Category: Auditors

Auditor Relationship

~ C.O.R.E. Beliefs ~ 1 Comment

I have written about this before but it is probably worth repeating.

In a meeting today we were told “management’s expectation”… that we are part of the team.  Somewhere there is a misunderstanding as we are not part of any team.

To be clear:

Auditors are engaged by the board of directors to independently audit management on behalf of the owners or others who contractually require an independent check on the financial reports being issued..

The key term there is independently.  To be effective, auditors must be independent of management.  So, how can an auditor remain independent while also being part of “the team?”  We really can’t and we definitely shouldn’t.

Part of the confusion is no doubt that some auditor’s have billed this as a team effort to provide information to the owners.  I have seen proposals by firms which essentially tout this approach; but it is not quite accurate to say this.  I would argue it is against auditing standards to say that you, as an independent auditor, are going to help management through their tough spots.  The independent auditor is not the clean-up position.  We are not fixers.  Finding the error, correcting the error and then expecting the entity to pay for it, when they have already paid management (and the accounting department) to get it wrong defeats the purpose of auditing the books.

Remember: Boards set policy.  Management implements policy.  Auditor’s verify that the implementation was correct.  If it isn’t, well, that is a problem.  It will obviously need to be cleaned up.  The problem is that when the auditor cleans it up, they are actually stepping into management’s role.  Acting as management impairs independence.  There are numerous ethics rulings on this matter.   The auditor is only as good as their independence by the way.  So why would we do it?

By the way, management has access to lots of consultants and CPA’s who could help them get the information right to begin with.  It isn’t like no one would help them.  But when it is done wrong and you expect the auditor to fix it, you are waiting far too long.  Months, possibly even longer than a year has gone by with the incorrect information being reported over and over.  Every report was inaccurate and somehow my pointing it out during the audit means I am not a team player?  Where is management’s responsibility in this?

Management could even have requested the board to make the auditor available to explain the expectations.  We love to talk (most of us anyway) and help you make sure it is right.  Believe it or not, we often sit around and dream about how awesome it would be to have the perfect audit – where everything balanced, management adjusted for all the issues before we brought it up, every receivable was collected and nothing ever happened after the balance sheet date.  We would be happy with just 10% of that truth be told.

Truthfully, we can’t be on your team.  We might like you, hell, you could be the greatest thing since sliced bread and we are going to be envious of your stock options and bonuses; but we can’t support you.  Our job, remember, is to make sure your stock option and bonus isn’t clouding your judgement when you decided to record a transaction.  Our responsibility is to ensure that you didn’t record only one part of the transaction to ensure you hit your target to keep your cushy job.  It isn’t that we don’t trust you but… oh who am I kidding, it is precisely that we don’t trust you.  You are management after all.

So, record the transactions.  Document compliance with policy.  Keep your financial statements in accordance with GAAP.  Or don’t.  But don’t blame the auditor when we find the work lacking.  We are doing our job of keeping “the team” honest and we make no apologies for it.

Auditor Independence

~ C.O.R.E. Beliefs ~ Leave a comment

One of the more challenging aspects of being an auditor is having to turn down potential work.  It is not so much the money we could be paid for that other work, although that is nice in most cases; it is the recognition that our experience and problem-solving ability is valued and desired.  But, if auditors take their ethical responsibilities seriously they should not take additional projects on for their audit clients.

Doug and I discuss this frequently.  For instance, we have intentionally chosen to not prepare tax returns for individuals and businesses and we will only do the most basic 1120-H or 1120 for property associations.  Why?  It is the concern that a reader could question if the tax preparation work would cause us to subordinate our judgement as the auditor.

I know, you are saying, “It’s only a tax return.” And you are right.  But think about it: Let’s say an auditor prepares the tax return for a board member and his small business.  Then the auditor is asked to audit the small business.  The auditor discovers that $100,000 of scrap metal sales was not reported as income by the business.  Or the owner.  And the auditor is also auditing the condo association where the small business owner is also the chair of the board.  And it just so happens the auditor discovers that the association has a contract with the chair’s company to install new piping.  Are you still certain it is only a tax return?

But it can become even more challenging for an auditor if it looks like the fees they charge for that “other service” to the client appears more lucrative than the audit.  First, lets say that you charge $20,000 to a client for an audit.  At the same time the board approves the audit, management dangles a $50,000 consulting fee.  Is this a potential independence problem?

Unfortunately for the profession, many practitioners say “No” or worse, “Not necessarily”.  But think about it.  You are reading the financial statement the auditor attested to and which said there were no problems.  You then find out one of the issues above exists.  Would you, as the reader and who is relying upon that financial statement, be concerned that either of these situations could cause the auditor to issue an inappropriate report?

You see, I can unequivocally state that our opinion is not for sale.  But that is an assertion which is challenging to believe when I receive payments for services that are not audit related.  And I don’t think it matters if it is the board which offers the consulting work or management.  Our engagement is to audit the financial statements prepared by management and to which the board signs off on.  The board engages the auditor on behalf of the owners – but the board still might have its own agenda.  Thus, It is the risk that a reader could believe that our independence – from management AND board – could be impaired that matters.  Accepting money for additional services to an audit client should inevitably lead to the concern that the auditor’s independence is impaired.

Now, I understand that some professionals would say that this is an extreme position.  That is their right.  But I believe that the profession accepting the concept that non-audit fees do not impair independence is one of the primary reasons the auditor and the audit opinion are not held in high regard.

If you want to offer audit or review services to a client, then I think you have to accept that this is all the work you can do for that client.  At C.O.R.E., we believe that an auditor must maintain independence in both action and appearance.  It sucks sometimes.  We have turned down consulting arrangements because we audited the prior year financial statement.  We have turned down audit engagements because we proposed a consulting arrangement in the prior year.

It is our responsibility to do so.

 

 

To Whom does the Auditor Answer?

~ C.O.R.E. Beliefs ~ Leave a comment

One of my google alerts brought an interesting article about the auditor and the relationship the audit firm has with management and the board.  It seems that many boards are concerned that the auditor appears aligned with management and not the shareholders.  This is, sadly, not a new problem, but it is one that C.O.R.E. is trying to address is our own little world of auditing.

At C.O.R.E., we understand our loyalty lies to the reader of the financial statements – that is, the shareholders.  We are engaged by the board on behalf of the owners to audit management.  Ensuring that current and prospective owners get the best information about their association is key to our success, but sometimes getting owners the best information means upsetting management.

Upsetting management, however, potentially hurts the pocketbook of the auditing CPA firm.  In many situations, management offers very profitable consulting opportunities to the auditor.  Systems design, software evaluation, and other arrangements are absolutely essential to the financial health of an organization and a CPA is highly qualified to offer those services.  The problem is the potential for the auditor to be compromised – that is, does the auditor get the consulting gig because they went soft on management?

If you don’t think it is a very real possibility think again.  Can you imagine anyone hiring a consultant who just got through bashing them?  If a CPA firm had the chance to earn $100,000 consulting with management or $30,000 auditing the client (or both hopefully), is it possible that the auditor might turn a blind eye to a problem found on audit for the chance to earn more money?

And in the small and medium sized entity market, it is potentially even more painful.  The small CPA firm gets most of its new business by referral.  But referrals are hard to come by when your work upsets management.  This has impacted us directly – we have had to issue specific communication about management violating internal control systems to an entity’s board.  The Chair of the board was also the president who hired his son, the person who broke the rules.  That organization and six other companies found a new CPA firm because they wanted someone less “negative”.   Seven entities is a lot of billing.  Financially, would we have been better off remaining silent?

This is not an attempt to justify the auditor’s failure to live up to their responsibility to protect owners and stakeholders.  An auditor who accepts a consulting job with a client needs to consider it a bribe, or worse, an attempt to make them complicit in management’s failure.  That is the auditor’s failure.

But the greater failure is on behalf of the boards of directors who have the primary responsibility to protect the shareholders.  When you ask management to interview auditors, when you accept management’s recommendation to terminate the CPA, when you accept management’s excuses for their misdemeanors, you are abrogating your responsibility.

But you can start to address the problem.  It will require boards to start holding management accountable.  And, when it comes to engaging the auditor to attest to your organization’s financial statements:

You, not management, should

  • request proposals from auditors
  • interview the auditor
  • determine if the auditor takes any fees from management for consulting
  • ask how auditors get clients – board or management referral
  • never allow management to dictate non-GAAP policies without auditor approval
  • interview new auditors every 3-5 years
  • demand that the auditor refuse to accept any consulting arrangement with management

As long as the board, or its audit committee, continues to allow management any involvement in the process of selecting, engaging and compensating auditors, this problem will not go away.  The board must make it clear to management that the auditor is the board’s tool to review management and its adherence to appropriate accounting policy and not someone who is there to help management look good.  And the board must make it clear to the auditor they look to them to protect the owners and their investment.  This is your chance to hold both auditor and management accountable, will you step up to the challenge?

Financial Audit or Control Audit

~ C.O.R.E. Beliefs ~ Leave a comment

We are often asked by boards if we believe that the management company’s processes are effective.  The answer is, we have no way of knowing as we are conducting an audit of the financial statements, not an audit of the managers’ internal control system.  To which the response is typically a look of bewilderment as most board members don’t understand the difference.

An audit of the financial statement does require the auditor to understand the internal control structure put in place by management so we can plan and perform the audit.  But what typically happens is that the auditor says, “That’s great, but we are going to assume management doesn’t follow it and plan our audit as though the system doesn’t work.”

Given the size and simplicity of the transactions in the typical association, it is faster and more effective to avoid testing the internal control system to ensure it works.  Take accounts payable; walking a single transaction through the entire control system and documenting the steps would take about an hour.  In order to rely upon the system to ensure it leads to the correct recording and reporting of the transaction we would have to test several dozen.  But, since this is a financial audit and we are concerned with ensuring that vendor invoices are reported to the correct period, we can simply review the individually significant invoices reported in the subsequent period to determine the period in which it was incurred and recorded.  We can go through the 4 or 5 invoices in about 10 minutes.

Since we didn’t rely upon the control system to ensure the invoice was recorded correctly, we completed the procedure faster and determined the results just as effectively as though we had relied upon it.  If we find invoices in the subsequent period (typically January) that should have been recorded in the prior period, we propose a journal entry.  The internal control system might have worked but we can’t say that, even if we didn’t find an invoice posted to the wrong period.

We understand that boards are concerned with the effectiveness of the internal control system and agree that it is important.  But the individual board does not want to engage an auditor to test the management company’s system.  Boards should require their management company to have a SOC audit.

A SOC, or Service Organization Control, audit is performed by an auditor on the service provider: In this case the management company.  The SOC audit ensures the appropriate controls are in place and function as required.  While there are different levels of SOC audit, the end result is the same – reporting on the effectiveness of the providers internal control system.

Frankly, state law should require a management company to have a SOC audit in addition to requiring the association to have a financial audit.  Associations which outsource the receipt and payment of funds need to know that the company they use has the right systems in place and those systems work.  The annual financial audit is not designed to offer an assurance that this is the case.

We realize that a SOC audit could be expensive.  To be honest, it might not even substantially reduce the cost of the association’s financial audit; although I think there would be some cost savings.   If a manager could produce a SOC audit which stated that the controls were in place and effective, we could probably drop our audit charge by 10-20 percent.  But beyond the potential savings you would have a strong marketing tool.

The feedback we have received is that an association board would rather have a report which says that the internal control system is in place and works.  We would like to offer this to a board but this type of report is not cost effective at the association level. But it could be at the management company level.  And it is quite possible that having a SOC audit report can help you land new clients – since everything else being equal, having a documented and tested internal control system is much more important to boards than knowing their financial statements are prepared according to GAAP.

Something to think about.