Posted on

Adopting the new revenue recognition standard…are you ready?

As we move closer to 2018, more and more companies are facing challenges in adopting the new revenue recognition accounting standard, codified as ASC 606, Revenue from Contracts with Customers.  As a refresher, the adoption date of ASC 606 for publicly traded companies is for annual reporting periods beginning after December 15, 2017, including interim periods within that reporting period.  The effective date for all other entities is for annual reporting periods beginning after December 15, 2018, and interim periods within annual periods beginning after December 15, 2019.

As the deadline to adopt ASC 606 approaches, in accordance with SEC SAB Topic 11-M, Disclosure Of The Impact That Recently Issued Accounting Standards Will Have On The Financial Statements Of The Registrant When Adopted In A Future Period, the SEC expects to see disclosures regarding both qualitative and quantitative information.  Following are examples of disclosure items to consider:

  • What is the potential impact of adopting the new standard?
  • Is adoption of the new standard expected to result in a material change or not to the financial statements?
  • What are the expected changes to existing accounting policies?
  • Where is the registrant in the implementation process?
  • Are there any significant issues not yet addressed by the registrant?
  • If it can be reasonably estimated, disclose the potential quantitative impact on the registrant’s financial statements.

Many companies may not be able to intelligently answer these questions and, for this reason, they will need to accelerate their preparations for adopting the new standard.

As I explained in a previous post, internal coordination among the various departments is a must in order to effectively assess the impact that ASC 606 will have on a registrant’s financial reporting.

 

Posted on

Researching the future of public company audits — part two

Last week I discussed interesting research papers presented at the PCAOB’s Center for Economic Analysis third annual Economic Conference on Auditing and Capital Markets.  In order to make this topic a little more enjoyable, I have divided up the presented papers into two posts.  Today’s post, part two, will focus on the remaining three research papers presented at the conference.

Research presented

Following is the abstract from each research paper:

1. Assessing Initiatives to Improve the Quality of Group Audits Involving Other Auditors

One of the major current concerns of regulators internationally is the quality of the auditing of multinational groups, particularly those involving the coordination by the principal auditor of other auditors.  These concerns resulted in changes to the international auditing standard on group audits, International Standards on Auditing (ISA) No. 600, which are consistent with current initiatives being considered by the PCAOB.  The researchers examined audit quality pre and post-ISA 600 to help inform the International Auditing and Assurance Standards Board (IAASB) as to the efficacy of the ISA 600 amendments and inform the PCAOB with regard their similar initiatives under consideration.  The researchers made use of unique Australian disclosures which allowed them to identify the nature and extent of involvement of other auditors in group audits.  They found that the revisions to ISA 600 have contributed to an improvement in audit quality, specifically for clients of non-Big N (e.g., Big 4) auditors.  Further, they found that the quality of multi-national enterprise (MNE) group audits involving other auditors from the same network is lower, and this appears not to be affected by the ISA 600 revisions.  Consistent with regulatory concerns, the researchers also examined whether there are any incremental costs for group audits involving other auditors.  While the researchers found that group audits involving other auditors are more costly, they did not find evidence of an increase in audit fees associated with these regulatory initiatives.

2. The benefits and costs of Sarbanes-Oxley Section 404(b) exemption: Evidence from small firms’ internal control disclosures

The authors investigated the benefits and costs of exempting firms from auditor oversight of internal control effectiveness disclosures (Section 404(b) of the Sarbanes-Oxley Act of 2002), which I touched on in a previous post.  They measured the benefit of exemption with audit fee savings, which the authors estimated to be an aggregate $388 million from 2007 to 2014 for their sample of exempt firms.  The key concern of exemption is internal control misreporting (i.e., firms with ineffective internal controls disclose effective internal controls).  Misreporting imposes at least two measurable costs on current and prospective shareholders: lower operating performance due to non-remediation, and market values that fail to reflect a firm’s underlying internal control status.  The authors calculated the cost of 404(b) exemption from 2007 to 2014 to be an aggregate $856 million in lower future earnings due to non-remediation, and a $935 million delay in aggregate market value decline due to untimely internal control disclosure. Although the aggregate costs of exemption exceed the benefits, the costs are borne by shareholders of only a fraction of exempt firms, whereas the audit fee savings are shared by all.

In addition to yielding evidence on the benefits and costs of internal control disclosure regulation, their study provides a prediction model for identifying the firms most at risk of inaccurately disclosing internal controls.  The prediction model predicts that approximately 20.2% of exempt firms should disclose ineffective internal controls, whereas only 10.9% do so.  Thus, the authors infer that 46% of exempt firms that maintain ineffective internal controls fail to discover or disclose it.

3. Tell Me More: A Content Analysis of Expanded Auditor Reporting in the United Kingdom

This study examined the effect of expanded audit disclosures required by ISA 700 (UK and Ireland), The Independent Auditor’s Report on Financial Statements, on the communication value of the audit report.  Using content analysis measures, readability and tone, as proxies for communication value, the author found that in the post-ISA 700 period: 1) audit report readability improves and 2) audit report tone changes with a higher occurrence of negative and uncertain words.  The author also evaluated analyst behavior in response to the ISA 700 audit report and found that analyst forecast dispersion decreased in the post-ISA 700 period.  In additional analyses, the author showed that Big N and industry expert auditors wrote audit reports that are more readable.  The author also found that domain-specific word dictionaries, generated from SEC Form-10K’s and earnings press releases, have a lower frequency in audit reports in both the pre and post-ISA 700 period.

With the heightened global interest in improving the historical pass/fail audit report, these results show that expanded audit disclosures can be communicated in a manner that is accessible and meaningful to the financial statement user.

In summary

Again, we find similar take-aways from these academic papers, which shed light on the impact that professional standards have on audit firms and their clients.

Photo credit

Posted on

Researching the future of public company audits

A few weeks ago the PCAOB’s Center for Economic Analysis (CEA) held its third annual Economic Conference on Auditing and Capital Markets.  Some readers may be yawning by now.  In reality, this conference is an important way that the PCAOB brings together academic researchers and audit policymakers to look at the effectiveness of audit standards and practices.  Moreover, the academic research prepared for and presented at this conference helps to identify the economic impact of auditing on the capital markets.

Of interest is that there were six research papers presented at the conference, selected from a total of 83 papers submitted.  These six papers were selected for presentation following a review by a committee of leading academics assembled by the editorial board of the Journal of Accounting Research and Luigi Zingales, the Center’s Founding Director and the Robert C. McCormack Professor of Entrepreneurship and Finance and the David G. Booth Faculty Fellow at the University of Chicago Booth School of Business.

Today’s post will discuss some interesting research findings from three of these six research papers along with what this research might mean for the future auditing and audit standards.  In a future post I will discuss interesting findings from the remaining three research papers presented to make it a little more palatable.

Research presented

The authors of the following research papers include university professors both within and outside of the United States.  Following is the abstract from each research paper:

1. Is Audit Behavior Contagious? Teamwork Experience and Audit Quality by Individual Auditors

This paper discussed how bad audit behavior is transmitted through the teamwork experience of individual auditors.  The researchers found that auditors who have previously worked in a team (team auditors) with those who are sanctioned by the regulators for audit failure (contagious auditors) are more likely to issue lenient audit opinions, and their audited accounting numbers are more likely to be downward restated in the future, compared to those who have no overlap with contagious auditors in their teamwork experience.  This contagion effect is, however, absent among auditors who previously worked in the same audit firm but not in the same team (colleague auditors) as contagious auditors.  The researchers’ findings highlight the importance of analyzing social learning via teamwork experience in understanding how audit quality at the individual level is shaped.  To note is that the research populations were associated with Chinese individuals and businesses, including stock market activity of publicly traded firms listed in the Shanghai or Shenzhen Stock Exchanges and sanctions imposed by the China Securities Regulatory Commission.

Certainly, this research puts back in the spotlight the recently adopted PCAOB rule requiring audit firms to disclose the name of the engagement partner, among other things.  This PCAOB rule takes effect in 2017.

2. Do Auditors Correctly Identify and Assess Internal Control Deficiencies? Evidence from the PCAOB Data

The researchers found that auditors routinely fail to disclose material weaknesses prior to a material error (i.e., restatements).  One potential reason is that auditors misclassify the severity of identified internal control deficiencies due to complexity in judging the materiality and likelihood of potential related errors.  Another reason is that auditors face disincentives to report a material weakness without a clear indication of an existing error.  The paper evaluated these possibilities using a proprietary database on auditor-identified control deficiencies that are not deemed material weaknesses, hence not publicly disclosed.  The authors then compared the severity of the control deficiency with the severity of ex-post reporting errors.  Even though the authors found some evidence consistent with auditor and management incentives to misclassify material weaknesses as less serious deficiencies, the authors generally found that 1) the severity of identified control deficiencies is properly assessed and 2) the auditor is able to provide reasonable assurance about whether financial statements are materially misstated in the presence of identified deficiencies.  Their evidence indicates that the inability of auditors to properly identify relevant internal controls is a contributing reason why material weaknesses are not discovered and disclosed prior to material error restatements.

With this in mind, readers may find of interest a former blog post wherein I discussed the SEC cracking down on a publicly-traded company for ineffective ICFR, even though there were no material misstatements in its financial statements at the time.

To sum up a critical finding from this research, Martin Baumann, Chief Auditor at the PCAOB, stated in a 2010 speech:

It has been observed that disclosures of material weaknesses, which should be a leading indicator of potential financial reporting problems, have instead become a lagging indicator.  That is, Material Weaknesses seem to be reported, generally, only in connection with a restatement – where the material weakness is often obvious.  In many cases a material weakness likely existed before the restatement as well, but unfortunately the ICFR audits are often not identifying them.

3. Auditors With or Without Styles? Evidence from Unexpected Auditor Turnovers

Using unexpected auditor turnovers as a quasi-experiment, in this study the authors examined whether individual auditors exhibit a significant impact on audit quality.  More specifically, focusing on auditor turnovers precipitated by the incumbent auditor’s sudden death or by resignation due to health issues or a career change, they investigated audit quality changes surrounding these unexpected events.  While the authors found some evidences that unexpected auditor turnovers are associated with significant audit quality changes for non-Big 4 audit firms, this is not the case for auditor turnovers at Big 4 firms even though there are greater differences in personal characteristics between outgoing and successor auditors in Big 4 firms. This finding suggests that notwithstanding differences in auditors’ personal characteristics, standardized audit procedures and strong internal controls can constrain individual auditors in large audit firms from impacting audit quality.

Because data on disclosures of signing audit partners does exist in Taiwan, the authors relied on financial data and the names of signing audit partners for all public firms from the Taiwan Economic Journal.  In my view it will be interesting to research this topic using U.S. data once the PCAOB’s rule on audit firm disclosures is in full effect.

In summary

The take-aways from these academic papers impact a number of areas for auditors (including their audit clients).  These include, among other things, the timely identification and assessment of risks of material misstatement, internal control deficiencies, and audit team culture and influence.  Stay tuned for a future post wherein I will discuss interesting take-aways from the remaining three research papers.

Photo credit

Posted on

Responding to accounting restatement risk

A fundamental tenet of financial reporting is that a company’s internal controls over financial reporting (ICFR) are sufficiently robust to ensure transactions are properly recognized and disclosed in its financial statements.  The appropriateness of financial statements hinges on the fair presentation in conformity with GAAP.  Furthermore, the concept of materiality is the deciding factor of what is “fair” and what is not.

However, at times companies misstate their financial statements.  In some situations these misstatements are simple, unintentional errors; whereas, in other cases they may be intentional.  When misstatements occur, companies must determine whether or not these misstatements result in materially misleading financial statements.  For purposes of clarity, an error is defined in ASC 250, Accounting Changes and Error Corrections as “[a]n error in recognition, measurement, presentation, or disclosure in financial statements resulting from mathematical mistakes, mistakes in the application of [GAAP], or oversight or misuse of facts that existed at the time the financial statements were prepared.”

Because identified misstatements that relate to the current period can be addressed by management without any required restatements, today’s post will address certain risk areas and requirements that companies will want to address in assessing misstatements in prior periods.

Materiality

In a previous post I wrote about materiality considerations, which should be considered in assessing whether or not the prior period financial statements are materially misstated.  Indeed, it is well established that calculating a quantitative threshold of materiality is an important step in a materiality assessment (such as 5-10% of pre-tax income).  However, companies should give consideration to qualitative factors as well.  The SEC’s staff issued SAB No. 99 to provide some guidance to considering qualitative factors.  Notwithstanding its guidance, SAB No. 99 does not address what might be considered not material.

Types of restatement

Depending on the outcome of a materiality assessment, companies may find themselves in one of two categories:

  1. Reissuance restatement – referred to as “Big R” restatement because this means the previously issued financial statements were materially incorrect and, therefore, are unreliable and must be reissued/restated.  In these cases, the prior period financial statements must be amended.
  2. Revision restatement – referred to as “Little r” restatement because, although there are errors in the previously issued financial statements, they were not material to the prior periods.  A company may choose to either make the error correction in the current period or it may recast its prior period financial results in connection with issuing its current period financial statements.  When a company elects to recast its prior period financial statements in connection with issuing its current period financial statements, it revises its financial statements.  In these circumstances, the prior period financial statements do not need to be amended.

Sarbanes-Oxley Act certification requirements

In the context of restatements, SEC registrants must be aware of risk exposure related to Sarbanes-Oxley Act (SOX) certification requirements.  As a refresher, as early as 2004 SEC registrants were required to implement certain provisions of SOX.  These provisions address requirements that the principal executive officer or officers (CEO or equivalent) and the principal financial officer or officers (CFO or equivalent) must certify.  The first requirement, Section 302, is found in SOX’s Title III – Corporate Responsibility.  The second requirement, Section 906, is found in SOX’s Title IX – White-Collar Crime Penalty Enhancements.

  • SOX Section 302 – In connection with filing of periodic financial reports with the SEC, the CEO and CFO (as signing officers) are required to certify in each quarterly and annual report:
    • the signing officer has reviewed the report;
    • based on the signing officer’s knowledge, the report doesn’t contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
    • based on the signing officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
    • the signing officers:
      • are responsible for establishing and maintaining internal controls
      • have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
      • have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
      • have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
    • the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):
      • all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
      • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
    • the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
  • SOX Section 906 – In connection with filing of periodic financial reports with the SEC, the CEO and CFO (as signing officers) are required to certify in each quarterly and annual report:
    • the periodic financial report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.

Section 906 provides for criminal penalties if the CEO and/or CFO:

  • certifies any statement within Section 906 knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in Section 906 shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or
  • willfully certifies any statement as set forth in Section 906 knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in Section 906 shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.

In light of these certification requirements and the potential criminal penalties, signing officers must be confident that their financial reporting controls are reliable.  With this in mind, when Big R restatement risk is heightened, companies should be cognizant of the regulatory and legal exposure associated with potential non-compliance.

Furthermore, when it comes to material misstatements in the company’s prior period financial statements, there is a rebuttable presumption that a material weakness in ICFR exists.  Another thing to keep in mind is that even though a Little r restatement may end up being the correct solution to addressing misstatements, the SEC registrant may end up concluding that a material weakness still exists in ICFR.  This gets at the concept of the “could” factor in assessing deficiencies in ICFR, which I previously wrote about.

Tips for companies

I recently listened to a webcast discussing 10 pitfalls to avoid when navigating a Big R restatement (replay link).  For convenience, I’ve listed these 10 pitfalls:

  1. Engaging inexperienced counsel and advisors for the investigation
  2. Forming a special committee when the audit committee might suffice
  3. The run-away or open-ended investigation
  4. Failing to keep auditors apprised of the investigation and errors found
  5. Indecisiveness and inability to reach conclusions
  6. Waiting too long to deal with wrongdoers
  7. Not self-reporting findings to the SEC
  8. Audit committee micromanagement of the restatement
  9. Failing to remediate
  10. Creating an unnecessarily detailed SAB 99 materiality analysis

In addition to these tips, companies should ensure they follow the standards governing accounting restatements in ASC 250 and that they assess misstatements for each reporting period.  Although certain misstatements may be insignificant in any given reporting period, they could aggregate to a material amount over time (such as the impact to the balance sheet).

When restatements arise, SEC registrants will need to disclose relevant information on SEC Forms 10-K/A and 8-K (for Big R) and SEC Form 10-K (for Little r).

Influencing the narrative

I’m going to fast forward the process of restating financial statements to communicating with outsiders what the facts are.  When management becomes aware of material misstatements in prior periods, the company should be clear and assertive with users of its financial statements about the nature and extent of the misstatements identified.  In connection with its assessment, management should be able to, at a minimum, address the following concerns:

  • explain the magnitude of the misstatement;
  • identify which accounts were affected;
  • describe what was done to remediate the misstatement (both in the financial statements and in ICFR);
  • explain what programs and controls have been put in place to avoid misstatements from occurring in the future; and
  • explain the implications of misstatements on the company’s future financial reporting and forecasts

It goes without saying that if companies do not take active measures to effectively management the risks I’ve discussed, users of their financial statements may call into question whether or not the root-causes in the company have been addressed.

Photo credit

Posted on

A Look-back: 12 years of SOX Section 404

Many companies became subject to the provisions of Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) beginning for fiscal years ending on or after November 15, 2004.  Specifically, Section 404(a) requires public companies’ annual reports to include the company’s own assessment of internal control over financial reporting (ICFR).  Section 404(b) requires an independent auditor’s report on the effectiveness of the company’s ICFR.

Since the implementation of SOX 12 years ago, we have seen some interesting trends in financial restatement statistics and SEC enforcement trends, which I have written about recently (here and here).  In fact, a recent Audit Analytics report has highlighted some key take-aways related to Section 404 disclosures.

Effectiveness of ICFR requiring auditor attestation

SOX Section 404(b) states that accelerated filers (including large accelerated filers) must provide an independent auditor’s report on the effectiveness of the filer’s ICFR.  The following chart shows adverse auditor reports as a percentage of total auditor reports on ICFR on an annual basis within the last 12 years.

% Adverse Auditor Attestations

For clarification, according to PCAOB Auditing Standard No. 5 (AS 5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, an adverse opinion signifies that at least one material weakness exists within a company’s ICFR.

Naturally, one would expect the first year of implementation, 2004, to yield the least favorable results.  To also note is that because the SOX Section 404 requirements went into effect in late 2004, only a portion of companies whose fiscal years ended in 2004 were required to implement these requirements (i.e., those whose fiscal years ended on or after November 15, 2004).  This means that a smaller number of companies filed auditor attestations related to fiscal 2004 when compared to fiscal 2005.

What I find interesting about the above chart, and the Audit Analytics report discusses, is the historical “low” in the rate in 2010.  In 2010, the PCAOB inspection program began determining if audit firms had obtained adequate evidence to substantiate the auditor’s attestation of management’s assessment regarding the effectiveness of ICFR.  The impetus for this was the implementation of AS 5, which became effective in late 2007.

After initially reviewing audit firms’ implementation of AS 5 in 2008 and 2009, the PCAOB’s inspections began in 2010 to focus on inspecting for and reporting on whether firms obtained sufficient evidence to support their audit opinions on the effectiveness of ICFR.  Although somewhat unclear, we might gather from the above chart that the PCAOB’s scrutiny of audit firm compliance with AS 5 in 2010 may have re-focused the emphasis of audit firms on improving audit quality in 2011 (when compared to 2010).

Key areas of adverse auditor reports

Among those auditor reports with an adverse audit opinion on ICFR, the Audit Analytics report identifies the following internal controls issues with the highest frequency in 2015:

Ineffective ICFR issues

Total number of attestations

As % of total attestations citing ineffective ICFR
Material and/or numerous auditor and/or management adjustments

118

58%
Inadequate accounting personnel resources, competency, and/or training

105

52%
IT, software, security, and access controls

60

30%
Segregation of duties and/or design of controls

50

25%
Controls related to non-routine transactions

39

19%

As illustrated in the table above, the top reason for ineffective ICFR in 2015 was due to accounting issues which were known to materially misstate the financial statements.  Said differently, without recording the necessary adjustments, the financial statements taken as a whole would have been materially misstated.  The remaining top five reasons for ineffective ICFR in 2015 were due to internal controls issues (which either did or “could have” contributed to material errors in the financial statements).

Moreover, the Audit Analytics report lists the following accounting-related ICFR issues as most commonly cited in adverse audit reports in 2015:

Ineffective ICFR issues related to accounting

 Total number of attestations

As % of total attestations citing ineffective ICFR
Revenue recognition 47

23%
Income taxes

36

18%
A/R, notes receivable, investments, and cash

34

17%
Fixed assets and/or intangible assets

29

14%
Related parties and/or affiliates/subsidiaries

27

13%

Effectiveness of ICFR not requiring auditor attestation

In contrast to the requirements in Section 404(b) for accelerated filers, non-accelerated filers and smaller reporting companies need not comply with this provision, thanks to the Dodd-Frank Act of 2010, but they must comply with Section 404(a).  Furthermore, non-accelerated filers were not required to implement Section 404 until late 2007.

For clarification, a non-accelerated filer, as defined by SEC Rule 12b-2, is public company whose public float (as opposed to market capitalization) does not exceed $75 million as of the last business day of the company’s most recently completed fiscal Q2.  Furthermore, smaller reporting companies are those companies that meet the definition of a non-accelerated filer and had annual revenues of less than $50 million during the most recently completed fiscal year for which audited financial statements are available.

Having said that, the following chart shows the percentage of adverse management-only assessments relative to total management-only assessments on an annual basis in the last 12 years.

% Mgmt-Only Reports

Interestingly, this chart shows a negative trend over the years, with a drop in 2015.

Key areas of adverse management-only assessments

The Audit Analytics report identifies the following internal controls issues with the highest frequency in 2015 in management-only assessments:

Ineffective ICFR issues

 Total number of assessments

As % of total assessments citing ineffective ICFR
Inadequate accounting personnel resources, competency, and/or training

985

79%
Segregation of duties and/or design of controls

893

72%
Ineffective, non-existent, or understaffed audit committee

388

31%
Inadequate accounting disclosure controls

246

20%
Material and/or numerous auditor and/or management adjustments

204

16%

To note is that two of the five top ICFR issues in the table above are also among the top five ICFR issues in adverse auditor attestations.  A key reason for the provision in the 2010 Dodd-Frank Act eliminating the requirement for non-accelerated filers and smaller reporting companies to comply with SOX Section 404(b) was due to cost of compliance.  Since we can see from the table above that overwhelmingly the two most common ICFR issues were inadequate accounting resources and segregation of duties/design of controls, it certainly seems reasonable to conclude that the cost of accounting resources is a relatively big factor for smaller public companies.  While understanding that these statistics describe ICFR issues for public companies, to my surprise is that the third most common issue deals with inadequacies of the audit committee.

With respect to accounting-related ICFR issues noted in management-only assessments, the Audit Analytics report lists the following most commonly cited in 2015:

Ineffective ICFR issues related to accounting

 Total number of assessments

As % of total assessments citing ineffective ICFR
A/R, notes receivable, investments, and cash

95

8%
Debt, quasi-debt, warrants and equity-related (beneficial conversion features)

53

4%
Income taxes

48

4%
Revenue recognition

38

3%
Related parties and/or affiliates/subsidiaries

24

2%

The above table demonstrates that the most frequently cited accounting-related issues in ICFR was similar between accelerated and non-accelerated filers and smaller reporting companies.  Furthermore, the Audit Analytics report indicates the top five accounting-related issues represented approximately two-thirds of the total accounting-related issues in 2015, both for adverse auditor reports and management-only assessments.

Summary

To put these findings into context for 2015, of those accelerated filers whose auditors issued an adverse SOX report, there was a pull toward ICFR failures due to accounting-related issues.  On the other hand, companies that issued management-only assessments citing ICFR failures experienced significantly higher rates of ICFR failures due to internal controls issues as opposed to accounting-related issues.

In addition, the ICFR failure rates reported by companies with management-only assessments were significantly higher than the ICFR failure rates reported by accelerated filers.  By applying a simple average over the last 12 years for accelerated filers and nine years for non-accelerated filers, the ICFR failure rates were 6.9% and 35.4%, respectively.

Finally, for additional context, I noted per review of the Audit Analytics report that in 2015 there were approximately 3,800 auditor attestations on SOX effectiveness filed with the SEC.  With regard to management-only assessments, there were approximately 3,500 management reports filed in 2015 with the SEC.  Therefore, the quantity of filings with the SEC between these two groups was comparable.

Source for charts:  Audit Analytics August 2016 report, SOX 404 Disclosures, a Twelve Year Review.

Photo credit

Posted on

Payout trends in the SEC’s whistleblower program

In July 2010, the U.S. Congress enacted and President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act.   In connection with reform on investment protection, the Dodd-Frank Act provided for the establishment of a new whistleblower program.  The program provides for financial incentives for individuals to report potential federal securities laws violations to the SEC and provides for protection from employment retaliation.

Adoption of whistleblower rules

On May 25, 2011, the SEC adopted the new whistleblower rules, codified as Section 21F of the Securities Exchange Act of 1934, entitled “Securities Whistleblower Incentives and Protection.”  Pursuant to these rules, the SEC has ability to provide monetary awards to eligible individuals who come forward with high-quality original information that leads to an SEC enforcement action in which over $1 million in sanctions is ordered.  The range for awards is between 10% and 30% of the money collected.

The rules clarify that “original information” must be:

(i) Derived from your independent knowledge or independent analysis;

(ii) Not already known to the Commission from any other source, unless you are the original source of the information;

(iii) Not exclusively derived from an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media, unless you are a source of the information; and

(iv) Provided to the Commission for the first time after July 21, 2010 (the date of enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act).  See Rule 21F-4(b)(1)

Furthermore, the rules state that information submitted to the SEC is provided “voluntarily” if:

…you provide your submission before a request, inquiry, or demand that relates to the subject matter of your submission is directed to you or anyone representing you (such as an attorney):

(i) By the Commission;

(ii) In connection with an investigation, inspection, or examination by the Public Company Accounting Oversight Board, or any self-regulatory organization; or

(iii) In connection with an investigation by the Congress, any other authority of the federal government, or a state Attorney General or securities regulatory authority.  See Rule 21F-4(a).

Discretionary payouts

As mentioned previously, the range of awards that the SEC will pay out is between 10% and 30% of the money collected, not of the monetary sanctions ordered.  With this in mind, the SEC considers the following factors to determine the size of the award:

  1. The significance of the information
  2. The assistance provided by the whistleblower
  3. Law enforcement interest that might be advanced by a higher award
  4. Whistleblower’s participation in internal compliance systems

In addition, the SEC considers the following factors to decrease the payout percentage of the award:

  1. Culpability
  2. An unreasonable reporting delay by the whistleblower
  3. Interference with internal compliance and reporting systems

SEC’s payout trends

From its inception through July 2016, the SEC’s whistleblower program has issued 24 final award orders and 51 final denial orders.  Of these 24 final award orders, the largest award amount disclosed was over $30 million (announced September 22, 2014) and the smallest award amount disclosed was $125 thousand (announced August 30, 2013).

Of the 19 disclosed award amounts, the median payout is approximately $700 thousand.

Furthermore, of the nine awards disclosing the payout as a percentage of the monetary sanctions collected, the SEC has ordered payouts of 30% on five occasions, a payout of 28% once, payouts of 20% twice, and one payout of 15%.  It should be noted that these figures represent the total payout percentages for each matter (regardless of the number of claimants).

Seven of the 24 final award orders mentioned more than one claimant for payout, with three of these awards naming two claimants and four naming three claimants.  The distribution of the payout to each of these claimants varied from equal proportion of the award among the claimants (33% or 50% to each claimant in final award orders naming three and two claimants, respectively) to as dispersed as 50% of the award to one claimant, 33% to another, and 17% to the third claimant within the same final award order.

Another interesting observation is that, of the 24 final award orders, the SEC disclosed the whistleblower profiles for 11 of them.  Of these 11 awards, two were in the compliance function, one was an officer, seven were non-descriptive insiders/employees, and one was an outsider.  There does not appear to be any correlation between the whistleblower profile and the payout percentage or amount of the award.

I have prepared a schedule that summarizes key information for each final award order.  This schedule includes all final orders through July 2016.

Photo credit

Posted on

SEC settles charges with publicly-traded company for internal controls violations

Earlier this year the SEC announced that it had brought charges against a publicly traded company, Magnum Hunter Resources Corporation (MHR), a diversified natural gas, natural gas liquids and crude oil exploration and production company based in Texas.

The SEC’s charges are not based on material misstatements in MHR’s 2011 financial statements on Form 10-K. Rather, because of high growth arising from multiple business acquisitions, the company’s accounting staff could not keep up with the ever-increasing demands to maintain effective internal controls over financial reporting (ICFR).  As a result, the SEC claims there existed a material weakness in MHR’s ICFR and that MHR did not adequately disclose this in its 2011 SEC filing.

The SEC imposed a Cease-and-Desist Order on MHR in March 2016, which states in part:

This proceeding concerns failures by MHR and its management to properly implement, maintain, and evaluate [ICFR] for the fiscal year-ended December 31, 2011 and to maintain ICFR sufficient to keep pace with MHR’s growth from at least the fiscal year-ended December 31, 2011 through the quarter-ended September 30, 2013.

The SEC Order also states that this failure was, in part due to improper evaluations of the severity of internal control deficiencies by both MHR’s SOX consultant and external auditor.

Material Weakness

To put all of this into context, SEC Regulation S-X defines a material weakness as:

…a deficiency, or a combination of deficiencies, in [ICFR] such that there is a reasonable possibility that a material misstatement of the registrant’s annual or interim financial statements will not be prevented or detected on a timely basis. [Rule 1-02(a)(4)]

This is consistent with the definition of a material weakness in U.S. auditing standards, which is:

a deficiency, or a combination of deficiencies, in [ICFR], such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. [PCAOB AU 325, par 3]

Note these definitions use the term “reasonable possibility” to describe the likelihood of a material misstatement occurring.  This term carries the same meaning as in ASC 450 (formerly SFAS No. 5), which I discussed in a previous post.

Charges by the SEC

In essence, the SEC’s charges hinge on the premise that, even though it did not find any material misstatement in MHR’s financial statements, because a material misstatement could have occurred, MHR should have made appropriate disclosures in its 2011 financial statements. Of interest is that MHR’s assessment of the effectiveness of ICFR concluded that a significant deficiency existed, not a material weakness.

In its audit work papers MHR’s external auditor documented that the control weaknesses arising from inadequate accounting staff did not rise to the level of a material weakness for the following key reasons: (1) the audit work did not identify material errors for the reporting period and (2) the auditor understood that MHR had recently hired additional accounting staff and that the existing staff, while overworked, was competent.

Despite the auditor’s documentation for its conclusion, the guidance in PCAOB AS No. 5 states that “[t]he severity of a deficiency does not depend on whether a misstatement actually has occurred but rather on whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement.” (see par. 64)

Take-aways

Companies required to comply with SEC regulations should take note of these charges brought by the SEC. Further, companies should take seriously the requirements to maintain effective ICFR and disclose information that is pertinent to users of their financial statements.

In the end, it is the responsibility of the company’s management to not only prepare its financial statements, but to also maintain a system of ICFR sufficient to provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in conformity with GAAP (see SEC Exchange Rule 13(b)(2)(B) at 124).

Photo credit

Posted on

Fraud auditing, a new trend

We all know that fraud is alive and well in today’s society.  On a daily basis, it seems, we hear unpleasant fraud statistics and read eye-catching news headlines about new fraud schemes or deceptions.  Indeed, businesses today are no less vulnerable to fraud than before.

Because of its ever-presence in today’s business world, a new trend of fraud auditing is becoming more and more popular.  So, what is it?  In essence, fraud auditing is a two-phase exercise.  First, one designs a fraud risk assessment to identify areas where a company may be susceptible to fraud.  Second, in response to findings of this assessment a monitoring and reporting program is put in place as a tool for management oversight.

Preventive vs reactive measures

When I was a former Big 4 auditor I incessantly heard complaints from my clients about audit fees being too high.  Indeed, financial statement audits can be expensive because they are designed to cover all aspects of the financial statements.  In contrast, fraud auditing doesn’t have to be expensive.

Moreover, as a preventive measure, one of the benefits of fraud auditing is that the cost of such an assessment can in large part be determined by the company’s management.  Conversely, as it relates to reactive measures, the cost will depend greatly on the motivation by the company for having the fraud audit conducted in the first place.  Examples of motivations imposed on a business may include: response to fraud already identified within the company, restatement of financial statements, or a decision to bolster internal controls because of restrictions imposed by a regulator, to name a few.

We can probably agree that human nature tends to be more reactive than proactive at different phases of life, such as wellness and personal finance.  In a similar vein, too often companies wait to respond to fraud risks until they manifest themselves through fraud or abuse.  Said another way, companies often do not perceive sufficient value in conducting a meaningful fraud risk assessment and, therefore, they wait until the stakes are much higher.  Oh, how relevant today is Benjamin Franklin‘s famous adage that “an ounce of prevention is worth a pound of cure!”

Consideration examples

Next, I wish to give some definition to the look and feel of a fraud risk assessment.  Depending on the nature and extent of a fraud audit, following are some examples for consideration to begin to understand risks and exposure:

  1. Domination of management by a single person or small group.  This gets at the heart of the tone within an organization.  Regardless of the extent of internal controls (even at the transactional level), if there is management domination by one or a few individuals, this can have a pervasive effect on the organization as a whole.
  2. A practice by management of committing to analysts, creditors, or other third parties to achieve aggressive or unrealistic forecasts.  One can see that being overly aggressive can be an area of risk and exposure.  Conversely, for businesses not beholden to outsiders (such as creditors or investors) this, of course, is irrelevant.
  3. Ineffective communication, implementation, support, or enforcement of the entity’s ethical standards by management or the communication of inappropriate ethical standards.  This really goes without saying. If management doesn’t enforce its own rules, then why have them in the first place?
  4. Recurring negative cash flows from operations while reporting earnings and earnings growth.  Financial pressures placed on management to generate favorable results should be considered when assessing the adequacy and effectiveness of business performance reviews.
  5. Rapid growth or unusual profitability, especially compared to that of other companies in the same industry.
  6. Significant, unusual, or highly complex transactions, especially those close to the period end.
  7. Significant related-party transactions not in the ordinary course of business.  A review of an entity’s financial statements or records can reveal the nature and extent of transactions with related parties.
  8. Recurring attempts by management to justify marginal or inappropriate accounting based on materiality.  Although this one may be difficult to assess, an effective fraud audit should incorporate inquiries of multiple company personnel at varying levels within an organization.
  9. Restrictions on the limitation of access to people, information, or communication by the board of directors or those charged with governance.  

I adapted the above points from the PCAOB’s AU 316, Consideration of Fraud in a Financial Statement Audit.  Although the above list is not exhaustive, it can be a good start to identify areas of heightened risk exposure for a company.  Equally important is that AU 316 was specifically designed to apply to external auditors in connection with the performance of financial statement audits.  Despite this, I believe the principles and guidance within this AU can apply to a variety of circumstances and not just financial statement audits.

Checklisting

It seems that in more recent years auditors have gravitated more toward a “checklist” mentality to discharging of their professional duties.  I believe this is heavily influenced by feedback from regulators.  Of course, checklisting has its place within a professional service engagement to mitigate legal and regulatory exposure.  However, as one can gather from my post above, it is important to exercise professional judgment by inserting a healthy degree of flexibility between checklisting activities and allowing free thinking and creativity.  After all, thinking through the “what ifs” of a situation is always an effective way to identify areas of risk and exposure.  To add to this thought, because risk factors can vary greatly depending on the industry and company-specific factors, it is imperative to tailor the nature and extent of a fraud audit to the needs of an organization.

Less rigorous is still better than nothing

In ideal circumstances companies want to get to the right answer from the beginning.  While this sounds good, the reality is that, as I touched upon earlier, many businesses do not place fraud auditing as an area of focus until they are forced to.

One way to assist companies in overcoming the resistance to a full blown fraud audit is to perform a less rigorous fraud risk assessment.  As a valuable resource the Association of Certified Fraud Examiners (ACFE) offers a Fraud Prevention Check-up.  While I recommend any such assessment be performed with the assistance of experienced professionals familiar with the issues, this check-up exercise could, in theory, be performed by the business itself.  In any case management should take the assessment seriously, standing ready to take action should there be cause for concern.  Additionally, I strongly recommend that, if possible, general counsel be aware of and participate in this process for legal protection to the company.

Altogether, companies that take seriously their obligations to protect company assets and stakeholder value should equally take seriously their oversight and monitoring of financial fraud risks.  Fraud audits provide an excellent means of fulfilling these obligations.

Photo credit

Posted on

The power of walk throughs in investigations

As a former auditor, I performed walk throughs of certain key account processes or cycles to gain a complete understanding of a transaction from start to finish.  Sometimes it became quite cumbersome because certain processes were complex or lengthy.  However, after walking through a process I was able to gain a solid understanding of the areas of risk exposure and, most importantly, I could answer the question, “what could go wrong in this area.”  This informed me further in planning my audits and responding to risks.

As a basis for framing my post today, the PCAOB AU No. 5 at ¶ 37, describes a walkthrough as follows:

In performing a walkthrough, the auditor follows a transaction from origination through the company’s processes, including information systems, until it is reflected in the company’s financial records, using the same documents and information technology that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls.

Although this guidance is intended to apply to audits of internal controls over financial reporting, implemented by an entity in preparing its financial statements, the principles gathered from walk throughs can be applied to a variety of circumstances.

As basic as they may seem, walk throughs I believe are the bedrock to understanding the flow of transactions in accounts, particularly complex ones.  Following are some powerful things that can be gathered from a walk through:

  • Build rapport with the interviewee through conversation that can be transitioned from “formal” (early on in the walk through) to “informal” or more “relaxed” (once enough questions have been discussed and the anxiety of meeting someone for the first time can be overcome)
  • Identify “types” of documentation not previously known
  • Assess the competency of an account owner/interviewee
  • Assess the body language of the interviewee and gather relevant information therefrom
  • Identify improper segregation of duties (custody, record keeping, and authorization/verification)
  • Identify exposures to fraud and/or error

To do effective walk throughs, it’s critical that the person conducting the meeting have sufficient experience to understand what types of questions to ask and, maybe more importantly, if answers are satisfactory or if probing is necessary.  Depending on the risks/allegations, a walk through may encompass a portion of or an entire process, including: initiation, authorization, recording, processing, and reporting.

I’ve found the following types of questions to be helpful in a walk through (of course, adapting the questions to the relevant facts/allegations and circumstances is critical to an effective discussion):

  • Please describe your role in this process.
  • Who else is involved in this process (preparers, reviewers, approvers, etc.)?
  • What happens when a transaction is not approved?
  • What systems (internal or external) do you use or rely upon to perform your duties?  This type of questioning can assist in identifying the areas of manual intervention, which often times are the areas of highest exposure to fraud and/or error.
  • Where do you understand the areas of judgment or estimate to be?
  • Have you or anyone you know been asked to override any controls?
  • If there were a questionable transaction or request, who would you go to for guidance or advice?

Depending on the situation, I recommend two interviewers in attendance.  For example, in an investigative scenario, it may be appropriate to have two persons in attendance, one to ask the questions and interact with the interviewee and another to take notes, but also to stand as a “witness” should allegations come back against the interviewer.

Sometimes a walk through may not be possible because access to the person(s) may be restricted.  In these scenarios, the best available information should be considered and, using an experienced professional’s understanding of the flow of similar business transactions, one should formulate an “expectation” for how transactions are processed and then refine that “expectation” as new information becomes available.

As a reiterative point, having an experienced professional involved in the process greatly increases the odds of a successful outcome (“successful” of course being a relative term) and is critical in sorting through what is relevant, what is not, and what may be an intentional diversion.

Photo credit