From the earliest days in her legal career, Cindy Fornelli was most interested in litigation, but not for the kind of courtroom drama normally associated with such proceedings.

Fresh out of law school in 1990, Fornelli remembers spending her first year as an associate at law firm Fried Frank rotating through various legal departments to get exposure to many areas of the practice. “You would rotate through government contracts, litigation, transactions, mergers, and acquisitions, just to see where you fit and where your skills and interests were,” says Fornelli. “I was drawn right away to litigation, but what I really enjoyed was helping companies build compliance programs.”

Call it prophylactic compliance, if you will, but Fornelli says she found much greater satisfaction on the front end of the compliance curve, trying to prevent companies from ending up in courtrooms. She liked learning about companies and their culture and helping them prevent problems rather than fixing problems after they erupted.

“When you are helping a company defend against the Securities and Exchange Commission or the Department of Justice, they are already back on their heels,” she says. “It seems much better to me and much more enjoyable to help companies build up a compliance program so they didn’t get into litigation trouble later down the line.”

About Cindy Fornelli

Title: Executive Director, Center for Audit Quality

About the Center for Audit Quality: An association formed in the aftermath of Sarbanes-Oxley to foster high-quality performance by public company auditors as a way to enhance investor confidence and public trust in the global capital markets.

Years of experience: 27

Areas of expertise: Leveraging legal and compliance background to advocate for audit quality

Quote: “Some hear the word compliance and think of a check-the-box mentality. … When you step back and look at what a compliance function is, it’s looking to make sure you’re adhering not only to the black-and-white rule or regulation but also the spirit of it as well.”

Now as executive director of the Center for Audit Quality, Fornelli is doing much the same kind of work on behalf of the entire audit profession. The CAQ is committed to advocating for high-quality audits in capital markets as a way to build and improve investor confidence and public trust in audited financial statements, a cornerstone of efficient, properly functioning capital markets.

So how did an attorney end up becoming an advocate for audit quality? It goes back to the early foundation of her career, says Fornelli. After Fried Frank, she spent a few more years at another law firm helping investment advisers, hedge funds, and mutual funds set up compliance processes or prepare for inspections and examinations by the SEC. Eventually, that led to a jump into public service in the SEC’s Division of Investment Management.

It was a “sleepy little division” at that time, says Fornelli, until scandal erupted in the early 2000s around mutual funds engaging in illicit late trades and market-timing activities. Suddenly the division got very busy writing new rules and regulations to guard against such maneuvers. “Until that time, the SEC had never issued more rules or regulations than it did immediately after that time,” she says.

After working through that burst of regulatory activity, Fornelli was attracted to the challenge of a new position at Bank of America in 2004. Her task was to create a program to protect against conflicts of interest across the organization. “It was about helping the bank look across the organization holistically or horizontally, rather than vertically, looking for conflicts of interest,” she says.

While Fornelli was deep into compliance concerns in the financial services sector in the early 2000s, capital markets were beginning to reel over the dot-com collapse, accounting scandals at companies like Enron and WorldCom, and the prosecution and collapse of Arthur Andersen. Congress was rolling out the Sarbanes-Oxley Act to transform the financial reporting process for public companies and rescue investor confidence.

CEOs and CFOs would be required to certify financial statements. Companies would be required to report on the effectiveness of their internal control over financial reporting. And auditors would be required to pass judgment on those reports.

Even more, auditors would no longer be left to the self-regulation they had enjoyed for decades under the American Institute of Certified Public Accountants. They would still be licensed as they always had been under state law, but now they would be subject to regulation under a new body formed by Sarbanes-Oxley, the Public Company Accounting Oversight Board.

For public companies, the early years of Sarbanes-Oxley compliance were marked by an unprecedented flurry of activity to document hundreds, even thousands, of internal controls. Their activity was driven largely by demands from auditors, who had new marching orders of their own under the PCAOB’s new Auditing Standard No. 2 telling them how to conduct an internal control audit.

The outcry over the effort required, not to mention the cost, was deafening. The PCAOB eventually right-sized AS2 with a more risk-based approach in Auditing Standard No. 5, intended to do away with burdensome busy work and steer internal control focus to the areas where they could do an organization the most good.

As part of the audit profession’s effort to acclimate to the new regulatory era where their work was subject to massive new scrutiny, the AICPA spearheaded the creation of the CAQ. It would serve as an autonomous public policy body supported by the audit firms themselves to galvanize the profession by fostering and promoting audit quality.

As it has evolved over the past decade, it can be seen today as a kind of compliance office for the audit profession, with Fornelli as its chief compliance officer. She brings multiple points of view to the table to assure the auditor’s role is both understood and leveraged.

“We wanted to make sure we had the perspectives of investors, academics, preparers, boards of directors, audit committees, and regulators so when we take a position on a policy, we get informed,” she says. “We don’t call that compliance, but there’s an element of compliance to that. How do you comply with the rules or regulations to benefit the marketplace?”

But it’s more than strict compliance Fornelli is after. She looks to bring those stakeholders together to engender a genuine sense of playing by the rules for the benefit of everyone involved. “Throughout my career, I always had a sense that compliance gets a bad name or is misunderstood,” she says. “Some hear the word ‘compliance’ and think of a check-the-box mentality.”

That’s as true of the audit profession as anywhere in capital markets, where auditors have been called out by the PCAOB for failing to bring an adequately skeptical mindset to their work—or checking boxes on checklists rather than seeing red flags and investigating more deeply.

“When you step back and look at what a compliance function is, it’s looking to make sure you’re adhering not only to the black-and-white rule or regulation but also the spirit of it as well,” says Fornelli. “We’re talking about the letter of the law as well as the spirit of the law, whether that’s a policy, a procedure, or a regulation or law. I think that gets lost sometimes when we talk about the compliance function.”

Indeed, gathering together all the various players in the financial reporting supply chain to bring about improvements in the audit process is much more complex than any checklist could achieve. Sarbanes-Oxley put into place a new environment where a checklist mentality would not cut it for the audit profession. And it was an adjustment for the profession, to say the least.

“Sarbanes-Oxley was a sea change for the auditing profession and the whole supply chain of financial reporting,” she says. “It wasn’t aimed at just the audit function, but that was a piece of it.” With CEOs and CFOs certifying financial statements and audit committees compelled to enhance their oversight, auditors faced new demands and new expectations that would change the profession.

And Fornelli believes auditors have stepped up to the plate. The CAQ keeps a pulse on investor confidence through an annual survey, and it finds in recent years that investor confidence has rebounded. After a spike in financial statement restatements following Sarbanes-Oxley, where reporting and auditing improvements flushed through the system to wring out a historic number of errors and misstatements, restatement levels have dropped both in size and number. “Audit quality is higher,” she says. “Higher than it’s ever been.”

That’s not to say the work of the CAQ or the audit profession is finished. The PCAOB still turns out inspection results on audit firms that many would agree are not yet acceptable. And auditors, along with everyone else in the reporting supply chain, are bracing for an onslaught of new accounting rules that will ripple through Corporate America over the next few years bringing massive change.

Public companies are in the throes this year of adopting new requirements for how to recognize revenue in financial statements, which replaced hundreds of historical accounting rules that had accumulated piecemeal over decades. The new five-step method for how to recognize revenue means new policies, procedures, processes, and internal controls that touch potentially every area of operations for many companies.

While the new revenue rules were published in 2014, companies received a long runway, until 2018, to begin following the rules to give them plenty of time to prepare. But the change doesn’t stop there.

The very next year, public companies will also be required to adopt new methods for how to account for leases, bringing them for the first time out of the footnotes of financial statements and on to the face of the balance sheet. That means companies need more centralized processes for tracking their leases and more extensive accounting policies and processes to gather and report the information required under the new standard.

And the change for financial services is a bit different but equally daunting. They face new requirements for how to measure and classify financial instruments and even more significant change in how to measure and report on signs of distress in debt instruments, such as loan portfolios.

As auditors prepare themselves for those changes they will soon face, they also are getting up to speed on drastic changes in technology and how it is affecting their work, says Fornelli. Technology is changing the way companies prepare their financial statements, but it’s also changing the way auditors can dig into that work and look for problems or anomalies that merit further study.

“Technology will profoundly shape the audit,” she says. While some muse over the possibility that technology may even displace auditors—with technology performing checks not just on samples of transactions but on entire populations of data, and with continuous monitoring and continuous auditing becoming more real—Fornelli believes the human eye will always have a role to play in auditing.

“Auditors are going to need different skill sets perhaps, but what’s exciting about technology is that it can free up people’s space of mind to look in and see where the anomalies are,” she says. “Where are things not quite right? Why is that so? Is there a problem there, or is it something with policies and procedures that needs to be changed? It’s going to demand a lot more judgment and analysis. That’s exciting. It makes the profession that much more dynamic.”

As Fornelli girds up for the next phase of compliance in the auditing profession, she remembers the sage advice she learned from a young age in her own home life. “My parents made it very clear to me that it’s just as easy to be nice and pleasant as it is to be disagreeable,” she says. “Finish what you start. And give it your all. If you’re going to do something, do your best, whether that’s loading the dishwasher, vacuuming the carpet, volunteering at your kids’ school, taking care of the dog—or building a compliance program or advocating for the public company auditing profession. Always give whatever you do 100 percent.”