At its recent open meeting, the Public Company Accounting Oversight Board proposed for comment a new auditing standard concerning related parties and amendments to existing standards addressing a company’s significant unusual transactions and financial relationships with executive officers.[1] The PCAOB noted the auditor’s privileged vantage point in detecting improprieties involving these relationships and transactions, which have played a prominent role in numerous corporate scandals.[2] The proposals build on existing risk assessment standards and are intended to improve investor protection by requiring additional audit procedures. Like many of the PCAOB’s recent initiatives, the underlying current of the proposals is the dual need to improve the auditor’s professional skepticism and the audit committee’s appreciation of matters that are particularly susceptible to abuse.
While a detailed review of the proposals and their impact on financial reporting is beyond the scope of this alert memo, several of the proposed procedures should be taken into account by company management in evaluating the effectiveness of the company’s disclosure controls and procedures and board practices.[3] We highlight the most important of these points below. The importance of reflecting on these and other areas of potential vulnerability should not be underestimated, particularly given the SEC’s expanded authority under the Dodd-Frank Act to pursue aiding and abetting claims based on reckless (in addition to knowing) conduct and SEC staff comments that “gatekeepers,” including lawyers, will remain an enforcement focus for 2012.
Proposed Auditing Standard Regarding Related Parties
The PCAOB’s proposed standard on related parties would replace its interim auditing standard AU sec. 334, Related Parties. The new standard would incorporate the existing standard’s requirements, but would expand and refine them.[4] In particular, it would require the auditor to perform more detailed procedures to identify related parties, obtain an understanding of the nature of the company’s relationships with them and understand the terms and business purpose of related party transactions. A note included in the proposed standard also references AS No. 11, Consideration of Materiality in Planning and Performing an Audit, as a reminder that related party transactions have special status when considering materiality. Paragraph 7 of that standard states that even misstatements in amounts less than the materiality level used for the financial statements as a whole could influence the judgment of a reasonable investor because of qualitative factors, including for example the “sensitivity of circumstances surrounding misstatements, such as conflicts of interest in related party transactions.”
Included among the proposed procedures are the following:[5]
- Gaining an understanding of controls relating to relationships and transactions. The auditor must obtain an understanding of the company’s controls established to:
- identify related parties and relationships and transactions with them;
- authorize and approve related party transactions; and
- account for and disclose relationships and transactions with related parties in the financial statements.
- Additional management inquiries and procedures. The auditor should also make specified inquiries of management about related parties and transactions and relationships with them, including about:
- background information concerning the related parties (g., physical location, industry and number of employees);
- the nature of the relationships with related parties;
- the types of transactions entered into with each related party during the period under audit and the terms and business purpose (or lack thereof) for each type;
- the business reasons for entering into a transaction with a related party versus an unrelated party; and
- significant related party transactions that were not authorized as required under company policy or for which policy exceptions were authorized.
Under the proposal, the auditor should identify and make inquiries of company personnel who are likely to have additional knowledge about the above matters, including those in a position to initiate, process or record related party transactions, internal auditors, in-house legal counsel, the chief compliance/ethics officer and the human resources director. Some of these personnel may already be involved in regular communications with the auditor (e.g., legal and compliance professionals regularly meet with the auditor about legal contingencies), but others may not. If this procedure is included in the final standard, companies should be proactive in identifying the individuals having relevant knowledge and the other sources of information that will assist those individuals in responding to the auditor’s inquiries.
Proposed amendments to AU sec. 333, Management Representations, would complement these inquiries with management representations, among other matters, as to the absence of related parties or related party transactions that have not been properly accounted for and adequately disclosed. The management assertions would be appropriate under the proposed amendments even if the auditor’s procedures indicate that all relationships and transactions with related parties have been properly accounted for and disclosed.
- Mandatory procedures for related party transactions required to be disclosed. Certain mandatory procedures would apply to each related party transaction (or type of transaction) required to be disclosed. These include requirements to read the underlying documentation to determine whether the terms and business purpose (or lack thereof) is consistent with information obtained through the auditor’s inquiries and other audit evidence, and to determine whether the transactions were authorized and approved under company policies and procedures or exceptions granted.
- Communications with the audit committee. The proposal calls for specific communications with the audit committee about the auditor’s evaluation of the company’s identification of, accounting for and disclosure of related parties and related party transactions, as well as other significant matters, including:
- the identification of related parties or relationships or transactions with related parties that were previously undisclosed to the auditor;
- the identification of significant related party transactions (i) that were not authorized or approved in accordance with the company’s policies or procedures; and (ii) for which exceptions to those policies and procedures were granted;
- the inclusion of disclosure that a related party transaction was conducted on terms equivalent to an arm’s-length transaction and the evidence obtained by the auditor to support that assertion;
- the identification of significant related party transactions that appear to the auditor to lack a business purpose; and
- the audit committee’s understanding of the company’s related party relationships and transactions and whether the committee has any concerns about them.
The new standard would retain the requirement of AU sec. 334 that the auditor express a qualified or adverse opinion if management asserts a related party transaction occurred at arm’s-length without providing sufficient evidence to allow the auditor to arrive at the same conclusion. The Release clarifies that qualifying the assertion by stating that it is management’s or the company’s belief does not change the auditor’s responsibility to obtain sufficient evidence. It is noteworthy that management’s removal of the assertion at the auditor’s request due to insufficient support could affect the auditor’s assessment of the company’s internal control over financial reporting. This renewed focus on long-standing guidance suggests that management should review the adequacy of its process for developing supporting data. The guidance should also serve as a reminder to companies that similar qualifications in other settings do not give management a “pass” on developing appropriate support for the relevant assertions as part of their disclosure controls and procedures.
Even though directed at auditors, the proposed standard should prompt companies to take a fresh look at their policies and procedures for related party transactions to ensure that they are sufficiently robust and comprehensive to generate reliable and responsive information. Indeed, the kinds of information called for by the proposal are precisely those that should be reviewed as part of an effective compliance program. In this regard, it is noteworthy that if the auditor discovers an undisclosed relationship or transaction, it must (among other procedures) evaluate the implications for its assessment of internal control over financial reporting. To assist the auditor in identifying relationships and transactions, the Release lists examples of information and sources of information that could indicate that undisclosed related parties or related party transactions may exist. The examples would also be a good starting point for both finance and legal personnel when reviewing the adequacy of internal policies and procedures for consideration of related party transactions. We have reproduced them in Annex A.
To mitigate the risk of undetected relationships or transactions or abuse, a company should design controls and procedures that operate at least annually to identify related parties. The directors’ and officers’ questionnaire used to elicit information responsive to SEC disclosure rules about related person transactions[6] is a common procedure for this purpose, but it should not be the exclusive means used. Companies should have other controls that operate to cross-check and verify the extent of relationships and transactions, as well as controls that surface changes in interim periods (e.g., expansion of a recurring supply chain relationship with a related party). Special inquiries should be undertaken when there is a significant change in the company’s related persons or circumstances, such as following acquisitions or changes in directors or executive officers. Additional controls can include conflict of interest reporting obligations (often included in a company’s code of ethics), certifications, questionnaires for new directors and executive officers, as well as supply chain, accounting and similar internal inquiries and inquiries of other persons involved in a related party transaction.
Relationships and transactions should also be reviewed by management and the audit committee using a systematic approach, including clear lines of approval authority and appropriate documentation presented in a consistent format to mitigate the risk of uninformed decisions. Where deviations from internal policies and procedures are permitted, a well-documented and substantive rationale should be presented as part of the approval and oversight process and reflected in the company’s books and records (including the minutes of the deliberations of the audit committee).
Proposed Amendments Addressing Significant Unusual Transactions
The proposed amendments to standards addressing significant unusual transactions (i.e., those that occur outside the normal course of business or otherwise appear unusual due to their timing, nature or size) would also build on several existing standards, notably AU sec. 316, Consideration of Fraud in a Financial Statement Audit, AS No. 12, Identifying and Assessing Risks of Material Misstatement, and AS No. 13, The Auditor’s Responses to the Risks of Material Misstatement.
The proposed amendments in this area would require additional procedures for identifying significant unusual transactions and provide guidance for evaluating whether they are adequately accounted for and their business purpose adequately disclosed. Many of the procedures are comparable in nature and scope to those set out in the proposed standard addressing related parties and in some cases are explicitly linked to the risks involving related parties. For example, in identifying and assessing the risk of misstatement, the auditor would be required to make a specific inquiry of management and the audit committee about whether the company has entered into any significant unusual transactions and, if so, the nature, terms and business purpose (or lack thereof) of those transactions and whether such transactions involved related parties. Similarly, under the proposed amendments, the auditor should obtain an understanding of management controls to identify, authorize and approve, and account for and disclose, significant unusual transactions in the financial statements, if the auditor has not already done so when obtaining an understanding of the company’s internal control over financial reporting.
The proposed amendments also clarify the auditor’s obligation in evaluating the business purpose of a significant unusual transaction by requiring the auditor to evaluate whether the business purpose indicates that the transaction may have been entered into to engage in fraud or to misappropriate assets. To support this evaluation, the amendments to AU sec. 316 would require the auditor to design and perform procedures to obtain an understanding of the business purpose of the transaction. These should include reading the underlying documentation, determining whether the terms and business purpose (or lack thereof) are consistent with management’s explanations and other audit evidence, and determining whether the transaction was appropriately authorized and approved. AU sec. 316 would also be amended to expand and refine the list of factors the auditor should consider in evaluating a transaction’s business purpose. Among the additional factors is whether the company’s accounting for the transaction enables the company to achieve certain financial targets.
Like the proposed standard addressing related parties, the proposed amendments addressing significant unusual transactions should also be instructive when management evaluates the continuing effectiveness of the design and operation of the company’s disclosure controls and procedures.
Amendments Addressing Financial Relationships with Executive Officers
The final set of amendments included in the proposals is directed at executive compensation. As stated by departing PCAOB Board Member Daniel Goelzer, “as the idea of pay-for-performance has become business orthodoxy . . ., the risk that accounting measures may be manipulated to meet compensation-triggering targets has become painfully obvious.” The discussion at the PCAOB’s open meeting emphasized the importance of additional scrutiny in this area, given the ability of executive officers to circumvent controls.[7]
The PCAOB’s proposed amendments are intended to strengthen several existing standards, including AS No. 12, Identifying and Assessing Risks of Material Misstatement. Whereas the PCAOB’s standards now require that auditors gain an understanding of a company’s compensation arrangements for senior management, the proposed amendments would add procedures that the auditor should undertake, or consider undertaking, to obtain an understanding of the company’s financial relationships and transactions with executive officers.
For example, the proposed amendments to AS No. 12 would require the auditor to perform procedures to obtain an understanding of the company’s financial relationships and transactions with its executive officers, which should include reading executive officer employment contracts and reviewing company proxy statements and other documents filed with the SEC and other regulatory agencies that relate to those relationships and transactions. Obtaining an understanding of executive compensation could assist the auditor, among other things, “in determining areas where management bias might occur (e.g., certain accounting estimates, including fair value measurements)”[8] and would complement the requirement that key members of the engagement team consider “known external and internal factors affecting the company that might create incentives or pressures for management and others to commit fraud.”[9]
The proposal would also amend the procedures that the auditor should consider in obtaining an understanding of the company to include inquiries of the chair of the compensation committee, compensation consultants engaged by management or the committee and appropriate employees (such as the human resources director) about the structuring of executive compensation and the company’s policies and procedures for authorizing and approving executive officer expense reimbursements.[10] While it is difficult to predict how practice might evolve in light of this guidance, it would not be unreasonable to expect that it could prompt the auditor to request an invitation to compensation committee meetings where significant matters are discussed. In our view, the most important of those would be the meetings at which performance targets are set, which typically occur in the early months of a company’s fiscal year.
The Release emphasizes that the proposed procedures are not directed at the substance of the company’s arrangements, but instead are intended to assist the auditor in identifying the associated risks. In this respect, the proposed amendments would work well with the SEC’s rules requiring disclosure about a company’s compensation policies and practices as they relate to risk management.[11] Those rules have prompted companies and their compensation committees to focus on the potential deleterious consequences of compensation incentives and potential mitigating controls when evaluating their compensation practices. The PCAOB’s proposed amendments signal the importance of maintaining that focus as a regular part of management’s and the board’s review of executive compensation arrangements.
[1] PCAOB Rel. No. 2012-001 (Feb. 28, 2012), available at http://pcaobus.org/Rules/Rulemaking/Docket038/Release_2012-001_Related_Parties.pdf (the “Release”). Comments on the proposal are due by May 15, 2012. The PCAOB separately proposed various rule and form amendments to reflect their application to auditors of brokers and dealers registered with the SEC as authorized by the Dodd-Frank Wall Street Reform and Consumer Protection Act, with comments due on these proposals by April 30, 2012. PCAOB Rel. No. 2012-002 (Feb. 28, 2012).
[2] The PCAOB notes, for example, an examination of SEC accounting and auditing enforcement releases from 1997 to 2008 that found that the CEO or CFO was named in 89% of the proceedings involving fraudulent reporting and that the SEC’s “most commonly cited motivations for fraud included the need to meet internal or external earnings expectations, an attempt to conceal the company’s deteriorating financial condition, the need to increase the stock price, the need to bolster financial performance for pending [securities] financing, or the desire to increase management compensation based on financial results.” Release at 11 (citing Beasley, J. Carcello, D. Hermanson, and T. Neal, Fraudulent Financial Reporting 1998-2007 An Analysis of U.S. Public Companies, available at http://www.coso.org/documents/COSOFRAUDSTUDY2010_001.pdf.).
[3] Rules 13a-15(b) and 15d-15(b) under the Securities Exchange Act of 1934 require a U.S. public company to evaluate, among other matters, the effectiveness of its disclosure controls and procedures on a quarterly basis, and the results of the evaluation are reported in the company’s periodic reports.
[4] Recognizing the variations in how different financial accounting frameworks address related parties, the proposed standard refers the auditor to SEC requirements for the company under audit with respect to both applicable accounting principles, including the definition of “related party,” and related disclosure requirements.
[5] Other procedures introduced in the new standard but not discussed in this alert memo focus on communications with the engagement team and other auditors.
[6] See Item 404 of Regulation S-K.
[7] The Release would define executive officer based on the definition of “executive officer” in Rule 3b-7 under the Securities Exchange Act of 1934.
[8] Release at A4-42.
[9] Release at A4-43.
[10] The requirement under AS No. 12 to obtain an understanding of compensation arrangements with other senior management would also be retained.
[11] See Item 402(s) of Regulation S-K.