ACFE: Proposed standard on 404 falls short on fraud

by Glenn Cheney

Austin, Texas — The Association of Certified Fraud Examiners claims that the Public Company Accounting Oversight Board’s proposal on internal controls will do little to prevent or detect fraud.

“We are concerned that Section 404 of the Sarbanes-Oxley Act includes specific requirements for internal controls related to the prevention, identification and detection of fraud, yet there is very little specific guidance in the Council of Sponsoring Organizations of the Treadway Commission framework for evaluating internal control,” said Toby Bishop, president and chief executive officer of the ACFE. “People are being asked to perform a task where there doesn’t appear to be sufficient specificity of the requirements and criteria for evaluating operating effectiveness.”

Section 404(b) of the Sarbanes-Oxley Act, as well as Section 103, directs the PCAOB to establish professional standards governing the independent auditor’s attestation to, and reporting on, management’s assessment of the effectiveness of internal control. The board’s proposal is not valid until approved by the Securities and Exchange Commission.

The standard that the PCAOB approved March 9 makes scant reference to fraud. Its 195 pages include just three paragraphs on fraud considerations and a list of five areas of related internal control. With regard to fraud, the approved version is little different from the version proposed for public comment in October 2003. The changes are matters of wording, with one sentence removed from the original proposal: “However, the auditor should place a special emphasis on the evaluation of such controls in the control environment.”

The standard cites COSO as a source of guidance, but Bishop warned that the COSO document admits its own lack of information. The result, Bishop said, is a big gap in the standards, guidance and measurement processes.

“I don’t see how anyone can complete the task until more guidance is provided,” Bishop said. “A lot of work needs to be done before this can be implemented successfully.”

An unsuccessful standard that allows another major corporate scandal would be devastating to the profession and to the economy, Bishop said, after millions of investors invested trillions of dollars based on their assumption that auditors have adequately tested internal controls.

The board received 193 comment letters on the proposed standard. The ACFE did not write one, but it had contributed recommendations prior to the PCAOB’s issuing its proposal.

The American Institute of CPAs wrote that it agreed that fraud by senior management is a serious issue. It did not believe, however, that auditors should be responsible for identifying fraud of any magnitude. The institute also did not believe that fraud of any magnitude would necessarily constitute a significant deficiency or a material weakness, particularly in situations where the company’s controls uncovered the issue.

The institute’s letter did not recommend better guidance on auditing internal controls for susceptibility to fraud.

Chuck Landes, AICPA director of auditing and attestation, said that, while the AICPA supports the SOX requirement and the PCAOB’s proposed standard to audit or attest to the effectiveness of internal controls over financial reporting, these still do not deal with the major cause of many major frauds: management override of internal control.

“Part of the problem is the criteria that you audit against,” Landes said. “It’s very helpful, in fact essential, to have a strong control environment including a code of conduct, the proper tone at the top and, clearly, all those things help. Testing for these things will help, but it still doesn’t get to the root of the whole idea of management override because, by definition, management override is going on outside the area of internal control. If you only test internal control, you’re not getting into all the things going on behind the curtain.”

Landes cited the Auditing Standards Board’s Auditing Standard 99, on auditing for fraud, as an example of a standard that directs auditors to go beyond tests of internal control to look for evidence of management override.

“The PCAOB standard is good, and we certainly support it, but we believe that more work needs to be done on the issue of management override,” Landes stated. “Our Anti-Fraud Program and Control Task Force is currently doing that.”

The Institute of Internal Auditors wrote that public auditors should be allowed to rely on competent internal auditors to detect fraud. It suggested, however, that, when appropriate, internal and external auditors should avail themselves of the expertise of professionals whose primary responsibility is the detection and investigation of fraud.

Warning of audit fees increasing by 30 percent to 50 percent to meet the proposed requirements, Financial Executives International wrote that “the work required by the final standard should be focused on the significant issues, such as business risk and fraud prevention and detection.”

FEI also felt that the standard would go too far in requiring auditors to evaluate all controls addressing the risk of fraud. The letter recommended that auditor judgment of the degree of risk of fraud, based on experience with and knowledge of the client, should be allowed.

The ACFE’s Bishop agreed that the criteria for testing internal control were not a total solution. He referred to the requirement that companies have codes of ethics. An auditor might verify that a company had such a code, or even that employees had signed confirmation that they had read it. But would that, he asked, indicate that the company had the right “tone at the top,” a real management commitment?

More specific guidelines, he said, might require auditors to conduct a confidential survey of employees about their perceptions of the tone at the top and the presence of fraud. The guidelines might require comparison with a benchmark or results at other clients.

Such a survey might result in a “fraud risk rating” for a given company, but that grade would disappear in the auditor’s “pass-fail” approval of the company’s internal controls.

The ACFE objected to the limitations of that approval.

“It would be so much more valuable to investors if we had a fraud risk rating system similar to the bond ratings that would allow auditors to communicate to investors the quality of a company’s anti-fraud programs and controls,” Bishop said. “That would enable investors to take higher risks, if they wished to, in exchange for a higher investment return.”

That, Bishop said, would be one way for the auditing profession to climb out of the “liability hole” that it has been in for a number of years with respect to fraud, while simultaneously giving investors much more useful information that they could use to take action based on their own fraud risk tolerance.
