November 4, 2013

Expanding Roles and Responsibilities in Corporate Governance: Change for the Better

Cindy Fornelli
Executive Director, The Center for Audit Quality

SIFMA Internal Auditors Society
Annual Conference 2013
Delray Beach, FL

November 4, 2013

Thank you for that kind introduction.

It is an honor to be here with you all today, and I say that for a couple of reasons.

First, I very much appreciate the work that the SIFMA Internal Auditors Society does representing internal auditors from across the securities industry. Last month, I had the opportunity to participate in a Society seminar on fraud risk in New York. It was a great discussion, both among my fellow panelists and with a very engaged audience.

Another reason I’m pleased to be here is that I have to say that joining you all today makes me feel like an ambassador of sorts.

Internal auditors, as you well know, represent a key pillar of good corporate governance, along with audit committees, management, and external auditors.

And as John mentioned, the latter of those pillars—external audit—is focus area of the organization I lead, the Center for Audit Quality. So like an ambassador, I come to you to build relations and share with you a view into the world of external audit today.

So, just what is that view?

Broadly, as I see it, the role and responsibilities of external audit are expanding, just as they are for internal audit—and indeed just as they are across the spectrum of corporate governance. This expansion has implications for all of us, not the least of which is the importance of working together. As I’ll discuss, my view is that when internal and external auditors work together, both are more effective.

Today, I want to take a closer look at this and the other implications of the expanding and transforming roles and responsibilities in corporate governance. There are three areas that I will cover.

First, I’d like to briefly introduce you to the CAQ and our approach.

Second, I’ll touch on the state of affairs in corporate governance, from the standpoint of the public company auditing profession. Now here’s the short version: Things are good, but we are committed to a continuous cycle of improvement.

Finally, I want to touch on how we all can work together to enhance audit quality and financial reporting. What are a few key things we need to do to improve corporate governance for the benefit of businesses, investors, and the economy?

Let me start by telling you a bit more about the CAQ.

The CAQ was founded in 2007, in the wake of the passage of Sarbanes-Oxley Act and the accounting crisis that precipitated it.

The Center is an autonomous, nonpartisan, and nonprofit public policy advocacy organization. It is governed by a board made up of the CEOs from the eight largest accounting firms and the American Institute of CPAs, and three members from outside the public company auditing profession. We now have nearly 600 U.S. public company auditing firms as members.

The CAQ has a simple overarching mission. We are dedicated to enhancing investor confidence and public trust in the global capital markets. We do this by fostering high quality performance by public company auditors; convening and collaborating with other stakeholders to advance the discussion of critical issues requiring action and intervention; and advocating policies and standards that promote public company auditor’s objectivity, effectiveness, and responsiveness to dynamic market conditions.

In carrying out these objectives, we provide thought leadership on proposed rules and standards by conducting our own research. We also work closely with the academic community to facilitate outside research relevant to the auditing profession.

Like the Society, we offer webcasts, events, and tools for the profession and other members of the financial reporting supply chain. All of our resources are free of charge and publicly available on the CAQ’s website: TheCAQ.org.

So that’s what the CAQ does. Now, what’s our view of the state of things?

Broadly speaking, our view is simple—and positive. Public company auditing is in very good shape in the United States. Arguably, it’s in the best shape it has ever been in.

Now, that doesn’t mean we’re all on easy street. As you know, all of the constituents of the financial reporting supply chain operate in an increasingly complex and challenging environment.

Among other things, they must manage the challenges of fair value accounting, increasingly complex transactions and new and evolving standards and regulations in fast-paced global economy.

But we have indicators that public company auditors and others in financial reporting have made real progress over the last decade or so.

Here’s one data point for you. An analysis of financial reporting trends released earlier this year by Audit Analytics found that the total number of financial restatements has leveled off over the last few years. Meanwhile, the severity of restatements continues to decline, and restatements are being filed more quickly after a misstatement is disclosed. The average number of issues per restatement also has fallen to a 12-year low.

These improvements could well be a factor in the uptick that we’ve seen in investor confidence. Since 2007, the CAQ has commissioned an annual survey of investors on four key confidence measures pertaining to capital markets. We call this our Main Street Investor Survey.

The survey only targets individual and not institutional investors. To qualify for it, an individual must have at least $10,000 invested in stocks, bonds, mutual funds, or a retirement account. So these truly are “man on the street” investors.

In 2007, when we started the survey, investor confidence in U.S. capital markets clocked in at 84 percent. But then the financial crisis hit, and confidence fell to a low of 61 percent in 2011.

Happily, we’ve seen a rebound. For our most recent survey, in August, investor confidence moved up to 69 percent.

We also polled investors on confidence in investing in U.S. public companies. Here the percentage of investors expressing confidence rose to 79 percent, up eight points from last year.

And with respect to confidence in audited financial statements released by public companies, confidence has held steady at a respectable 72 percent.

So restatements are down, and confidence is up. We are trending in the right direction. Still, I want to be careful not to paint too rosy a portrait for you today. As we all know, there is room for improvement and enhancements in corporate governance.

The auditing profession recognizes this fact, just as investors do. Regulators certainly see the need for change, and they are pressing forward with a wide range of proposals aimed at bolstering the structure of corporate governance. In many areas, roles and responsibilities are set to expand.

 We’ve seen this expansion in the context of broker-dealers, of course, with the Securities and Exchange Commission’s adoption of new audit and reporting requirements for brokers and dealers. As you know, the Public Company Accounting Oversight Board adopted final audit and attest standards for auditors of brokers and dealers last month.

I’ll note that the CAQ is encouraged by these developments, notably the PCAOB’s efforts to balance regulation and investor protection through a risk-based approach that is designed to be scalable based on the broker's or dealer's size and complexity.

The rules help provide some structure and a framework of how to do an attest for a broker-dealer. Having a regime in place, knowing expectations, and hearing the results will give clarity to the marketplace.

In the remainder of my time, I’d like to discuss more changes we are seeing. What are the key issues, and what do we, as key stakeholders, need to do?

Well, there are probably dozens of things to do, as I know you will hear and discuss over the next few days. But permit me to give you just three.

One, we can expand our roles and responsibilities by increasing transparency in a measured way.

Two, we can increase collaboration between key constituencies in corporate governance.

Three, we can push ourselves to do more in our own roles, while evaluating what these changes mean for the markets, investors, and the auditing profession, both internal and external.

Let’s start from the top: Increasing transparency. In the world of public company auditing, there are number of hot issues that fall under the heading of transparency.

For example, regulators and standard-setters have been exploring ways to update the auditor’s reporting model. At the CAQ, we have closely tracked these efforts, as well as the increasing calls for disclosure and transparency around the role of the auditor.

It’s important to keep these calls for change in context. As I mentioned, polling shows growing investor trust in audited financial statements.

Still, across industries and across the globe, the desire for greater transparency around what auditors and other entities do—and disclose—is unmistakable.

Here in the United States, the PCAOB has issued a rule proposal to change the auditor’s report. The CAQ will be weighing in on this proposal in December, when comments are due. We are also actively engaged on international proposals to update the auditor’s report.

The U.S. auditor’s report, of course, hasn’t changed in decades, so updating it presents quite a challenge. It will require a good deal of thought—and rigorous field testing—involving all members of the financial reporting supply chain.

The idea is to strike the right balance, because, as SEC Chairman Mary Jo White flagged in a recent speech, more information is not always better information. So we need to identify areas for meaningful, tailored disclosure and avoid information overload.

We also need to ensure the integrity of information in financial statements. Our view, for example, is that the external auditors should not be the original source of information about an entity. That responsibility belongs with management.

Here’s another key issue for us on expanding transparency: the effort to identify key performance indicators in audit quality, or “audit quality indicators” (AQI).

Last May, the PCAOB announced plans to pursue a project to define key elements of audit quality.

Just as with the auditor’s reporting model, the public company auditing profession believes that participants in the capital markets benefit from better information about the audit process—and that includes the factors that may affect audit quality.

So the CAQ has provided perspectives from the profession to the PCAOB as it contemplates reforms.

In short, we believe a communication of audit quality should do several things.

First, it should focus on engagement-level metrics with firm or industry metrics on a contextual basis, as relevant.

Second, it should recognize the audit committee’s oversight role and how the audit committee enhances confidence in financial statements.

Third, it should be the starting point for a meaningful dialogue with the audit committee on these metrics and which are most important to the audit committee.

Fourth, it should incorporate compliance with input- and output-based regulations and professional standards, as well as consideration of the audit firm’s own system of quality control.

And finally, it should link the key elements of an audit quality framework based on the PCAOB’s quality-control standards or other professional standards. These standards include areas such as ethics, and attitude; knowledge, experience, and time; process and execution; and reporting and communications.

As with the auditors reporting model, there are big challenges with AQI.

Certainly, one challenge is that views on audit quality vary quite widely among stakeholders. Much depends on the degree to which stakeholders have direct involvement in audits—and the lens through which they assess auditor responsibility and performance, thus our focus on audit committees. At the CAQ, we are working through these issues to achieve consensus where possible.

Which leads me to my second point on what we need to do. More than ever, in this transforming and expanding world of governance, we must collaborate with each other.

From the CAQ’s perspective, the value of working together has been particularly evident in the joint efforts to address the risks of financial reporting fraud.

Three years ago, the CAQ teamed up with several other organizations to form what we call the Anti-Fraud Collaboration. The Collaboration is made of up organizations that represent those in the anti-fraud supply chain: Financial Executives International, The Institute of Internal Auditors, and the National Association of Corporate Directors and the CAQ.

The goal of the Collaboration is to enhance the ability of the key players in the financial reporting supply chain to better focus on fraud deterrence and detection.

The Collaboration has developed educational programs and case studies. It has promoted forums for constructive debate and produced research, and, I believe, it has served as a catalyst for continuous improvement and change. All of our collaborative anti-fraud resources are free of charge and publicly available at AntifraudCollaboration.com.

We’re certainly gaining new insights from working together.

Last month, for example, the Collaboration released a report entitled “Closing the Expectations Gap in Deterring and Detecting Financial Fraud.”

I highlight this report, because it contains some striking findings, such as a recent survey of the members in the organizations that make up the Collaboration. That survey found that a large majority of respondents—87 percent—said that financial executives have primary responsibility for deterring financial reporting fraud. No surprises there.

However, the group that owns primary responsibility for detecting financial reporting fraud is less clear. Among those surveyed, 52 percent designated financial executives, a sizeable 31 percent put the primary responsibility on you, the internal auditors.

Let’s talk a bit about skepticism, an important component of deterring and detecting fraud. The survey asked each constituent group about their level of confidence that each party exercised a sufficient level of skepticism. As for board members, the vast majority of them are confident that the other three groups are exercising skepticism adequately. And most board members (75 percent) are also confident in their own ability in that area.

However, that belief is not at all held as strongly by other groups. For example, only 36 percent of internal auditors are confident in the board’s ability. For external auditors, that number improves somewhat to 46 percent.

Of course, trust also is important, and finding the right balance between trust and skepticism is key.

Although both external and internal auditors identify skepticism as key to performing their work, just less than half of internal auditors say they strike the right balance between trust and skepticism. By contrast, 70 percent of external auditors say they strike an appropriate balance.

In my mind, these results reinforce the need for effective collaboration. We need open and active lines of communication among the different financial supply chain participants. That way, we can work to close the expectations gap revealed in these statistics I just cited. In doing so, we’ll improve our chances of detecting and deterring fraud.

It seems communication between internal audit and external audit is particularly important. After all, both external and internal auditors have a responsibility to be aware of fraud indicators and to respond if anything is identified. Indeed, internal and external auditors look to the same standards for guidance.

This overlap should be regarded as an additive feature in corporate governance. Internal audit, of course, knows the company very well and its culture. That coupled with the experience of the external auditor in a variety of sectors and types of corporate structures can combine to help deter fraud. Working together, in other words, strengthens us both.

My final thought today on how we can change corporate governance for the better is this—we can all push ourselves to do more. We can embrace new responsibilities, even new skill sets.

For example, just think of developments in technology. This was a topic of discussion last August at the CAQ’s Symposium. That’s an event we hold each year where senior leaders of the profession get together with top academics to contemplate present and future challenges.

One item on our Symposium agenda was big data.

I’m sure you’ve all heard some of the stats here, but it’s hard not to be astounded by the figures. Ira Solomon, the dean at Tulane’s business school, told our symposium that we are creating 2.5 quintillion bytes of data per day.

He pointed out that data is starting to get measured not just in terms of megabytes and gigabytes, but bigger increments, like brontobytes. I don’t know about you, but I had never heard of a brontobyte before. To put this measurement in context, a brontobyte is characterized by a “1” followed by 27 zeros.

Also on that symposium panel was Robert Moritz, who as you know is Chairman and Senior Partner at PricewaterhouseCoopers. We’re also lucky to have Bob as chair of the CAQ’s Governing Board.

Bob said that in his judgment, auditors today are not leveraging big data and data analytics as effectively as they could.

He added that PwC is bulking up in its data capabilities, hiring technologists that know the latest on data collection and tagging. The firm is also developing its own algorithms that can predict where the risks are. This information, he noted, can be a huge help for companies, not just in the context of audits but also in simply understanding their own businesses.

At our symposium in August, our panel considered this simple example. Suppose an auditor works for a retailer, and that auditor spots a big improvement in margins in a business segment. Management may be using big data analysis and data mining to help drive that improvement in profitability. In interfacing with management, the auditor needs have a grasp of big data models and analytics.

Yes, technology is one area where we can all stretch ourselves, now more than ever.

But, on a less technical level, I think we can all look at our basic portfolio of responsibilities and find ways to improve.

If you’ll permit me, as an ambassador from the world of external audit, it seems there are a number of ways that internal audit can and will expand the valuable role it plays.

One enhancement is underway with the upcoming changes in the control assessment framework or COSO 2013.

Under that framework there is an opportunity for internal audit to better assist management in their assessment of internal controls over financial reporting.

Internal audit can also help management with scoping, risk assessment, and identification of control gaps or deficiencies.

As John [Noto] mentioned in his opening, outside of financial reporting, internal auditors need to make sure their seat at the table with management is well established.

The director of internal audit, for example, should be involved in risk assessment decisions of management. IA should be a part of due diligence and integration when considering, for example, any new product or acquisition.

The idea here is that IA can help management get things right the first time, as opposed to playing the after-the-fact role of doing cleanup when things go wrong.

Now I understand it may not be easy to expand IA’s role in this manner. After all, management sometimes views IA as the “Department of No”.

But that attitude sets up a false economy. As I see it, bringing in IA earlier actually helps efficiency. By elevating its voice at the beginning of a process, IA can save a company from headaches and hassle down the road.

I know I’ve covered a good deal of ground today, even if it’s not quite a brontobyte’s worth of information. But just to quickly recap:

From our standpoint at the CAQ, we are making progress in corporate governance. Financial reporting is improving, and investors show increasing confidence.

But, investors, regulators, and those of us in the financial reporting supply chain know we can do more.

We can work to increase transparency.

We can collaborate more, especially on key issues such as fighting fraud.

And we can push ourselves to embrace new roles, responsibilities, and skill sets.

I think if we do these things, we will strengthen our system of corporate governance, reinforce confidence in our markets, and work toward change that benefits our businesses, investors, markets, and our economy.

Thank you.