During the past few weeks, we have been flooded with countless notices on the advent of a “new audit report.” According to at least one such article, an “extreme makeover” is needed to address growing investor concerns about company performance and Big Four accounting firm (BFA) audit quality. However, any debate over a “new audit report” is a poor use of time, as the solution to accounting restatements and declining audit quality likely resides with corporate management, not the accountants.
And the recent London Whale case provides a clue as to what really may be ailing financial reporting today. The fact that portfolio losses could be hidden in a global financial services firm with the stature of J.P. Morgan Chase is astounding, particularly given the lessons that should have been learned from the Financial Crisis of 2007, and past trading scandals at UBS, Barings Bank, and the like.
As with so many high profile “accounting failures” since the turn of the century, the major problem was NOT really with the accounting, or even the auditors. Sure, both could have been better, but the real culprit in virtually all of these cases was the company itself! And recent investigations appear to confirm the same result in the recent Whale Case: an internal controls failure.
So, exactly what are these things called “internal controls?” Well, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission defined internal control broadly as:
Still not clear? Well, the Center for Audit Quality adds a bit more specificity suggesting that:
All sounds pretty technical and boring, huh? Well, simply put, internal controls are how management makes sure the company’s business model is operating correctly.
Since both managers and investors need timely and accurate information, internal controls over financial reporting (ICFR) in particular have attracted a lot of attention over the past four decades, usually in response to some catastrophic audit failure or accounting collapse:
- The Foreign Corrupt Practices Act of 1977 (“FCPA”) first required public companies to establish and maintain a system of internal control.
- Then, in 1985, the National Commission on Fraudulent Financial Reporting (the Treadway Commission) recommended that COSO develop a common perspective on internal control, which ultimately happened seven years later.
- Finally, the Sarbanes-Oxley Act of 2002 required public company management to annually assess the effectiveness of ICFR, and report the results to the public.
However, an ICFR focus is limited in that it restricts attention primarily to accounting systems that support financial reporting. Consequently, accountants and auditors tend to view ICFR mechanically and procedurally, often ignoring internal controls outside the accounting systems. And that’s a problem!
Lin and Wu note that accounting did not cause recent corporate scandals, management did. The misleading financial statements characteristic of most accounting and audit failures resulted from poor management decisions, often the result of weak or non-existent internal controls. So, making accountants and auditors scapegoats for bad management, masks the real issue.
And just how bad is this internal control problem? Well, if we focus solely on ICFR, it’s pretty discouraging. According to Audit Analytics, management reported ineffective ICFR in almost 20 percent of registrants over the past three years.
And the internal control breaches are not isolated to any one particular area according to Chao and Foote, who researched public company deficiencies between 2004 and 2011.
So, why might this be the case? One major factor just might be the pressure to innovate. In their rush to be perceived as “world class,” companies are striving to create high customer value (i.e., world class effective), through low-cost operating models (i.e., world class efficient). Today’s business leaders routinely label business process reengineering as innovation as they seek ways to grow margins, often through aggressive cost cutting. And frequently the target of cost reduction is middle management, where many internal controls often reside, as noted by Melissa Korn in “What’s It’s Like Being a Middle Manager Today:”
Next, the popularity of inorganic growth strategies (i.e., mergers and acquisitions (M&A)), particularly in the technology, healthcare, and financial sectors, also may have contributed to the breakdown in internal controls. Given the historically high failure rates of most M&A transactions, often due to poor post-merger integration, I would not be shocked to see poor internal controls as an outcome in most of these M&A deals. And recent federal securities class action litigation seems to confirm my concerns about M&A transactions in general, and ICFR.
Finally, there is the sad, but simple truth that far too few of today’s managers really understand what goes into creating and executing a good business model. And key to the effective functioning of a business model’s processes are the aforementioned internal controls over systems and reporting. Managers must not only “talk the talk,” but also “walk the walk,” when it comes to business model details.
And the current situation has the potential for even getting worse. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 exempted companies with less than $75 million in public float from having an auditor report on ICFR. And last year’s Jumpstart Our Business Startups (JOBS) Act legislation also provided disincentives to build solid internal controls. According to Chris Dieterich in a recent Wall Street Journal article:
Proponents of “emerging-growth” company (EG) internal control reporting exemptions claim cost savings that promote business development. The reality is that most EGs simply have no internal controls.
In fact, this Grumpy Old Accountant recalls participating as a staff auditor in a tech company IPO several decades ago. This client’s claim to fame was the development of a “super slow-motion” camera lens that eliminated blur from still pictures taken at sporting events. The hope was that the engineer-owners of the firm would enrich themselves with the rapidly approaching summer Olympics. However, a major IPO hurdle was that the company had no books and records! The owners literally brought grocery bags filled with receipts and cancelled checks into our then Big Eight firm office conference room. From those documents we then constructed and “audited” a set of financial statements for the IPO registration statement. Do we really believe it is all that much different today? I seriously doubt it…
Interestingly enough, a recent governmental report linking exemption from ICFR attestation with accounting errors has not received much press. The U.S. Governmental Accounting Office (GAO) found that the number of accounting errors (i.e., restatements) was higher for companies exempt from auditor attestation of ICFR than for nonexempt companies from 2005 to 2011. As a result, the GAO recommended that the U.S. Securities and Exchange Commission (SEC) require all public companies to disclose whether they obtained an auditor attestation of their ICFR to increase transparency for investors. Is this really too much to ask of companies seeking access to our capital markets?
But there does remains one thorny issue…who can we trust to report on a company’s internal controls? Apparently the BFA are not only poor financial statement auditors, but according to the Public Company Accounting Oversight Board (PCAOB), they also aren’t very good at evaluating internal controls, even after presumably all of the “experience” they gained doing Sarbanes-Oxley 404 work. Or should that work be suspect as well? Should we really be surprised that technical GAAP specialists don’t know a thing about business processes?
So where does all of this leave us? As Albert Einstein said, “ In the middle of difficulty lies opportunity.” Here are a couple of thoughts:
- Given the recent shift to principles-based accounting (i.e., reliance on management judgment), continued decline in BFA audit quality, and the ever-widening “expectations gap,” it may be time to de-emphasize reliance on “audited” financial statements.
- Instead, require ALL publicly traded companies to have a periodic, independent third-party evaluation of their internal control systems, including ICFR. This evaluation would be performed by a non-BFA firms selected by the SEC on a rotational basis, and paid for by the publicly-traded company being examined. Companies could actually lower their review costs by having high quality control systems that might actually contribute to strategy execution.
- The PCAOB could shift the majority of its oversight duties away from evaluating financial statement audits to monitoring internal control evaluations.
This internal controls focus just might end the fruitless debates about auditor rotation, partner signatures, and the like. It also could grow the market for “audits” of internal control systems, and encourage the development of new internal control specialist firms other than the BFA, thus diminishing the current “too few, to fail” concerns of the regulators.
With all of the accounting and auditing problems bombarding us today, we should focus on the common denominator: most accounting errors and audit failures have their roots in the failure of a company’s internal controls. Consequently, management should be held responsible for this crisis in investor confidence, not the accountants. And it sure seems like internal controls are central to earning this confidence. If not, we are left with the old idiom: garbage in, garbage out!