Accounting regulators have published new guidance for audit firms about how to disclose Critical Audit Matters they find with corporate clients. Internal audit and compliance managers might want to give the document a read too, since it serves as a quasi-blueprint of how to anticipate delicate subjects in internal control and corporate accounting.
CAMs are part of the new and expanded auditor’s report, which audit firms will start publishing as soon as later this year. A CAM is any issue that relates to material accounts in the company’s financial statements, “and involved especially challenging, subjective, or complex auditor judgment.”
An audit firm is expected to discuss the CAMs it identifies with the audit committee, and to disclose its CAMs in the audit report. That has led to considerable chatter in the auditing and internal control communities about exactly what an auditor is supposed to disclose about a CAM, and how to talk with a client’s audit committee. Hence this latest guidance from the Public Company Accounting Oversight Board, published on Wednesday.
For example, a CAM might be the company’s process to evaluate goodwill and potential impairments, or how management estimates loss contingencies. Items like those can involve a lot of complex or subjective judgment (although not always), and if the numbers involved are material — blammo, you have a CAM on your hands.
CAMs are not necessarily bad. In fact, the PCAOB says almost all companies should expect to have at least one critical audit matter, and probably most companies will have several. Or they might have different CAMs over time, as their financial transactions and accounting policies change.
The issue for internal control professionals is whether you’ll have a CAM because the underlying issue is inherently complex, or because you have deficient internal controls around a certain financial process. If your auditor decides it’s the latter, that could lead to awkward conversations with your audit committee (or worse, your regulator) about how that CAM came to be and how you’re going to fix it.
So how an audit firm evaluates critical audit matters, and how it then discusses them with your bosses on the audit committee, is indeed an important issue.
The PCAOB guidance takes the form of seven frequently asked questions. While all seven are useful for auditors, two struck me as more useful for internal control and compliance professionals looking for clues about CAMs.
Where CAMs Come From
First, how should auditors describe the principal considerations that led them to determine a matter is a CAM? According to the guidance, that description should…
…provide a clear, concise, and understandable discussion of why the matter is a CAM, including the especially challenging, subjective, or complex auditor judgments made in the context of the particular audit. The “why” is intended to provide information appropriately tailored to the audit and the matter that helps financial statement users understand the aspects of the audit that stood out from the auditor’s perspective.
This might be the most important passage in the whole document, because it tells auditors how to explain where a CAM comes from. That may well include internal controls that the auditor deems deficient for the risk in question — which is how you could get pulled into the conversation.
Ideally, corporate controllers and internal auditors have already been talking with your audit firms about potential CAMs and, if deficient controls are the sore point, about what a reasonable solution might be.
Things could get particularly awkward when you have financial processes that rely heavily on management estimates. Time and again we’ve seen the SEC or other regulators sanction companies for weak controls that allow managers to abuse estimates, such as by inflating the value of assets on the books, or lowering estimates of doubtful accounts.
The FAQ here talks about valuation models a firm uses, assumptions that might not be based on much evidence, and so forth. That’s what the audit firm will be looking for as it ponders possible CAMs. Internal control teams should plan accordingly.
Second, if describing audit procedures as part of communicating how a CAM was addressed in the audit, what considerations apply? Auditors do not need to report how they audited a CAM, but if they do…
… it is expected that the procedures described would be specific to the CAM and to the audit. General statements about procedures that would likely be performed in most audits… such as “testing the operating effectiveness of the company’s controls” in the case of an integrated audit, typically do not, by themselves, provide useful information to a reader about how the auditor addressed the particular CAM.
The guidance goes on to say that any description of the audit procedures for a CAM should connect back to why the auditor decided something was a CAM in the first place.
Call me cynical, but that strikes me as a lot of information an auditor might disclose, which could give auditors leverage to pressure you to change controls they don’t like. In the past I’ve called this “weaponized CAMs,” where an auditor might say: “That internal control over there, I don’t like it. Change it, or else I declare it a CAM and it gets disclosed.”
My friends in auditing insist this won’t happen; and if it does, I suspect corporations will lean heavily on the PCAOB and SEC to tell audit firms to knock it off. Nevertheless, the potential is there. So the more you can design your internal controls to reduce the occurrence of CAMs entirely, the better.
A Word on Anti-Corruption
So how does the CAM revolution affect corporate ethics and compliance officers, so worried about anti-bribery offenses stemming from weak internal controls? After all, we’ve seen the SEC enforce FCPA sanctions numerous times over the last two years specifically for weak internal controls, even where the Justice Department doesn’t press any criminal prosecution.
It’s possible that CAMs won’t change your life at all. Foremost, CAMs relate to accounts that are material to financial statements. If an account that might typically cause FCPA trouble — say, revenue from international sales — isn’t material, then it can’t create a critical audit matter. It’s just not critical enough.
On the other hand, if the account somehow is material, and a CAM emerges, the company might decide to change its internal controls to resolve the issue. That could lead to follow-on changes in accounting policies around rebates, cash advances, and the like. Your anti-corruption compliance program would need to adjust to those changes.
Then again, there is no materiality threshold for FCPA risk. So even if international sales aren’t a material line item to your business, poor internal controls still leave you vulnerable to FCPA violations. So call it a critical anti-corruption matter instead, and address it anyway.