Taking time after an audit's completion to consider which operations offer the most opportunity for fraud should be part of the audit process.
What audit firms should be doing to improve quality control in their process of vetting client companies’ financial reports is a key question these firms need to ask themselves, said James Doty, chairman of the Public Company Accounting Oversight Board (PCAOB) at the Millstein Governance Forum on June 25.
As part of their examination process, Doty recommends that audit firms take time after completing an audit to sit back, breathe deeply and ask themselves where in the company’s operations there is likely to be most opportunity to commit fraud.
‘Auditors can’t find everything. But what can we test that will give us additional assurance that there’s no fraud we haven’t uncovered?’ Doty asked during the third panel of the two-day governance conference at Columbia Law School.
The value of reliable and practical reporting standards and how best to organize a board’s risk oversight efforts were other key topics discussed during the panel, ‘Managing risk for diverse ownership: what do directors need to properly oversee risk management?'
Doty’s remarks were partly in reference to quality-control criticisms of audits done by PricewaterhouseCoopers that were included in PCAOB inspection reports in March 2009 and August 2010 and that the board released in March 2013. To improve audit quality and better protect investors, the PCAOB is authorized under the Sarbanes-Oxley Act to review the work of public accounting firms that audit over 100 public companies each year.
‘Our job is to make sure auditors have standards like bedrocks that they can stand on and to communicate to audit committees to let auditors do their job,’ said Doty.
Auditing is not a forensic process, and audit committees have historically been slow to hire either former auditors or lawyers who have been on the front lines and can help audit committees look in the right direction to detect fraud, he added.
Determining when the full board needs to be involved in examining risks the company may face and when certain risks require a deeper dive by specialized committees, whether the audit committee or one convened for the specific task, is another key consideration for boards in their risk oversight duties, panelists said.
For example, when Alcoa decided to build a huge strip mine to extract bauxite from the Amazon jungle in Brazil a few years ago, the company appointed a special committee to analyze the reputational risk associated with the venture and determine whether Alcoa would be able to stay in business if any problems with the mine arose, said Donna Dabney, director of The Conference Board and former corporate governance counsel at Alcoa. The committee ended up making four trips to Brazil to speak with non-governmental organizations working in the region and indigenous people who would be affected by the mine, and to otherwise vet the project.
But even individual risks that are delegated to the board’s audit committee need to come back to the full board for discussion and approval, according to Steven Rosenblum, a partner at Wachtell Lipton Rosen & Katz.
Ben Heineman, senior fellow at Harvard University’s Schools of Government and Law, recommended that a wide range of potential risk issues be surfaced and discussed by the full board at its November meeting and then in December a decision be made as to which 15 or so issues the board will focus on in the next year, ‘to educate ourselves about the trade-offs and options.’
Other questions that arose during the panel but didn’t get discussed thoroughly included the key weakness in the audit mechanism, which is that it’s backward looking, while risk oversight needs to be forward-looking in order to spot potential troubles that may be difficult to quantify.