About the Panelists
The panel featured Mark A. Adler, JD, acting director and chief trial counsel in the division of enforcement and investigations at the PCAOB; Matthew S. Jacques, CPA, chief accountant in the division of enforcement at the SEC; Scott Univer, JD, LLM, formerly principal and general counsel at Mazars USA LLP; and Michael Young, JD, partner at Willkie Farr & Gallagher. Douglas Carmichael, PhD, CPA, Claire and Eli Mason Professor of Accountancy at Baruch College, moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists’ own personal views and not necessarily those of their employers or those employers’ boards, management, or staff.
* * *
Adler began by discussing the PCAOB’s enforcement division. “The board is committed to a strong enforcement program,” he said before outlining the activities of the division of enforcement. The highest priorities were investigations involving significant audit violations, including a lack of due professional care or professional skepticism; audit matters relating to independence and integrity; and matters threatening the integrity of the PCAOB’s regulatory oversight process, including noncooperation with inspections and enforcement, and violations of board orders.
Adler then highlighted some significant settled enforcement cases from the last year that illustrated these priorities. The first was the matter of Grant Thornton and Bancorp, where the firm violated quality control standards when it assigned two partners with known audit quality issues to the engagement without sufficient support or monitoring. This was the first time the PCAOB had found quality control violations in a domestic-level network firm, he noted.
Next was the matter of Deloitte Canada and Banro, where the board found that Deloitte failed to maintain its independence by allowing an affiliate in South Africa to provide prohibited nonaudit services to an audit client. Furthermore, the engagement team on Banro’s audit made use of the affiliate’s work, essentially auditing itself. Adler described this as a situation where the firm failed to appreciate a threat to its independence even though its national office was aware of the situation.
The third example case was Deloitte Turkey, which the board found allowed teams to improperly alter their audit documentation before inspection. “This case highlights the importance of cooperating with board inspections and investigations, and the willingness of the board to impose the severest sanctions for the failure to cooperate with a PCAOB inspection,” Adler said. “Notwithstanding the seriousness of the misconduct, Deloitte Turkey was able to significantly reduce the sanctions it otherwise would have faced by providing extraordinary cooperation.” Adler also cited a nonaudit matter wherein a firm paid an auditor under a board bar order a percentage of audit fees collected from clients the auditor had referred to the firm.
Next, Adler talked about themes and trends in the board’s 2018 activities. He stressed that the PCAOB is dedicated to holding firms of all sizes accountable, and that substantial progress has been made in prosecuting cases involving foreign affiliates. With regard to firms doctoring documents, he noted that “we are starting to see firms self-report alteration cases. We encourage firms not only to cooperate with our investigations as they’re required to do, but also provide extraordinary cooperation through voluntary and timely self-reporting, taking voluntary and timely remedial action, or providing voluntary and timely substantial assistance to a board investigation.”
Adler also covered engagement quality reviews, where the board has brought cases against both firms and individuals that failed to obtain a review and reviewers who failed to do the proper amount of work. “We intend to hold engagement quality reviewers accountable when they put investors at risk by failing to provide the meaningful check that the EQR [Engagement Quality Review] standard requires,” he said.
On the subject of a recent federal court decision [Laccetti v. SEC, No. 16-1368 (D.C. Cir. 2018)] that went against the PCAOB, Adler said that the division is now allowing technical experts to assist clients during investigative testimony in most circumstances. Exceptions include cases where the expert is already a witness in the case or in a supervisory relationship with a witness. In addition, the division expects counsel to seek its approval for a technical expert to attend testimony.
Finally, Adler spoke about the board’s attempts to improve its efficiency and effectiveness. “We’re always balancing the need for a complete, effective, and fair investigation with the need to file disciplinary proceedings in as timely a manner as possible,” he said. He outlined steps the division is currently taking to improve its processes, such as reducing the number of witnesses and length of testimony in cases, making more use of interrogatories and requests for admissions, streamlining the scope of investigations, and making technology improvements.
Next, Jacques spoke about the SEC’s enforcement activities. He started by referring the audience to the SEC’s recently released Enforcement Annual Report for fiscal year 2018, available on the commission’s website. He then touched on the reasons why the SEC starts an investigation, a question he said he receives often. “Typical sources,” he said, include “self-reporting, whistleblowers and other tips, internal and external referrals, and our Corporation Finance Division.” Jacques noted that self-reporting is a good way for companies to get credit for cooperating with the SEC. As for more proactive efforts, he cited the SEC’s increasing use of data analytics and its “deep bench of economists and data analysts who are constantly churning all the information that comes in.”
Another frequently asked question, Jacques said, is what areas the enforcement division looks at. He cited revenue recognition, valuation, internal controls, and non-GAAP financials as topics that all receive significant attention. Regarding auditing, he said, the division pays close attention to adherence to professional standards and auditor independence. “In our investigations,” he said, “we ask the question: ‘Where were the auditors?’” Jacques also emphasized that the SEC is willing to suspend auditors who fail their public trust.
More specifically, Jacques detailed common failures seen within auditing investigations. These included lack of professional skepticism, overreliance on management’s representations, poor documentation, and manipulation of workpapers. Failures sometimes result from form-over-substance rationalizations, he said, wherein “people twist themselves in knots to get to an answer that makes their life a lot easier in the moment.” This happens on the individual level as well as at the level of policies, procedures, and controls.
Jacques also detailed several cases illustrating the types of issues the SEC has been dealing with. The first was an action against BDO, where the firm fell behind in an audit, eventually failing to complete the necessary steps and procedures. To cover its tracks, the firm had the audit team sign off on unfinished workpapers before the deadline and then complete them later. “I believe this was the first of its kind as a predating case,” he said, but “we have concerns that this may be a little more prevalent than the one case we’ve brought.” The audit manager and two partners on the matter were suspended.
Another case involved the owner of a public accounting firm who falsified records in the course of an investigation, including having clients backdate documents to convince the SEC that they were properly completed. In that case, Jacques said, the owner was sentenced to five months in prison.
Jacques also discussed independence matters, saying that “independence in fact and appearance are equally important under the securities laws.” He also stressed that the SEC provides a number of avenues for auditors to clarify any matters they are unsure of. “The most disappointing cases for me are when auditors have the right answer and then find a way to do the work or proceed with the knowledge that it’s probably going to be problematic in the long run,” he said.
The SEC has received a number of questions about how it will handle enforcement of the new revenue recognition standard, Jacques said. While he noted that enforcement usually follows behind implementation, he did say that, according to some research, most cases brought under the old rules would still be valid under the new rules. “This is something we’re not too worried about, but we are cognizant that people are going to be struggling for a period of time to find their bearings,” he said.
Future Technology Concerns
Univer then talked about how technological progress may affect enforcement in the future. He began by noting that accountants and auditors have made excellent targets for hackers because of the information they have access to. The case of the former Wyndham Worldwide, he said, was illustrative; the FTC sued the hotel chain for committing deceptive and unfair trade practices by falsely describing its defenses against hacking as “robust and adequate,” a claim disproven when the company was hacked and customers’ credit card information stolen. A similar investigation is now under way in New York against Marriott after a similar breach.
On the related subject of privacy, Univer noted the European Union’s General Data Protection Regulation (GDPR) and its “right to be forgotten.” “I wonder whether the right to be forgotten is inconsistent with our obligation as auditors to document our work,” he said. “If you document an audit and then somebody whose information was revealed to you demands to be forgotten, I’m not sure whether you’re allowed to do that or not under our rules.” Clients are also demanding the right to inspect auditors’ security defenses to ensure their privacy is protected, Univer said, which “is driving everybody nuts.” SOC 2 certification, which was previously enough to satisfy clients’ concerns, is becoming less sufficient under the stricter privacy laws of the 21st century, he said.
Univer then turned to the prospect of quantum computing, giving an explanation of the science behind the technology. The upshot, he said, is that quantum computers would in theory have the potential to process information much faster than current binary computers. “What is the relevance of all of this for us?” he asked. “The answer is, the threat that quantum computing poses to cryptology. All current cryptological programs depend upon the mathematical fact that there is no shortcut or algorithm to factoring very large numbers into prime factors. A quantum computer, however, could factor a very large number into prime components in a matter of minutes.” The cybersecurity industry is focused on developing new methods of encryption without this weakness, Univer stressed.
Finally, Univer discussed artificial intelligence, specifically machine learning and neural net modeling, which allows computers to learn to recognize patterns, make predictions, and model complex, intuitive behavior. While Univer stressed that he was speculating, he saw “no reason in principle why a neural network program could not figure out what your materiality thresholds are, decide in advance what your statistical sampling models are, and devise a financial statement fraud that flies under the radar of the audit program that you’re using.”
The State of Litigation
According to the final speaker, Michael Young, “the litigation environment now for auditors is not so bad,” mainly due to a slow and steady economic recovery that has not been conducive to litigation. He warned, however, that “when it comes to litigation and the accounting profession, that pendulum has a very, very long arc. And by that, I mean we are often talking about trends that are in duration 10 or 15 years before things really start to turn around.” He characterized the litigation environment of 10–15 years ago as driven by high-profile cases of earnings management, which the profession collectively addressed. Today, volatility in the stock markets has risen, which creates potential damages for plaintiffs’ attorneys. In the event of a recession, something he considers likely, the environment would be one that could generate litigation against the accounting profession.
Another factor, and one more under the profession’s control, is good judgment and solid documentation processes. “Don’t think of documentation as a compliance exercise,” Young said. “Think of it as an exercise for yourselves.”
Young noted that litigation does not occur a week or two after the audit but rather much later. “Five years after the audit,” he said, “you may be asked to talk about what judgments you made. And you have to be really, really smart and have a really, really good recollection to be able to recreate from memory the kinds of tough judgment calls that you made. That’s where documentation comes in. … If you can show that something was a tough judgment call and you considered things on all sides and you came to the best judgment you could, that works. That is really hard to attack.”