Today let’s return to that proposal to have audit firms look more aggressively for compliance and legal violations at their client companies. One of my spies in the audit world recently provided me a glimpse into his firm’s preliminary discussions about this idea — and their concerns are well worth compliance and internal audit professionals’ attention.
The proposal itself comes from the Public Company Accounting Oversight Board. Essentially, audit firms would be under more pressure to look for potential fraud and other legal or compliance violations at their client companies, and then to report any such findings to the company’s board and senior management promptly. The proposed new standard is out for public comment until Aug. 7, after which the PCAOB will review the feedback it receives and then consider what to do next.
This is one of those ideas that sounds simple and sensible in theory, but quickly unravels in the real world. Indeed, PCAOB board member Christina Ho, herself a former auditor, published a lengthy statement picking apart numerous ways that the proposal could saddle audit firms with duties they can’t handle and send corporate audit fees soaring.
My spy in the audit world, a partner at a significant audit firm, is part of the team drafting his firm’s comments to the PCAOB proposal. He let me read his notes about the proposed new standard and agreed to let me pass along his key points here. Suffice to say, he has just as many concerns as Ho.
The basic problem here is that the PCAOB proposal (commonly known as the NOCLAR proposal, for non-compliance with laws and regulations) is overbroad. It would require audit firms to look for any legal and compliance violations that “could reasonably have a material effect” on the company’s operations. Well, for an audit firm to understand which compliance violations might have a material effect on operations, it would need to know all the laws and regulations that apply to a company, so the audit firm could then weed out the irrelevant ones.
For global companies, that’s an awful lot of laws and regulations. Now put yourself in the audit firm’s shoes and imagine the risk assessment you’d need to perform. How would an auditor gain familiarity with various laws and regulations? Would they need to consult lawyers, or bring legal counsel on staff? Who’s going to pay for that? (Rhetorical question; the answer is you, the audit firm client, in the form of higher audit fees.)
My spy also flagged language in the NOCLAR proposal that talked about investor harm from compliance violations that hurt the company’s reputation. For example, a retailer suffers a major data privacy breach and the share price promptly tanks. Is the audit firm supposed to anticipate that, and develop procedures relating to NOCLAR based on the potential harm to share price?
For the right amount of money, I have no doubt large audit firms could do it — but it’s a terribly subjective standard we’re asking audit firms to achieve. Moreover, this is what compliance functions are supposed to do. They’re supposed to be the ones studying compliance risks, evaluating the potential harm, and then recommending steps to keep those risks at acceptable levels.
If the PCAOB proceeds with this proposal as currently written, forcing audit firms to act as shadow compliance functions, then audit firms will be acting in a management role. Purists will say that threatens the audit firm’s independence; I simply say it’s going to make audits enormously more complicated and expensive.
All in all, my spy in the auditing world was quite dour on the NOCLAR proposal — and he works at a place that theoretically would stand to make a killing from all the extra work audit firms would do. If folks like him are this hesitant, corporate compliance and internal audit teams should take that under strong consideration.
The Real Issue Here
My friend also stressed that as expensive as compliance violations can be, none has ever led to a company restating its financial results. That is true, whether we’re talking about FCPA violations or environmental protection failures or data privacy breaches. But consider my friend’s implicit point: that compliance violations don’t lead to financial restatements, and financial frauds are what auditors worry about.
That is, whenever an auditor finds potentially fraudulent activity, one of the first questions asked is whether the amounts involved are quantitatively material. If not, then suddenly that issue becomes much less important, because it won’t result in a financial restatement.
The NOCLAR proposal is driving at corporate misconduct that’s qualitatively material: something that speaks ill of the company and might harm enterprise value, because people are so outraged. But that’s not the same as a financial fraud that invalidates prior performance already reported in financial statements.
Wells Fargo and its fake customer accounts scandal is a great example of this. That misconduct was extensive and egregious; it led to billions in additional costs as Wells tried to rectify its corporate compliance program. But it didn’t cause Wells Fargo to restate its financial results.
Ditto for Facebook and its massive data breach disclosed in 2018, relating to Cambridge Analytica and meddling in the 2016 presidential election. That news wiped out 20 percent of Facebook’s market cap in five days — but again, no financial restatement. So should Facebook’s financial auditor have been auditing its data privacy controls, and estimating potential investor harm?
We could give any number of other examples, from the FCPA world, or EPA enforcement actions, or other types of misconduct. They’re egregious and expensive; they suggest deeply flawed control environments and poor leadership. But they don’t suggest ineffective internal control over financial reporting, which is what auditors are paid to look for.
If we want to expand the role of auditors to look for compliance and legal violations too, we as a society can do that. The PCAOB isn’t wrong to point out that qualitatively material misconduct exists, and leaves investors worse off. I’m just not sure that the NOCLAR proposal — at least, this first version of it, stuffed with imprecise language and unanswered questions — is the right vehicle to address that problem.
My spy in the audit world isn’t convinced of it either. I’d suggest compliance and internal audit teams get up to speed on this proposal themselves, and figure out what they want to say about it before we all end up violating the Law of Unintended Consequences too.