A CAM is defined as a matter arising from the audit that was communicated (or required to be communicated) to the audit committee and that relates to accounts or disclosures that are material to the financial statements. As described in the PCAOB’s standard, CAMs are essentially equivalent to the matters that must be communicated to those charged with governance under GAAS. Determining whether a matter rises to the level of a CAM involves especially challenging, subjective, or complex auditor judgment. The crucial point is that the PCAOB requires their disclosure in the auditor’s report, making it a public disclosure for which the auditor, not the corporate governors, is responsible.
A Burden Shift?
By requiring disclosure of CAMs in the auditor’s report, the PCAOB has established a new standard for auditors to publically report on matters that can be highly sensitive and judgmental. Setting aside the auditors’ ethical responsibilities of confidentiality, which is directly challenged by this new disclosure obligation, whether a matter rises to the level of a CAM, and whether the disclosure of a CAM is sufficient are going to provide fodder for litigation against auditors under the federal securities laws. From a corporate governance perspective, the PCAOB rule effectively shifts the burden of disclosure of such matters from those charged with governance to the outside auditor. Management and the board of directors are responsible for any and all judgments and subjectivity included in an enterprise’s accounting and financial reporting, as they should be, because the entity’s officers and directors are in a better position to appreciate and disclose any material items in the financial statements that involve especially challenging, subjective, or complex judgment. The auditor undoubtedly must exercise reasonable judgment when auditing these financial disclosures, but it is management who determines how the underlying transactions are recorded. Reporting to the public about the quality of the financial reporting should remain with management.
It is the opinion of these authors that, however unintentionally, by requiring outside auditors to disclose CAMs in their audit reports, the PCAOB has sent a not-so-subtle message that it does not trust boards and audit committees to effectively disclose to the public and the users of the financial statements matters that could impact the companies they govern. Although CAMs relate to the application of auditing procedures, in the vast majority of cases those procedures are based on the type and complexity of the underlying business transactions and the accounting by the enterprise being audited.
The PCAOB has imposed a new standard of corporate governance that puts the auditor in a role that the law historically had assigned to those charged with corporate governance, that is, the board of directors. At a deeper level, the PCAOB’s rule suggests distrust that boards and audit committees have the level of competence and independence from management necessary to protect the stakeholders’ interests. It also potentially places auditors on the front line of a new level of legal liability.
The new CAM requirement raises a very serious question: “How will this new disclosure requirement legally impact the auditor, the board, and the shareholders?”
Disclosure of CAMs Is Largely Judgmental
During the performance of audits, CPAs are often called upon to exercise “reasonable judgment,” starting from the design and planning of the audit, and continuing throughout its execution, including when evaluating estimates or complex accounting issues affecting the financial statements. It is in these judgmental areas that auditors have been most prone to second-guessing. AS 3101 heightens the scope of judgments for which an auditor could be unfairly challenged and maligned. These matters are rarely beyond debate, but the failure of an auditor to now include a disclosure in the audit report is likely destined to be another area for opportunistic and aggressive legal counsel.
Indeed, the new PCAOB standard reminds the authors of what happened in the wake of the pronouncements requiring auditors to report on “prospective financial information”; even more basically, pronouncements requiring documentation in an auditor’s working papers. What to document in the working papers always had been a matter of “auditor judgment.” But in the wake of the financial reporting scandals of the early 2000s, there was an increase in the rules and regulations requiring auditors to maintain working papers, subject to a general standard, but nonetheless relying on the auditor’s judgment of what needed to be documented and how this was done. That process morphed—prominently in the minds of the SEC, the PCAOB, and other professional regulators—into a virtually irrefutable presumption that because a procedure was not documented in the working papers, that the procedure was not performed. In fact, although it is a material breach of the standards and not recommended for any reason, legally not documenting the work done in a significant audit area does not mean the work was not done and the proper judgment was not applied. Under the law, testimonial evidence concerning audit procedures performed can be evaluated by the finder of facts in litigation, but this would not change the fact that there was a material breach of auditing standards.
Drawing on this experience with respect to working paper regulation, one can easily can imagine that an auditor’s failure to disclose a matter that others might judge to be a CAM could become the basis of legal action against the auditor, whether by a disgruntled stakeholder or a regulator.
As noted above, GAAS requires an auditor to communicate significant findings from the audit to those charged with governance, which includes the audit committee of the enterprise’s board of directors. Under this standard, the information discussed between the auditor and the entity’s governance group and the anticipated resolution is not required to be included in the auditor’s report on the enterprise’s financial statements, but the communication should nonetheless be documented in the auditor’s working papers.
The PCAOB avers that the public disclosure of CAMs is in accordance with the Sarbanes-Oxley Act (SOX) mandate to “protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports.” This is a clear indication that the PCAOB believes that boards and audit committees are not adequately doing their job of ensuring management’s fair and robust financial disclosure.
In its Release 2017-001 (June 1, 2017), the PCAOB stated:
As part of the audit, auditors often perform procedures involving challenging, subjective, or complex judgments, but the auditor’s report does not communicate this information to investors. Stated differently, the auditor’s report does little to address the information asymmetry between investors and auditors [footnote excluded], even though investors have consistently asked to hear more from the auditor, an independent third-party expert whose work is undertaken for their benefit [footnote excluded].
The PCAOB’s promulgation obviously is justified because the auditor is required to be independent of the client, including its shareholders. The law has long recognized that there is no fiduciary relationship between an auditor and the company’s shareholders, although the auditor is required to exercise due care and uphold the public interest. The new standard imposes a heightened standard of care upon the auditor, and increases the risk that the auditor can and will be held accountable for failure to make disclosures that have historically been the responsibility of those charged with governance to evaluate and, if necessary, take corrective action.
One must wonder what impact this new standard will have on the scope, planning, and cost of an audit, as well as the willingness of auditors to accept this heightened responsibility. On a broader note, one must wonder whether this new standard will cause further contraction of those willing to take on the responsibilities and liabilities associated with audits of publicly traded companies—despite the contrary messaging emanating from the PCAOB, which has frequently bemoaned the concentration of public company audits amongst the Big Four.
The PCAOB states that the communication of each CAM should include the following:
- Identifying the critical audit matter;
- Describing the principal considerations that led the auditor to determine that the matter is a CAM;
- Describing how the CAM was addressed in the audit; and
- Referring to the relevant financial statement accounts or disclosures.
Because the board of directors is legally charged as the shareholders’ fiduciary representative, one must question why the PCAOB has now chosen to shift responsibility for disclosure of these critical matters relating to an enterprise’s financial reporting from the board to the independent auditor.
The Board of Directors Purpose and Responsibilities
An interesting question stemming from the PCAOB’s CAM disclosure requirement is: Does the PCAOB rule limit or absolve the audit committee or board of directors’ responsibilities? It does not require much imagination to conceive that board members will seek to hide behind an auditor’s failure to disclose a CAM as grounds for their failure (or refusal) to disclose such matters to those whose interests that they have been entrusted (and paid) to protect.
Directors’ Responsibility
Under axiomatic principles of corporate law, an enterprise’s board of directors represents the interests of the entity’s owners and supervises all of its activities. For public companies there are clear rules regarding the structure of a company’s board.
SOX embellished these long-recognized rules of corporate governance, and subsequently the SEC adopted rules that enhanced the responsibilities of board members. For example, the SEC rules require a registrant to disclose whether the entity’s audit committee includes at least one audit committee financial expert (ACFE), and, if not, to disclose the reason for not having an ACFE.
The SEC rules define an ACFE as an individual possessing all of the following attributes (see SEC Release 33-8177; 34-47235):
- An understanding of GAAP and financial statements;
- The ability to assess the general application of such principles in connection with accounting for estimates, accruals, and reserves;
- Experience preparing, auditing, analyzing, or evaluating financial statements that present a breadth and level of complexity of accounting issues that are generally comparable to the breath and complexity of issues that can reasonably be expected to be raised by the registrant’s financial statements, or experience actively supervising one or more persons engaged in such activities;
- An understanding of internal controls and procedures for financial reporting; and
- An understanding of audit committee functions.
To qualify as an ACFE, an individual must have gained the attributes through any one or more of the following:
- Education and experience as a principal financial officer, principal accounting officer, controller, public accountant or auditor or experience in one or more positions that involve the performance of similar functions;
- Experience actively supervising a principal financial officer, principal accounting officer, controller, public accountant, auditor or person performing similar functions;
- Experience overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing or evaluation of financial statements; or
- Other relevant experience.
After starting with an expansive list of experience and training needed to qualify as an ACFE, the SEC then broadened the scope of activities that qualified an individual to serve as an ACFE. Unfortunately, this broadened scope of activities has led to a reality that many ACFEs, while possessing excellent business knowledge and judgment, have little direct experience in applying increasingly intricate accounting and auditing standards. The SEC’s broadened ACFE criteria resulted in many boards having only a high level of supervisory experience over their company’s accounting and auditing functions, and thus often lacking the ideal perspective to evaluate the enterprise’s financial reporting and interface with its outside auditors. Knowledge and understanding of the specific application of accounting principles for complicated transactions and the actual conduct of an audit under GAAS would lead to a better monitoring of the company’s internal accounting staff and the outside audit firm.
The authors question whether this is the financial reporting weakness the PCAOB’s CAM requirement is looking to address, and, if so, whether the cure actually addresses the affliction.
Putting It All Together
In the humble opinion of these authors, the PCAOB’s new regulation misses its mark. The disclosure of CAMs in auditor reports will not provide stakeholders with the critical information they need to better understand the company’s financial affairs. That information rests with, and remains to be disclosed by, management.
While CAMs and some evaluative analysis will be included in auditor reports, the universe of facts and circumstances that are analyzed by the auditor to form the judgments needed to resolve the issues will not be known to the reader of the report. Furthermore, judgment is involved in most reactions related to the development of audit procedures and the application of accounting principles. Reasonable people analyzing and assessing the same set of facts can differ as to the proper course of action to take. The auditor’s exercise of due care in identifying and resolving CAMs only addresses the reactions of an ordinary, reasonable person with the expected skill of someone qualified to provide audit services, and is not measured or determined by the results of those actions. Even a knowledgeable reader of the auditor’s report, not having access to the full array of facts and circumstances underlying the resolution of the CAMs, would not be in a position to determine the validity of the resolution and could come to an opposite resolution, leading to potential legal actions.
Possible Legal Implications
Outside auditors.
It seems likely that outside auditors will be subject to second-guessing with respect to the number and extent of the CAMs disclosed. This will lead to allegations in a lawsuit or claim relating to the failure to uncover a material error or fraud in an audit.
It will, most likely, increase the number and scope of the allegations that will need to be addressed by the auditor. This is principally because of the significant judgments involved in complying with the standard.
Board of directors.
CAM disclosure in the auditor’s report may tend to unintentionally limit the board of directors’ responsibility for the governance of the enterprise. It allows them to point to the fact that the user of the financial statements had access to the CAMs and, if a CAM was not disclosed, to point to the outside auditor as the responsible party.
It transfers some of the board’s governance responsibility to the outside auditor in addressing lawsuits and claims with respect to a misstatement related to a material error or fraud.
Financial statement users.
Financial statement users may, in hindsight, apply their judgment when they claim the CAM was not properly resolved by the auditor or the board. They likely will not have all of the information needed to assess the quality of the financial statements.
Increasing the Quality of Financial Reporting
In the authors’ opinion, increasing the quality and independence of boards of directors and enhancing the requirements to qualify as an ACFE will have a more beneficial effect on the quality of an entity’s financial reporting than the auditor’s public disclosure of CAMs. The ACFE needs to understand the issues raised by the auditors and the effectiveness of the procedures used to address those issues. The public disclosure of CAMs in the auditor’s report will more likely only lead to financial statement users making uninformed judgments about the possible and probable result of the CAMs on the quality of the statements.
This disclosure requirement effectively shifts responsibility for public disclosure and resolution of these matters from an entity’s board and audit committee to its outside auditor. The change will increase the exposure of the independent auditor to allegations and claims concerning the exercise of judgment in the identification and resolution of these matters.
If the board and audit committee are not properly and appropriately representing shareholders’ interests and monitoring management’s compliance with laws and regulations, then the requirements for becoming a member of the board and an ACFE should be strengthened. The answer does not lie in moving that responsibility elsewhere.