In October 2004, Moody’s Investors Service opened a Pandora’s Box with the issuance of a special comment paper titled “Section 404 Reports on Internal Control: Impact on Ratings Will Depend on Nature of Material Weaknesses Reported.”

With the start of the first Sarbanes-Oxley reporting season just around the corner and more than 500 public confessions of material control weaknesses already filed by SEC registrants, the technical flaws of the external auditing profession are slowly, but steadily, being exposed to harsh public scrutiny.

Moody's Categories

The Moody’s special comment paper outlines how Moody’s credit rating arm will react to material weakness disclosures on internal control from SEC registrants (see box below, right for complete document).

In brief, the paper says that Moody’s anticipates taking no action when the disclosed control weakness relates to a specific accounting disclosure such as inventory, accounts receivable or legal proceedings. These are termed “Category A” problems. They believe external auditors can effectively “audit around” this type of problem and still produce a reliable audit opinion.

However, if the control weaknesses relate to “company level” controls, they will be considered “Category B” problems; for those, Moody's anticipates bringing the company to the rating committee to reassess the company’s credit rating.

“We are concerned about these material weaknesses because we question the ability of the auditor to effectively 'audit around' problems that have a pervasive effect on a company’s financial reporting,” says the Moody's report.

Although understated, in essence, Moody's is questioning how external audit firms have been able to provide clean audit opinions on literally hundreds of financial statements filed by SEC registrants over the past year when there are huge disclosed gaps in the quality of a company’s macro-level control system, up to and including concerns about the integrity and competence of the CFO/controller’s team that prepared the statements.

Don Nicolaisen, chief accountant at the SEC, has already publicly signaled agreement with the serious concern raised by Moody’s.

Audit Opinions Are Not All Equal

The Moody’s special comment paper raises an issue that is the tip of an iceberg—an unspoken danger that has been the cause of numerous corporate shipwrecks over the past 50 years, and has been the root cause of trillions of dollars of lost market value. Though the external audit profession has decided to use an opinion system that is largely an on/off switch—they currently certify that financial statements "fairly present," or they don’t—insiders like Moody’s know that audit opinions on corporate financial statements are not all created equal.

There is a factor at work that many financial statement users know very little about—one that is critical when assessing the likely reliability of financial disclosures.

That factor is called “audit risk,” the risk of the public accountant incorrectly certifying that the financial statements “fairly present” the true financial results and position of an enterprise.

Hidden Secret: Audit Risk Index

Audit risk, the risk that certified statements are wrong, is impacted by a number of key factors.

1. Management's Knowledge—The quality of the control environment of the company being audited, including the knowledge, skill and integrity of the management team and controller’s organization.

2. Management's Systems—The effectiveness of the internal control systems in place to ensure specific disclosures in the financial statements are reliable.

3. Auditor's Tools—The quality of the audit processes and tools used by the external auditor.

4. Auditor's Knowledge—The integrity, skill and knowledge of the audit partner(s) and audit team assigned to the audit.

The more weaknesses in these four audit risk factors, the less reliable the audit opinion.

If an index could be constructed that numerically scored weaknesses in all four areas, the higher the number of reported weaknesses, the more likely an audit opinion could be wrong. If this index for each company were made public, it would equip stakeholders with information on the likelihood the external auditor’s opinion on the financial statements might be wrong. Most stakeholders that rely on financial disclosure are not privy to this information.

Of course, the overarching aim of the Sarbanes-Oxley Act is to reduce audit risk and accordingly increase the reliability of financial disclosures used by stakeholders. SOX legislated that management and external auditors formally assess Nos. 1 and 2, above. This additional knowledge was to be used to improve No. 3. The Public Company Accounting Oversight Board was created to rectify serious concerns with No. 4.

As companies have progressed their assessment of points one and two, above—accompanied by the aggressive prodding of their increasingly litigation-sensitive external auditors—the flow of control weaknesses being reported to the SEC is growing rapidly. All of this activity is proceeding according to the "master plan" outlined by SOX, the SEC and the PCAOB.

The Disconnect

However, what is raising the concern of credit agencies like Moody’s—not to mention the SEC and the PCAOB—is that clean opinions on the financial statements are continuing to be filed by external auditors no matter how bad the internal control concerns identified in No. 1, above.

This defies well-accepted audit tenets that have been taught in universities and professional programs for many decades, and frankly suggests that some serious structural problems exist in areas three and four, above.

Now, auditing theory says that when an auditor is confronted with a situation that indicates there may be widespread problems with the reliability of management’s representations, they must increase the scope of the audit work to try and compensate for the deficiency in controls. This is possible and practical in some situations such as concerns related to inventory controls where the auditor can demand that inventory count procedures be expanded to verify the existence and value of the stock as of the date of the financial statements.

But in situations that indicate pervasive control problems—like deficient data access controls, incompetent controllership staff, or clear signs that management is dishonest or inappropriately managing earnings—audit theory mandates that the external auditor must expand their work to compensate for the deficiencies identified.

More Work, Time, And Money

The problem occurs when the external auditor is confronted with documented and very public knowledge of Moody's "Category B" control problems: company-level control weaknesses.

Auditing theory requires that the external auditor advise their client that additional audit work will be required to compensate for Category B control deficiencies. In many cases, this will necessitate a delay in filing the financial disclosures with regulatory authorities and the market. This can have huge negative ramifications; once the material control weakness has been reported to the company’s audit committee and filed with the SEC, the external auditor must have sufficient additional personnel available to complete the necessary supplemental audit work. And, of course, the company must have sufficient funds to pay for the massive increase in audit fees. If the problems are severe enough, it can mean re-verification of a large percentage of the universe.

To date, preliminary research into material weakness filings in 2004 suggests that many external auditors are not responding to pervasive control deficiencies according to the textbooks.

A number of explanations can be advanced as to why, including the facts that clients are already frustrated with additional expenses, and external auditors lack the necessary staff to correctly respond to knowledge of serious pervasive problems in a client’s control environment.

In addition, it is not clear that it is possible to "audit around" knowledge that key management personnel have demonstrated traits of dishonesty or incompetence. Some corporate environments are complex and massive in size—the reality is that sometimes some control deficiencies of this type have such enormous implications on the reliability of the financial statement representations that the work to properly compensate for the problem is impractical if not impossible.

Global Implications; Stakeholder Reaction Critical

The implications of Moody’s special comment paper are enormous. It is increasingly clear that in countries that have not legislated SOX-like regimes, the amount of information on the true state of control in companies is limited, and the approach used by auditors to certify the financial statements is handicapped by deficient data on the state of control. This in turn indicates that audit risk, the risk that auditors incorrectly certify financial statements, will be significantly higher in countries without Sarbanes-Oxley regimes than in countries with Sarbanes-Oxley-like regimes.

Over time this should mean that the cost of capital for each public company will slowly adjust to reflect the additional risk premium in countries that elect not to implement SOX-like rules and continue to conceal the true level of audit risk from external auditors and stakeholders that rely on the financial statements.

In the short term, SEC registrants and companies in countries that legislate SOX-like rules will be penalized by credit level adjustments because they have been forced to disclose more information on the true level of audit risk in their specific corporate environment than in other countries.

External auditors affected by this dynamic will have no choice but to perform significant additional work resulting in massively increased audit bills and credit rating changes. This could disadvantage these companies relative to those registered exclusively in countries that continue to suppress information on the true state of audit risk.

And the key factor that will influence the future will be whether key stakeholders—investors, credit agencies, insurers, auditors, bankers, and others—accept the premise that financial disclosures filed in countries with SOX-like regimes are more reliable than those in countries where the true level of audit risk is concealed, and where the likelihood of incorrect audit opinions is hence more likely.

The U.S. has led the way on this path; however, Canada has indicated it will soon be following the U.S. lead. Other regions—including the U.K., the European Union, Australia and elsewhere—are mulling over their options.

With the issuance of Moody’s special comment paper stating that corporate credit ratings may be negatively impacted by the disclosure of Category B control concerns—and the SEC's strong endorsement for the validity of the concern—it is reasonable to assume that stakeholder awareness of this issue is poised to increase exponentially over the next year.

Credit agencies are increasingly signaling that they believe there is a significant correlation between assurance provided through SOX and SOX-like rules, lower audit risk, and more reliable accounts. They may soon begin to request SOX-like comfort from companies on their financial disclosures regardless of the country in which they reside and regardless of whether they are public companies. Director and officer insurers and error and omission carriers that insure external auditors may soon follow. If this chain of events occurs, the impact will be massive.

What Should Companies Do?

In my humble opinion, events will soon confirm that the existence of Moody's "Category B" control weaknesses seriously undermines the ability of external auditors to provide reliable audit opinions on accounts.

In addition, I believe a sizable number of companies have such weaknesses.

This will lead to other countries around the world legislating regimes that force management to assess and report whether they have similar "Category B" concerns; it will also force external auditors to clearly explain how they have successfully “audited around” these problems.

Some steps companies can take in the interim include:

Track "Category B" Deficiencies—Ensure that control assessment work includes a careful assessment of whether the Category B-type control deficiencies referenced by Moody’s are present. If they are, disclose them to the company’s external auditor, audit committee and the SEC and resolve them as quickly as possible.

Audit Committee Inquiries—If a "Category B" control deficiency is identified, it is critical that the audit committee inquire what steps the company’s external auditor will perform to compensate for these pervasive control deficiencies.

Track Remediation—Audit committees, CFOs and CEOs should carefully and regularly monitor the status of all remediation work to rectify the "Category B" control problems, and document their oversight activities.

Analyze Impact—Assess the impact on the company of a credit rating downgrade that could be triggered by "Category B" control deficiencies, and factor that potential cost when considering resourcing options and resource allocation decisions.

Know The Score—Take steps to try and calculate the company's overall audit risk score. Wrong audit opinions can have devastating impacts on careers, investors, and the future of a company.

Moody’s is the first credit agency to publicly question the reliability of audit opinions when "Category B" deficiencies exist.

I can assure you that they won’t be the last.

Editor's Note: A copy of Moody's report, "Section 404 Reports on Internal Control: Impact on Ratings Will Depend on Nature of Material Weaknesses Reported," is available from the box above, right.

This column solely reflects the views of its authors, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.