The PCAOB, Audits, and Compliance - Considerations for the Chief Compliance Officer

Thomas Fox - Compliance Evangelist

I recently had the chance to visit with Joe Howell, the Executive Vice President (EVP) of Workiva LLC. Howell has been the Chief Financial Officer of a number of public companies, mostly in the technology space, and of some private companies, several of which went public. He is a co-founder of the SEC Professionals Group, which includes the folks who actually draft the financial statements submitted to the SEC, and of a newer group, the SOX and Internal Controls Professionals Group, which focuses on issues closely aligned with many of those you address on a regular basis: compliance with control objectives.

PCAOB and Audit Standards

I wanted to consider the function of the Public Company Accounting Oversight Board (PCAOB) and what role it might play in anti-corruption compliance. Howell explained that the PCAOB is a quasi-governmental board created by Congress under the Sarbanes-Oxley Act of 2002 (SOX). It has two main functions. The first is setting the audit standards for the auditing of public companies. The second is auditing the auditors and issuing inspection reports to help them improve the quality of their work.

Howell believes that the audit standards set by the PCAOB, together with its inspection reports, have significantly changed how companies perform and how their auditors audit them. These inspections were not designed to test random audits; they were designed to test those audits that contained the largest amount of audit judgment. The inspection reports the PCAOB has issued have been, in many ways, damning and certainly embarrassing.

Howell noted that over the past few years there has been about a 39% to 40% average failure rate for the Big Four. In some instances one firm went up to nearly 50%, and the most recent report on BDO, an international network of public accounting, tax and advisory firms, found a 73% failure rate. Now, audit firms resent the term “failure”; they push back on it and prefer to call it a “deficiency”. But if you take one of those audit inspection reports and do a quick CTRL-F in Adobe Acrobat to count occurrences of the word “fail”, you will find it hundreds of times.

Now does that mean mistakes or does that mean the failure of process or something different?

I asked Howell what might come up as a deficiency, and he related that the number one thing the PCAOB finds is a lack of sufficient competent audit evidence to support an opinion. Howell believes this means that the auditors did not understand what the client was doing, so they were testing controls that were not functioning properly. The auditors may have found those controls to be effective, but when you step back and look at the work in the aggregate, it would not have done anything meaningful to assure the reader that the financial statements were prepared in accordance with Generally Accepted Accounting Principles (GAAP).

For the compliance professional, audit evidence is important. I asked Howell whether that means evidence that the auditor reviewed, evidence that the company created to support the control, or the underlying control itself. He said that one of the problems is that, when reading the inspection report, it is not immediately obvious which it is: it could be that the auditor simply did not ask for the right evidence, or that the auditor did not sufficiently document their own work. Both present problems.

But Howell did not simply level his criticism at the auditors, as he believes the auditor will never understand the client's business or its control environment as well as the client does. It is the responsibility of the audit client to understand its own controls so it can correctly explain their function to the auditors. This is a key insight for any Chief Compliance Officer (CCO) or compliance professional. You must know your compliance internal controls so that you can adequately explain them to your auditors.

From Howell’s perspective, “the audit client is the generator of the material, they are in the business, they have years of experience. The auditor may come and audit them, really one major time of year, but will be there three or four times a year talking to them, but they have other clients as well in other industries. They will never be as familiar with that client’s business as the client.” Yet this also means that when the PCAOB is speaking to the auditors, they are vicariously speaking to the audit clients, too.

There has been quite a bit written about internal controls and the Securities and Exchange Commission (SEC) focus on internal controls in Foreign Corrupt Practices Act (FCPA) civil enforcement actions. This brings up the issue of how robust internal compliance controls must be to pass SEC muster. In the context of the PCAOB, it relates to the issue of precision. 

Howell said that precision is often involved in another area of audit failure. Reviewing an auditor's work papers, the PCAOB might note that the client reviewed something or did something, yet find no discussion of whether the internal control would detect this or that kind of error, or an error of a certain size. As Howell put it, “What’s the precision of that control? Would it have missed a freight train or would it have found something that would have been as small as a drop?”

This leads to deficiencies in quantifying a problem. Howell gave the example of a management review control evidenced by a signature. Simply signing something documents that the manager reviewed it, but the signature does not tell you a thing about what the manager did in the review. For instance, was the review sufficient? Did the reviewer look at all the supporting calculations? Was the evidence actually what it was reported to be, and did it in fact support the conclusion the company was drawing?

Auditor Rotation

Howell explained that the basic concept of auditor rotation is simply to keep fresh eyes on things, because auditors may become complacent over time. Simply put, auditors can get too familiar, too cozy with their clients. Yet the converse can also lead to problems, as Howell noted: “almost every time there has been a fraud that has gone undetected or a major failure that has gone undetected for long periods of time, that has resulted from the fact that the auditors didn’t have enough experience to find the kinds of weaknesses that they’re talking about. That often happens when a new auditor is involved. That’s when things seem to go wrong.”

It is the loss of institutional knowledge that can cause problems. An auditor needs to ask probing, independent questions and to be independent in attitude as well as on paper. Howell noted the “other thing that you lose is that sense of deep understanding of the kinds of transactions, the history, and how things flow together. I think that balance is hard to draw, but it really points to the need that the client has to have a clear understanding of their processes themselves and how those processes are going to affect the controlled environment.”

For the compliance practitioner, this is where an auditor can fail. Where there is fraud or some other form of collusion that could generate a pot of money to fund a bribe, there will be telltale signs or evidence somewhere, but those red flags might be missed because the client has not thought clearly about how they would be monitored and how they could be detected.

Inspection focus is another area the PCAOB is concerned about, and while it may not immediately appear applicable to the compliance department, I believe it can have a significant impact. This area focuses on the judgments clients make, most generally around revenue recognition, or more simply “rev rec”. Howell began by noting that the “number of mistakes are very high and often they’re challenging because when you somehow mischaracterize the top line, the rest of the financial statements change their character because of a number of things that have keyed off of what your revenue is. The other thing that’s true is that it also causes the rest of the financial statements to become questionable just because that most important number was not right.”

The rules that evolved in the 1990s and early 2000s made revenue recognition increasingly complicated. Now companies are gearing up to transition to a new revenue recognition methodology that is more principles-based and that will affect all industries the same way, meaning we will no longer have separate revenue recognition approaches for different industries.

This transition is also going to create many opportunities for mistakes and, worse, for fraudulent accounting to hide evidence of bribery and corruption, through strategies as diverse as channel stuffing and the evaluation of long-term contracts. Rev rec is an area where the compliance function needs to rely more heavily on the auditing function to help detect either overrides of internal controls or simpler failures.

Estimates and Goodwill Impairment

This ties into Howell’s next point, which was accounting estimates. Goodwill is perhaps the most challenging: it arises when you acquire a company and pay more than the value of the assets you identified as tangible assets. Howell said, “You end up with this intangible number goodwill, which needs to be tested for impairment. You can’t go judge the fair value of goodwill other than by an accounting estimate at one point in time when you made an acquisition, but the accounting rules now require that you go back and reassess that value from time to time and put an impairment charge against it if you feel that it’s not what you paid for to begin with.”

I found this analysis interesting, as Matt Kelly raised the same issue in a blog post entitled “Impairment Data Hints at Problems Ahead” on his site, Radical Compliance. Kelly’s basic thesis was that goodwill impairment would negatively impact compliance, particularly after an acquisition, when the value of the acquired entity can drop significantly or even precipitously. Witness HP's goodwill impairment charge of nearly $5.5 billion around its acquisition of Autonomy.

This ties into Howell’s concerns from the auditing perspective because, “You can’t say what goodwill is based upon today without understanding that, ‘Hey, it’s based upon the value I’m going to receive over a period of time in the future.’ That means that the auditors have to look to the work that’s being done by the people who prepare those projections and those are usually the Financial Planning and Analysis (FP&A) folks”, who typically do not have an appropriate level of documentation to support their analysis of goodwill value.

Moreover, FP&A is actually trying to drive behavior through these projections. Howell said they typically cannot provide either the specific documentation of analysis or even a history of results over time. This is because they “frequently are developing these projections to be aspirational. They’re trying to drive business behavior, not really trying to predict it. You end up with some issues that are creating strain in accounting organizations around the world.” Such an approach would certainly raise issues in a compliance realm. 

Write-Downs

Write-downs are significant for the compliance function, as they can be a mechanism to hide money used to fund bribes and engage in corruption. I asked Howell how they might be used to hide monies generated to fund a bribe in the context of an acquisition. Howell noted, “anytime you have to calculate what that original value is, if you have a spin-off, if you have some sort of massive write-down, then they’re going to want to take a look at that to see, How did you do that write-down? Did you do it to dress up your balance sheet, to make it a little prettier because you got rid of some intangibles because you didn’t want to have them anymore for other purposes? Or there was some sort of thing that was out of the ordinary that you did? Then they really want to look at that to make sure that there’s support for it.”

I then inquired about joint ventures (JVs) and asked if the same or similar rules would apply. Howell began by noting that an audit is focused on the external financial statements of the company taken as a whole, as presented in the financial statements. While that statement describes what the final opinion focuses upon, it is important to recall that an audit builds up from its parts.

That means an auditor must build up from any JVs a company has, and these are areas that have the opportunity to create misstatements, mistakes, or completely fraudulent statements. The issues can go so far as to include Enron-type concerns, where the company used fraudulent accounting to get “bad stuff” off its balance sheet. I asked Howell: if you have a JV that has engaged in transactions based on fraud and the profits from that JV roll up into the parent's, i.e. the US corporation’s, balance sheet, would that be an appropriate inquiry for an external auditor? He said, “Absolutely. If an auditor finds fraud that’s not material to the financial statements taken as a whole, their job is not over. They don’t pass on stuff because it’s immaterial. If they find fraud, they’re obligated to report it. Also, if they find fraud, then they’re obligated to explore to see if the weaknesses and the controls that permitted that fraud are found elsewhere.”

Internal Controls and the PCAOB

One of the key inquiries in an SEC FCPA investigation or enforcement action is around systemic failures of internal controls. Such a failure is a sure path to an SEC finding of an FCPA violation, even absent an affirmative finding of bribery. Howell said that a systemic inquiry is critical from the auditing perspective as well.

Howell said that if management is somehow involved in the collusion, then the auditors must “step back and take a hard look at what they’re going to be able to believe, if anything, that management has told them. If management is not involved and they have reason to believe that this is a bad actor somewhere in the organization, they’re not permitted to stop because it’s not material. They have to ‘move forward’ with the inquiry.”

Interestingly, Howell not only draws a line from the FCPA to the Sarbanes-Oxley Act of 2002 to the Dodd-Frank Act of 2010; he also draws a line from the PCAOB to corruption risk, because of the PCAOB's pronouncements about what auditors have to look for in terms of risk. This is because he believes “every PCAOB inspection report to date has mentioned fraud. That the purpose of mentioning fraud is that the failures in the accounting control environment that permitted a transaction to go unreported or misreported are the kinds of things that undermine the entire credibility of the financial statements and mean that you’re not going to be able to rely on that control environment. Fraud is central to all of this.”

Howell went on to explain that fraud usually occurs because there are weaknesses in controls which bad actors exploit to get the money, or the resources if not money, to then pay the bribe that is the focus of the FCPA. The PCAOB focuses on fraud because the controls need to be in place, and it focuses on internal controls over financial reporting. Howell noted he has not seen any FCPA settlement that did not have a material impact on the company in one way or another. He concluded by stating, “how can you say that you’re not dealing with material misstatements of the financial statements if you fail to report something that clearly is going to result in tens or hundreds of millions of dollars of penalties, disgorgement of profits, investigations, and tearing the company inside out in order to do the final remediation?”

Failure of Internal Controls and Best Practices Compliance Programs

What are some of the costs of a failure of internal controls, and how can auditors, governed by the PCAOB, help foster and facilitate a best practices compliance program? There is no materiality standard under the FCPA. This is generally a different standard from the one internal auditors or accountants apply in a company. However, Howell believes that approach is wrong, based on more than just a plain reading of the statute itself. It is not simply the materiality of the bribe; it may not even be the materiality of the contract you receive because of the bribe. Howell’s view is much broader: the materiality is the entire cost the company could potentially be liable for, including the pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

A company must report contingent liabilities in its financial statements, if only in the notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete, and actually wrong, if it failed to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and the SEC, it still faces the risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don't have to report it.”

In an interesting insight for the CCO or compliance practitioner to consider, Howell said that even if you remediate but decide not to self-disclose, that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC's perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and decided not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he thinks it is important to make them immediately available to readers of the financial statements. He went on to state that a large number of diverse constituencies depend on your accurate financial statements. These include “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors among those relying on the accuracy of your financial statements. This is because it is now not uncommon for a loan document or a secondary financing to require a company to maintain an effective anti-bribery and anti-corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how they would go about evaluating such a loan covenant.

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2, which specified what Howell called a bunch of “‘thou shalt do’ stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk-based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement close processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and that auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can draw a line even from Audit Standard No. 5 to the risks companies face doing business outside the US under the FCPA, as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program. If you are doing business in high-risk countries with a reputation for bribery as a way of doing business, and you have operations there that rely on third parties to secure contracts for you, you have an obligation to build a control environment which, to the best of your ability, prevents mistakes and bribes from happening and, if one were to happen, is on the lookout for where it would most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox - Compliance Evangelist | Attorney Advertising
