Years after Wells Fargo & Co. and Volkswagen AG shelled out billions to settle federal fraud allegations, investors are still eager for tougher rules that would make auditors weigh the financial toll of deceiving customers and regulators.
The end appears in sight. The US audit board has pledged to modernize requirements dating back decades that spell out how auditors should consider the risk that public company clients violated a law or regulation when vetting their earnings and balance sheets.
Investors want the changes to shed more light on corporate crimes. Accountants and lawyers, meanwhile, say the audit requirements should reflect modern governance practices like ethics hotlines and risk assessments—safety nets that didn’t exist in the 1980s when the rule was written.
“They are more important than ever,” said Steven Richards, a former auditor and now senior managing director with Ankura Consulting Group, of the board’s rules for vetting possible crimes that auditors come across in the course of their work. But those rules haven’t kept up with how businesses operate, nor investors’ higher expectations of auditors, he said.
The Public Company Accounting Oversight Board adopted its illegal acts standard along with other pre-existing rules when the Enron-era regulator first formed in 2003. Those borrowed rules were written by the audit industry before it was regulated by the board and many of the rules remain on the books largely unaltered.
The standard that the PCAOB picked up dates to 1988. It responded to fallout from corporate bribery scandals linked to Watergate, but misses the impact of subsequent securities law changes, whistleblower programs, and updates to other PCAOB rules.
The standard makes clear that it’s not up to auditors to determine whether a crime has been committed. Instead, the auditors’ job is to consider whether the possible cost of misdeeds like an environmental spill or sexual misconduct involving a top executive would materially impact the financial statements. But the rule states that often those financial statement ramifications are indirect.
“We need a fraud standard and an enhanced fraud standard because there’s so many ways to commit fraud today,” said Stephen Masterson, a former audit partner who has served as the CFO of two banks. “The fraud’s going to touch the financial statements either through a lawsuit or through a loss or through just misreported earnings.”
The rules don’t go far enough to capture serious internal failures like high-pressure sales tactics at Wells Fargo or emissions cheating by automakers. And investors have asked for tougher, clearer rules that would warn them sooner about legal risks that could threaten the value of their shares.
The bank admitted in a 2020 agreement with the Justice Department to collecting millions of dollars in fees and interest stemming from millions of customer accounts set up without their consent. The bank’s stock price dropped as the phony accounts scandal became public, and sanctions doled out by banking regulators curtailed its business growth.
The bank’s auditor, KPMG LLP, found that the fake accounts and fees improperly charged to the account-holders were insignificant compared to the scale of the company’s financial statements.
But to investors, the bank’s actions had a material impact on the value of their shares, exposing a gulf between shareholder expectations of auditors and the illegal acts standard.
“It says, ‘Here’s what we don’t have to do.’ It doesn’t say anything about, ‘They’ve got to consider the impact of events like that’,” said Lynn Turner, former chief accountant to the SEC, about the PCAOB rule. “That’s ridiculous.”
Turner and other investor advocates previously urged the board to require auditors to proactively search for possible law-breaking and to take specific steps to assess any financial statement fallout when they uncover misbehavior. Auditors, they say, also should have to report whether or not they learned of any law violations during the course of the audit.
The suggestions borrow from similar but more modern standards that apply to federal government financial audits and business audits conducted internationally, Turner said.
The board researched possible updates to the rule in the wake of the Wells Fargo accounts scandal. But those efforts were scuttled following a leadership overhaul in 2017.
Under new leadership once again, the board earlier this year added a project to its expansive rule-writing agenda to revise the outdated measure, sometimes referred to as non-compliance with laws and regulations. A draft of possible changes is expected in 2023, according to the PCAOB’s fall agenda update.
Out of Date
The list of possible crimes and regulatory violations that auditors may encounter while combing through corporate records includes bribes, federal banking law violations, price fixing, and cybersecurity breaches. How corporate managers and their auditors respond to such risks has evolved over time.
“All those things can have a dramatic impact on the reputation and the financial performance of a particular stock. Maybe that’s always been the case, but I think we have a greater appreciation for how those kinds of events can be material,” said Lisa Wood, a partner and accountant liability lawyer with Foley Hoag LLP.
A pair of significant securities law changes already have reshaped how corporate leaders and their outside auditors respond to legal violations.
Corporate managers now have to identify and disclose any potential illegal acts to the auditor. That includes conversations between company lawyers and its auditors, which are more robust than they once were, said Wood, who believes the audit rule continues to work well.
Among the changes over the last three decades, a 1995 litigation reform law requires auditors to report their clients to the SEC if corporate leaders don’t address the legal risk from a crime or regulatory violation if it has a material impact on the financial statements.
And the 2002 Sarbanes-Oxley Act, which created the PCAOB, tasked corporate directors with overseeing the audit and for ensuring reliable financial reporting. Among other key reforms, that law also ushered in a new era of reporting controls that provided greater confidence in corporate accounting.
Whistleblower programs and chief compliance officers also weren’t mainstays of corporate operations in the 1980s, said Richards of Ankura, who supports efforts to revamp the requirements. “It’s a really different world from a governance standpoint,” he said.
The PCAOB has an opportunity to improve audits involving possible crimes and other legal breeches by clarifying how auditors should incorporate those same legal and governance changes into their work, he said.
Emerging Front for Fraud
Another way the rule may come into play is through new fraud risks stemming from proposed SEC climate reporting requirements, said Richard Chambers, a senior advisor at AuditBoard Inc., a risk management platform, and the former CEO of the Institute of Internal Auditors.
“People don’t think you can have fraud to meet environmental regulations. You don’t have to go very far back to look at Volkswagen,” Chambers said.
Volkswagen agreed to pay $4.3 billion in civil and criminal penalties to settle charges that it mislead the government and customers about whether some vehicles met US emissions standards, a violation of the Clean Air Act. It’s stock price also suffered.
VW and other automakers cheated on the testing to meet environmental targets, not just to boost profits, Chambers said.
“What gets measured, gets done,” he said, “and it also gets gamed.”