Changes in the Regulatory Environment
and their Effects on Audits and Auditors
Peggy Wood, CPA
Professional Standards Partner at Grant Thornton LLP and
President of the New York State Society of Certified Public Accountants
May 9, 2011
Peggy Wood is a Financial Services Professional Standards Partner at Grant Thornton LLP.
Ms. Wood has 21 years of public accounting experience and three years of internal audit experience. Since joining Grant Thornton in 1996, she has worked with financial services clients, as well as clients in the real estate and leasing, manufacturing, retail and distribution, and technology industries.
Ms. Wood joined the New York State Society of Certified Public Accountants in 1985. Since then, she has served as Chair of the Financial Accounting Standards, Auditing Standards and Procedures and Retail committees; a member of its Board of Directors and Executive Committee, including Vice President, President elect, and President for the 2010-11 fiscal year.
Ms. Wood has also been a member of the Society's Securities and Exchange Commission Practice, Quality Enhancement Policy, Advancement of Women in the Accounting Profession, Nominating Committee, and Accounting and Auditing Oversight.
She is a member of the American Institute of Certified Public Accountants (AICPA). She is a Certified Public Accountant in 6 states--Connecticut, Illinois, Massachusetts, New Jersey, New York and Pennsylvania.
Ms. Wood earned a Bachelor of Science degree from SUNY Plattsburgh in Plattsburgh, NY, and a Master of Business Administration degree from Fordham University.
Changes in the Regulatory Environment and their Effects on Audits and Auditors
I am very honored to have been asked to participate in the Emanuel Saxe Distinguished Lecture in Accounting series here at Baruch. This year the New York State Society of CPA's is giving the Emanuel Saxe Outstanding CPA in Education Award to Professor Samuel Dykeman. I would like to congratulate Professor Dykeman and thank him for his 40 years of service to the profession and to instructing, helping and developing students.
As I look out on this audience I see seasoned audit professionals and those who are embarking on a career in accounting and auditing.
Who are auditors?
Most people think of an auditor as the auditing firm that issues an annual report on financial statements of companies, partnerships, funds, not for profits, or retirement plans. The term auditor does not only apply to members of public accounting firms. There are also internal auditors who work for companies and government auditors. Government auditors work for government regulators and, depending on the organization they work for, perform examinations of compliance with regulatory rules of government agencies; similar to an internal auditor, they perform examinations of compliance with regulatory rules on public or private entities, or examinations of work performed by accounting firms in the performance of an audit, review or examination.
One thing is certain the landscape and regulations that we see today is not the same one that will be here in 5 or 10 years from now. The bar is consistently being raised. One thing is clear there is still an expectation gap of what the public thinks an audit is and what the term audit really means.
Let me digress, with one short story-when I visited my parents not quite a year out of college and still in my first year as an auditor, my mother informed me a fraud had been discovered at one of her local grocery stores. The fraud amounted to $100,000, involved 3 individuals the store manager, assistant manager and head cashier, and had taken place over 10 years. The store operated 3 shifts each day and during the day they operated up to 8 registers. My mother wanted to know why the auditors had not found the fraud. I read the article in the paper that she showed me. The store operated 24 hours a day 7 days a week. There had been no rotation of personnel until shortly before the fraud was found. The fraud was found because one of the three individuals involved was transferred and the individual was no longer going to be included in the take. This individual blew the whistle on the other two. My mother's expectation was that every fraud should be found by the audit. The local grocery store was part of chain throughout the southwest United States with over 200 stores. I tried to explain materiality, unsuccessfully. However, when I explained to her my hourly billing rate as a staff associate, the cost of one or two staff for a week, plus a supervisor, she began to understand the scope of the work needed to find this particular fraud in the days before portable computers. This chain did have a store audit function and a daily sales audit function that looked for shorts, voids and series of missing register numbers. Nothing was outside of the norm that had been established. There were no red flags.
We heard the same story but on a larger scale with more recent frauds such as Enron, WorldCom, and Madoff. There are others that we hear of in news programs such as American Greed, Dateline, 60 Minutes or just on the news. Some of these involved auditors, some did not. However, we heard "Where were the auditors and where were the regulators?"
So where were the auditors? In some cases an audit was performed. Questions were raised of the quality of the work performed. In the case of Madoff, a local firm with only one client and one auditor was responsible for the audit of Madoff. The firm was in over its head to perform an audit as complex as Madoff. Enron was audited by Arthur Andersen. There are books on the subject of what happened here, including the destruction of audit workpapers and the downfall of Arthur Andersen. WorldCom was also audited by Arthur Andersen – among the issues included revenue recognition, reserves and improper recognition of expenses as capital investments.
As a result of each major scandal or failure in the system the government has responded with new regulations. If I go back to the 1929 "stock market crash and bank failures", the response by government included the formation of the Securities and Exchange Commission (SEC) and bank regulation, including the Federal Deposit Insurance Corporation (FDIC).
The 1980's saw the failure of the S&L (Savings and Loan) industry. This was met with increased regulations in the industry and new rules, including changes to required reserves and allowance requirements.
Enron, WorldCom and other frauds of early 2000's resulted in the Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act (SO) included the requirement of control reporting by the management of public issuers, and the formation of the Public Company Accounting Oversight Board. Auditors of public filers were required to register with the Public Company Accounting Oversight Board, and were subject to review by the PCAOB. The first Chief Auditor of the Public Company Accounting Oversight Board was Professor Douglas Carmichael. The PCAOB was charged with standard setting for audits by registered accounting firms of public filers, inspection of registered firms and enforcement. Initially the implementation applied to public issuers and non public broker dealers that file with the SEC. Multiple extensions of initial implementation were granted to non public broker dealers. The last extension was granted in 2006 extending the delay until years beginning after January 1, 2009.
The PCAOB adopted the standards of the American Institute of C.P.A.s as of April 2003 as interim standards. Since then the PCAOB has issued 15 standards, but more on that later.
Next was the 2008 financial crisis, burst of the housing bubble, falling prices in the housing market, loan defaults, and financial bailout. Questions we heard from the public: Where were the auditors before 2008? Weren't there audits at year ended 12/31/2007? Why were the large financial houses given clean opinions in 2007 and no flags raised prior to the fall and merger of Bear Stearns, or the fall of Lehman? Why were the large banks and financial houses permitted to have these underlying problems? Why didn't the auditors raise the alarm that financial community was on the brink of disaster or that the housing market was about to burst? Why didn't the auditors see what was just around the corner? Why didn't they warn us? Also asked was, "Where were the regulators? Weren't the regulations supposed to prevent this type of thing from happening?"
Why did Bear Stearns need to be bailed out and merge with JP Morgan Chase? Was this a onetime only occurrence? The answer was no as Lehman Brothers was allowed to fail. The federal government entered into a bailout of large financial institutions and mergers occurred as faith in the financial markets was shaken involving names such as Merrill Lynch, Morgan Stanley, Washington Mutual, Wachovia, Citibank, Bank of America and AIG among others. Also, don't forget about Fannie Mae and Freddie Mac.
Let me stop here and talk briefly about who the regulators are.
Who are the Regulators?
Today there are federal regulators and state regulators. Some of these regulatory agencies have been mentioned above and include the SEC, FDIC, CFTC (Commodities Futures Trading Commission), Federal Reserve, OCC (Office of the Comptroller of the Currency), OTS (Office of Thrift Supervision), NCAU (National Credit Union Administration), SIPC (Securities Investment Protection Corporation), HUD (U.S. Department of Housing and Urban Development), Comptroller of the United States, and the U.S. Department of Labor, among others. In addition there are state regulators, including the regulators over banking and insurance, as well as attorneys general, and state controllers. FINRA(Financial Industry Regulatory Authority) is a regulatory agency established by New York Stock Exchange and NASDAQ Stock Market to monitor enforcement of exchange rules and regulations.
Who regulates the auditors?
Public accountants/auditors are regulated by the State Boards of Accountancy that grants licenses to practice accountancy in their states. Some states, such as New York, also require individuals in Industry who were originally licensed as a CPA, and now use the skills and competencies of a CPA to be a licensed as a CPA. CPA's in Industry and Tax are subject to regulation, including the ethics rules of the State of New York and the requirement to take CPE. Failure to comply with the issuing state's rules and regulations can result in the suspension or termination of privileges to practice accountancy in the state.
In addition to the state, auditors and audit firms are subject to regulation by the AICPA, that sets the auditing standards for non public entities, and the PCAOB. Both the AICPA and PCAOB have issued ethics rules which auditors and accounting firms are required to follow. In addition the PCAOB and AICPA both have programs to review firms that are issuing audit opinions. The PCAOB's program is called inspection, and occurs once every three years, except for firms with more than 100 filers, that are inspected every year. The program is conducted by Inspectors who are employees of the PCOAB. This year the PCAOB will expand its program to include non public broker dealers for the first time. The PCAOB's report, except for the non public broker dealers, includes a public and a non public part. The public part is published on the PCAOB's website and includes the firm's response. The non public part can be made public if the firm fails to correct the problems noted in the next review or has not made substantial progress in fixing the problems.
The AICPA program is called Peer Review. Peer Review is conducted once every three years, by a firm considered to be a peer of the firm under examination or review. A report is prepared by the reviewing firm. The report is then reviewed by the AICPA Peer Review Committee and a report is issued to the firm. The report is not public. However, some clients do request a copy of the most recent peer review to be provided to the audit committee, board of directors or those charged with governance. Some potential clients request copies of the most recent peer review report as part of the proposal process.
What is the current reaction to what happened in 2008?
The Congress enacted the Dodd-Frank Act. This act was very wide in its scope requiring regulators to create 242 rules, conduct 67 studies and issue 22 periodic reports. The act was aimed at changing the existing regulatory structure. The act created new agencies, such as the Bureau of Consumer Financial Protection, the Financial Stability Oversight Council and the Office of Financial Research. The act also eliminated or merged existing agencies including eliminating the Office of Thrift Supervision and transferring its remaining responsibilities to the FDIC and the Federal Reserve.
Greater powers were granted to existing agencies including review by the SEC annually of ratings agencies; expansion of the liquidation rules, expanding the regulation of the Federal Reserve to regulate a nonbank financial company if a two-third's vote and vote of the chair of the Financial Stability Oversight Council feels that there would be negative effects if the company failed or its activities would pose a risk to the financial stability of the United States.
The act requires the creation of a central clearing and exchange trading for derivatives, and requirement that investment advisors not covered by the Custody Act to register with the SEC, this included advisers with fewer than 15 clients and who did not hold themselves out to the public as an investment adviser. This group included advisers to funds, also known as private funds, including hedge funds and private equity funds. The definition of a client was not the number of limited partners invested in the fund but the number of entities or accounts the investment adviser advised. Each fund counted as 1 client. Also the act lowered the dollar threshold requiring some advisers to deregister with the SEC and register with the state in which the advisers are located in and do business in. The act also includes mortgage reform, prohibiting financial incentives for subprime loans, legislation designed to prevent the too big to fail, and identification of, or a prewarning system on failure.
Where does Dodd-Frank stand now?
The writing of rules and studies and the approval have fallen behind and some of the rules and studies have failed to meet the deadlines set by the law. The missed deadlines include the Treasury report on the future of Fannie Mae and Freddie Mac. Also, missed were the rule deadlines on commodity trading, and executive pay packages. In a recent speech a member of the SEC indicated that the SEC might delay either the requirement to register or the period for adoption of the custody rule requirements for investment advisers with 15 or fewer clients, and for foreign advisers. The issues include the tight time frame permitted under Dodd-Frank and the number of individuals available to work, review and approve the number of rules, reports and studies as well as the required periods for exposure of the proposed rules and comment required prior to approval. Only time will tell what happens, however, a number of these changes/rules will take place in some form or other. Maybe not at the speed originally intended and I am sure there will be changes to some sections of Dodd-Frank as originally intended or written as our political landscape continues to changes. Stay tuned.
What else is going on?
In addition to the response by Congress, changes have taken place in New York. A new accountancy act was passed in New York in January 2009. This act, in addition to modifying the requirements for licensing, included a provision to require Quality Review in New York State. Reviews will be required every 3 years, in accordance with the regulations and rules set forth by New York State. The State Board of Accountancy has established the Quality Review Oversight Committee (QROC) and named 4 out of the 5 individuals to the QROC. The first meeting of QROC is to be held in June. QROC will be responsible for writing the rules for the program that are under regulation. They will also review each of the reports that is generated under this program. Firms that do not comply, or that are found to be in violation of the requirements set forth by the state, can be referred to enforcement.
Increased activity by regulator's compliance auditors
Since 2009 we are seeing increased activity by regulators, including compliance examinations of investment advisers by the SEC's Office of Compliance Inspections and Examinations (OCIE). The examinations have been targeted examinations or sweeps related to trading, whistle blowing or other abnormalities based upon risk factors and examinations of investment advisers who have not been reviewed for 5 years. Advisers who have never been reviewed should be expecting a visit from OCIE soon if they haven't had one. OCIE has indicated in speeches that they have expanded their staff of auditors/examiners and are planning on increasing the frequency of the compliance audits in the future.
We are also seeing more frequent reviews by the bank regulators with special attention being paid to the quality of the loan portfolio and allowance reserves. A number of banks have been downgraded in the past year or two. Where a 2 camel rating used to be average, average is now moving to a 3.
The SEC continues to review the financial statements of public companies. We are seeing continuing comments on fair value, reserves, consolidation and executive compensation.
The PCAOB continues to comment on auditing of fair value, allowances, sufficiency of audit evidence acquired, audit approach taken, including reliance on reports in systems without adequately testing the system generating the report, proposed passed adjustments and assessments of internal control deficiencies.
The PCAOB has issued a group of 8 standards known as the risk standards that are effective for audits of fiscal years beginning after January 1, 2011. Included in this group of 8 standards are standards on audit risk, planning, supervision of audits, materiality in planning and performing an audit, identification of risks of material misstatement, auditor response to risks of material misstatement, evaluating audit results and audit evidence. In addition, the PCAOB is working on developing audit standards for communications with audit committees, confirmations, related parties, specialists, fair value measurements and estimates, requirements when part of an audit is performed by other auditors (principal auditor responsibilities), quality control standards, going concern, and subsequent events. Other projects they are working on are the audit reporting model and audits of broker dealers.
What other issues might affect the auditor?
The Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) are continuing to work on convergence projects. New standards or modifications to existing standards include revenue recognition, lease accounting, goodwill impairment, and investment properties. The project on consolidation includes a separate project on investment companies. These projects are expected to be completed by the end of the 2nd quarter of 2011. FASB is also working on a project on financial statement presentation, which has been delayed. The FASB calendar of projects indicates in a footnote that this is not expected before December 2011.
The Blue-Ribbon Panel on Private Companies issued their report in January 2011. The panel was formed by the Financial Accounting Foundation (FAF), NASBA (National Association of State Boards of Accountancy) and the AICPA. The panel recommended the establishment of a separate standard setting body to produce standards for private companies. The report is available to be read. (1) The FAF Board of Trustees is reviewing the report and will consider the recommendations in the report, as continues its process and consideration of standard setting improvements. The FAF Board of Trustees has indicated they will be reaching out to the community with questions, looking for additional thoughts and that they will expose for comments their decisions.
The AICPA has been working on the clarity project and is also working on standards for interim review for non public companies and comfort letters.
What does all this mean to the auditor?
This is an exciting time to be in the profession. Whether you are in industry, government, or work with a public accounting firm, change is happening all around us. Changes in standards, rules and regulations are coming our way. One thing we do know is that the standards we are using today will be changing, some of them will change in the next year, others may still be in place for a year, two, three, maybe even 5 years from now. The bar is continuing to be raised. The information we need to know keeps expanding. Use of technology will continue to expand by companies and clients as well as by auditors. The public is looking for real time auditing, predictive information, and they are looking to the auditors to protect them.
As auditors, whether in public accounting firms, industry or government, we need to remember to bring our A game. Remember to do quality work. Do our best job, challenge the work we do and the reason for why we are doing things? Is this approach the best way or best practice? And always remember to bring your professional skepticism with you.
How do you see the role of an auditor?
What are your ideas for meeting the expectation gap?
What do see the role of the auditor in the future?
(1). Blue-Ribbon Panel on Standard
Setting for Private Companies. (2011). Report to the Board of Trustees of the Financial Accounting Foundation