Audit regulators plan to propose new standards in 2008 for how auditors should assess risk, including risk of fraud, as well as how to assess the work of specialists, including those helping with fair-value measurements.
The Public Company Accounting Oversight Board published an updated five-year strategic plan last week that says the board expects to propose the new standards this year and adopt them sometime in 2009. The board also expects to finalize this year a pending standard for how auditors should perform internal quality reviews on audit engagements and some lingering adjustments to auditor independence rules.
The board has long pondered whether and how to write a standard directing auditors on how to assess risk of misstatement, especially the risk of fraud. A report was published by the PCAOB in January 2007 describing how auditors could be more vigilant even within the context of existing standards to seek out evidence of fraud.
As fair value has increasingly taken root in accounting standards— especially with the controversial new standard defining how it should be measured, Financial Accounting Standard No. 157 Fair Value Measurement—the PCAOB has said auditors need to get up to speed on how to audit financial statements reflecting increasing reliance on fair-value measurements. A practice alert was published in December instructing auditors to pay close attention to how fair value is measured.
The board has tasked its Standing Advisory Group during a number of sessions dating back to 2004 with offering views on risk assessments and fraud. More recently, the board has asked the SAG to weigh in on fair value and the use of specialists at sessions in 2006 and 2007.
At the October 2007 session of SAG, chief auditor Tom Ray told the advisory group that the board has heard concerns that auditors are not “consistently effective at assessing risk and then responding appropriately.” He said the board’s inspectors have noted cases where auditors failed to flag and react to fraud risks.
“The staff is evaluating how the auditor’s fraud risk assessment should be integrated with the auditor’s overall risk assessment,” he said. “We believe there is an opportunity to clarify, in the professional standards, this relationship.”
Ray noted that other audit bodies, such as the International Auditing and Assurance Standards Board and the U.S. Auditing Standards Board (an arm of the American Institute of Certified Public Accountants) have revised their risk-assessment standard, affecting the PCAOB’s work. He noted that efforts to rewrite the standard on internal control over financial reporting also “have advanced our thinking on these issues as we determine the appropriate direction.”
On fair value, Ray told the group “we have been evaluating the existing auditing standards on auditing estimates, auditing fair values, and using the work of specialists—all of which are pertinent to the audit of fair value measurements—to determine whether any changes to the Board’s standards or additional staff guidance are needed.” In assessing the use of specialists, Ray said the staff would reevaluate how auditors use the work of specialists, whether hired by the company or the auditor, and rely on that work as evidence for the audit.
Study Suggests Companies Are Adopting a Broader View of Risk
Companies are expected to spend 7.4 percent more in 2008 than in 2007 on governance, risk management, and compliance, although spending on Sarbanes-Oxley compliance is expected to grow only 2 percent, according to a study by AMR Research.
Overall spending is expected to reach a high of $32 billion since the firm began gathering such data in 2003, AMR said. The data suggests companies will be shifting their governance and compliance spending for the first time away from a primary focus on Sarbanes-Oxley toward a more generalized concern about risk, the firm said.
“The tone of the conversation has changed quite a bit,” says John Hagerty, vice president and research fellow at AMR Research. “It’s not just about being compliant, but it’s about managing risk. To me, that represents a maturity that companies are looking at all the things they may face as a company, and not reacting to each one individually.”
The firm said 31 percent of companies reported that the most influential issue driving their 2008 governance spending plans is a goal to better manage and mitigate risk in the business. That means Sarbanes-Oxley and other regulatory compliance programs represent necessary objectives, but not top-of-mine initiatives.
“Companies have decided that risk is what the conversation is really about,” says Hagerty. “People are looking up and seeing the forest for the trees.”
Audit Integrity’s Top 100 Governance Companies
Audit Integrity has published its second annual listing of what it deems the top 100 public companies in terms of their governance and financial reporting integrity.
While the research firm is better known for using its metrics and analysis to point out bad or risky reporting behavior, Audit Integrity CEO Jack Zwingli says the top 100 listing provides an opportunity to spotlight companies that are doing the right things. “Our intent was to make note of the best companies from the standpoint of financial disclosure, transparency, and good corporate governance,” he says.
Zwingli says the company’s metrics are based on a number of factors, including accounting practices, financial reporting, disclosures, transparency of information, and consistency. The criteria also include information where data might be a little tougher to gather and analyze, “things that indicate management’s interest are not aligned with shareholders’ interests,” he says, such as officer turnover, executive compensation and any evidence of insider trading.
The research firm has found over time that companies with good governance and good reporting habits also tend to have good financial results, according to Zwingli. “Good companies outperform the market, and bad companies under-perform the market,” he notes. “Good companies with a clean slate reward their shareholders with a significantly lower risk profile and better returns. Good things happen to good companies.”
Zwingli says that in the firm’s most recent ratings, Bear Stearns was identified as an aggressive company with low ratings, while JP Morgan, which recently offered to buy the collapsed investment-banking firm at a deep discount, showed more solid ratings.
“Companies that are aggressive with the way they run the business and report the numbers are very vulnerable whenever there’s a shock in the marketplace,” Zwingli says. “Good companies end up winning. Bad companies end up effectively disappearing.”