Another Take on Auditors and Compliance Violations

Occasionally strange things happen. So when an auditor friend of mine called me to say he believes this proposal for auditors to look for compliance violations is actually easier than most people suspect, I started taking notes — because an auditor defending this idea is a rare thing indeed.

The proposal, from the Public Company Accounting Oversight Board, seems to be the most contentious debate that audit and compliance professionals are having these days. Compliance officers generally support it, although they’re lobbying the PCAOB to include a provision that audit firms must consult with the chief compliance officer. Auditors are almost uniformly against it, warning that the proposal would push audit fees into the stratosphere with no significant benefit to the client company.

The auditor friend who called me last week is the reason I added the word “almost” in the previous sentence. He believes audit firms can look for legal and compliance violations without the rigmarole of audit teams hiring legal help and behaving like a shadow compliance function.

First, a recap of what the PCAOB has proposed. The agency has circulated a proposed new standard (the “NOCLAR” proposal, for non-compliance with laws and regulations) that would require audit firms to:

  • Identify laws and regulations that are applicable to the company and where non-compliance could have a material effect on the financial statements;
  • Evaluate whether any non-compliance actually has happened;
  • Communicate to the appropriate level of management and the audit committee as soon as the auditor believes that non-compliance might have happened.

That seems like it could be a complicated mess for auditors, and the arguments against this proposed new standard are compelling. My auditor friend, however, disagrees.

“I don’t think this is as hard as people think it’s going to be,” he said. “The reason they think this is hard is that they’re either incompetent or lacking enough imagination.” 

That’s a bold claim. Let’s consider my friend’s theory of the case. 

It’s All About Access Control

The most common compliance concerns, my friend said, are (a) Sarbanes-Oxley requirements for effective internal control over financial reporting; (b) cybersecurity; and (c) data privacy. 

I agree with that statement. Yes, many companies also have other compliance concerns, and we’ll get to those shortly; but every public company has those three compliance risks he outlined above.

“And what’s the common thread among SOX, cybersecurity, and privacy? Access control,” my friend said.

He’s not wrong. When you suffer a privacy violation, that is someone gaining inappropriate access to data, which is just another way of saying poor access control. When someone is cooking the books thanks to poor segregation of duties, that’s inappropriate access to systems. When someone hacks into your SAP system to cause lord knows what kind of mischief, that’s inappropriate access to, well, everything.

Poor access control is the root of all three. So maybe, in a world where IT systems run every transaction a company has, internal and external auditors alike should be poring over access control all the time.

If someone taps into your ERP system inappropriately, my friend said, “Pull on that thread. Maybe the way you scoped SOX procedures was insufficient. Maybe someone used unpatched software.” Either way, those are issues an auditor can address, through better audit planning or more rigorous testing.

Hmmm. When you look at the issue that way, the PCAOB’s proposal does seem less scary. An audit firm wouldn’t need to hire outside legal expertise to assess the client’s exposure to privacy regulations around the world, because if it can assure strong access control to confidential data, the client is meeting the core of most of those privacy rules by default, at least the parts of them that are about keeping personal data out of the wrong hands.

Except, if we follow my friend’s logic, we trip over a rather important point: some compliance violations are substantively different from others. His access control mantra might work well for some compliance violations. What would he say about other types of violations, such as (everyone’s favorite example) the Foreign Corrupt Practices Act?

Thinking ‘Qualitatively’

The problem I have with my friend’s argument is that he is dwelling too much on internal controls that might prevent a compliance violation. I’m more concerned about the risk assessments that auditors will need to perform before they even get to those internal controls. 

Thanks to the broad language used in the NOCLAR proposal, auditors will need to assess every possible legal or regulatory risk their client company might face, so the auditors can determine which regulations might have a “material impact” on the company. So how would my auditor friend approach that challenge? 

His first instinct was to say the auditor could look at how the company’s second-line risk management functions address compliance risks; that would give the auditor a roadmap of where to look for material risks as well. 

That’s a good idea in theory, but in practice the PCAOB just published a blistering assessment of audit firm deficiencies that expressly told audit firms they need to be more skeptical of their clients, which means relying less on those companies’ judgments about what is or isn’t a material compliance risk. So we’re right back to the audit firm re-inventing the wheel and charging you higher audit fees while it does so. 

Then I asked about a case like Wells Fargo, where employees were opening unauthorized customer accounts to hit sales goals. That misconduct led to billions in penalties for Wells Fargo, but never to a restatement of financial results. So how would an auditor try to identify misconduct like that — something that’s clearly material to investors, but not likely to be uncovered in a financial audit because it isn’t financial statement fraud? 

My friend had an answer ready. Sales commissions are likely to be material for any company, he said, so audit procedures should include review of the commission plan and what is being paid out. Audit firms, he said, should “look at the plans with a little more of a qualitative eye rather than a quantitative eye.”

That answer gave me pause. My friend wasn’t wrong to say commissions are a line item that should catch the auditor’s eye. Plus, auditors should be looking for evidence of prior misconduct; in Wells Fargo’s case, state banking regulators had been rapping it for unauthorized accounts as far back as 2011. 

But how well would his approach fit an FCPA violation, where in many instances the amounts of money involved aren’t quantitatively material? The auditor would, as my friend said, “need to think a bit more qualitatively” about compliance violations. 

That is, the auditor would need to think of compliance violations as acts so egregious they would qualify as a fraud against investors. Therefore those violations would be something the auditor should jump all over (because auditors are always supposed to look for fraud) even if the dollar amounts involved are relatively small. And that justifies the auditor paying more attention to, say, payment controls for vendors in high-risk countries; or documentation requirements to approve sales discounts. 

I see where my friend is going with his arguments; I’m just not sure I can go along with him. NOCLAR still seems like a sweeping reinterpretation of what auditors are supposed to do, and I’m not sure the rest of the world is ready for that.
