Category: Accounting and Auditing

PCAOB spotlight on auditor independence outlines considerations for audit committees

The PCAOB has released a new Spotlight on auditor independence, which provides observations from PCAOB inspections regarding independence issues and identifies considerations for both auditors and audit committees.   Auditor independence has, for years, been a major focus of the SEC’s Office of the Chief Accountant, and current Chief Accountant Paul Munter has addressed the issue in a number of statements, characterizing auditor independence as a concept that is “foundational to the credibility of the financial statements.” (See, for example, this PubCo post and this PubCo post.)  But auditor independence is not just an issue for auditors.  It’s important for companies to keep in mind that violations of the auditor independence rules can have serious consequences not only for the audit firm, but also for the company as the audit client. For example, an independence violation may cause the auditor to withdraw the firm’s audit report, requiring the audit client to have a re-audit by another audit firm. What’s more, auditor independence violations can sometimes even result in charges against the company; for example, Lordstown Motors was charged with several Exchange Act violations in connection with misrepresentations and failures to include financial statements audited by independent auditors required in current and periodic reports. Munter has long recognized that the responsibility to monitor independence is a shared one: “[w]hile sourcing a high quality independent auditor is a key responsibility of the audit committee, compliance with auditor independence rules is a shared responsibility of the issuer, its audit committee, and the auditor.”  As a result, in most cases, inquiry into the topic of auditor independence should certainly be a recurring menu item on the audit committee’s plate.  Fortunately, the Spotlight offers advice, not only for auditors, but fortunately, also for audit committee members.

SEC charges Zymergen for “unsupported hype” in its IPO

The SEC has announced settled charges against Zymergen, which, prior to its recent bankruptcy and ultimate liquidation, was a biotech “focused on the manufacture of novel materials, including optical films used in electronic screens.” The SEC charged that, in its $530 million IPO in 2021, Zymergen misled “IPO investors about its overall market potential, revenue prospects, and customer pipeline for its only commercially available product, an electronics film named Hyaline.”  According to  the Director of the SEC’s San Francisco Regional Office,  “[p]re-revenue and early-stage companies that seek to tap the capital markets must do so with reasonable estimates of their market potential….Today’s order finds that Zymergen failed to satisfy this obligation when it misled investors with what amounted to unsupported hype.” The company agreed to pay a civil penalty of $30 million. In the meantime, Bloomberg reports that a federal district court has recently allowed claims by Zymergen investors to proceed against several VC funds (along with the company, the board, the underwriters, etc).   The investors contended that, among other things, the levers provided in the company’s governing documents allowed the VC funds to “control[] the company in the lead-up to its initial public offering” and claimed that they were “responsible for misleading IPO papers before the biological manufacturing company imploded.”

At open meeting, SEC approves new PCAOB quality control standard

Yesterday, the SEC approved, by a vote of three to two, a new  PCAOB quality control standard, QC 1000, A Firm’s System of Quality Control, and related amendments to its standards, rules and forms. According to the press release, the new standard

“establishes an integrated, risk-based quality control standard that will require all registered public accounting firms to identify specific risks to their practice and design a quality control system that includes appropriate responses to guard against those risks. Registered firms that perform engagements under PCAOB standards will be required to implement and operate the QC system. The new quality control standard focuses on an audit firm’s accountability and continuous improvement of its audit practice and will require an annual evaluation of the firm’s QC system and related reporting to the PCAOB, certified by key firm personnel. In addition, firms that annually issue audit reports for more than 100 issuers will be required to establish an external quality control function (EQCF) composed of one or more persons who can exercise independent judgment related to the firm’s QC system.”

According to SEC Chief Accountant, Paul Munter, “[e]ffective QC systems provide critical investor protections by driving continuous improvement in firms’ audit quality in support of the issuance of informative, accurate, and independent audit reports….QC 1000 is an integrated risk-based QC standard that strikes an appropriate balance that can be applied by firms of varying sizes and complexities along with a set of mandates tailored to the size of the firms’ audit practices, which should assure that QC systems are designed, implemented, and operated with an appropriate level of rigor.” SEC Chair Gary Gensler pointed out that the “auditing profession has changed in the 21st century, and the Amendments we are considering today are long overdue. To put in context how important it is to update the quality control standards, the PCAOB found that 46 percent—nearly half—of the auditing engagements it reviewed in 2023 fell short of obtaining sufficient appropriate audit evidence.” The two dissenters primarily took issue with, in their view, the too-brief time allotted by the SEC to the process of refining the standard, the requirement that every PCAOB-registered firm design a compliant QC system—even if they are not required to implement it—and the failure to address adequately commenters’ concerns about the new EQCF. QC 1000 and related amendments will take effect on December 15, 2025.

Center for Audit Quality comes to the rescue for audit committees tasked with AI oversight

In this 2023 article in Fortune, a survey of 2,800 managers and executives conducted by management consulting firm Aon showed that business leaders “weren’t very concerned about AI….Not only is AI not the top risk that they cited for their companies, it didn’t even make the top 20.  AI ranked as the 49th biggest threat for businesses.” Has “the threat of AI been overhyped,” Aon asked, or could it be that the “survey participants might be getting it wrong”? If they were, it wasn’t for long. Fast forward less than a year, and another Fortune article, citing a report from research firm Arize AI, revealed that 281 of the Fortune 500 companies cited AI as a risk, representing “56.2% of the companies and a 473.5% increase from the prior year, when just 49 companies flagged AI risks. ‘If annual reports of the Fortune 500 make one thing clear, it’s that the impact of generative AI is being felt across a wide array of industries—even those not yet embracing the technology,’ the report said.”  This widespread recognition of the potential risks of genAI will likely compel companies to focus their attention on risk oversight, and that will almost certainly entail oversight by the audit committee.  To assist audit committees in that process, the Center for Audit Quality has released a new resource—an excellent new report, Audit Committee Oversight in the Age of Generative AI.

Are companies getting the clawback checkboxes right?

As you know, in 2022, the SEC adopted a new clawback rule, Exchange Act Rule 10D-1, which directed the national securities exchanges to establish listing standards requiring listed issuers to adopt and comply with a clawback policy and to provide disclosure about the policy and its implementation. Under the rules, the clawback policy had to provide that, in the event the listed issuer was required to prepare an accounting restatement—including not just “reissuance,” or “Big R,” restatements, but also “revision” or “little r” restatements—the issuer must recover the incentive-based compensation that was erroneously paid to its current or former executive officers based on the misstated financial reporting measure. The recovery policy had to apply to incentive compensation received during the three completed fiscal years immediately preceding the date that the company was required to prepare a restatement.  (See this PubCo post.) The clawback rules added a requirement to include new checkboxes on the cover pages of Form 10-K, Form 20-F and Form 40-F to indicate separately (a) whether the financial statements of the issuer included in the filing reflect correction of errors to previously issued financial statements, and (b) whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received by any of the issuer’s executive officers during the relevant recovery period. (See this PubCo post.) It’s worth noting here that the first box, which applies to correction of any errors in the financial statements filed, is broader in scope than the second, which applies if the restatements needed a potential clawback analysis, even if no actual recovery was required. Apparently, there hasn’t been much action for the second box. In this article, Bloomberg reports on a study by research firm Nonlinear Analytics LLC, which showed that of “the 205 companies that reported accounting corrections in their annual financial statements so far this year, just 29—less than 15%—said they reviewed the error to see if they needed to force a compensation clawback,” i.e., reported that they performed a potential recovery analysis. And, only two of the companies that performed an analysis ended up clawing back any executive bonuses.   

SEC approves new PCAOB proposals

Yesterday, the SEC held an open meeting to consider a number of PCAOB proposals addressing the “general responsibilities of an auditor conducting an audit as well as technology-assisted analysis and contributory liability rule for associated persons.” In his opening remarks, SEC Chair Gary Gensler put this initiative in the historic context of the adoption of SOX in 2002, which led to the establishment of the PCAOB as “an independent watchdog over the audits of public companies and registered broker-dealers and their auditors. The Enron crisis revealed a key problem: the quality of auditing standards. Candidly, the relationships between issuers and auditors, between standard-setters and auditing firms, were too clubby.”  Auditing standards were set by the AICPA, which meant that, in effect, the “profession was writing its own rules. That’s an inherent conflict. To correct course, the PCAOB was tasked with setting enhanced auditing standards. For practical purposes, Congress permitted the newly established PCAOB to carry over existing AICPA standards on an interim basis. The expectation was that the Board would produce a more appropriate set of standards going forward.” Although these standards “were already decades-old when the Board adopted them in 2003,” before now, the PCAOB had adopted only seven new standards—“42 of these 49 so-called ‘interim standards’ remained in public company audit practice.”  Yesterday, the SEC approved a proposed rule amendment and two proposals for new and updated audit standards adopted by the PCAOB:  an amendment to PCAOB Rule 3502 governing contributory liability (approved three to two); AS 1000, regarding the general responsibilities of the auditor in conducting an audit (approved unanimously), and AS 1105 and AS 2301, amendments related to aspects of designing and performing audit procedures that involve technology-assisted analysis of information in electronic form (approved unanimously). According to the press release, Gensler said that he was “pleased that the PCAOB is fulfilling its obligations under the Sarbanes-Oxley Act by updating its standards and rules regarding the practice of auditing….I’m proud to support the PCAOB’s proposed changes to instill greater trust among investors and issuers in our markets.”

SEC charges Ideanomics for misleading revenue guidance

As discussed in this press release, the SEC has announced Orders settling charges against Ideanomics, Inc., its current CEO and former CFO, as well as its former Chair and CEO, for alleged misleading statements about the company’s financial performance between 2017 and 2019. There were multiple alleged fraudulent acts, but featured most prominently was an allegation that the Company and the former Chair/CEO reported 2017 revenue guidance that ended up being well off the mark, “despite numerous known issues indicating that the company would miss this guidance by a wide margin.” The Company later reported 2017 revenues that were less than half of the amount represented to the public in its guidance. According to the Associate Director of Enforcement, as the SEC alleged, “Ideanomics and its executives defrauded investors, including by misstating its financial statements and failing to disclose material information to investors….The investing public must be able to trust the accuracy of a company’s disclosures, and we will hold accountable executives who abuse that trust by engaging in fraud.”   

Do companies adopt clawback policies exceeding minimum SEC requirements?

In 2022, after seven years of marinating on the SEC’s long-term agenda, the SEC adopted rules to implement Section 954 of Dodd-Frank, the clawback provision. The rules directed the national securities exchanges to establish listing standards requiring listed issuers to adopt and comply with a clawback policy and to provide disclosure about the policy and its implementation. Under the rules, the clawback policy was required to provide that, in the event the listed issuer was required to prepare an accounting restatement—including not just “reissuance,” or “Big R,” restatements, but also “revision” or “little r” restatements—the issuer must recover the incentive-based compensation that was erroneously paid to its current or former executive officers based on the misstated financial reporting measure. (See this PubCo post.) The requirements have been in effect for a bit now. But how did companies respond?  Did they stick to the script? Or, after examining their own “governance philosophies,” did companies amp up the rules to actually expand the scope of their clawback policies? This piece from consultant FW Cook reporting on their study of large cap companies showed that “80% maintain an expanded clawback policy that goes beyond the SEC requirements.”

SEC charges RR Donnelley with control failures related to cybersecurity incident

In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for control failures: more specifically, a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts and a failure to devise and maintain adequate internal accounting controls—more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges.  Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”  

Munter and Gerding discuss the need for additional disclosures under IFRS 19

The director of Corp Fin, Erik Gerding, and the SEC Chief Accountant, Paul Munter, have issued a new “Statement on the Application of IFRS 19, Subsidiaries without Public Accountability: Disclosures, in Filings with the SEC.” IFRS 19 permits reporting company subsidiaries “that do not have public accountability” to provide reduced disclosures […]