Careers
SubscribeRemarks of Chief Auditor Thomas Ray
Good afternoon. I am very pleased to have this opportunity to speak with you at this important conference. I would like to thank Norm Strauss for extending the invitation.
This is, once again, a great conference. Leaders in the accounting profession are addressing many important topics, some of which I plan to comment on, including complexity in financial reporting. There are two other topics important to me that I have been spending a lot of energy on lately, that I also would like to address today. These topics are internal control over financial reporting and fraud.
I am happy to see a large number of accounting students at the conference today. Much of what I will talk about can be included under the broad category of the obligation to society you accept when you decide to enter the accounting profession.
Disclaimer
Before I go further, I have to note that the views I express are my own, and do not necessarily reflect the views of the Board, members of the Board, or other members of the Board's staff.
Internal Control Over Financial Reporting
I would like to start with internal control over financial reporting, and the Board's current efforts in this area.
One of the Board's first tasks was to adopt an auditing standard to implement the internal control reporting provisions of sections 103 and 404(b) of the Sarbanes-Oxley Act. My colleagues and I began working on this project soon after joining the organization in mid-2003, and the Board adopted Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, in March of 2004.
Following the subsequent approval by the SEC and implementation of that standard, there was a substantial public discussion about whether the costs of implementing those provisions of the Act are justified by the benefits. The PCAOB used its resources, including its inspections and public roundtables, to better understand how its auditing standard was being implemented and to help auditors apply the standard more efficiently – that is, to achieve the objectives of the standard with the least expenditure of resources. Significantly, the PCAOB issued a Board Statement and staff Questions and Answers in May 2005, and two reports on the results of its inspections.[1]
In May of last year, the PCAOB committed to a four-point plan to further improve the implementation of those internal control reporting requirements, which includes amending Auditing Standard No. 2. And, in December, the Board proposed a new auditing standard that would replace AS 2.
There is no doubt that one of the Board's objectives in making its proposal is to help auditors perform integrated audits of financial statements and internal control over financial reporting more efficiently. By incorporating into the auditing standard important elements from the Board Statement and staff guidance issued in May of 2005, such as the top-down approach and an enhanced focus on risk, and making the auditing standard leaner, and more "principles-based," I am optimistic that auditors will be able to focus less effort on areas of less risk.
In fact, in a recent report, issued on April 18, 2007,[2] the Board reported that progress was made – and that further improvements can be achieved – in each of four areas addressed in the Board's May 2005 publications: integrating the audits of financial statements and internal control; using a top-down approach; assessing and responding to risk; and using the work of others.
In proposing the new standard that would replace AS 2, the Board also stated its objective to focus the audit on the matters most important to internal control. I will describe three areas that I believe fall into that category: the control environment, the period-end financial reporting process, and anti-fraud controls.
Tone at the top
Perhaps nothing is more important to the effective functioning of a company's internal control than the control environment, including the tone at the top of the organization. COSO describes the control environment as the foundation for all other components of internal control, providing discipline and structure. I will focus today on just three aspects of the control environment that I believe companies and their auditors should be evaluating.
- Does management's philosophy and operating style promote effective internal control over financial reporting?
- Are sound integrity and ethical values, particularly of top management, developed and understood?
- And does the Board or audit committee understand and exercise oversight responsibility over financial reporting and internal control?
Other aspects of the control environment also are important to the effective functioning of a system of internal control. The tone set by top management and appropriate oversight by the Board or audit committee, however, are key factors, in my view, to implementing and sustaining effective controls.
The period-end financial reporting process
AS2 defined and highlighted the period-end financial reporting process and that process also is an area of focus in the proposed internal control auditing standard.
The period-end financial reporting process is high-risk. In many companies, it is an area full of opportunity to manipulate the financial results. Accordingly, it is an area in need of the auditor's focused attention.
Fraud
Financial reporting fraud also is one of those most important matters. The proposed standard specifically focuses more attention on controls that would address the assessed risk of misstatement caused by fraud and controls that address possible override of other controls by management. Questions management and auditors should think about include –
- What controls are there over journal entries and period-end adjustments?
- What about significant or unusual transactions and significant management estimates?
Seize the day
Today's events present another significant opportunity for our profession to improve the reliability of financial reporting. The enhanced flexibility in the proposed internal control auditing standard should allow auditors the ability to appropriately refocus their attention on the controls that are most important, the ones that will result in the most benefit. The resulting improvements in internal control will further enhance the reliability of financial reports which, in turn, will inspire increased confidence in the financial reporting process.
Let's also not forget that focusing on what is important is something we can do right now and I encourage companies and auditors to do so. There is no need to wait for the PCAOB and the SEC to complete our internal control projects.
The comment period on the proposed standard closed at the end of February, and we received over 170 letters of comment. Overall, we received much support for the proposal, and also a lot of helpful and insightful recommendations.
We currently are working closely with our colleagues at the Securities and Exchange Commission to make sure our standard and their proposed guidance to management of public companies will work together effectively, and we expect to adopt a final standard no later than the middle of June.
Complexity
I will now move on to my next topic, complexity in financial reporting.
There is much talk these days about complexity in our financial reporting system and, indeed, you will have the pleasure of hearing more of that talk this afternoon. I don't intend to front-run my professional colleagues on this afternoon's panel and I recognize that I put myself at some risk speaking in advance of such a distinguished group. I would like to say a few words about this subject, though, because it is related to several of the other subjects I am speaking about today.
I am thinking about complexity today in the context of a stated desire by many in the financial reporting community to move to a more "principles-based" accounting framework. How can we get there?
There are two areas that are particularly relevant to me as an auditing standards setter and overseer of public company auditors: judgment and fairness.
Professional judgment
I hear, on a fairly regular basis, pleas that good faith judgments ought not to be "second-guessed" and that there is too much second-guessing going on. From the sound of it, one might conclude that we are a profession of "secondguessers."
To my ear, "second-guessing" is a pejorative phrase, and implies that one is questioning a judgment in hindsight simply because he or she can. On the face of it, that kind of behavior does not seem productive, in that it might discourage the exercise of judgment in the first place.
That does not mean, however, that we should not evaluate important judgments made in the financial reporting process. I see an important distinction between mere "second-guessing" and appropriate evaluation.
Professional judgment permeates the financial reporting process. It must be exercised by financial management in preparing financial statements, by auditors in auditing those financial statements, and by regulators in evaluating whether management and the auditors are fulfilling their responsibilities. Importantly, investors and other financial statement users rely on the fact that people are evaluating the important judgments underlying those financial statements.
Professional judgment is the most important resource the auditor brings to bear in an audit of financial statements and internal control. There is no audit tool more effective than the appropriate application of seasoned professional judgment – to determine the work that must be done in the circumstances and to evaluate the resulting audit evidence.
An essential element of an audit is to evaluate the judgments management has made in selecting accounting policies, interpreting the accounting literature, making decisions about disclosure, and summarizing financial information into financial statements.
Similarly, an important element of PCAOB inspections is to evaluate the significant judgments made by the auditors, and whether they have performed sufficient procedures to obtain the evidence necessary to support those judgments.
Good faith in making a professional judgment is essential, but it is only one part of the equation. We expect professionals, be they members of management or auditors, to exercise their judgment with honesty. It also takes diligence. Was due care exercised when making the judgment? Did the auditor obtain the evidence necessary to make an informed judgment and did he or she exercise appropriate professional skepticism?
Also, are they good judgments? That is, are they reasonable and reflective of the evidence available at the time? Do they reflect the insights and experience of a seasoned professional? Are they unbiased and, in the case of auditors, independent?
Finally, good judgment is more than saying that I can do something because nothing says that I cannot, or that I found a loophole, and therefore it is OK.
It is important that all the players in the financial reporting process foster an environment that will encourage financial statement preparers and auditors to exercise sound, fair and unbiased judgment. That will be necessary for us to move to a more principles-based approach to accounting and auditing standards. I am confident that we can do this in a reasonable and appropriate manner, and not become mere "second-guessers."
Fair financial reporting
The other area related to complexity I want to address is fairness in financial reporting.
The auditor's standard report on the financial statements includes an opinion as to whether the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles. Note how the opinion does not express mere compliance with generally accepted accounting principles. The focus rightly is on the fairness with which the financial statements present the company's financial position, results of operations, and cash flows.
Under current U.S. generally accepted accounting principles there is, in many cases, a range of answers as to how to measure, recognize and disclose a particular transaction or event. Financial statements also are full of estimates. These conditions therefore require management and auditors to exercise judgment in preparing and auditing financial statements. If accounting standards move to be more principles oriented, rather than rules-based, it is possible that the range of answers that seemingly comply with those standards will increase, putting even more pressure on the use of good judgment to present investors a fair picture.
It will continue to be important – perhaps even more so – to apply the fairness principle. Management should evaluate whether the company's accounting policies, and the application of those policies, most fairly presents the results of the company's activities in accordance with the accounting framework.
The auditor should approach his or her evaluation of the financial statements in a similar manner. In fact, the auditing standards require the auditor to make a judgment as to whether the accounting principles selected and applied have general acceptance and whether the accounting principles are appropriate in the circumstances.[3] When making that evaluation, the auditor also should consider whether the substance of transactions or events differs materially from their form.[4]
For a principles-based accounting regime to succeed, we will need both of these elements I have just addressed: sound professional judgment and a commitment to prepare the financial statements in a way that most fairly represents the company's financial position, results of operations and cash flows.
Fraud
And that brings me to fraud – specifically, fraudulent financial reporting.
Fair financial reporting is essential to the functioning of our capital markets. Every public company has a duty to its investors and other users of its financial statements to prepare financial statements that are fairly presented.
As long as there is greed, and other human failings, however, there is a risk that management will not act in accordance with that duty.
There is, as you know, a specific auditing standard, Statement on Auditing Standards No. 99, The Auditor's Consideration of Fraud in a Financial Statement Audit, that addresses the auditor's obligation to plan and perform the audit to obtain reasonable assurance that the financial statements are free of material misstatement caused by fraud. It establishes a practical, risk-based approach to detecting such misstatements and specifically directs the auditor's attention to areas at higher risk of fraud, such as revenue recognition, journal entries and accounting estimates.
Because of the importance of the auditor's responsibility for fraud in an audit, the Board's inspectors have focused on auditors' implementation of SAS No. 99. On January 22, 2007, the Board issued a report in which it identified certain observations made in the course of the Board's inspections that are sufficiently important, or arise with sufficient frequency, to warrant discussion in a public report.[5] It is my hope that this report, and others like it, will help focus auditors on being diligent about the matters addressed.
The observations suggest a need for improvement and I am going to quickly summarize some them.
- Auditors often documented their consideration of fraud by merely checking off steps on a checklist. Specifically, there was a lack of documentation with regard to the actual performance of certain of the procedures outlined in those checklists and programs. In larger audit teams this also raises the question as to how senior members of the teams supervised and reviewed the work of assistants.
- The brainstorming session required by SAS No. 99 was not always held, was not held on a timely basis, or excluded important members of the audit team.
- Some auditors failed to appropriately respond to identified fraud risk factors.
- Some auditors failed to accumulate all identified audit differences, thus rendering the summaries of differences incomplete. This makes it difficult or impossible for the more senior members of the engagement team to evaluate whether misstatements are indicative of fraud.
- Some auditors failed to perform adequate procedures to address the risk of management override of controls.[6] This includes failures in testing journal entries and in evaluating management's assumptions and other aspects of accounting estimates.
I encourage you to read the report because I think it will help you to better understand some of the specific ways in which auditors should improve their work in this important area.
I would like to elaborate on some of the important aspects of the auditor's approach to fraud.
First and foremost, it is essential that the auditor maintain an attitude of professional skepticism during the audit. That is, an attitude that includes a questioning mind and a critical assessment of audit evidence. It means following up on "red flags" and not being satisfied with less than persuasive evidence even though you might believe that management is honest.
The essential elements of SAS 99 are to obtain the information needed to identify the risks of fraud; identify risks that may result in a material misstatement due to fraud; assess those risks; and respond to the results of the assessment.
Importantly the auditor should evaluate whether the specific risks identified relate to specific financial statement accounts and assertions, and respond accordingly. The response might need to be general, including considering whether engagement team members have the right level of experience to address the risks. The response also might need to be specific to certain financial statement accounts and assertions, which might include varying the nature, timing, or extent of the procedures the auditor otherwise had planned to perform.
I have said some apparently negative things about audit checklists and work programs. My point is how they are used and not whether they are used. If used properly, for example, as a tool to remind the auditor about the relevant requirements or to help him or her appropriately focus the work under specified circumstances, they can be very effective.
Current economic conditions
I would like to conclude my remarks with an observation about our current economic conditions. Before I make that observation, however, I want to emphasize that I am not expert economist and I do not intend this to be an economic prediction.
As you know, the economy and stock markets have been quite robust over the past several years. It is possible that some companies are now struggling to keep pace with the growth and profitability they have experienced and reported in the recent past. If that is true, we know from experience the likelihood that pressure will be put on the financial reporting process to make up for shortfalls in operating results.
Management must resist the temptation to try to make things look better than they truly are. And auditors must remain diligent and perform their audits mindful of the risks to fair financial reporting.
Trying to cover up poor, or less-than-expected, performance with false financial reporting, or by ignoring signs that the reported results are inconsistent with reality, is highly likely to make matters far worse. That is a lesson we all need to learn, once and for all.
This, of course, brings us back to the main subjects of my remarks to you today. Accountants play a very important role in our society. Investors are in a position of having to trust the work that we do, and that the financial statements are reliable. We have a duty to them to be diligent, fair and honest.
I urge the financial reporting community to recognize the changes we are making in the internal control reporting requirements as another opportunity to strengthen financial reporting processes and controls, to inspire more confidence in the financial reporting of public companies, and to better serve the interests of investors and other users of public company financial statements.
Thank you for your attention. I look forward to the rest of the conference.
Endnotes
[1] Information received or prepared by the Board in connection with any inspection of a registered public accounting firm is subject to certain confidentiality restrictions set out in Sections 104(g)(2) and 105(b)(5) of the Act. Under the Board's Rule 4010, however, the Board may publish summaries, compilations, or general reports concerning the results of its various inspections, provided that no such published report may identify the firm or firms to which any quality control criticisms in the report relate.
[2] See PCAOB Release No. 2007-004, Report on the Second-Year Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, at http://www.pcaobus.org.
[3] See AU sec. 411.04.
[4] See AU sec. 411.06.
[5] See PCAOB Release No. 2007-001, Observations on Auditors' Implementation of PCAOB Standards Relating to Auditors' Responsibilities with Respect to Fraud, at http://www.pcaobus.org.
[6] See, for example, AU sec. 316.57, which directs the auditor to perform certain procedures in response to the risk of management override.