.jpg)
Transparently collaborated with guest writers Bob Conway and Joe Howie in a series of op-eds on audit quality and regulatory capture. Neither author was paid to write for us and their views are their own.
In our series:
SEC Focus on capital formation comes at the expense of investor protection
SEC, PCAOB fall victim to regulatory capture: Lessons learned
Can audit committees be counted on to protect investors?
Are the Big Four failing public trust? A Culture of Silence
Are the Big Four failing public trust? The business of assurance
Bob Conway, United States - The three-legged stool has frequently been used as a metaphor for the shared responsibility for reliable financial reporting by management, the auditors, and the audit committee. In our anthology about the protection of investor interests, Germaine Chia from Transparently.AI, former Big Four audit partner Joe Howie, and I have focused on the auditors and audit committees. This article speaks to whether management can be counted on to protect the interests of investors.
The positives coming out of the Sarbanes-Oxley Act of 2002
Management has always been responsible for the preparation and accuracy of the financial statements. However, pre-SOX, many companies did not fully embrace that responsibility. For the less responsible issuers, the mindset was “If we can get the auditors to sign off on the financial statements, then the financial statements must be good, right?” For the most aggressive issuers, the mindset was, “What is the most we can get away with?”
The Sarbanes-Oxley Act did a lot to set the record straight. Most notable are requirements in SOX sections 302 and 906 that require the CEO and CFO to personally sign certifications covering the financial statements, internal controls over financial reporting, disclosure controls and procedures, and the absence of any untrue statement or omission of any material fact in the applicable 10-K or 10-Q. Willfully signing false certifications can lead to a maximum fine of $5 million and a potential prison sentence of up to 20 years.
Sarbanes-Oxley also introduced the first federal law requiring, in some situations, the claw-back of bonuses, equity-based compensation, and profits from stock sales during the 12-month period following the filing of misstated financial statements that were subsequently restated. These provisions were expanded under the Dodd-Frank Act. Today, the employment contracts of many executives include claw-back provisions.
Sarbanes-Oxley also mandated that the SEC make various improvements to the auditor independence rules which, among other things, identified various prohibited services that auditors could no longer provide to public company audit clients. Gone (at least theoretically) are the days when public company management could ask auditors for help in deciding applicable GAAP. Ideally, this means the public companies prepare the financial statements (including the analysis of any technical applications of GAAP and the position taken) and the auditor audits. This is intended to keep the auditor from auditing their own work. In a similar manner, public companies are responsible for internal controls over financial reporting and the auditor separately reports on ICFR.
Sarbanes-Oxley also prohibited public companies from retaliating against employees who were blowing the whistle. Years later, the Dodd-Frank legislation gave rise to the SEC’s current day whistleblower program that, under the right circumstances, provides monetary rewards to whistleblowers.
The SEC also took on the fight against earnings management
Through its enforcement actions in the 1990s, the SEC observed that some companies were intentionally recording small errors to manage earnings. In some cases, multiple small errors were collectively significant and the misstatements were masking trends or hiding volatility. To address this problem, in 1999, the SEC issued Staff Accounting Bulletin 99 titled “Materiality.” No longer could an issuer or auditor justify not correcting known errors based on the assertion that the error was less than a quantitative measure of materiality (i.e., five percent of pre-tax income). SAB 99 also requires the consideration of qualitative measures. For instance, does an uncorrected error enable management to meet analyst expectations or achieve a level of earnings that affects management bonuses? SAB 99 also stated that, in certain circumstances, intentional immaterial misstatements are unlawful.
What could possibly go wrong?
Stock options and performance-based incentive plans can undermine management judgment when preparing the financial statements. In some instances, there is the potential for executives to achieve life-changing wealth. The pressure from analysts and investors to “hit the numbers” can also be intense. The Fraud Triangle (Pressure, Opportunity, and Rationalization) is always lurking nearby.
Some CEOs perceive their role as “driving subordinates to maximize their performance.” That’s fair, but this is where CEO signals can get crossed, either consciously or unconsciously creating an atmosphere of fear. Edicts like, “We have to hit our earnings targets” can be misinterpreted to mean “Do whatever it takes to hit the numbers, including cooking the books.” Proper tone at the top is enormously important. Poor tone at the top can drive a company off the rails.
The SEC’s 2019 settlement order against Hertz found that “inaccurate reporting occurred in a pressured corporate environment that placed improper emphasis on meeting internal budgets, business plans, and earnings estimates.” Hertz paid a $16 million penalty. The SEC’s 2020 settlement of an enforcement action against the CEO required the claw back of $2 million in bonus and other incentive compensation under the Sarbanes-Oxley Act claw pack provisions and the payment of a $200,000 civil penalty.
inaccurate reporting occurred in a pressured corporate environment that placed improper emphasis on meeting internal budgets, business plans, and earnings estimates
There is no shortage of actions a company can take to make up for a shortfall of actual GAAP results relative to the earnings projections given to analysts and investors. Methods to make accounting estimates can be altered in ways that are inconsistent with prior periods but yield more favorable results. Cookie jar reserves can be bled down to make up for shortfalls from analyst’s expectations. Recent SEC enforcement actions of this nature include Rollins (2022), Healthcare Services Group (2021), Gentex (2023), and Roadrunner Transportation (2022-2023). There are also operational actions (like accelerating shipments scheduled for later dates) that can distort the comparability of the financial statements without making appropriate disclosure (Under Armour). There are individually immaterial intentional misstatements that can be spread across many accounts across many subsidiaries that collectively have a material effect on reported results (a la Toshiba). Recently, Archer Daniels Midland used inter-segment transfer pricing to make the results of its higher multiple, growth segment look more promising. Lastly, there is the “make up fictitious assets” approach used by companies such as Madoff Investment Securities and Sino-Forest.
Despite all the improvements stemming from Sarbanes-Oxley and Dodd-Frank, investors are not out of the woods. Blind reliance on management to protect the interests of investors is not a reliable strategy.
Where were the auditors?
Hindsight is always 20-20. And yes, auditors only provide reasonable assurance. Plus, there is a degree of complexity in sorting out many of these situations. But I am not giving the auditors a pass. In my first article in this series titled “SEC Focus on Capital Formation Comes at the Expense of Investor Protection,” I described how the audit firm staffing model is a mismatch for the complexity that auditors are expected to master. Firms permitting excessive workloads, high turnover, low experience levels, low year-over-year continuity, and inadequate supervision and review (also a product of heavy workloads at the partner and manager level) put their auditors at a disadvantage. Time pressures compound the staffing issues. Detecting earnings management and fraud requires more experienced people on the front lines who are knowledgeable about the industry, the history of fraudulent financial reporting, and what can go wrong.
Audit professionals also need a strong sense of professional skepticism. As I also discussed in my first article, professional skepticism can be undermined by leadership pressure to retain the audit client. Rather than forcing the issue, some may rationalize comfort in finding a liability that may be overstated or other errors in the conservative direction, especially when discovered late. “Leaving it be” can be a dangerous game.
The audit firms point to improved data analytics and artificial intelligence as dramatically improving audit quality. That may be. But at the risk of stating the obvious, we still need people to operate the tools, interpret the results, and properly react to the results. Regulators have observed significant risk and instances of firm overreliance on technology. As long as the audit professionals are conflicted by things like pressure to retain the client and pressures to achieve profit targets on individual audits, we will continue to be disappointed that auditors either 1) didn’t identify a significant problem or 2) they identified the problem but caved under the web of conflicts that overwhelmed professional skepticism and reasonable judgements.
The stakes are high
It is widely acknowledged that valuations are high in today’s markets. In the AI space, there is enormous competition and a huge need for capital. Not everyone will be winners. Companies slipping behind in this life and death battle may feel pressure to fudge the books when facing the choice of getting the next round of financing or coming up empty-handed, out of cash, breaching covenants or defaulting. This life and death battle is not applicable to just the AI race. This is how capitalism works. It is a competition based on the survival of the fittest.
The “going concern” evaluation is not solely an auditor responsibility. US GAAP (ASC 205-40) requires management to make a similar evaluation. If substantial doubt about the entity’s ability to continue as a going concern exists, management must disclose that to be the case. The SEC would also expect discussion of such risks in MD&A. How good is management at making such disclosures? I don’t have direct data on that, but I can tell you something about the auditor’s track record. Academia tells us that from the beginning of the Great Recession through 2015, roughly 30% of the US public companies that failed had clean audit opinions. So don’t count on management to tell you everything you need to know.
