PCAOB and Compliance Violations, Part II
Today I want to revisit last week’s proposal from the Public Company Accounting Oversight Board that audit firms should look more aggressively for compliance and legal violations at their client companies. There are compelling arguments about why this might be a bad idea, which compliance and internal audit professionals need to consider closely.
To understand those issues we can thank PCAOB board member Christina Ho, who voted against the proposed standard. Ho is a certified public accountant by training and worked for years as an auditor, both at Deloitte and at private companies. In other words, Ho knows how auditors work at a practical level. So the statement she published outlining her objections to the PCAOB’s proposed standard is worth our time and analysis.
First let’s review exactly what the PCAOB is proposing to do here. The board wants to adopt a new standard for audit firms: AS 2405, Company’s Noncompliance With Laws and Regulations. As currently drafted, that proposed new standard would require audit firms to take three steps with their clients:
- To identify, through inquiry and other procedures, laws and regulations that are applicable to the company and where non-compliance could have a material effect on the financial statements.
- To evaluate whether any non-compliance has happened. For example, auditors would be required to consider whether any specialized skill is needed to assist the auditor in evaluating information about possible non-compliance.
- To communicate to the appropriate level of management and the audit committee as soon as the auditor believes that noncompliance might have happened.
The theory here, according to PCAOB chairman Erica Williams, is that “By catching and communicating noncompliance sooner, auditors can help companies course correct and better protect investors from risk.”
How might that noble idea unravel in practice? Ho raised three principal concerns, all of them strong enough to give compliance and internal audit professionals pause.
‘Breathtaking Expansion’ of Auditor Duties
First, Ho said, the proposal isn’t transparent about all the consequences that follow by eliminating the distinction between noncompliance that has a direct versus indirect effect on a company’s financial statements.
The proposed standard says auditors should only look for compliance violations that “could reasonably have a material effect” on the company’s financial statements. Why is that problematic? Because if the audit firm is only supposed to be concerned with laws and regulations where noncompliance might have a material effect, the audit firm must first identify all the laws and regulations applicable to the company; only then can the firm sort out which possible violations are worth worrying about.
Even the PCAOB’s own economic analysis of the proposal warns that auditors would likely need to expend “considerable additional audit effort to identify relevant laws and regulations under the proposed standard” and that “the costs associated with the proposed amendments… may be substantial.”
For example, audit firms might need to enlist specialists to help them understand their client company’s compliance obligations. Also, their analysis might disagree with your analysis; resolving those disputes would take time, and audit firm time is expensive. The people who ultimately pay those costs are investors. Are we sure the potential benefit they’ll receive here is worth the financial squeeze they’ll endure?
Second, Ho said, this proposal transforms the auditor’s role from one of providing reasonable assurance to one of performing a management function. This could be especially sticky for compliance officers.
Here’s how things are supposed to work: management prepares and discloses financial information; auditors provide an independent review of those disclosures; regulators provide oversight of the companies and the auditors. Except, Ho noted, federal securities rules do not require management to identify all the laws and regulations that the company is subject to. “This proposal seeks to fill that void by requiring auditors to do so,” she wrote.
Well, last time I checked, it was the compliance officer’s job to identify all those applicable laws and rules. So are we creating a scenario where the auditor could act as a shadow compliance function, wandering around the enterprise and deciding for itself which compliance violations may or may not be material?
Some people might say no, that won’t happen; management can just supply its own analysis of which laws and regulations are material, and the auditors can work from that. Not so fast, friends! Ho pushed back on that idea by citing Audit Standard 1105 — which says that when using information provided by the company, the auditor is presumptively required to perform procedures to test the accuracy and completeness of the information.
So we’re right back to audit firms not trusting a word you say about compliance risks and potential compliance violations, and billing you by the hour as they hire specialists to re-invent that wisdom for themselves.
Ho’s third objection was that this proposal doesn’t account for the differences between the few large audit firms that probably can handle this compliance work; and the many small firms that can’t. If the Big 4 and a handful of other large firms snap up all the compliance-savvy talent brave enough to work for an audit firm, that’s just going to concentrate expertise and raise prices among the biggest firms. That does not serve the interests of investors, who benefit from brisk, skilled competition among auditors.
A Solution That Needs a Better Problem
Ho raises persuasive arguments that cannot be ignored. The PCAOB may be setting the stage for much more contentious relationships between company and audit firm. Some extra contention might be welcome, because lord knows plenty of audit firms are just there to tick the 10-Q checklist and send you the bill; but this proposal might be a bridge too far.
For example, as part of this proposed standard, audit firms would be required to ask internal audit teams whether they know of any compliance violations. What if internal audit says no, and that answer turns out to be wrong? How does that strain your relationship with the audit committee? Plus, what if internal audit does know about a potential compliance violation — are they just supposed to admit that to the external auditor? Because I’m pretty sure that would cause both the general counsel and the chief compliance officer to need an immediate change of underwear.
On the other hand, we do see one corporate misconduct scandal after another where compliance violations lead to huge regulatory fines and legal costs. Investors pay those burdens too. It’s not wrong for them to demand that somebody somewhere — like, say, an auditor — do better at trying to raise those red flags before investors suffer harm.
On the third hand, however, do we even have a correct sense of the harm here? Because investors derive their value from the company’s share price. A financial misstatement can leave share price in ruins; that is harm where an auditor should be on the lookout. The harm from compliance violations is less clear. Plenty of companies settle major FCPA violations or privacy breaches and their share price is back in the clouds within a few months. So is the benefit of this PCAOB proposal really worth the cost?
Don’t just tell me. Tell the PCAOB. It’s accepting comments on its proposal for the next two months. I’d suggest speaking your mind.