Critical Audit Matters (CAM)

In 2017 the SEC approved a new audit standard, AS 3101 The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses and Unqualified Opinion,  which has been adopted by the Public Company Accounting Oversight Board.  The new standard dramatically affects the form and content of  the audit report issued under PCAOB standards.  Correspondingly, auditors will most likely extend their procedures accordingly.  The purpose of this article, however, is not to discuss audit procedures, but rather to suggest some opportunities to mitigate potential negative impacts to your company.

What is a CAM?  Under the new standard, a CAM is anything that was or is required to be reported to the audit committee by the auditor.  These items normally include:  balances or disclosures that are material to the financial statements; or matters that involved challenging, subjective or complex judgement on the part of the auditor.

When is my company affected?  For audits of large accelerated filers the new standard is effective for fiscal years ending on or after June 30, 2019.  For all other companies, including SRCs the new requirements are effective for fiscal years ending on or after December 15, 2020.

The audit report will: (1) identify the CAM; (2) describe the considerations that caused the auditor to identify it; (3) describe how it has been addressed and refer the user to the appropriate accounts and footnote disclosures; and finally (4) describe how the CAM was addressed in the audit.

For all including accelerated filers there is still a bit of time to be proactive.  Identifying potential CAMs and documenting them thoroughly will save audit time and money.  In addition t reviewing past auditor communications to your audit committee,  it would be worthwhile to sit down during your current year audit with your auditors and ask them to share any matters they have identified and how you might mitigate them before the new reporting requirements go into effect.

While the purpose of the new standard is to make the auditor’s report more informative and useful to the users of the financials, more likely than not, if not done properly it will only add another layer of confusion.

Audit Committee Standards

While there are many requirements and expectations of an issuer’s audit committee, the 1934 Exchange Act under rule 10A(3) mandates five specific standards in order for a company to be listed.

1.  Independence – each member of the audit committee must be a member of the Board of Directors of the listed issuer, and must otherwise be independent:

–  there can be no consulting, advisory or compensatory relationship, outside of that as a member

–  members of the AC can not be affiliated persons as defined of the issuer or any subsidiary.

2.  Responsibility – the audit committee, as a sub-committee of the Board of Directors must be directly responsible for the appointment, consultation with, and retention of the registered independent accounting firm, while including oversight including problem resolution between management and the auditor.

3.  Complaint Resolution – the AC must establish procedures for addressing complaints received by the issuer including anonymous submission by employees.

4.  Advisers – the AC must have the authority to engage advisers, including accountants, auditors, attorneys and consultants they feel are reasonable and necessary to carry out the duties of the committee.

5.  Funding –  the issuer must provide appropriate funding to allow the AC to carry out their duties as a committee of the Board of Directors.

Our experience has been that if there is a failure in meeting the requirements for an audit committee established by the ’34 Act it typically is for one of two reasons:  first, and most common there is often confusion as to who the auditor should be responsible to – the AC or management.  All too frequently, the unofficial role that management can play in the selection of the auditor becomes significant.  Second, is the ‘step-child’ status many audit committees relegate complaint resolution too.  this absolutely can not be the case if the issuer is going to minimize exposure, considering our litigious society.


MD & A Are You Blowing an Opportunity?

As a service to our public company clients we routinely perform an extensive review of the other information included in their annual report.  While  completing a large number of such reviews recently for our clients with December 31 year-ends we became aware of opportunities that are regularly over-looked by issuers.  In preparing Management’s Discussion and Analysis there are some critical elements that will make them more effective.

Attitude – your MD & A is an opportunity to tell the story of the company in a positive way.    As is your web page, your SEC filings are the ‘face’ of the company to potential shareholders, investors and others considering doing business with you.  Do not minimize this opportunity by viewing it primarily as an obligation.  We all have a tendency to spend less time on things we view as ‘necessary evils’ as opposed to ‘opportunities’.

Approach – the primary purpose of the MD & A is to allow the reader to “look at the company through the eyes of management by providing both a short and long-term analysis of the business of the company” (SEC Financial Reporting Policies sec. 501).    The MD & A is intended to be entirely prospective, not historical.  Too frequently we see comments like “As of 12/31/x1 revenues declined $xxx,xxx which was a reduction of x% over revenues of $xxx,xxx as of 12/31/x0”.  That’s historical, not prospective, and anyone could calculate it from the financials.  It provides no additional information of any value to the reader.

 Executive Level Overview – Sec. 501.12 is a gift from the SEC that most issuers don’t open.  This is a chance to tell your story.  Because many companies have become larger, global and more complex, and the disclosure rules correspondingly so,  MD & A has  become lengthy and complex and correspondingly, boring and so not read as thoroughly as it should be.   In an effort to improve clarity and understandability many company’s are incorporating an Executive Level Overview (ELO) as an introductory section  summarizing the most significant areas of the MD & A that management wants to emphasize.  Typically this includes:  economic or industry wide factors; how the company earns revenues and generates cash; lines of business, locations, principle products, services; and provide insight into material opportunities, challenges and risks which management is most focused on.

It is a ‘highlight’ of those things that are important to the company, reported elsewhere as well (e.g. Risk Factors, or Business Description).

Liquidity, Capital Resources, Results of Operations – You must address each of these areas specifically.   When drafting these comments keep in mind that you should address three questions for the reader: (1) What happened? (2) Why did it happen? and most importantly (3) Is it expected to continue?  That last one is the crux of the MD & A.  Remember – the reader is entitled to assume that “past performance is indicative of future performance” unless you tell him different.

Other Tips – (1) If you’ve previously discussed it in your Form 10k you don’t need to keep beating it to death unless it applies to new information in the current interim filing .  Most companies over disclose information that they’ve previously discussed numerous times.  The unwelcome result is that the points you want to make get buried in the irrelevant.  (2)  Discussion for interim reports should be limited to material changes occurring subsequent to the last annual report.  Over disclosure, again,  can result in burying relevant information in the minutiae.  (3) The SEC requires that it be “presented in clear and understandable language”.  That means you need to lose the ‘legalese’.   (4)   In the words of an internationally recognized securities attorney with whom we’ve worked – “Disclosure is too important to leave up to only the attorneys”.  While their focus is compliance, as it should be, this is more than a compliance document.  It is  the public face of your company.  Remember it is an opportunity to ‘sell’ to investors, financiers and those people you want to do business with.  (5)  Finally, sentence structure,  grammar and spelling are critical.  If your MD & A is sloppy, those reading it will assume the company is run the same way.

You have a great company with a great business plan and outlook for the future.  Tell the world in your MD & A.


Would SOX 404(b) Have Protected Koss?

Koss Business Fraud & EmbezzlementLast week Koss, the manufacturer of high quality head phones, disclosed that their principal accounting officer had embezzled between $4.5 million and $31 million between 2005 and December, 2009. The advocates of requiring small issuers  to annually file integrated audit reports on their respective internal control systems immediatley pointed  at Koss as justification for requiring the  implementation of 404(b) beginning in June, 2010. Is this adequate justification?  For several reasons, I don’t believe it is.

This was an intentional fraud. Neither financial statement nor internal control audits are designed to guarantee the detection of fraud.  Yes, an internal control audit would have disclosed the existence of significant deficiencies and material weaknesses. An expanded internal control review might have even stumbled across the defalcation. More likely it would have only resulted in an adverse opinion on the internal control systems by the company’s auditor. This could have been an alert to investors, but more likely it would have been ignored as the SEC’s own studies have indicated. Integrated audits have not resulted in a higher level of confidence by investors. Fraud audits for all issuers require a lower level of materiality that can not be justified economically.

If in this particular case the amount embezzled was material for any of the five years effected it would seem that it should have been detected under normal financial statement audit procedures in at least one year. A failure by the audit firm  to properly complete an audit is not justification for adding another layer of regulation on small issuers under SOX.

The company had retained the same national audit firm for the past five years. Based on the professional fees disclosed in the proxy statement it is possible that Koss was a small fish in the big pond of this national firm and may or may not have gotten the service it needed and deserved. Some large national firms have been known to ‘rank’ their clients. If you are not the big dog on the porch you are not likely to get the same level of expertise, experience and service as the bigger clients.

Cost. Certainly for Koss  the cost of an ICFR program – including both the external audit fees and the internal program costs –  would have been less expensive than the amount embezzled, but requiring all firms to bear a cost to ‘potentially’ prevent an occasional fraud loss of this type is ridiculous. Theoretically, 404(b) would cost a firm similar in size to Koss, $250,000 annually (ballpark WAG).  One-third to one-half of that being for the external auditors. So the investors in Koss would have been out something in excess of a million dollars. The cost/benefit equation for requiring this universally just wouldn’t seem to balance, unless you subscribe to the premise that something graeter than 10% of all statements are fraudulent.

There are already criminal and civil penalties in place to protect the investor from this type of malfeasance as we’ve discussed in our prior posts. Another in the form of 404(b)  is not needed. The responsibility to the shareholders rightfully lies with the Audit Committe of the Board, the Board of Directors and management. If more company oversight is needed and beneficial those charged with governance are ostensibly sophisticated enough and in the best analytical position to know and provide it.

I still view the cost of 404(b) as an ineffective unsupportable dissipation of investors equity. We’ve had some great dialog on this topic in the past.  Did I change anyone’s mind?

SEC Extends ICFR for Small Issuers to 2010

Today, October 2, 2009, the SEC announced that independent audits of internal control over financial reporting has been extended for smaller reporting companies.  The press release indicates small companies will now need to be compliant beginning with annual reports for fiscal years ending on or after June 15, 2010.

Risky Business for Directors – How's your ERM?

Risky Business for DirectorsNot so many years ago, being elected to the Board of Directors of some companies essentially required you to act as a figurehead. Lunch in an expensive restaurant once a month, an annual retreat to a vacation resort to discuss corporate ‘strategy’ and a small stipend were all that was required in trade for the collective experience and informal leadership. That’s all changed with the increased exposure to liability now faced by corporate governance.  With the current state of our business environment, that exposure is greater this year than ever.

In an on-line article Executives Anticipate Rise in Fraud nearly two thirds of the executives polled anticipate an increase in fraud and misappropriation this year. In conjunction with auditors anticipating that nearly 25% of all firms may not be going concerns; the myriad of new regulatory requirements related to governance; and the corporate challenges fomented by a floundering economy this may not be a desirable year to be a Director. The current hot topic seems to be enterprise risk management.

While a long time focus of management, ERM has often been given little attention by the board. Recently, COSO published a document highlighting four critical areas that contribute to effective board oversight. It can be downloaded at

As public company auditors and consultants we have observed the importance of an integrated approach to governance between the board and management. We regularly participate in joint meetings as frequently as allowed (we don’t charge for meetings with management and the board), for our own self-interest. Our best clients have the strongest most engaged boards. Boards of Directors are invaluable resources.  Take full advantage.

IFRS – No Big Deal!

Judging by the material that is coming out from the Big 4 accounting firms, it seems that accounting as we know it is about to disappear and a new behemoth called IFRSs are about to invade the US accounting scene.  Recently the office managing partner of one of those firms admitted to me that they viewed the issue as a consulting opportunity rather than a threat.  I agree.

Judging by the material that is coming out from the Big 4 accounting firms, it seems that accounting as we know it is about to disappear and a new behemoth called IFRSs are about to invade the US accounting scene.  Recently the office managing partner of one of those firms admitted to me that they viewed the issue as a consulting opportunity rather than a threat.  I agree.  Fear mongering is a great way to generate revenue for the consultants.  Just look at the millennium bug.

IFRS are already here and have been for quite some time. Most of the standards that have been issued since in the past four years have been designed to bring US GAAP standards and international GAAP standards (IFRS) closer and closer together.  This is commonly referred to as ‘convergence’.   FASB 141 (R) for business combination’s and FASB 160 on minority interests are typical examples. FASB has issued  standards that are  consistent with the international standards.  The International Accounting Standards Board (IASB) is doing the same thing as the FASB. They are issuing standards to bring them closer to US GAAP alternative over time where US GAAP is deemed preferable to IFRS. This convergence process has been going on for years and is nothing new.

What is new is the “road map” that has been put in place by the SEC, and it changed again recently. Foreign listers on the US exchanges are already allowed by the SEC to use IFRS. A limited group of about 100 US companies will experiment with early adoption of IFRS in the US in 2009. Most of these companies are already using IFRS for significant parts of their international operations anyway so they don’t need much outside help. For the rest of us, the SEC will make a decision in 2011 on whether to move to require all US listed companies to follow IFRS by 2014. Unless we get some xenophobic idiots appointed to the SEC  this is a done deal.  Although the new SEC Chairperson, Mary Shapiro, has announced that she is considering slowing down the process, it probably won’t change the FASBs agenda.

Is this a major issue? I don’t think so. By 2014, all of the major differences between US GAAP and IFRS will almost certainly have been eliminated. There are some problem issues to be resolved. Some are straightforward like the use of LIFO for inventory accounting. The problem here is that tax accounting in the US is impinging on real accounting. We will have to find some tax solution to unbundle the inbuilt tax problem that LIFO has created for many companies.

Other issues are more difficult and highly technical. The ugly issue of derivatives is always at the forefront here. Almost nobody understands the US standard FASB 133 and the same is true that almost nobody understands its international equivalent. All we know is that they have some differences and the financial institutions don’t like either of the standards anyway.

Some issues appear more frightening. For example, with IFRS we will lose those “bright line” guidelines that US accountants love so much. For example, the four tests for a capital lease that lawyers love to circumvent will be no more. Greater judgment will be required. This is an issue because you may have to get up in a court of law to defend your judgment. Looking on the bright side, at least you wont get tripped up by some smart trial lawyer because you did not follow some little known paragraph of one of the 14 FASs, 6 INTs, 10TBs, 2FASBSPs and about 25 EITFs that currently relate to leases in US GAAP. They will be gone as authoritative documents.

For non-listed companies, there are some proposals on the table on how to apply IFRS to smaller entities. Personally I don’t like the proposals because I don’t like having two-tier GAAP for large and small enterprises. Again, whatever changes occur will drift in over time largely unnoticed by most.  If you have any experience with IFRS please comment.