t has been said that “it takes a great person to deal with catastrophe, and an even greater one to prevent it.” Revelation of an accounting irregularity or fraud, with its inevitable impact on a company’s stock price and reputation—as well as the “follow-on” shareholder lawsuits and SEC problems—can be disastrous for a company. It’s a catastrophe no business wants to suffer—and no outside auditor wishes to be involved in.
The outside auditor has a key role to play in fraud prevention even though companies, regulators such as the SEC and courts alike recognize they can’t rely only on the outside auditor to prevent accounting irregularity or fraud. This is even more true in today’s environment in which audit committees are being charged with more financial reporting oversight than ever before (see “The Audit Committee’s Roadmap,” JofA , Jan.99, page 47 ).
But what should the role of the outside auditor be? Working within the new audit committee framework—as laid out in the report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees and the report of the Panel on Audit Effectiveness (the O’Malley panel)—the outside auditor can serve as a valuable resource in preventing and detecting accounting fraud. For more information, see “The State of Audit Committees.”
MAKE THE TOOLS WORK
Having the right kind of relationship with an audit committee is critical to the independent auditor’s role. To structure an effective relationship, the outside auditor should consider the following guidance.
Let the audit committee be the fulcrum of the financial reporting function. View the audit committee as the keystone to a successful financial reporting system. Understand that the audit committee, in its oversight role of the financial reporting function, should also oversee the outside auditor relationship and have a clear understanding of the terms of the engagement. The audit committee, not company management, should take responsibility for the selection, compensation terms and, if necessary, replacement of the outside auditor. According to New York Stock Exchange and NASD audit committee rules, their charters must specify that “the outside auditor for the company is ultimately accountable to the board of directors and the audit committee of the company” (as representatives of the shareholders).
Meet regularly with the audit committee. The outside auditor and audit committee should meet no less than once a quarter. More frequent meetings are desirable, and the auditor should feel free to call the audit committee chair if material issues arise between scheduled meetings.
Meet privately and directly. Auditors and audit committees need to have a frank dialogue about the company’s financial reporting function. Focus on actual or potential holes in the system and provide, as necessary, constructive criticism of company management and even senior executives. One way auditors and audit committees can ensure a candid and open discussion is to meet privately, without company management present—perhaps at the end of regularly scheduled committee meetings or on a separate occasion.
Encourage the audit committee to avoid the checklist mentality. Don’t assume a checklist will have all the answers. Lots of professionals draft checklists for audit committees to use in their discussions with auditors, but they should be used carefully. More important, a list tends to drive discussions. One can imagine a scheduled one-hour call and a 30-item list: That’s 2 minutes per item—start the timer! People will be preoccupied with checking boxes, instead of discussing the critical issues and specific areas of potential breakdown. There is also the litigation risk. Lawyers could later use these lists in shareholder suits as evidence of what the audit committee and auditors did or did not do.
Don’t swamp the audit committee with too much paper. Minimize the use of paper. Some professionals recommend extensive written documentation between the outside auditor and audit committee, and suggest the dialogue between them should be principally in writing. This may not be a good idea. It undoubtedly will stifle the flow of information, as most people find it more difficult to be candid on paper. Another reason to avoid paper is, again, concern about its use in litigation.
Charge the client what the audit is worth. Auditors should be properly compensated. Quality audits and auditors aren’t cheap. A competent audit, simply put, is an investment every public company ought to make. An audit committee should appreciate what a diligently performed audit by competent staff is worth to a company: Public knowledge of even a minor accounting irregularity can cause a company to lose overnight a substantial portion of its share value. And how does a company even begin to measure the damage arising from the harm to its reputation, the loss of access to financial markets and disruption of activity, let alone the distractions of the inevitable shareholders’ suits?
Once the external auditor has established an effective, structured relationship with the audit committee, his or her next step is to make that relationship a genuine part of the company’s fraud-prevention efforts. Specifically, an auditor should engage in a candid, probing dialogue with the audit committee to address the aspects of the financial reporting function that are most susceptible to improper activity. There are a number of points the auditor might regularly discuss with the audit committee.
The financial environment. The outside auditor, first and foremost, should seek out and candidly report on the nature of the company’s financial reporting environment. Is management under too much pressure? Is there a reluctance to report bad news? Is there a danger management will tweak results to meet quarterly earnings expectations? These are the types of questions auditors and audit committees must ask—they are fundamental to the prevention and early detection of financial fraud.
Both the law and good business sense require a company to maintain its books and records in a manner that fairly reflects corporate transactions and events. An auditor’s inquiry should include the extent of computerization, its sophistication, any software inadequacies and overall staffing. This will help the auditor in other ways as well, as accounting system problems only make an audit more difficult.
Managerial bias in applying GAAP. Another area the auditor should discuss is the management’s bias in applying GAAP. How GAAP is applied depends on management’s judgment. What are the areas of subjectivity? Is management overly aggressive? Overly conservative? Trying to get it right?
Recent amendments to Statements on Auditing Standards nos. 61, Communication with Audit Committees, and 71, Interim Financial Information, require the auditor to share his or her view on how that judgment is being exercised with the audit committee. The amendments say the auditor should discuss with the committee judgments about the quality, not just the acceptability, of the company’s accounting principles as applied in its financial reporting. The amendments also specify this discussion include the consistency of the company’s accounting policies and the clarity and completeness of the company’s financial statements.
Cooperation from company management. The outside auditor should address with the audit committee management’s level of cooperation during the audit or review of quarterly financial information and any difficulty the auditor encountered. Frequently, a lack of cooperation and the presence of difficult issues will go hand in hand. Individually or together, they can be telltale signs of a broader problem. In particular, a lack of cooperation can suggest an attitude toward financial reporting that is inconsistent with an open and obvious environment.
Unusual revenue or reserve activity. Financial statement fraud frequently originates in revenue manipulation. The auditor should look for revenue recognition patterns that do not match the ebb and flow of the company’s normal business cycle. Revenue spikes toward the end of a quarter or other financial reporting period may be a warning of something out of the ordinary (see “Timing is of the Essence” ).
The auditor also should focus on the level of reserves, not only at yearend but during the course of the year, to see if there are any unjustified or unexplained changes. Reserves that are established or modified almost entirely based on management’s judgment may warrant particular scrutiny. The auditor should also review other aspects of the application of GAAP in which management judgment plays an important role. The overall goal is for the auditor and the audit committee to satisfy themselves that any unusual patterns and deviations flow from business activity and not from a desire to meet internal reporting targets or analysts’ expectations.
DIGGING FOR INFORMATION
Outside auditors have not had it easy in attempting to uncover accounting irregularities. This is because:
Accounting irregularities often start out small, falling below the radar screen of materiality thresholds upon which auditors traditionally have focused.
Irregularities frequently involve allocations over a three-month period, and auditors historically have had little or no involvement with quarterly financial statements.
Auditors typically are on the client’s site only once a year and junior staff members usually perform the audit—hardly an adequate opportunity to fully understand a particular corporate environment.
Irregularities tend to arise in areas of financial reporting that are somewhat hazy to begin with.
Management is undoubtedly aware of the testing and inquiry auditors will undertake and may design activities specifically to avoid auditor detection.
Given these impediments, how can the outside auditor effectively work with a company to prevent accounting irregularities? The renewed focus on audit committee oversight, arising from the reports of the blue ribbon committee and the O’Malley panel, should help. The auditor is now charged with developing a relationship with the audit committee that promotes more frank communication in a way the auditor’s traditional relationship with management did not. And the kinds of matters the audit committee and auditor now are required to discuss, such as the effectiveness of internal accounting controls, also facilitate fraud prevention (see “New Rules, New Responsibilities,” JofA, Aug.00, page 53).
EXTRA STEPS MAKE A BETTER AUDIT
Every conscientious outside auditor will conduct an audit according to GAAS. But is that enough? The auditor may want to explore with the audit committee other steps he or she might take, such as meeting privately with members of management to gain extra insight into the corporate environment and identify potential causes of financial misstatements. Are people reluctant to report bad news?
The SEC requires registered companies to have an outside auditor review before filing financial statements included with their quarterly forms 10-Q. Amended SAS no. 71 established a level of auditor scrutiny of quarterly information beyond the quick once-over that historically had been the convention. In conducting a review under SAS no. 71, the auditor must consider such matters as significant changes in the internal control structure, items that appear to be unusual (like revenue changes that deviate from the company’s historical trends), changes in accounting practices and changes in business activities. Although a SAS no. 71 review is not an audit, it is much more than many companies had been asking their outside auditors to do. These new requirements are helpful in preventing fraud.
Also, GAAS now requires discussion of SAS no. 61 items in conjunction with the auditor’s quarterly review—not just at yearend. SAS no. 61, as amended, places the burden on the auditor to communicate with the audit committee concerning certain specified items, and under SEC rules implementing the blue ribbon committee recommendations, the audit committee is required to disclose whether such discussion occurred. The list of items to be discussed is extensive. It includes the auditor’s responsibility under GAAS, significant accounting policies, management judgments about accounting estimates, significant audit adjustments, disagreements with management, difficulties encountered in performing the audit and the quality—not just the acceptability—of the company’s application of accounting principles. In the embellished relationship discussed above, the audit committee and the outside auditor may find they already have more than adequately addressed all, or virtually all, the SAS no. 61 items. To the extent they have not, they should make sure they have considered any remaining items.
No discussion of the audit committee’s interaction with the outside auditor is complete without at least some acknowledgment of the auditor independence issue. In 1999 the Independence Standards Board issued ISB Standard no. 1, Independence Discussion with Audit Committees, requiring the auditor to apprise the audit committee of all relationships that may bear on independence. The new rule requires a disclosure in the company’s proxy statement between the auditor and the audit committee regarding whether this dialogue has occurred. Accordingly, the audit committee will be asked to make an informed judgment as to whether, in the context of a particular audit, the outside auditor’s independence was adequately preserved.
At the moment, a collection of ad hoc rules embodied in GAAS, the AICPA Code of Professional Conduct, exchange rules and SEC regulations define “auditor independence.” The definition undoubtedly will continue to evolve. (For more on this topic, see “A Framework for Auditor Independence,” JofA, Jan.01, page 39. ) At this juncture the audit committee will have to use its own good judgment to determine whether the outside auditor can and will speak openly and without influence from senior management.
As long as the company retains and pays the auditor, he or she will, at some level, be sensitive to its wants and needs. Both the auditor and audit committee must understand that thoroughness, candor and zeal are the best criteria by which to measure audit performance.
Investors rely on outside auditors to provide an unbiased examination of numbers to ensure their credibility and gauge a company’s performance. Outside auditors are one of the cornerstones in the corporate governance triad charged with the quality of companies’ financial reporting and accounting controls. When auditors and audit committees embrace best practices to fulfill their responsibilities, the quality of public companies’ information and reporting improves—not just the audit process.