Sarbanes-Oxley and Smaller Reporting Companies: There is a Better Way

I apologize for the long interval between this and my last posting – especially to those of you who have privately thanked me for material just boring enough, and long enough, to induce a good night's sleep. Tax blogs, I am told, are much too potent unless one is planning to spend an entire holiday weekend in bed.

This long-awaited naturopathic sleep remedy is based on Floyd Norris' recent critique of efforts to roll back some of the provisions of the Sarbanes-Oxley Act. Roughly in descending order of offensiveness, we have movements afoot to:

1. Place the FASB under the supervision of a systemic risk agency, which would in turn be heavily influenced by the banking interests who still blame fair value accounting for the financial crisis;
2. Rescind for companies that have a public float of less than $750 million the requirement that an auditor attest to management's assertions regarding the effectiveness of internal controls (S-OX 404(b));
3. Challenge the constitutional legitimacy of the PCAOB; and
4. A House of Representatives committee vote to exempt the 6,000 'smaller reporting companies' (i.e., market cap. < $75 million) from complying with S-OX 404(b).

If I had been writing a blog back in 2002 as S-OX was being rushed to a vote in spasms and fits of self-righteous bipartisanship (did blogs actually exist?), I would have predicted something like this would be happening about now. Having nothing whatsoever to do with the philosophical leanings of the party in the majority, such is the formula by which U.S. political dramas are scripted. Declarations of war (figuratively and literally) through zealous and hastily enacted statutes are inevitably followed within just a few years by reversals to more moderate positions. Regarding the securities laws (and holding the frightening prospect of IFRS adoption aside), we are clearly in a period of moderation, albeit more misguided than usual.

While I echo Norris' sentiments on the first three items, I had only a few weeks ago expressed my glee that requiring smaller public companies to comply with S-OX 404(b) might soon be trashed. I had previously observed that S-OX 404(b) attestations have appeared to devolve into a go-through-the-motions exercise. Those suspicions are validated to some extent by a recent ruling against defendant Deloitte on a motion for summary judgment in a lawsuit alleging that Deloitte failed to adequately report on internal control deficiencies at WAMU. Jim Peterson of the Re: Balance blog avidly follows the solvency tightrope that each of the Big Four is walking as they try to fend off litigation arising out of 'traditional' public company audits. His view is that auditors should walk away from S-OX 404(b) work while they are still ahead. 

There Must be a Better Way

Even though S-OX could have, and should have, been more tightly focused on measures to prevent another Enron or WorldCom from happening, something was missing in the securities laws for providing reasonable assurance that management public companies, both large and small, are taking their financial reporting responsibilities seriously enough. I just don't agree that S-OX 404(b) was the right way to go about it.  Notwithstanding other merits of a financial reporting regulation, a windfall to gatekeepers, especially those sharing the blame for a lack of confidence in the system, is a reason for any reasonable person to be suspicious. 

Given that change is in the offing, now may be the time to bring back my old war horse, mandatory audit firm rotation. The resistance to mandatory audit firm rotation in the wake of Enron and WorldCom came from the AICPA, which couldn't bear the thought of auditors being audited by other auditors. Their main stated argument had been that switching costs would be too high, as audit efficiencies in the client's environment take a few years to be realized.

Even accepting the AICPA's excuse, which I absolutely do not, it is a fact that the vast majority of audits of smaller firms are much more straightforward. That should mean that the successor auditors can, relatively speaking, take over from predecessors without breaking stride. I would like to suggest to Mary Schapiro that, instead of pushing against the bipartisan will of Congress to let smaller reporting companies out of S-OX 404(b), she should promote mandatory audit firm rotation. There is nothing to suggest that it will impose anywhere near the scale of costs engendered by S-OX 404. With little at risk, it could actually transform audits from a make-the-client-happy exercise to one that moves the U.S. toward the forefront of global capital markets just in terms of basic integrity.

Let's pick 2,000 smaller reporting companies at random and require that they switch auditors within a year; another 2,000 next year, and 2,000 the year after that. If done right, there should be a wealth of data for the SEC and academics alike to analyze. For the next time we take a whirl on the regulate/moderate merry-go-round, we will at least have some hard evidence to take along.

(By the way, I recommend that you try Kevin LaCroix's D&O Diary blog for excellent non-technical summaries of current developments in securities litigation.)

S-OX 404(b) for Non-Accelerated Filers: A Political Crime Waiting to Happen

Section 404(a) of the Sarbanes-Oxley Act, together with SEC rules implementing the provisions of the Act, require management to assess and report on the effectiveness of internal control over financial reporting (ICFR). It took a few years for the SEC to phase everybody in, but all public companies, large and small, are now subject to the requirement.

As pretty much everyone knows, however, S-0X 404 doesn't stop with a management report. Auditors get in on the action in Section 404(b). Therein is the lucrative requirement that an independent auditor attest to management's assessment regarding the effectiveness of their internal controls over financial reporting (ICFR). One person testifying before Congress has called the provisions of S-OX 404(b) the largest windfall to audit firm partners in history, and as I will soon describe, 6,000 more public companies await a new 'service' for which the benefits are, to be charitable, unclear.

Why S-OX 404(b) is Little More than Chicken Salad for Auditors

The corporate corruption scandals that got politicians moving on the Sarbanes-Oxley Act of 2002 were the result of fraud by CEOs and CFOs. ICFR can have little to no impact on the actions of the top executives, because they always possess the power to override internal controls, or sometimes to orchestrate collusive schemes that circumvent those controls. Thus, Section 404 cannot possibly do much to mitigate these particular sources of fraud risk; and there is no better example of that than Enron itself. I have been told (but have not verified) that Enron was the only public company to disclose with much pride and pomp that it paid its world-class, independent auditor to perform a separate evaluation of internal controls. Andersen's report was, of course, clean as a whistle.  

No one should doubt as well, that Enron's relationship with its auditors wasn't much cozier than the norm, either. No matter who the client is, and especially if it is a big one, material weakness are generally only reported after an error has occurred; i.e., after a control has obviously failed. Thus, all the machinations to test ICFR, and prevent a control from failing, don't add much beyond the testing of account balances that occurs as part of the regular financial statement audit.

So, it remains questionable at best, that S-OX 404(b) has created a safer environment for investors to trade their shares. Auditors, on the other hand have been champing at their bits, waiting for the SEC to throw them some fresh meat: the 6,000-odd smaller public firms (technically, "non-accelerated filers) who are not yet required to pay for an ICFR report.

Chicken Salad Days Appear on the Horizon

The auditors received some good news on that front a few days ago when the SEC announced that the stay of execution for non-accelerated filers would be extended only until their annual reports for fiscal years ending on or after June 15, 2010. Chair Schapiro and one other commissioner also issued statements to 'assure investors' that no further extensions would be granted.

Indeed, the SEC's Office of Economic Analysis has completed the last of the SEC's go-through-the-motions machinations to steer S-OX 404(b) through the gauntlet of thousands of irate registrants who resent the additional audit fees imposed upon them -- and the additional hoops they must jump through. And, what did OEA's report have to say? As it turns out, not much at all. Although changes to SEC and PCAOB guidance may have reduced the cost of S-OX 404(b) implementation for companies that currently must comply, OEA did not even address the key question: whether the costs of complying with S-0X 404(b) has been less than the benefits, or whether benefits can be expected to exceed the costs of compliance for the 6,000 companies in line to be plucked. It must surely be the case for non-accelerated filers that initial implementation costs are most onerous, especially in an economic down cycle. But nothing so obvious and significant was to be found in the OEA's report.

The Skinny on the Costs and Benefits of Section 404(b)

If I were writing OEA's report, I might have begun and ended with the following modest, albeit virtually dispositive, back-of-the envelope calculation: The total value of all public traded equities in the U.S. is very approximately $14 trillion, based on information available from indexes published by Wilshire Associates. Let's conservatively assume that each and every non-accelerated filer has a total market cap of $75 million, which is the maximum market cap for a non-accelerated filer. Even under that very conservative assumption, 6,000 non-accelerated filers comprise (at the very most) only 3.2% of aggregate equity values.

In the best of worlds (i.e., assuming that there is real information in an auditor's attestation report) can the new fees that auditors will charge these 6,000 smaller companies provide loss protection that will cover the billions of dollars in aggregate fees? Don't bet on it.

In fairness, the SEC would say that their hands are tied; S-OX directs the SEC to require ICFR attestation reports from all public companies. So, what should really happen is for Congress to wake up and amend S-OX to permanently exempt non-accelerated filers from the requirements of Section 404(b). Will it happen? Don't bet on that one, either.

What upsets me the most is that chair Schapiro is once again catering to the wishes of the Big Four instead of affecting much needed reform, as she has pledged to do. Schapiro should use her bully pulpit to inform Congress that they have created an obvious case of excess regulation. Notwithstanding the sorry fact that S-OX 404(b) has devolved into a waste of time for all issuers, to extend it to non-accelerated filers would be nothing less than criminal.

Instead, of rushing to require ICFR audits, why don't we just sit back and wait to see how many non-accelerated filers will voluntarily submit to an examination of their ICFR – just like Enron did. 

 

Accounting Convergence: Deconstructing the SEC's Message

John White, Director of the SECs Division of Corporation Finance, gave a speech at Financial Executives International Global Financial Reporting Convergence Conference last week (June 5, 2008). In no uncertain terms (and with apologies in advance for the bad pun), it was a whitewash for the benefit of the members of the club. I am writing this post, with the objective of waking up at least some investors to the realization that their interests are being trampled upon by the auditors they pay for, their very own executives, financial intermediaries, and sad to say, the SEC.

So, peeling off the oily-based camouflage, here is the bare bones of White's speech -- at least as I see it.

Good morning. Let's skip the formalities and get right to the point. I truly believe that the endpoint of global accounting convergence will be U.S. issuers using IFRS and that it is time to move in this direction. Even though I can't mention the real reasons in public, here are the five darn good ones we're currently pitching.

First, the SEC will have less influence over accounting standards. That's a good thing, isn't it? Even though other regulators don't ask the tough accounting questions like we do, we are going to work with them and pretend we agree. Remember Societe General? We don't, and thats what I'm talking about. Even though the U.S. representation on the IASB will shrink, I know we can count on the Chinese and Europeans to come up with reasonable answers on technical issues like disclosing related party transactions, securitizations, hedging, contingent liabilities, business combinations, and about the twenty other things that really aren't so good about IFRS -- and I don't want to discuss today. Especially not business combinations: the IASB sure screwed up IFRS 3 after we improved FAS 141R, but that probably wont happen again. And sure, the IASB has some governance issues, but we'll be able to fix that with our single seat on a committee of securities regulators from all over the world that will oversee the IASB's activities. Im sure we'll all get along just fine, and everyone will listen to us because we are from the USA.

Second, IFRS leaves a lot more room for management judgment. That's a good thing, isn't it? We believe that investors most want management to have more tools at its disposal to help them manage earnings. That will go a long way to eliminating outright fraud, because management won't have to risk going to jail to make their numbers. And besides, if managements judgment is really, really unreasonable, auditors will be there to fix things, right? (Uneasy laughter from the audience.) Don't laugh! Investors aren't the only group the SEC protects. The feelings and needs of issuers who report financial results must be considered; that's why I haven't mentioned the needs of investors without also mentioning the needs of issuers.

Third, and speaking of auditors, it is going to cost billions of dollars to implement IFRS in the U.S., and auditors, one of our favorite charities, will be raking in a big chunk of that. Despite overwhelming evidence from rigorous academic studies that these costs will provide little or no benefit to investors -- and even that U.S. GAAP is associated with better information and lower cost of capital -- we have to come up with some way to employ the next wave of accounting students, especially since our last full-emplyment initiative -- SOX 404 work -- is drying up.

Fourth, assessing a companys financial results should not depend on what country a company is from. Differences in corporate governance, laws, business norms and culture do not matter to investors, so accounting rules can be the same, and will be interpreted the same whether we're applying them to companies in China or the United States. After all, IFRS is principles-based, isnt it? (More laughs from the audience.)

Fifth, global capital markets have been growing by leaps and bounds for decades, apparently unhindered by the polyglot of accounting standards in use throughout the world. But, having a single set of accounting standards is going to become really, really important; trust me on this one.

I want to conclude by explaining what I mean by "truly believe." I'm just a politician ... whoops, I mean lawyer ... who really doesn't know much about what all you CFOs have to go through to make your numbers. Frankly, the details of the differences between IFRS and U.S. GAAP don't concern me much. I just threw in "truly" to impress upon you that I am on your side -- kind of like "no kiddng," or "I swear." In other words, even though I dont have a single good answer to any of the questions I have raised today, dont worry, because we're going through with this anyway. I truly believe that If IFRS is good for you, it's good for the SEC; and it must be good for everyone.

Thank you and good night.

More on the CAQ Survey

I thought I had beaten flat the CAQ's survey of audit committee members in my last post.  Lo and behold, here is one more nasty tidbit brought to my attention that merits sunlight.

Among the organizations that with whom CAQ partnered for the recruitment of survey takers was the National Association of Corporate Directors (NACD).  NACD must know who among its members are on audit committees; nevertheless, it blithely sent CAQ's survey out as a mass mailing to all of its 17,500 members.  As you may well have anticipated, there were no controls to ensure that the survey would be responded to by audit committee members only.

OK, so maybe not all respondents were actually members of audit committees -- big deal. But, what if respondents weren't even members of a corporate board?  According to the NACD website:

"NACD accepts both individual and full board membership. Associate membership is available to professional services organizations -- such as legal practices, audit firms and compensation consultants -- who provide essential board guidance and advisory services." [italics supplied]

Recalling that CAQ based their statistics on the responses of only 253 volunteers, how many of these volunteers weren't even board members?   What if 50 of the respondents were actually audit partners?  My point is that they survey methodology was so loosey-goosey, we have no way of knowing. 

Gatekeepers Hoodwinking Gatekeepers

As Bejamin Disraeli said, "There are three kinds of lies: lies, damned lies, and statistics."  Perhaps statistics is the most insidious of the trio because they can be the most beguiling.  The CAQ sits at the same point on the Disraeli scale as any other lobbying organizations who conciously produce data that they intend to be mistaken for information.  But, there should be an important difference: the CAQ is controlled by audit firms who, according to the "P" in "CPA", purport to be ethically bound to protect the public interest.  When journalists are hoodwinked by CAQ into reporting on mere data as if it were information, then CPAs have failed to live up to the ethical standards of those who fund it.

Journalists also function in a large sense as gatekeepers for misleading information.  How ironic is it that CAQ, an organization funded and controlled by audit firms, was so facile in its manipulation of other gatekeepers?

Low Quality Stats from Center for Audit Quality

Much ado has been made lately of the insubstantial contribution business school professors have made to practice through research.  Accounting research of the last forty years, being no exception, was blasted in a commentary in the Chronicle for Higher Education for not addressing questions relevant to accounting professionals.  The authors, academic accountants themselves, blame universities for not providing more robust incentive systems to encourage a broader range of topics and methodologies. 

I want to add another reason:  practitioner organizations barely give lip service to academic research, because their members actually don't want to know what academics have to say.  That's because the truth can be so darn inconvenient (apologies to A. G.).  Just recently, the Financial Accounting Foundation says it doesn't believe it is necessary anymore to have academic representation on the FASB (see earlier post); and now a new report by the Center for Audit Quality (CAQ) presents the results of their "commissioned" survey of audit committee members.  "Research," by any standard academic, it ain't.

I have two problems with the survey.  First, the survey methods are so crude, that if an academic had tried to present this work to peers as serious research, either his sanity or intelligence would be called into question.  Second, the presentation of the "key findings," such as they are, have been skewed to fit the public relations agenda of the accounting profession:  post-Enron rehabilitation of auditors' reputations, and entrenchment of the revenue-producing aspects of SOX.  Other than these two criticisms, the report is just fine.

Let's start with the methodology:

Non-random sample -- CAQ states, without explanation, that it was "not feasible from a cost or time standpoint" to take a random sample.  How ironic is it that an organization sponsored by auditors would forgo random sampling, the indispensable basis of so many auditing standards, procedures and concepts?  CAQ blithely asks us to assume this is a minor detail:

"With a pure probability sample of this size, one could say with ninety-five percent confidence that the overall results would have a sampling error of +/- 6.2 percentage points.  As this survey is not a pure probability sample, theoretically no sampling error can be calculated."

Setting aside that calculation of a sampling error is not "theoretically" possible (read simply as "not possible in any way, shape or form"), +/- 6.2 percentage points is actually a pretty large number that can affect one's reading of the results.  Maybe that's why it is not mentioned again in the report.

Sample size -- Let's agree that the population of interest, audit committee members of public companies, number very approximately 10,000.  Only 253 of them volunteered in response to invitations to participate.  Given the low participation level, it is highly likely for non-respondents to have significantly different opinions than the self-selected volunteers.  If anything was done to test that proposition (yes, academics routinely apply techniques for doing so), CAQ did not report it.

Sample demographics -- CAQ gathered very little information about the respondents.  We know virtually nothing about their financial or accounting expertise.  For example, how many are "designated financial experts"?  How many are former auditors? 

We do know, however, that 44% took their first position on an audit committee post SOX.  As some of the key survey questions ask their opinions about the pre- and post- SOX environment, their opinions may be different, or even less reliable, than the respondents with longer tenure on audit committees.

Wording of the questions -- Let's say you joined your first audit committee in 2007.  How would you respond to this key question:

"Based on your experience as an audit committee member [italics supplied], how would you rate the overall quality of audits of publicly traded companies being conducted today?

First, I don't know if a respondent could reliably separate their audit committee member experience from their prior experience.  Second, given the variability in length of tenure of audit committee members -- some pre-SOX, and other not -- it appears as if two populations are being combined into one. 

The next survey question is:

"And over the past several years, would you say that the overall quality of audits of publicly traded companies has...?" 

Assuming that the "based on your experience" language carries forward, how is the newbie audit committee member supposed to answer that?  Dunno.  Remember, these folks are 44% of the respondents!

Integrity and Objectivity Red Flag -- Neither the organization that purportedly conducted the survey was disclosed in the survey report, nor the scope of their responsibilities.  Imagine an audit report not identifying the auditor; this is not much different.  Was the contractor a well-respected company that didn't want to be associated with the end product?  Was it an organization with other ties to CAQ?  Just asking.    

Now, on to the reported "key findings"

Current state of audit quality -- The audit committee now appoints the auditor and reviews their work much more closely than in the pre-SOX era.  What board member would be willing to admit, even anonymously, that their choice of auditor was a mistake?  So, it's not surprising that CAQ finds that 95% of respondents rate their auditors' work as "good" or better.  As a "key finding", it's a big fizzle. 

The other side of the coin is more provocative: a client paying top dollar for audit services should not be satisfied with work that was only "good" or "fair." That's how 22% of respondents saw it.  Moreover, 17% said that the situation had not changed or worsened since the passage of SOX. 

Risk of fraudulent financial statements -- CAQ blithely reports that 87% of respondents believe the risk of releasing financial statements that are materially inaccurate due to fraud is not very high.  That's a good thing?  I don't think so, especially when you consider that these are audited financial statements!  Has SOX affected the potential for fraudulent misstatements?  The CAQ would like you to think so, because auditors sure have made a lot of money out of ICFR audits.  Yet, unstated is the fact that 40% of respondents do not believe that the risk of fraudulent misstatement has decreased with SOX. 

Complexity of financial statements -- CAQ would like you to believe that audit committee members think that financial statements are too complicated.  But, the questions don't even begin to address the nature of the complexity, or the sophistication of the respondents as regards financial statements.  And if you still doubt that a self-serving agenda is driving the report, here's the smoking cannon: buried in the back pages (question 17C) is the undiscussed finding that respondents clearly do not feel that GAAP is too complex.  Yet financial statements are too complicated.  Figure that one out!

If you are one of those who believe that the CAQ was created by the powers that be to function as shill for audit firms, then this survey report could be your Exhibit A.  It is also Exhibit A for my point that practitioners with self-serving agendas have good reason to be threatened by the contribution of academics.  But, if truth is the goal, then the participation of academics, trained and paid to apply discipline and rigor to a question, is an asset. 

The PCAOB is Auditing the Wrong Auditors

Did you know that:

• The Sarbanes Oxley Act requires the Public Company Accounting Oversight Board (PCAOB) to inspect audit firms with one or more public companies as clients at least once every three years, and that firms with more than 100 clients have to be inspected every year;
• There are currently more than 700 audit firms that are subject to PCAOB inspection; and
• More than half of the PCAOB's $130 million budget  and 500 employees are dedicated to inspections?

If you knew all that, you're a nerd like me.  But, here is something I didn't know until I attended a presentation by a senior PCAOB staff member recently, who included this table among his Powerpoint slides:

The first three columns aren't a big surprise, but the fourth one is a whopper: of the 750 audit firms out there, 99% of them audit an aggregate 1% of the reported revenues of public companies!  The presenter made the point that all audit firms are thoroughly inspected, so it would not be outlandish to guess that significantly more than half of the PCAOB's inspection resources (> $65 million) are protecting the public against the equivalent of a flea bite on the hindquarters of a bull (market). And, add to the PCAOB's waste of its own money, the significant costs imposed on small audit firms of submitting to PCAOB inspections.

I am certainly not against regulations to incentivize high-quality audits by all firms, but what we have here is an Economics 101 case study on the pitfalls of centralized planning happening right here in the good 'ole US of A. 

No Incentives to Right the Wrong

If you passed my trivia test, you would also know that the demand for qualified accountants and auditors has increased since SOX--and so have their salaries.  I have heard SEC staffers claim that they have trouble hiring qualified accountants for their own inspection work due to the competition provided by the PCAOB. 

What I find most irritating is that PCAOB members, each paid over $500,000, are not screaming loudly at Congress that the static burdens imposed by statute on their august organization render one of its two most important functions (the other is promulgating auditing standards) half as efficient as it could be.   Well, here's the freakonomics of it:

• The PCAOB has no incentive to control costs by reducing the number of unnecessary inspections.  The more inspections that are mandated by SOX, the larger the budget that can be justified for approval by the SEC. 
• The Board members personally benefit (albeit indirectly) from bloat. The larger the scale of PCAOB's operations, the easier it is to justify their salaries.

The Board's greatest fear should be that their inspection of the audit of a Fortune 100 company concludes without discovering a problem -- and that the audit turns out to be as big a bust as the Arthur Andersen audit of Enron.  Evidently, it doesn't register with the Board that the big bucks they get are to make sure that one thing doesn't happen. They should be doing everything in their power to make the inspection process more efficient--including lobbying Congress to craft a more sensible mandate for the PCAOB's inspections -- and by the way, puts an end to the persecution small audit firms.   

The Four Sins of Stock Option Backdating

I have a weak spot in my heart for my former students--especially if they were also my tennis or cycling buddies.  Chris, of the cycling variety, recently sent me this email message:

...So, today I was reading some posts on the Greg Reyes trial/verdict (he was the CEO of Brocade ...  I must confess that I've heard all the fuss, but don't really understand it (and haven't followed it very closely) ... was wondering what you make of it all.

Chris, I'm not going to remark about the specifics of the Brocade case, and would rather give you a broad outline of the general issues underlying illegitimate stock option backdating.  The following simple example is representative of the types of transactions that have been questioned:

The board of directors of BD Company met on December 1, 20x1, on which date the market price of BD was $50 per share.  The board authorized the granting of one at-the-money option to BD's CEO, to vest over two years. The CEO instructed the vice president of human resources to backdate the option to November 1, on which date the market price of BD was $40 per share.

The stock option backdating scandal involved four kinds of ripoffs, which I'll describe more fully below:

1. Shareholders ripoffs--By selecting a date in the past on which the stock price is lower than the current stock price, options are deceptively granted in the money.  In my simple example, the effect is to transfer more value to executives than the board of directors intended.  In some cases, the board may actually participate in the backdating scheme.
    
2. Accounting fraud--Options that were effectively granted in the money (because the real grant date is not the backdated one--it's the date the board authorized the award) are accounted for as if they were granted at the money.  Under APB 25 (recently superseded, but in effect during the halcyon days of scandal), expense is measured at the intrinsic value of options at their grant date. (I'm oversimplifying here, but am being specific enough to make the point.) In my simple example, recording zero expense overstates net income by $10, which is the intrinsic value of the option. Often, the accounting fraud has not had a material impact on earnings, except that it was an essential to misstate earnings in order to cover-up the shareholder ripoff (See #1, above).
   


3. Tax fraud--In addition to backdating grant dates, there is strong evidence of executives backdating their exercise of options to a date on which the stock price was low. In so doing, they could reduce the amount of payroll taxes they owed, and reduce the amount of profits they realized on exercise from being taxed at ordinary rates.  If they could then manage to hold the stock for at least a year, they would eventually pay taxes on the rest of their profits at the lower capital gains rate. 


4. Inadequate SEC regulations created a loophole the size of Arthur Andersen--Under SEC rules (promulgated under Section 16a of the Securities and Exchange Act of 1934), executives have to report (i.e., publicly announce) their personal acquisitions of financial instruments issued by their company, and also derivatives underlying those financial instruments.  Until Congress forced them to tighten the loophole (one of the many good things accomplished by SOX), executives had as much as 40 days to report the transactions.  In effect, that gave executives a window of more than a month from which to cherry-pick the lowest share price for option backdating purposes.  A funny thing happened when the report due date was shortened to two days: backdating disappeared. 

That last point, above, doesn't get a lot of press, but it rankles me the most.  I had criticized the SEC for years about the 40-day window--not because I was aware of the backdating frauds, but because I didn't see why investors had to wait so long to receive important information about executives trading in their own shares.  Of all the wonderful things Arthur Levitt tried to accomplish as SEC chair, I don't know why this one wasn't on his radar screen.  After all, it was during his watch that the SEC first floated the idea of accelerating the due dates of annual reports.  (Dear Mr. Levitt, if you perchance should read this, I would consider it an honor to publish your response.) 

Based on the number of SEC investigations and the academic research that exposed this repulsive scandal, there must be hundreds of executives who betrayed the trust of their shareholders with the some criminal indifference that possessed Enron's top guys.  Also similar to Enron, there are likely just as many dupes and facilitating lawyers, accountants, board members, etc. as there were executives who profited directly.  For those Pollyannas amongst you who thought that Sarbanes-Oxley was an overreaction to the crimes committed by a few, I hope the stock option backdating scandal has transported you closer to my world.

So, Chris, you owe me one ... or maybe I owed you one.  It doesn't matter.      

How to Prevent Your Auditor from Telling the World You're in Deep Doo-Doo

Jonathan Weil, the accounting and corporate finance columnist for Bloomberg News, has written an excellent column (read it!) on auditors failing to provide going concern qualifications in reports when they are clearly warranted.  I want to comment briefly on the following points Jonathan made:

• Following the bursting of the dotcom bubble, a Bloomberg study found that auditors failed to provide a going concern qualification for 54% of the 673 largest bankruptcies between 1996 and 2002.  It reminds me of earlier days when I was at the SEC during the S&L crisis. Walter Schuetze, the Chief Accountant was particularly irritated by the auditor's failure to include going concern qualifications in their reports--even when the book value of net assets (largely financial, since he was looking at banks) was substantially above market capitalizations.  Evidently, nothing changed.
• Auditing standards require the auditor to add a going concern qualification to its report when there is 'substantial doubt' about an entity's ability to survive.  I bring these weasel words, 'substantial doubt' to your attention, because of my recent post on the subject of the weasel words in AS 5 and FAS 5, which allow auditors and companies to evade their responsibilities to investors.  I have no clue what 'substantial doubt' means.
• The FASB recently voted unanimously to add a project to its agenda that would make a company's management responsible for assessing the possibility of failure to continue as a going concern.

The Really Interesting Part

Of news to me in Weil's article was a situation he described, where companies can be in technical default on their loans if the auditor issues a going concern opinion.  It appears to be commonplace, and the story told about American Home is particularly depressing:

"You think your job is tough? Think about the poor schlimazels from Deloitte & Touche LLP who blessed the books at American Home Mortgage Investment Corp., mere months before it went belly up....

Tucked inside American Home's credit-facility agreement was a clause that said the ... company would be in default with lenders if its auditor tagged it with the dreaded going-concern language.

For the accountants, if they thought for even a second about this, it must have felt like staring into a house of mirrors. Had they made what proved to be the right call, they probably would have inflicted a mortal wound on American Home. Then again, looking back, a self-fulfilling prophecy would have spared investors from the company's April 30 public offering of 4 million shares at $23.75 each, the prospectus for which incorporated Deloitte's audit opinion. American Home's shares closed yesterday at 22 cents.

Weil makes it clear that loan covenants triggering technical default can have an undue influence on the auditor, who is already gun-shy about issuing going-concern opinions. The Financial Accounting Standards Board project to require chief executive officers to provide disclosures of going-concern risk has only just begun; and I ask myself whether CEO's have incentives to do a better job identifying high going concern risk than auditors.  Of course not!!  If anything, putting the fox in charge of another henhouse would make matters worse.  It would also give auditors some reprieve where none is deserved or needed.  Also, it would just add another layer of internal controls over financial reporting for which auditors could charge higher fees. (What a surprise!)

K.I.S.S.

As an interim step, the SEC should require prominent disclosure of contractual terms that would trigger material adverse consequences depending on the type of audit opinion issued.  It should also direct the PCAOB to clean up the weasel words that auditors hide behind in avoiding going concern qualifications. 

Beyond this, Sarbanes-Oxley has reinforced the principle that it just ain't kosher for management to unduly influence the auditor; and this principle should be followed to its logical conclusion.  That is, this type of arrangement should be prohibited.   I am quite sure that the lending community should have no problem finding other technical-default triggers that are just as efficient and reliable, if not more so.

Finally, I can't resist beating the mandatory-audit-firm-rotation drum just one more time. (I couldn't decide whether I wanted to beat a drum or a dead horse. I picked a drum because I'm an optimist.)  The shameful state of affairs exemplified by the American Home debacle is just one more thing that Congress could have mitigated by mandatory audit firm rotation. Given the fees auditors charge for their Sarbanes-Oxley work, which are still increasing, mandatory rotation would cost less and be more effective.

Would Someone Please Audit the Auditor?

Auditors are not priests, immune to the temptations of the material world.  Many of us have come to realize that even priests are not priests. 

Granted, the mindset may have been different in 1933.  That's when representatives of the accounting profession were able to convince Congress that government involvement in audits would not be necessary, and it was not even necessary to "audit the auditors."  The public could rely on the "conscience" of auditors to do the job right.  As Bill Cosby's Noah said to God, "Right." 

Could mandatory audit firm rotation have prevented at least some of the major accounting scandals?  Would it have been more effective, and less costly, than SOX 404?  Guess what I think. 

Enron, Tyco, Kmart, Xerox.  Whichever accounting scandal you can name, pre- or post-SOX, the odds are that culpable auditors had been at the same trough for decades.  In 2003, the GAO reported that average tenure of auditors to the Fortune 1000 was 22 years.  From my personal experience, it is not uncommon to find the same auditor retained by a firm for more than 40 years.   How would you like to be a first-year  partner-in-charge, and to be put between the rock that has been one of your firm's biggest clients for decades, and the hard place that is their material violations of GAAP?  If you're lucky, they'll fit you with a muzzle and give you an offer you can't refuse--like a transfer to Finland.  In fact, that's what KPMG's head did to the irksome partner who was questioning Xerox's management over their many fraudulent accounting techniques. 

The theory behind mandatory audit firm rotation is that successor auditors would have a strong economic incentive to perform a thorough initial review of their new clients, so as to avoid exposure for restatements occurring on their watch. The really interesting part is the incentives it gives to the predecessor auditor, who expects the successor to be as strict as a drill sergeant inspecting the barracks on his first visit.  Mandatory firm rotation makes too much sense, and perhaps now that we have evidence on the costs and efficacy of SOX 404, it may be time to reconsider it. 

I say 'reconsider', because I believe that Paul Sarbanes, the Democratic Senator from Maryland, placed mandatory audit firm rotation at the foundation of the bill he first envisaged.  It was vigorously opposed by the AICPA (the accounting counterpart of the National Rifle Association); for successor auditors pitted against predecessor auditors would have been their worst nightmare come true. 

Into the breach stepped Michael Oxley, a Republican Representative from the state of Ohio and well-known supporter of the accounting profession. Oxley was also the Financial Services Committee Chair in the House. Using the largely unsubstantiated argument that audit firm rotation would be far to costly, most of the burdensome responsibilities on corporations in the Act — CEO/CFO certification, SOX 404, new board and audit committee requirements, to name a few — were added by Oxley in exchange for giving the ax to mandatory audit firm rotation.  The happy ending for the AICPA was that not only could they avoid auditors auditing auditors, SOX 404 gave them a windfall in the form of new services for which they could charge an arm and a leg.   

The costs of SOX 404 have been absurd, and there is a lot of evidence that they will not abate without regulatory changes.  In their fifth annual study of corporate governance compliance costs, the law firm of Foley & Lardner report that although internal SOX 404 compliance cost  declined slightly in 2006, total  out-of-pocket costs associated with Sarbanes-Oxley compliance showed a double-digit percentage increase for companies both large and small.   Would you be surprised to know  that the largest area of cost increase was external audit fees?  I didn't think so. 

The combination of SOX and consolidation/attrition of the Big Eight down to the Final Four has created what one congressional witness characterized as the biggest windfall to audit partners in history.  The great irony is that instead of mandatory audit firm rotation, we now have mandatory loyalty to current auditors.

AS 5: The Illegitimate Child of FAS 5

This is a rather long post, for which I apologize in advance.  It is an adaptation of a much more diplomatic comment letter that I wrote to the PCAOB, criticizing its proposed, and ultimately adopted, definitions of 'material weakness' and 'significant deficiency' in AS 5. As you will soon see, my critique addresses a larger problem having to do with how poorly uncertainty (for example, contingent liabilities) is dealt with in key financial reporting standards.

Let's start with a common example outside of the realm of financial reporting.  We all pretty much know that the threshold burden of proof to find someone guilty of committing a crime is 'beyond a reasonable doubt.'  What does that mean?  Methinks that individual jurors have their own personal definitions for 'reasonable doubt.'  However, to express uncertainty as a quantitative probability might create more problems for the jury-serving public than it would solve.

It has long been a puzzlement to me that the SEC, FASB and PCAOB take the same vaguely-worded approach as the criminal law--as if accountants and managers were innumerate.  Yet, all business schools and accounting programs have required courses in statistics and the use of quantitative probabilities in decision making.   

Here are some of the major examples of weasel words standing in for probabilities in financial reporting standards:

• MD&A requirements for forward looking information concerning uncertainties that could affect future profitability, liquidity or capital resources is based on a probability threshold vaguely specified as 'reasonably likely'. 
• FAS 5 on the accrual of contingent liabilities can require an accrual when the likelihood of occurrence is 'probable.'  Disclosure only is required if the contingency is less than probable, but more than 'reasonably possible'. 
• AS 2 (now replaced by AS 5) required an auditor to conclude that a material weakness existed if the probability of a material misstatement was 'more than remote.'
• AS 5 replaces 'more than remote' with 'reasonably likely' in its definitions of 'material weakness' and 'significant deficiency'

Incidentally, the PCAOB stated in its proposing release for AS 5  (page 9) that by changing terminology, it would not be changing meaning, but merely providing clarification.  This is supposedly because (1) auditors were familiar with how to apply the weasel words of FAS 5, as they have been around since 1975; and (2) 'more than remote' is not a term used by FAS 5.  The first reason is disingenuous, because everybody is aware that auditors have been ineffective in curbing abuses of FAS 5 by their clients.  The second reason is simply false (see FAS 5, paragraph 3b).  In FAS 5, 'more than remote' is indeed a lower threshold than 'reasonably possible.'  Evidently, weasel words can beget weasel logic.

I now want to explain why weasel words to express uncertainty inevitably result in low quality standards of financial reporting.  I'll be discussing FAS 5 and AS 5, but as with my comment letter, my focus will be on AS 5. 

Analysis

The points A, B and C in the diagram below denote unspecified probabilities that must, of necessity, demarcate the ranges of uncertainty used to apply SFAS 5, AS 2 and AS 5: 

Before proceeding further, it is important to note that Points A, B and C do not change.  In other words, the points are unaffected by the facts and circumstances of a particular transaction or internal control; by way of confirmation, no publication of the PCAOB or FASB that I am aware of provides any indication that either of these august bodies believe that the points should vary across audit engagements or particular events.

Since the FASB is the fount of the weasel words that are the subject of this quixotic diatribe, it is also important to note that the FASB did not disclose any information concerning the process by which “probable” and other qualitative terms for describing uncertainty were selected in the Basis for Conclusions section of SFAS 5; or whether quantitative probabilities were even considered.  Arguably, many of the well-known problems in application of SFAS 5 have resulted from the absence of explicit points of demarcation—particularly Point C in the above diagram.  The ambiguity and inevitable disagreement between auditors, preparers and users as to the appropriate demarcation Points B and C has had two effects: (1) substantial lack of comparability of financial statements, and (2) windfalls to auditors and preparers by allowing them to avoid being held to account for misleading financial statements. 

But, regardless of the FASB’s motives for promulgating SFAS 5 as it did, it was neither in the public interest, nor is it consistent with the PCAOB’s mission, to continue to follow their conveniently vague approach to dealing with uncertainty set forth in SFAS 5.  In particular, investor protection is less than it could be due to the ambiguation through weasel words of the point between “more than remote” and “reasonably possible” in AS 5 (i.e, Point B in the above diagram).   Blurring terminology adds judgment and cost to financial reporting while providing no discernible purpose that is consistent with the mission of the PCAOB. 

Some may argue that quantitative probability thresholds constitute bright-line rules that are contrary to the notion of principles-based standard setting.  This is wrong, because weaselly wording runs contrary to  normative economic principles on the application of judgment in decision making.  These overarching principles require that subjective probabilities be quantified.  These principles have been widely applied for generations, taught in all accredited schools of business and accounting (Managerial Economics 101), and incorporated into more recent accounting standards. 

Note on recent accounting standards: SFAS 144 on impairment of long-lived assets recognizes that probability-weighted cash flows may be used to test the recoverability of long-lived assets (¶17).  SFAS 109 on income taxes specifies a probability threshold of 0.5 when measuring the deferred tax asset valuation allowance (¶17).  Perhaps most germane is the auditing literature, wherein it is stated in AU Section 350 on sampling, “…the auditor should determine an acceptable audit risk and subjectively quantify [emphasis supplied] his or her judgment of the risk of material misstatement.” (¶20).

Now, let's set FAS 5 aside and speak only of auditing.  The auditor's assessment of risk is inherently quantitative and structured, even though an assessment of materiality may be more judgmental and dependent on facts and circumstances.  Along these lines, the Board’s contention that “evaluation of whether a control deficiency presents a reasonable possibility of misstatement can be made without [emphasis supplied] quantifying the probability of occurrence as a specific percentage or range”  [¶73 of proposed AS 5] runs counter to norms of rational decision making.  Here is an illustrative example of what I mean:

Assume that Point B in the earlier diagram represents the probability 0.4. In the terms of proposed AS 5, this is the lower bound of “reasonably possible.”  Further assume that the auditor determines the materiality threshold for a misstatement of revenues to be $1,000,000.  Therefore, $400,000 (0.4 x $1,000,000) represents the maximum allowable expected misstatement (given that a misstatement is at least reasonably possible) such that an internal control weakness would not be disclosed as material.

The PCAOB is simply wrong to expect an auditor to obtain reasonable assurance for its opinion within the framework of AS 5 without undertaking a process substantially similar to the one described by the above example.   Stated another way, as AS 2 was written, and as proposed AS 5 is currently written, it should be unacceptable for auditors to adopt different threshold probabilities for different clients, or even for different financial statement amounts  (although materiality thresholds may reflect case-specific factors).   The unavoidable conclusion from the PCAOB’s language in these auditing standards is that it should not be necessary, or required, for each auditor and client to come to separate conclusions on each engagement, and negotiate the threshold probability for “reasonably possible.”  Yet, the weaselly specification of Point B is an invitation for such costly and counterproductive negotiations to occur.

Note: To illustrate another problem of logic in AS 5 (some might call this a loophole), consider the following extension of my numerical example: if a particular control over revenues had a probability of misstatement of 0.39, the control would never be reportable as a material weakness even if the resulting misstatement would be significantly greater than $1,000,000.   Thus, thresholds per se in proposed AS 5 lack foundation in principle.

Summary and Looking Ahead

For both FAS 5 and AS 5, probability thresholds can be, and therefore should be, explicitly quantified.  For example, a change from qualitative terminology (i.e., “more than remote” in AS 2, or “reasonably possible” in proposed AS 5) would simplify auditing standards, increase reliability of ICFR audits, and reduce audit and compliance costs.  Such a change would better protect the interests of investors and further the public interest through greater clarity and transparency of auditing and financial reporting.  I know of no reason consistent with investor protection for intentionally blurring the lines with ambiguous language when precise thresholds are feasible.

Looking to the near future, the FASB may soon require recognition at fair value of contingent liabilities assumed in a business combination.  But, how will the FASB specificy which contingent liabilities would be recognized--'probable' contingent liabilities, or some other weaselly-worded standard for recognition? Will a bad accounting rule beget another bad accounting rule?  Indeed, the FASB has long known that FAS 5 is not working (nearly universal understatement of environmental liabilities being just one example), and their stated intention is to consider contingent liabilities as part of the project to revise the conceptual framework. But, don't hold your breath; if improved recognition criteria for contingent liabilities should ever come to pass, it may not be until the year in which both the Cubs win the World Series and the Rangers win the Stanley Cup.