Declining audit quality of public companies continues to be an issue; what can you do to get ahead of your risks of financial misstatements and fraud?

You may have read last week, how the PCAOB continues to communicate its concerns on audit quality and resulting risks of inappropriate or unsupported audit opinions when the financial statements are materially misstated. On the 26th?of July, PCAOB Chair Erica Y. Williams, added to previous calls for audit firm improvement by describing audit deficiencies as being?“completely unacceptable” .??The PCAOB Chair also highlighting that audit firm explanations of poor audit quality stemming from COVID-19 impacts of remote working, failings of junior staff, and hiring challenges, were no longer acceptable.

To provide?investors, audit committees and potential audit firm clients with more information to themselves hold firms accountable for high-quality audits , the PCAOB also recently published enhancements to its?Firm Inspections website.? New functionality allows searchers to more readily zoom-in on key audit quality criteria across all prior PCAOB inspections. Including as an example, how to search and filter inspections with the firms that have the highest deficiency ratings in key audit components (depicted here).?

It’s been believed for some time that audit quality for a company influences its ability to raise capital ?(Doty, 2015). Searching or downloading the complete enhanced PCAOB Inspections dataset certainly makes for interesting reading, with many audit firms showing 100% deficiency rates. So, those looking for a solution to help understand and quantify audit risk might be tempted to see this dataset as the obvious solution to their due diligence needs.?

Those however who have previously attempted to assess audit risk from inspections reports will know that even with more accessible inspection data, there remains the time consuming, and usually flawed task of unraveling which companies the audit risk materialized within.?Regulatory restrictions that require the issuers names are withheld in newly published auditor inspections ?(Ho, 2023) usually result in frustrating attempts to reverse engineer transparency from opaqueness with issuer anonymity. Often, there is no trail back to the issuer audited until some years later when publicized in an unrelated dataset of restatements, or perhaps PCAOB and SEC enforcements. Clearly, too late for effective due diligence and risk assessment efforts.?

The challenges to assessing audit risk from this dataset sadly don’t end there. What may be less obvious amongst this positive PCAOB effort to improve functional access and transparency to inspections, therein lies a much more significant and fundamental challenge to this dataset being used to assess audit risk across firms or the market overall. Those that follow this space keenly will know how this annual discussion of audit quality trends often plays out between the key system players. Each year, as seen again this year, the PCAOB signals trends from its audit firm inspections. The auditing industry through groups such as the Center for Audit Quality (CAQ) invariably state their own assessments of what the inspections mean. For example,?here is an excerpt of the CAQ’s 2021 “Guide to PCAOB Inspections”:

The PCAOB makes most inspection selections from those audits that they believe have a heightened risk of material misstatement, including those with challenging audit areas. As a result, audits selected and reviewed by the PCAOB do not provide a representative sample that can be extrapolated to the hundreds and sometimes thousands of audits performed by a public company audit firm during any given year.?

Technically speaking, the CAQ is absolutely correct on the inapplicability of extrapolation of findings beyond the individual inspections themselves. It’s perhaps then less obvious what generalized investment due diligence insights an organization can reliably draw from this data directly. Other than what we have all already come to know – namely, there are degrees of audit risk in the market to be concerned about, and the data supports the PCAOB saying its inspections found more deficiency than it found last year.?

Wherever your organization stands in the relenting debate of what auditors are expected to find in financial statements (and then don’t). Or the relative value of this enhanced dataset in your due diligence process. You and your organization still likely have a standing regulatory due diligence responsibility, including in some form the expectation to identify and be accountable for addressing potential audit risk.

For those in capital markets, this can reach back to the earliest pre-IPO moments of a company and its first financials. The professional gatekeepers in the IPO path e.g., M&A lawyers, risk, and compliance, all base some reliance on audit firms and quality audits. Their assessment of quality of earnings reports is invariably seen as a critical first step in managing future audit risk. In turn, audit risk consequences of course extend further to those professional’s own insurers providing auditor negligence or Errors & Omission (E&O) liability coverage. Bottom line, the interconnected nature of business creates real susceptibility to knock-on audit risk for many parties. and can do so from audit deficiencies in just one company audit, starting with the very first audit.

For financial services companies specifically, due diligence expectations for corporate counterparties have been in place for some time. Even if the way to achieve them remains challenging and often found wanting in practice and overall effectiveness. In response to the continuing impacts of repeated corporate failings from the Wirecard period, barely a month ago the US federal regulators for financial services published their new guidance on?Third Party Relationships: Risk Management ?(The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury, 2023).?

The revised standards incorporate renewed regulatory expectations that financial services organizations make diligent assessments of a third-party’s financial condition and its resulting risk to a financial services company operations. Including assessing financial information, such as audited financial statements. These enhanced requirements of third- and extended fourth-party supplier risk due diligence requirements perhaps come as no great surprise to financial services and their suppliers,?given the systemic ripple effects of corporate failings like Wirecard ?(Collins, 2020). The concern for implementers maybe less what is needed, but still how to do it effectively. Especially when these failings were rooted in financial mismanagement, fraud, and accompanying auditing deficiencies and materialized audit risk, which other organizations have apparently not seen “upstream”.

The importance of due diligence targeted upon company financial condition and audit risk has also become even more important for industries far outside of capital markets and financial services.??The most recent collapse of Silicon Valley Bank (SVB) and domino-type knock-on effects that caught many organizations by surprise as a threat that?“no one saw coming” ?(Bousquette, 2023) again underscores the importance for?all?industries to seriously consider their exposure to audit risk. Ironically, these industries may need to apply the financial services 3rd-party risk requirements in reverse and begin looking more closely back through the audit risk mirror at their financial services providers.?

Given the challenges in identifying and quantifying audit risk, it is perhaps no surprise that the majority of organizations and the due diligence industry remains focused predominantly on reputational due diligence, and some aspects of financial performance and commercial credit worthiness. There obviously remains important value in knowing companies through these Know Your Customer (KYC) type of lenses. Understanding common associations between officers or gatekeepers is a critical financial crimes table stakes capability. However, when it comes to audit risk and financial misstatements risk, it arguably has its limits to only highlighting risks amongst those who, as the old adage goes, have let themselves be known by who they acquaint with – or perhaps shouldn’t have.?

Similarly, reports on commercial credit from even the largest most established data aggregators, usually carve out in contractual small print that their data and reporting does not address manipulation of reported financials or a company’s management fraud. As a result, corporate financial data is in many data products represented “as-is”, without any meaningful verification for financial reporting veracity.?As such, with two-thirds of accounting fraud by public companies believed to be going undetected ?(Dyck, 2023), we believe that other analytic techniques are required for all of these approaches. So, how can you augment your risk analytics to do better?

Our team, has spent years as practitioners educating organizations how to bring clarity to fraud. Including, specifically the risks of auditors not discovering materials misstatements and fraud (“audit risk”) as seen through the array of accounting fraud schemes as we use in our financial statement fraud taxonomy below.

Grounded in the practitioner experiences of investigating and studying these events for many decades, we took that knowledge and built??óta Signal Analytics ?to help investors and others like regulators, wholesale lenders, and vendor managers get better transparency into public company financial statements from the outside-in. We did so, having too often observed that organizations are unnecessarily relying on incomplete or misleading signals about a company’s financial condition. Tragically so, when the valuable risk signals are actually hidden in plain sight right within the company financials.?

In the first instance our?Pressure Risk ?óta Score?signals a company’s susceptibility to material misstatements through fraud or mismanagement. In many ways, the kind of advanced analytics to highlight the hidden?“pressure” risk, that in October 2022 the SEC Chief Accountant Paul Munter suggested for gatekeepers and the markets to prioritize attention on ?(Munter, 2022),?is what we have built.

Second, our?Asset Revenue Overstatement (ARO)??óta Scores?signal the degree of financial statement fraud risk across our taxonomy of fraud schemes. In simple terms, developing those latent telltale signs that are often present in damaging corporate failings after the fact, but camouflaged to fit-in and avoid traditional detection approaches.?

Put together, these two complimentary lenses offer your organization the early warning of a company’s potential financial misstatement risks due to mismanagement or fraud, and with it whether there are signs that they may have begun manipulating financials to camouflage their true financial condition from the market and its associated gatekeepers, or not.?

Our AltData SaaS analytics provide you the capability to see for yourself,?what auditors should be seeing and reacting to skeptically in their risk assessments of publicly traded firms’ financials before they audit them (PCAOB, N.D). These signals embedded in your organization’s due diligence approach can transform your current mode of maybe reacting to sporadic interventions by the PCAOB and SEC, or related publicly reported controversies from groups such as short-sellers. You probably wouldn’t drive your car based on what risks you previously navigated through the rear-view mirror, and your audit risks and financial misstatement risks need not be reactive either, waiting for restatements and materialized manipulation events to become public; on average two years after they started.??

As depicted in this real company example from an organization with manipulated financials:

• we have observed that the?Pressure Risk ?óta Scores?are often the leading indicator of Asset Revenue Overstatements (ARO). As such it can be an early warning for counterparties of future damaging company restatements, not to mention the risk of consequences of negative attention from related class action lawsuits, regulatory investigation, or enforcements against the company concerned, or its auditors;?
• accounting manipulation and fraud, such as revenue recognition schemes, are often observed to be at the center of relieving Pressure Risk spikes; often only known in later years to the market through published restatements or enforcements; and
• with many private companies supplying their financial reporting data as part of the IPO registration process, “fraud in flight” before public registration can also be revealed.

Leveraging our automated AltData SaaS insights, what traditionally took highly skilled and expensive forensic accountants days, if not weeks, to analyze a single company, entire exchanges get risk scored in mere seconds for you. Our flexible data model and intuitive analytics provide insights that can help your organization mitigate the audit risk of incorrectly classifying something as okay when it’s not or vice versa. So, whether you are looking at audit risk and the susceptibility to misstatements and accounting fraud at an individual company level or portfolio level, your organization can see outside-in signals of the hidden risks in financial statements and react proactively in your selection and deselection risk management approaches.?

For example, shown here are the?Pressure Risk??óta Scores?and?Asset Revenue Overstatements (ARO) ?óta Scores?for one institutional investor.

Shown in market-values (in $ millions), the portfolio ARO scores of “7” (on a 15-point scale where 7 is the highest risk) can quickly be analyzed in our datasets to identify the underlying companies, and provide early warning of their emerging risks, produce lines of focused inquiry, and potential needs for urgent intervention where warranted.?

If you have already acknowledged the limitations of the PCAOB inspection data for extrapolation, but still really need to know how the concentration of audit risk looks across a particular audit firm and the organizations they are auditing, our data model and analytics could support you with that perspective and insights too.??

As depicted in this audit firm company portfolio scored through Pressure Risk ?óta Scores and Asset Revenue Overstatements (ARO):

• audit firms can gain an understanding of where the greatest potential for financial statement risks is within all of their audited entities, and can ensure appropriate experience exists in the audit teams assigned to that company or even industry sector;
• investors can see existing or recent audit quality deficiencies alongside a holistic view of the aggregate financial misstatement risks an audit firm is managing; and
• regulators, associated oversight bodies, and related gatekeepers can see where audit quality and audit risk inspections are most valuable based upon risk to investors.

Whatever approach to due diligence your organization has adopted to counter these types of risks, the chances are it remains time consuming, expensive, incomplete, and often frustrating when it’s exposed as deficient after-the-fact once audit risk has materialized. Few due diligence capabilities help organizations with individual company or portfolio views of what might go wrong in the future that you can act upon before you and your stakeholders get harmed. So, how can you get ahead at scale and prioritize your due diligence where the audit risk and your organizations risk reside are hidden? We have seen and applaud that a few leading investment organizations such as Nicolai Tangen CEO of Norge Bank Investment Management?have been?augmenting their existing investment risk management processes with the insights of forensic accountants and fraud experts to increase their capability to analyze companies where there are financial misstatement risks they can and have avoided ?(Fixsen, 2021). The kinds of Insights, which with??óta?you can use for ongoing portfolio and broader market monitoring across over a hundred countries, 173 exchanges, and with trend history going back to the 1980s.??

Perhaps you too are now ready to invest in the insights garnered from forensic accounting and fraud risk experts with deep practitioner knowledge in helping you get a head start on your exposure to audit risk, misstatements, and accounting fraud by companies that matter to you. ?óta provides your organization with an outside-in view of potentially hidden mismanagement and manipulation of company financials to put alongside the other existing pieces of your market analytics capabilities.?

References:

Bousquette, I. (2023, March 14th).?IT Leaders Reassess Vendor Risks After Silicon Valley Bank Collapse CIOs say they are checking in with suppliers and have brushed up on contingency plans. ‘If you receive the warning from the universe, take it on board.’.?The Wall Street Journal. https://www.wsj.com/articles/it-leaders-reassess-vendor-risks-after-silicon-valley-bank-collapse-3acbab51 ?[ Isabelle Bousquette ]

Center for Audit Quality (CAQ), (2021, March).?Guide to PCAOB Inspections 2021.https://thecaqprod.wpenginepowered.com/wp-content/uploads/2021/03/caq_guide-to-PCAOB-inspections_2021-03.pdf ??

Collins, B. (2020, June 26th).?Wirecard Collapse Drags Down Online Banking Services. Forbes. https://www.forbes.com/sites/barrycollins/2020/06/26/wirecard-collapse-drags-down-online-banking-services/?sh=9511eb52e282 ?[ Barry Collins ]

Doty, J.R. (2015). The Role of the Audit in Capital Formation. Speech at 2015 FEE Audit Conference.?https://pcaobus.org/news-events/speeches/speech-detail/the-role-of-the-audit-in-capital-formation_566#:~:text=Whether%20the%20audit%20is%20compulsory,investor%20demand%20for%20their%20securities . [ James Doty ]

Dyck, A., Morse, A. & Zingales, L. How pervasive is corporate fraud?. Rev Account Stud (2023).?https://doi.org/10.1007/s11142-022-09738-5 [Alexander Dyck ?Luigi Zingales ]

Fixsen. R. (2021, April 7th).? NBIM revises strategy, builds in Tangen’s focus on mental toughness.?IPE.?https://www.ipe.com/news/nbim-revises-strategy-builds-in-tangens-focus-on-mental-toughness/10052046.article ?[ Rachel Fixsen ]

Ho, S. (2023, June 22nd).?Advisory Panel Discusses Ideas to Increase Transparency of Audit and PCAOB Inspection. Thomson Reuters. https://tax.thomsonreuters.com/news/advisory-panel-discusses-ideas-to-increase-transparency-of-audit-and-pcaob-inspection/ ?[ Soyoung Ho ]?

Livni, E. (2023. January 14th).?Just How Common Is Corporate Fraud?. The New York Times.?https://www.nytimes.com/2023/01/14/business/dealbook/how-common-is-corporate-fraud.html ?[Ephrat Livni ]

Maurer, M. (2023, July 25th).?Accounting Watchdog Expects Deficiencies in 40% of Public-Company Audits in 2022. The Wall Street Journal. https://www.wsj.com/articles/accounting-watchdog-expects-deficiencies-in-40-of-public-company-audits-in-2022-badfcda ?[ Mark Maurer ]

Munter, P. (2022. October 11th).?The Auditor’s Responsibility for Fraud Detection. News. Statement. United States Securities and Exchange Commission. https://www.sec.gov/news/statement/munter-statement-fraud-detection-101122 ?[Paul Munter ]

Public Company Accounting Oversight Board (N.D). AS 2401: Consideration of Fraud in a Financial Statement Audit. PCAOB. https://pcaobus.org/oversight/standards/auditing-standards/details/AS2401

The Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), Treasury (2023, June 8th).??Interagency Guidance on Third-Party Relationships: Risk Management.?Volume 88. Page 37920. https://www.occ.gov/news-issuances/federal-register/2023/88fr37920.pdf