Audit committee and auditor oversight update - December 2015

Update No. 25 December 2015 AUDIT COMMITTEE AND AUDITOR OVERSIGHT UPDATE This Update summarizes recent developments relating to public company audit committees and their oversight of financial reporting and of the company’s relationship with its auditor. PCAOB Takes Final Action to Require Disclosure of Engagement Partner and Participating Accounting Firm Names On December 15, the Public Company Accounting Oversight Board voted unanimously to require that accounting firms make a public filing with the PCAOB for each of the firm’s public company audits disclosing the name of the engagement partner and the names and certain additional information relating to other accounting firms firm that participated in the audit. The new filing requirement will take effect in 2017. The PCAOB’s action is the latest step in a contentious, multi-year proceeding. As discussed in the July 2015 Update, in 2009 the Board published a concept release on the possibility of requiring engagement partners to sign audit reports in their own names, along with their firm’s name. There was substantial opposition to the signature proposal, based in part on fears that it would increase engagement partner personal liability. In 2011 – and again in 2013 – the Board proposed a rule that would have required the name of the engagement partner (but not his or her signature) to be included in the audit report, along with information concerning other accounting firms that participated in the audit. See November-December 2013 Update. This approach was also controversial. Supporters argued that personal identification would strengthen accountability and provide an added incentive for the engagement partner to perform his or her responsibilities contentiously. Opponents expressed concerns about new liabilities to which engagement partners and participating firms might become subject, and about delays that might result in the ability of companies to raise capital, since the engagement partner and the participating firms would have to file written consents to liability with the SEC before a public offering using the audit report could proceed. Under the final rules the PCAOB has now adopted, auditors will be required to file a new PCAOB form -- Form AP, Auditor Reporting of Certain Audit Participants -- for each public company audit. Form AP will disclose –  The name of the engagement partner. In This Update: PCAOB Takes Final Action to Require Disclosure of Engagement Partner and Participating Accounting Firm Names Audit Committee Transparency Barometer Year Two: Disclosure Levels Rising SEC Chief Accountant Has Some Advice for Audit Committees Audit Fees and SOX Compliance Costs are Increasing, But Many Companies Think They are Getting their Money’s Worth Cybersecurity and Multi-location Audits Join the CAQ’s List of Top Audit Risks FASB is on Track to Overhaul Lease Accounting PCAOB 2014 Inspections Status Report Prepared by: Daniel L. Goelzer +1 202 835 6191 Daniel.Goelzer@bakermckenzie.com Update │ December 2015 2  The names, locations, and extent of participation of other accounting firms that took part in the audit, if their work constituted 5 percent or more of the total audit hours.  The number and aggregate extent of participation of all other accounting firms that took part in the audit, if the individual participation of such firms was less than 5 percent of the total audit hours. In most cases, the filing deadline for Form AP will be 35 days after the date the auditor's report is first included in a document, such as a Form 10-K, filed with the SEC. In the case of an initial public offering, the filing deadline will be 10 days after the auditor's report is first included in a document filed with the SEC. Partner identification will permit financial statement users to determine the other audits for which the engagement partner has been responsible and to compile information regarding quality incidents, such as restatements, in which partners have been involved. Participating firm identification will permit users to determine whether the other firms -- particularly non-U.S. firms -- are subject to PCAOB inspection and, if so, to review the participating firms’ inspection reports. However, one objection that has been raised to including the identifying information in a PCAOB filing, rather than in the audit report itself, is that it will be cumbersome for financial statement users to find the names of the engagement partner and participating firms, since they will need to access the PCAOB’s website to obtain the information. The PCAOB has committed to creating a searchable database in order to facilitate research on engagement partners and participating firms. Like all PCAOB rules and standards, these new disclosure requirements will not take effect unless approved by the SEC, after an SEC public comment period. If approved, the disclosure requirement for engagement partner names will be effective for audit reports issued on or after January 31, 2017, or three months after SEC approval of the final rules, whichever is later. For disclosure of other audit firms participating in the audit, the requirement will be effective for reports issued on or after June 30, 2017. Comment: From an audit committee perspective, engagement partner identification may have several consequences. As noted in the November-December 2013 Update, there is some evidence that partner identification results in increased audit costs. Further, audit committees will need to be aware of litigation, restatements or similar events arising in other audits for which their engagement partner was responsible, since the committee might face press or shareholder scrutiny regarding whether to change engagement partners when such events in other audits seem to reflect poorly on the partner. In addition, partner identification could result in a rating, or "star," system in which particular engagement partners are in high demand (and command premium fees), while others are viewed as less desirable. This could add a new dimension to the task of selecting or retaining an auditor and require deeper audit committee involvement in the choice of the engagement partner. Update │ December 2015 3 Audit Committee Transparency Barometer Year Two: Disclosure Levels Rising On November 3, the Center for Audit Quality and research firm Audit Analytics released their second annual Audit Committee Transparency Barometer. The Barometer is an effort to measure the “robustness” of public company communications concerning the audit committee’s oversight activities by analyzing proxy statement disclosures of the 1,500 companies that comprise the S&P Composite 1500, which consists of the S&P 500 (large-cap companies), the S&P MidCap 400, and the S&P SmallCap 600. The Barometer initiative and the first annual report are described in the December 2014 Update. Other recent studies have underscored the increase in voluntary disclosures regarding the work of the audit committee (see, e.g., the 2015 E&Y report discussed in the October-November 2015 Update). The 2015 Barometer confirms that trend. According to the joint CAQ-AA press release, key findings include –  One-quarter of S&P 500 companies “show enhanced discussion” of the audit committee’s considerations in recommending the appointment of the audit firm, up from 13 percent in 2014.  In 2015, 16 percent of S&P 500 companies explicitly stated the role the audit committee plays in determining the audit firm’s compensation, doubling from 8 percent in 2014. In addition, the frequency of this disclosure tripled among MidCap companies and quintupled among SmallCaps, although, in both of those cases, the increases were from a very low base of 1 percent in 2014.  Disclosure of the criteria considered when evaluating the audit firm more than tripled among S&P MidCap 400 companies, rising from 7 percent in 2014 to 25 percent in 2015. Disclosure of such criteria among S&P SmallCap 600 companies increased from 15 percent to 22 percent. The impact of lengthy auditor tenure and the possibility of mandatory audit firm rotation have been widely discussed during the last several years (see March 2014 Update), and the focus on this issue has apparently affected disclosure. More than half of S&P 500 companies – 54 percent – now disclose the audit firm’s tenure (i.e., the period of time it has served as the company’s auditor), a 7 percent increase since 2014. For MidCap and SmallCap companies, the percentages that disclosed tenure in 2015 are, respectively, 44 percent and 46 percent. For SmallCap companies, this represents a 4 percent decline from 2014. The Barometer report points to several developments that have had the effect of encouraging enhanced reporting concerning audit committees. In particular, the SEC published a concept release in July inviting public comment on expanded disclosure regarding the audit committee’s oversight of the external auditor (see July 2015 Update). Further, some institutional investors have begun to request additional disclosure regarding the audit committee’s role in the appointment, compensation, and retention of the external auditor (see, e.g., United Brotherhood of Carpenters Pension Fund letter). Despite the general trend toward more transparency, the Barometer identifies some areas in which disclosure declined between 2014 and Update │ December 2015 4 2015. For example, in 2014, 3 percent of S&P 500 companies and 2 percent of Midcap companies made disclosure of “significant areas addressed with the auditor.” In 2015, the percentage of S&P 500 companies willing to talk publicly about these areas fell to 1 percent (presumably, 5 companies), and no Midcap companies at all made such disclosure. The percentages of large and Midcap companies that provided an explanation for a change in audit fees also declined between 2014 and 2015, as did the percentage (noted above) of SmallCap companies disclosing auditor tenure. Comment: As discussed in the October-November 2015 Update, many commenters on the recent SEC concept release regarding possible new audit committee disclosure requirements pointed to the increase in voluntary disclosure as evidence that the SEC should refrain from adding requirements in this area. As a way of encouraging voluntary disclosures, the Barometer report includes some company-specific examples of actual disclosures in the areas surveyed. Companies and their audit committees that are considering expanding their disclosures may find it useful to review those precedents. SEC Chief Accountant Has Some Advice for Audit Committees On October 23, in remarks at the Second Annual University of California Irvine Audit Committee Summit, SEC Chief Accountant James Schnurr discussed the oversight role of the audit committee and provided audit committee members with advice on how they should be spending their time. He identified three specific areas to which audit committees should be devoting attention –  Internal control over financial reporting. Mr. Schnurr characterized the ICFR audit as an area “where I see room for additional involvement by audit committees.” He encouraged audit committee members to “engage in a dialogue with your auditors regarding matters such as the auditors’ risk assessment decisions, selection of key controls, and approach to testing these controls in the context of existing guidance from the SEC and the PCAOB.” Where there are differences of opinion between management and the auditor, the audit committee may want to “seek understanding of the critical audit decisions from both the engagement team and, if necessary, request that the concerns or disagreement between management and the engagement team be elevated to others at the audit firm.”  Revenue recognition. Mr. Schnurr noted that the FASB has adopted a new standard on revenue recognition and that, although the Board has deferred effectiveness of the standard for one year (see August-September 2015 Update), the new effectiveness date “will be upon us before you know it.” Accordingly, “I encourage audit committees to review and critically evaluate management’s detailed implementation plan.” Some things that audit committees should be alert to in the implementation plan include – o The completeness of management’s plan. The plan should “include the key actions to be taken during the implementation phase, the estimated timing of these Update │ December 2015 5 actions, and how management is tracking against that timing. * * * [M]anagement’s key actions should holistically consider how the new guidance will impact other aspects of the organization, including information systems, business processes, compensation and other contractual arrangements, and tax planning strategies, just to name a few.” o Resources. “I would encourage you to consider whether adequate resources have been dedicated to analyzing the impact of the new guidance and whether additional internal or external resources may be needed.” o Industry alternatives. “In particular, I would suggest that you inquire whether there are differing views within the industry on how to implement the new standard and if so how have management and the auditor concluded that the company’s approach was appropriate.” o The communications plan. “[A] thorough implementation plan should also consider how management will identify and communicate with key constituents about the impact the new standard will have on its financial statements. This may include understanding from investor relations the nature and timing of communications with various users and analysts. It will also include developing appropriate disclosures regarding the impact the new standard will have on the financial statements * * * .”  Disclosure effectiveness. Mr. Schnurr also discussed the SEC’s initiatives to make disclosure more meaningful and the role that audit committees can plan in improving the quality of their company’s disclosures. “I would encourage you to set the tone for the organization – one that expects effective disclosure and robust judgments on preparing it. Empower management and embrace efforts to focus on disclosure effectiveness. For some companies, this could entail, among other things, redesigning portions of the document to include tables and graphs, removing outdated disclosures when appropriate, and increasing the use of hyper-links and cross-references instead of repeating the same disclosure in multiple places.” Comment: As is frequently noted in these Updates, the expectations of regulators regarding the scope and depth of audit committee activities is continuing to increase. Mr. Schnurr’s speech highlights three areas that are – or should be – important to many public company audit committees. Also, it provides a window into the level of detail at which he expects audit committees to become involved in ICFR auditing, implementation of the new revenue recognition standard, and disclosure. Audit Fees and SOX Compliance Costs are Increasing, But Many Companies Think They are Getting their Money’s Worth In an October 8 press release available on the website of Financial Executives International (FEI), the Financial Executives Research Update │ December 2015 6 Foundation (FERF), the research affiliate of FEI, announced the results of its annual Audit Fee Survey (available for purchase from FEI). FERF’s most recent survey, which covers 2014 audit costs, found that the median SEC filer audit fee rose 3.4 percent in 2014, compared to 2013. Average fees for private companies and for non-profit organizations rose as well. In fact, private company respondents with less than $5 million in annual revenue reported an average audit fee increase of 11.2 percent and a median increase of 6.7 percent over 2013 – considerably higher than the increases reported by public company survey respondents. FERF’s two most recent prior annual surveys are discussed in the October-November 2014 Update and the August 2013 Update, respectively. Public companies blamed their fee increases primarily on “acquisitions” and on “the review of manual controls resulting from PCAOB inspections.” Not surprisingly, public companies that reported ineffective internal control over financial reporting experienced somewhat greater audit fee increases than the average public company. A majority of public companies said that the volume of annual audit work performed by their external auditors in 2014 increased compared to 2013. Many public company respondents indicated that PCAOB inspections had an impact, not just on their audit fees, but also on their controls. FERF stated that 57 percent of public company survey respondents with audit firms were subject to the PCAOB inspection “shared the comments they received from the PCAOB” and that 45.3 percent of respondents “were required to change their controls as a result of PCAOB requirements or findings”, although none of the survey respondents indicated that the PCAOB inspection resulted in a restatement. More than half of the respondents – 58.7 percent – indicated that, during the past three years, the internal cost of compliance with the ICFR provisions the Sarbanes-Oxley Act had increased. Despite these added costs and burdens, almost half of respondents thought that the additional money devoted to controls produced positive results: 45.3 percent of respondents reported an improvement to their internal controls and “were satisfied with the additional expense.” The release states that the FERF survey examined “total fees companies paid to external auditors in 2014 and several additional services related to the auditing process, based on responses from 220 financial executives. In addition, the report examined audit fees as reported by the larger pool of SEC filers of more than 7,000 organizations.” Comment: These survey results are consistent with trends that began several years ago. The 2012 FEI Audit Committee Survey (released in 2013) found that public company audit fees rose 4 percent in 2012, and the 2013 Survey (released in 2014) reported a 4.5 percent increase. Public company respondents in the 2012 and 2013 surveys, like those in the most recent survey, blamed the PCAOB for the increases. And, as was the case last year, many respondents reported that their controls had improved. These conclusions are also broadly consistent with the findings of Protiviti’s annual Sarbanes-Oxley Compliance Survey (see June 2015 Update). Update │ December 2015 7 Cybersecurity and Multi-location Audits Join the CAQ’s List of Top Audit Risks On October 12, the Center for Audit Quality released its third annual Alert, Select Auditing Considerations for the 2015 Audit Cycle, highlighting audit areas that are likely to be particularly relevant during the 2015 audit cycle, including judgmental and complex audit areas and areas identified in the PCAOB’s October 2015 Staff Inspection Brief (discussed in the October-November 2015 Update). The CAQ’s Alert covers nine topics – (1) Professional Skepticism; (2) Internal Control Over Financial Reporting; (3) Risk Assessment and Audit Planning; (4) Supervision of Other Auditors and Multi-Location Audit Engagements; (5) Testing Issuer-Prepared Data and Reports; (6) Cybersecurity; (7) Revenue Recognition; (8) Auditing Accounting Estimates, Including Fair Value Measurements; and (9) Related Parties and Significant Unusual Transactions. While most of these topics also appeared on the list in the CAQ’s 2014 Alert (see December 2014 Update), cybersecurity; risk assessment and audit planning; supervision of other auditors and multi-location audit engagements; and testing issuer-prepared data and reports are new for 2015. CAQ observations on these new issues that may provide insight into how auditors will be approaching their work in the current audit cycle include –  Cybersecurity. “Cybersecurity is a critical issue with potentially serious implications for public companies, their boards, investors, and other stakeholders. Cyber-incidents are occurring more frequently at entities of all sizes, resulting from both deliberate attacks and unintentional events. While financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform, the financial statement audit and, where applicable, the audit of ICFR, includes procedures with respect to a company’s financial reporting systems, including evaluating the risks of material misstatement to a company’s financial statements resulting from unauthorized access to such systems. In the event of a cyber-incident, the auditor is also responsible for assessing the risk of material misstatement, which may include evaluation of company’s accounting for known cybersecurity-related losses (including contingent liabilities and claims), and for assessing the company’s financial statements and disclosures.”  Risk Assessment and Audit Planning. “In certain inspections, the PCAOB identified deficiencies involving auditors’ failure to assess and respond to risks of material misstatement. In these circumstances, auditors did not always sufficiently identify the risks or respond effectively to existing risks that they had identified, such as performing tests that were not sufficiently responsive to the assessed risks. Further, in some instances, audit files contained insufficient documentation related to the completeness, thoroughness, and timeliness of consideration of all applicable risks of material misstatement at the relevant assertion level.”  Supervision of Other Auditors and Multi-Location Audit Engagements. “The lead auditor may involve other member firms or other independent audit firms to assist with an audit of the financial statements of one or more subsidiaries, divisions, Update │ December 2015 8 branches, components, or investments of the company. In certain cases, PCAOB inspections identified failures to adequately address risks of material misstatement in lower risk locations and insufficient supervision of work conducted by the engagement teams in member firm offices.”  Testing Issuer-Prepared Data and Reports. “Certain recent PCAOB inspections identified deficiencies in testing of the accuracy and completeness of data and reports provided by the company’s management.” The discussion of the auditor’s obligations with respect to related party transactions is also of interest. Many companies have noticed an increase in the attention auditors are devoting to related parties. The PCAOB’s Auditing Standard No. 18, Related Parties, which was adopted in June 2014, is effective for audits of fiscal years beginning on or after December 15, 2014 (see June 2014 Update), and is being applied for the first time in the current audit cycle. The new standard increases the audit requirements in three areas: (1) related party transactions, (2) significant unusual transactions, and (3) financial relationships and transactions with executive officers. The auditor’s focus on related parties and transactions has attracted the most attention and, in that regard, the Alert states that the new standard requires auditors to –  Perform specific procedures to obtain an understanding of the company’s relationships and transactions with its related parties, including obtaining an understanding of the nature of the relationships and of the terms and business purposes of transactions involving related parties.  Evaluate whether the company has properly identified its related parties and relationships and transactions with its related parties. In making that evaluation, the auditor is required to perform procedures to test the accuracy and completeness of management’s identification of related parties and transactions.  Perform specific procedures if the auditor determines that a related party or related party transaction exists that management failed to disclose to the auditor.  Perform specific procedures regarding each related party transaction that is either required to be disclosed in the financial statements or determined to be a significant risk.  Communicate to the audit committee the auditor’s evaluation of the company’s (a) identification of, (b) accounting for, and (c) disclosure of its relationships and transactions with related parties, and other related significant matters arising from the audit. Comment: While the CAQ’s statement is aimed at auditors, not audit committees, the Alert provides a road map for audit committees regarding the topics that auditors are likely to view as posing the greatest risks – and the highest likelihood of PCAOB inspection attention. As such, it may help audit committees better understand the perspective from which their audit firms will approach 2015 engagements. Update │ December 2015 9 FASB is on Track to Overhaul Lease Accounting On November 11, the Financial Accounting Standards Board voted 6-1 to proceed with the issuance of a final standard in its long-running project to revised lease accounting. According to the FASB’s public statement, the final Accounting Standard Update (ASU) on lease accounting is expected to be published in early 2016 and will be effective for public companies in 2019. FASB Chairman Russell Golden said in the statement: “We believe that this new standard is important because it will provide investors, lenders and other users of financial statements a more accurate picture of the long-term financial obligations of the companies to which they provide capital.” The new standard will require companies to include most lease obligations on their balance sheets and will have an impact on the assets, liabilities, and financial statement ratios of many companies. For companies that engage in a substantial amount of leasing, implementation is also likely to require significant changes in accounting systems and internal controls. According to the overview of the project on the FASB’s website –  The “core principle” of the new leasing standard is that a lessee should recognize an asset and a liability arising from a lease with a term of more than 12 months. The FASB believes that this would represent an improvement over existing US GAAP, which does not require leased assets and lease liabilities to be recognized by most lessees.  The new standard will implement this core principle through a “dual approach” to lessee accounting. Lessees will account for most existing capital leases as Type A leases and most existing operating leases as Type B leases. o A Type A lease will be treated as effectively an installment purchase. The lessee will recognize a rightof-use asset and a lease liability, initially measured at the present value of the lease payments. The lessee will also recognize and present the interest on the lease liability separately from the amortization of the right-ofuse asset. o For Type B leases (in which the leased property is not effectively purchased or consumed by the lessee), the lessee will recognize a right-of-use asset and a lease liability, initially measured at the present value of the lease payments, and recognize a single lease cost, combining the interest on the lease liability with the amortization of the right-of-use asset, on a straight-line basis.  Lessors will also classify leases as Type A or Type B. Most sales-type or direct-financing leases will be Type A, while most operating leases will be Type B. Type A leases will be accounted for in a manner substantially similar to current salestype/direct-financing leases, while Type B leases will be accounted for in substantially the same manner as current operating leases. Update │ December 2015 10  The new standard will also require financial statement disclosures designed to enable users to understand the amount, timing, and uncertainty of cash flows arising from leases. The next step in the project will be for the FASB’s staff to prepare a “ballot draft” of the leasing ASU that includes all of the Board’s final decisions. Board members will review the draft to ensure that it accurately reflects those decisions. When the Board is satisfied with the draft, it will be submitted for final publication, which, as noted above, is expected to occur early in 2016. The new standard will take effect for public companies in fiscal years beginning after December 15, 2018, including interim periods within those fiscal years. For private companies, the standard will be effective for annual periods beginning after December 15, 2019. Early adoption will be permitted. Comment: For companies with substantial lease commitments, implementation of the new standard may be a complex and time-andresource intensive process, comparable in some cases to the effort necessary to implement the FASB’s new revenue recognition standard (see August-September 2015 Update and Jim Schnurr’s advice, described earlier in this Update, to audit committees regarding implementation). Audit committees should seek to gain an understanding of how their company will be affected by the new standard and of management’s implementation plans as earlier as possible. PCAOB 2014 Inspections Status Report On November 10, the PCAOB issued the Report on 2014 Inspection of KPMG LLP. The PCAOB has now released all four of the reports on its 2014 inspections of the largest U.S. accounting firms. For the 2014 inspection cycle, the PCAOB has expanded the information in the public portion of inspection reports to include more summary analysis than in prior reports. The new information includes such matters as tables presenting the most frequently-cited auditing standards underlying deficiency findings; whether deficiencies in particular engagements relate to the financial statement audit, the ICFR audit, or both; and the revenue ranges and industry classifications of the inspected issuers. The frequency-of-standards-cited ranking and financial statement/ICFR deficiency data parallels information that has previously been included in these Updates. The next Update will present a tabular overview of the PCAOB’s 2014 large firm reports. 2014 Inspections (Reports Issued in 2015) Firm Report Date Engagements Inspected Part I Deficiencies Percentage Deloitte & Touche May 12, 2015 53 11 21% Ernst & Young June 16, 2015 56 20 36% KPMG October 15, 2015 52 28 54% PwC June 30, 2015 58 17 29% ©2015 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome. Update │ December 2015 11 Comment: Audit committees should discuss the results of the firm’s most recent PCAOB inspection with their engagement partner. If the company’s audit is mentioned in either the public or nonpublic portion of the inspection report, the audit committee should understand the reasons for the reference to the audit and how it will affect the engagement in the future. If the company’s audit is not cited in the report, the audit committee should explore with the auditor how deficiencies identified in other audits might have affected the company’s audit and how changes in the firm’s procedures might affect future audits. Audit committees should also have an understanding of how the firm intends to remediate quality control deficiencies described in the nonpublic portion of the report. Prior editions of the Audit Committee and Auditor Oversight Update are available here. www.bakermckenzie.com For further information please contact www.bakermckenzie.com Daniel L. Goelzer +1 202 835 6191 Daniel.Goelzer@bakermckenzie.com 815 Connecticut Avenue Washington, DC 20006-4078 United States