In December 2005, the first time the Public Company Accounting Oversight Board released a special report based on its audit inspections, the topic was internal controls over financial reporting.
After that, all hell broke loose. When the Securities and Exchange Commission learned about how inept and costly a job auditors were doing under AS2, the PCAOB’s internal-controls standard, the SEC pushed the accounting board to revise, and then replace, the rule.
The issue was — and continues to be — a huge flashpoint in the regulation of auditors. The SEC had been using the audit standard as a default guideline for its own enforcement of Sarbox 404, the internal-controls provision for corporations. When the commission found AS2 sorely lacking, it came out with its own proposed guidance and pushed the PCAOB to replace the auditing rule. The oversight board will decide whether to enact its resulting plan, AS5, after a public comment period closes on February 26.
Now the PCAOB has come up another report like the one that preceded the internal controls dust-up. On Jan. 22, when the board issued the 4010 report, as it’s called, the issue was fraud detection. What’s more, it plans to hold a February 22 panel discussion on forensic audits that will focus on fraud detection. Can a brouhaha about auditor failures in that area be far behind?
Certainly, many of the fraud report’s findings have raised eyebrows. The oversight board inspectors observed that auditors were taking some alarming shortcuts in their overall approach to detecting client finagling. The board’s inspectors also ripped auditors in specific areas, reporting failures in such areas as brainstorming fraud risks; responding when things seem risky; digging into financial misstatements; and detecting larcenous urges in management overrides of controls.
Senior financial executives should watch out for the ripple effect. If the PCAOB does go after auditors with a heavy hand, corporations could end up paying mightily. For instance, the PCAOB’s February 22 panel will ponder whether the board should mandate regular forensic audits every three or five years, say. That would add huge fees to companies’ current audit bills.
The panel will also discuss cheaper alternatives: requiring forensic audits on a random basis or having shareholders decide how much fraud detection they want to pay for. Not surprisingly, those proposed mandates stem from the executive suites of the six biggest accounting firms. The PCAOB cites a November 2006 report by the CEOs of the firms as the source of the ideas.
On the other hand, the first order of business for audit firms may be for them to clean up their own acts, some experts suggest. Indeed, the PCAOB wouldn’t have cited the failings it did in a 4010 report if the board thought they didn’t indicate major gaps in client fraud detection at some firms, Douglas Carmichael, who served as the PCAOB’s first chief accountant, told CFO.com recently. “It does indicate a serious problem,” he says.