit (Arens, 2002)”
From Sarbanes-Oxley and audit failure: A critical examination
And there are various other examples out there in the Journal of accountancy, accounting research, etc. where an audit failure is commonly referred to a material misstatement due to inappropriate audit activities. To me, it’s not a stretch that many investors also have come to understand “audit failure” in this context. Finally, you quote a report from 2013. Is there any previous mention of this definition? If not, it’d be reasonable to assume that one year is hardly enough time to get used to the new term of “audit failure”.
It doesn’t mean, Jay or many other practitioner’s are right of course. Hell, neither he or the PCAOB have provided evidence that investors are confused one way or another. So it’s basically ” he said she said”. But your argument is persuasive, and makes me think you and the Peekaboo might be right on this.
My main issue is not that you’re wrong, but that you make Jay sound like he’s completely out in left field for assuming that audit failure means A, when it really means B. If it’s been defined as A or years, a paragraph in a few inspection reports calling it B is not going to change perceptions overnight.
2. By focusing solely on the whole “audit failure” nonsense, you’re missing the main overarching point of Jay’s speech: The PCAOB is using its clout as a regulator and semi-provocative language in order to make their case and get the public’s attention in a misleading way.
Besides arguing about audit failure, he mentions that,
“we include language in our inspection reports explaining that audits are selected for review based on risk and that our reports are not ‘balanced scorecards’ with respect to any particular firm, much less across firms. The risks associated with each audit, and each firm’s audit practice, are unique. Presenting ‘rates’ of audit failures, then, which inevitably will be utilized to compare one firm to another, may be misleading at best and harmful at worst.”
To me this is a bigger case of misleading than the “audit failure” issue. The PCAOB must have gotten some PR training because it’s your typical, “give the mob simple numbers they think they understand and they’ll believe it” tactic. It’s a sneaky move, and they know it. However, it’s been effective, so why change right?
Let’s not be naive and think investor’s read the inspections themselves. I’d assume most of them will get it second hand from a media outlet and focus on simple charts, graphs, or easy-to-understand statements. The nuances of risk-based approach are hard to understand when you publish audit failure rates which have no real applicable purpose other than to make things seem worse than they are.
Again, not a bad tactic, and if I were the PCAOB I wouldn’t change either. Doesn’t mean I’m not misleading.
3. Finally, Jay mentions,
“I also believe that our inspection reports would be more meaningful if we provided more context about the severity of each finding. Currently, each inspection finding in the public portion of a PCAOB inspection report must meet the threshold I just described — that the audit firm did not gather sufficient evidence to render an opinion — but the reports provide no information about which of the deficiencies are relatively minor or involved only a portion of a disclosure, and which indicate a much more significant problem with the audit.”
Again, we as the public are forced to take the PCAOB’s word that these are truly “failures”. Again, as cynical as I am, I tend to believe this information is intentionally left out in order to decrease any challenge against their opinions. And sorry, but I don’t buy this:
“That’s because I know the long drawn-out, contentious process of negotiation that takes place between the firms and the inspection team (or the enforcement team) every time a report is ready. ”
Why would there be a negotiation? Like you said, the PCAOB is the regulator. What they say goes. The firms can try and complain (they sure have), but if it was truly effective to do so then they wouldn’t be in the position they are in (basically complying with the PCAOB’s requests). Plus, this also flies in direct contradiction to what I’ve heard my colleagues go through recently. It’s possible the firms had more power before, but to me it seems now that the PCAOB is playing hardball pretty well.
I hope it’s not too much of a rant that no one reads, but I just found Jay’s speech to have some very valid points, which should be up for debate rather than taken out of context to further your point of view. Again, not disagreeing with your view, just saying there’s more than meets the eye here.
Hi, I appreciate your extensive comments.
You say the PCAOB is playing hardball “pretty well” but I would say they are playing a bit better but not that hard at all. Hanson is the last of the true big audit firm supporters on the board. Even Lew Ferguson will criticize the firms but Hanson always sounds like he’s been sent out of central casting, mouthing the almost exact words you hear in the firms’ letters to the regulator on the same issues. He’s a nice guy but he comes form McGladrey so he’s vulnerable especially to the Big Four gravitas.
There are two recent issues where the PCAOB has been an utter failure and caved under the lobbying influence of the largest audit firms. Whether you agree with the proposal or not —and I didn’t— the firms completely did an end run around the regulator on auditor rotation, getting the House to pass a bill banning the PCAOB from passing such a rule. The firms have also been effective at lobbying Congress and the Senate to keep all PCAOB disciplinary proceedings secret. That’s something the PCAOB board has begged for to put it on a level playing field with the SEC to no avail.
Add to that the impotent effect on investors and anyone else, including the Federal government who still hires them, of even multiple disclosures of Part II quality reports for Deloitte and EY, and the result is impunity. The PCAOB goes through the motions, flapping more aggressively and more loudly now, but still, like an ostrich with it’s head in the sand, not getting off the ground.