The first issue of Fraud Magazine, May/June 2024, featuring Douglas R. Carmichael, Ph.D., CFE, CPA
Cover Article

Giving SOX and Fraud Examiners Genuine Clout: An interview with PCAOB chief auditor Douglas R. Carmichael

By Dick Carozza, CFE
Date: May 1, 2004

Douglas R. Carmichael, Ph.D., CFE, CPA, chief auditor of the Public Company Accounting Oversight Board, has the tough task of guiding the standards-setting procedures of the Sarbanes-Oxley Act while balancing the interests of diverse groups. This CFE is ready for the challenge.

The economic pendulum swings widely in the United States. From the promise of riches and unbridled greed of the ’90s to the bursting bubbles and shocked austerity of the ’00s – the country has seen the extremes. When monolithic corporations crumbled due to fraud and average citizens lost jobs and pensions, Congress stepped into the gap and created the Sarbanes-Oxley Act (SOX) of 2002.

The lawmakers’ outrage spawned the far-reaching Act but now it’s time for the new Public Company Accounting Oversight Board (PCAOB) to clarify and implement. The Act established the PCAOB as a private-sector, non-profit corporation to oversee the auditors of public companies to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.

Fraud Magazine recently spoke to Douglas R. Carmichael, a Certified Fraud Examiner, and the first chief auditor and director of professional standards of the PCAOB, about his efforts to implement SOX.

Dr. Carmichael has the task of guiding the standards-setting process while balancing the concerns of investors, the general public, auditors, fraud examiners, corporations, the Securities and Exchange Commission (SEC), and Congress. On March 9, the PCAOB approved the important standard, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” Section 404(a) of SOX and the SEC’s related implementation rules require the management of a public company to assess the effectiveness of the company’s internal control over financial reporting. Section 404(b) of the Act, as well as Section 103, directed the PCAOB to establish professional standards governing the independent auditor’s attestation, and reporting, on management’s assessment of the effectiveness of internal control.

The new standard requires auditors to review management’s assessment of corporate controls, run their own tests of those controls, and, among other requirements, judge the effectiveness of corporate board members who sit on a firm’s audit committee. As of publication time, the SEC still had to approve the rule. (The text of the auditing standard and related appendices are at www.pcaobus.org under “Rulemaking.”)

Dr. Carmichael comes to the job as an experienced practitioner, consultant, author, and academician with a desire to serve. He will be one of the keynote speakers at the 15th Annual ACFE Fraud Conference & Exhibition. (See page 43.)

Dr. Carmichael answered our questions in his new office at the PCAOB in Washington, D.C. (Dr. Carmichael’s views are his own and don’t necessarily reflect the views of the PCAOB Board or other members of the staff.)

Fraud Magazine: I know you’ve been in your new job for approximately one year. What’s it like to be a CFE in the midst of a trailblazing governmental effort?

Carmichael: It’s really a unique opportunity because the main reason that the Sarbanes-Oxley Act was passed was to respond to the concerns of the American public and Congress about major fraud in companies like Enron and WorldCom. So the perspective I bring to it as a Certified Fraud Examiner helps a great deal in that environment.

FM: In what specific ways?

Carmichael: It was more personal with me because I not only had been a CFE but also had been involved with standards-setting in the past. A lot of my work as a CFE involved investigating alleged audit failures and trying to assess what happened, and the deficiencies in complying with the standards. So it is an unusual opportunity to be able to put that background and knowledge to work to improve auditing standards and the quality of auditing practice.

FM: ACFE members might think, “one of us is in this job.” Even though you have to balance out the views of many, I’m sure it helps that the members know there’s someone at the PCAOB who can speak their language.

Carmichael: I hope so. I think that the detection of fraud is such a major part of an audit of financial statements that having the CFE certification is really helpful in developing the necessary improvements in professional standards.

FM: As the first chief auditor of the PCAOB, what do you see as your biggest challenge?

Carmichael: There were several large challenges apparent at the start. One challenge that we just completed is release of the standard related to Section 404 (of SOX) on internal control. That was probably the most difficult standard we’re going to have to deal with because it related to developing standards for a comprehensive and complex area of activity for independent auditors. That standard was extremely important because it was mandated by the Sarbanes-Oxley Act and the SEC established a tight time schedule of implementation of its rules by management. All that put a lot of pressure on us to release a very comprehensive standard, which we did. Another critical challenge was to build a staff with collective extensive experience in auditing practice and standards-setting. I’m proud to say we have an excellent staff with impressive knowledge and background as well as dedication and a passion for standards-setting.

FM: What has been your biggest surprise?

Carmichael: The great interest in our standards-setting has been a surprise. Every open meeting that we’ve had on standards-setting has had a huge turnout of observers and press, there’s been a lot of Congressional interest, and the SEC is closely following what we’re doing. I expected the interest from CPA firms and to a certain extent from issuers (public companies), but we’ve also had significant interest from investor groups. We’ll be calling on those groups more in the future.

FM: PCAOB Auditing Standard No. 2 states that the identification of fraud of any magnitude on the part of senior management, or the discovery of material financial statement fraud that wasn’t initially identified by the company’s internal control over financial reporting is a “strong indicator” that a material weakness in internal control over financial reporting exists. Some people think this is at odds with the position taken in the Federal Sentencing Guidelines for Organizations, where the commentary states that “Failure to prevent or detect the instant offense, by itself, doesn’t mean that that [compliance] program was not effective.” [USSG Section 8A1.2, comment (n 3(k))] It seems that the new standard could be a recipe for even more dissatisfaction with auditors and more litigation against them, since we know that it’s impossible to prevent and detect 100 percent of frauds. Is the PCAOB asking more of auditors than they can deliver?

Carmichael: As far as litigation, the key issue is that responsibilities established by standards should be specific and definitive. When a professional doesn’t know his or her responsibilities, that’s when there are unfortunate litigation problems. If you can be clear about the responsibilities, naturally people are going to be held accountable for meeting those responsibilities and if they don’t, there will be consequences – from the PCAOB and from people pursuing private rights of action. However, the cause will be their own failure to meet clear requirements.

As far as the sentencing guidelines – our objectives and the objectives of internal control over financial reporting are different from the sentencing guidelines. We emphasize the importance of the “tone at the top” of an organization. Unless there’s an effective internal control environment then the rest of the controls are not going to be effective. That was our reason for highlighting any fraud by senior management as being so critical. Fraud by senior management is incontrovertible evidence of a poor tone at the top. It is the case that a fraud by senior management could result from management overriding the controls but we think that in a good organization there will be controls in place to deal with management override. It’s critical that those controls include, for example, the audit committee.

In contrast to past practice there is a strong incentive to identify fraud by senior management as a material weakness. However, if there is a fraud by senior management it’s possible for the auditor of the company to conclude that there’s not a material weakness. We identify it as a strong indicator but stop short of saying that it is presumptively a material weakness. But by saying that it is a strong indicator we shifted the responsibility to those who take that position to be able to substantiate and be comfortable with it not being a material weakness.

FM: What if a major fraud is discovered at a SEC registrant in the future and previously the auditor may have issued not only a clean opinion on the fraudulently misstated financial statements but also a favorable attestation report on the internal controls related to financial reporting. Would they be open to liability at that point?

Carmichael: Liability is always an issue when there is a legitimate case that the required duty of care was not met, and I believe there is no doubt that having the auditor responsible for expressing an opinion on both the internal control over financial reporting as well as the output from that system really raises the stakes and puts a real pressure on the auditor to do a better job in both areas. But I believe that the liability is not going to be there unless the work was not done with the necessary degree of care.

FM: Based on feedback from several thousand seminar attendees who have studied the ACFE’s Fraud Prevention Check-up, we have yet to find a company that would achieve a passing grade in that evaluation. Some people say this indicates that all the companies evaluated under Section 404 should likely be reported as having material weaknesses in their internal control over financial reporting, relating to fraud prevention and detection. Do you think this will happen in practice and if not, should we be relieved or concerned?

Carmichael: Companies have a substantial period of time to improve things and avoid an opinion that their systems aren’t effective. I think that the issue will be whether companies will go ahead and do that. A lot of companies have not had good control systems or haven’t adequately documented them or tested in the past. That’s going to have to change. Generally, I think public companies recognize that’s the case, and it’s going to be necessary to make improvements so they can say that by the time the reporting starts their systems are effective.

FM: Many companies believe that Auditing Standard No. 2 will incur inordinate costs and overcharges for the extra benefits. What’s your viewpoint?

Carmichael: We received many comments to that effect during our proposal period and we did try to make our standard more balanced and flexible. Instead of providing a long list of required procedures we included criteria for using the work of others and what it could be used for. We have raised a fairly high bar for achieving that but we do permit that kind of flexibility. We definitely did take cost-benefits into consideration. We tried to develop a balanced standard but one that made it clear that it was the independent auditor’s ultimate responsibility, whether the auditor was using the work of others or doing the work himself or herself.

In addition, it’s probably inevitable that in the first year the costs will be higher because companies have not necessarily had good controls. ... Both management and the auditor in the first year are probably going to be erring on the side of getting it right rather than making mistakes. If people are doing a good job those costs should begin to drop after the first year.

FM: There has been controversy on the requirement that auditors judge the effectiveness of audit committee members who have the power to hire and fire them. Why did the PCAOB decide to retain that requirement?

Carmichael: There were several reasons. Many said there was always a conflict that the auditor had with the management of the company. Sarbanes-Oxley takes care of that conflict by making the audit committee the group that hires and fires the auditor. But now you’re putting another similar conflict back in. I think it’s not the same because management’s performance is reflected in the financial statements that are being audited. It’s not the audit committee’s performance. The audit committee doesn’t have the kind of vested interest in exaggerating its performance in the financial statements that management might have. And, therefore, the conflict is not the same kind of conflict at all.

The Sarbanes-Oxley Act did place critical importance on the role of the audit committee. Some people said the audit committee is the responsibility of the board of directors. However, we believed that if the audit committee wasn’t doing its job it was because the board wasn’t doing its job. And if that were the case there would be no one in that whole process – the management, the board, the audit committee – blowing the whistle. Really, the only objective party in that whole process that can stand up and say there’s a problem when the audit committee isn’t doing its job is the independent auditor. Therefore we felt that it was important that the independent auditor have that responsibility.

We believe the auditor would have the knowledge and experience to do it because auditors have exposure to a great number of audit committees and the different kinds of practices that audit committees follow. So we didn’t think it would be difficult. We were not expecting the auditor to make some kind of scaled evaluation to grade the audit committee but when the audit committee is not doing its job to stand up and say so.

FM: What are some of the major components of Auditing Standard No. 2 that should encourage fraud examiners that companies will be held accountable?

Carmichael: There is a section at the beginning of the standard that points out the importance of fraud controls. Also, at several points we recognize the significance of management override, which is usually involved in frauds. That’s one of the reasons the audit committee is such an important factor. There are relatively few things that deal with management override; the audit committee is one.

Another is whistle-blowing responsibilities and a system to receive anonymous complaints. It’s required by Sarbanes-Oxley and is something we would expect the auditor to be following up on.

FM: Some believe that SOX’s pass/fail nature of the attestation report would create additional auditor bias and transmit less information to investors than is desirable. One view is that registrants should instead receive grades for their internal controls (similar to the credit risk ratings they receive from Standard & Poor’s or Moody’s), which could provide an incentive for excellence. What are your thoughts on that issue?

Carmichael: I believe that, going forward, alternatives to the pass/fail reporting approach definitely have to be explored. That wasn’t really possible with this standard because Section 404 and the SEC implementing rules require management to give an opinion on whether internal controls are effective and the auditor is required to give an opinion as to whether he or she agrees with management. So the Act and the implementing rules establish pass/fail as the approach. Plus the reporting on the financial statements is still in a pass/fail mode. It didn’t seem appropriate to have a different approach for audits of financial statements versus audits of internal control. I believe that it’s important to reexamine that possibility in the context of all audit reporting and not just reporting on internal controls.

FM: So do you think the PCAOB will look at this in the next year or so?

Carmichael: I don’t believe it would be in the next year because it’s such a big project and there are other pressing priorities, but the Board should begin to explore ways of improving audit quality through having the auditor issue more informative reports, relatively soon.

FM: The necessary specific language about what constitutes effective anti-fraud programs and controls or internal control relating to the prevention, identification, and detection of fraud is said by some to be vague or patchy in the COSO framework that auditors are required to use for Section 404 evaluations. Does the PCAOB think there is enough guidance to enable companies and auditors to issue opinions that are consistent and reliable about the operating effectiveness of companies’ fraud prevention and detection efforts?

Carmichael: COSO is clearly an acceptable framework. The SEC has indicated that it is but I think any company using it has to recognize that the COSO framework was created in an earlier environment and companies should update it when implementing it. In other words, COSO’s framework was developed before audit committees were given the role they have today under Sarbanes-Oxley. As CFEs know, there have been innovations in fraud prevention and detection since then. So it’s certainly incumbent upon companies to implement the COSO framework within the current environment and not to view it as something static that doesn’t require improvements.

FM: What can fraud examiners do to help their clients and businesses better understand PCAOB’s efforts?

Carmichael: I believe some of the key things would be stressing the importance of implementing the Section 404 requirements and the audit committee requirements promptly ... and stressing, as I’m sure they will, the importance of being vigilant in the areas of fraud prevention and detection. You would think that the day has passed when people would take an “it can’t happen here” attitude, but it’s always important to work to overcome that attitude.

FM: The PCAOB has laid some stringent – some would say overdue – standards on auditors. Some auditors believe that they are being asked to perform functions for which they weren’t trained. What are some options for these auditors?

Carmichael: We’re going to be looking at the training programs at registered CPA firms and particularly in the coming year how SAS 99 is being implemented in training and actually put to use in doing audits. So people in the firms should know that’s coming. I don’t believe that’s a secret. An essential part of the training is being knowledgeable about how frauds are being perpetrated and concealed.

FM: If the SEC approves Auditing Standard No. 2, what are the PCAOB’s future plans to give companies and auditors more guidance on how to make the subjective evaluations implicit in the standard?

Carmichael: We are in the process of identifying implementation issues and we expect to be issuing guidance in the implementation of Standard No. 2 sometime after the standard becomes final.

FM: I would imagine that there are fraud examiners who are quite pleased that the PCAOB actually exists now and that they can have a little bit more clout behind what they’ve been telling their bosses for years now.

Carmichael: Yes, that’s certainly what people have told us – that there’s a great opportunity within corporations. Resources that are now available for fraud prevention and detection and improving financial reporting generally are unparalleled. ... It’s a good time to be a fraud examiner. 

Dick Carozza is the editor of Fraud Magazine.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
