United States General Accounting Office
Testimony

For Release on Delivery
Expected at 1:00 p.m.
Thursday
August 2, 1990

Prevention, Detection, and Reporting of Financial Irregularities

Statement of
Charles A. Bowsher
Comptroller General of the United States

Before the
Subcommittee on Telecommunications and Finance
Committee on Energy and Commerce
House of Representatives

GAO/T-AFMD-90-27

Mr. Chairman and Members of the Subcommittee:

I am pleased to be here today to discuss the need for better prevention, detection, and reporting of financial irregularities in public companies subject to the Securities Exchange Act of 1934. I will address most of my comments to your July 30, 1990, proposed legislation, which pertains only to amending the 1934 act, but will touch on similar needs with respect to federally insured institutions not subject to the act.

During the past several years, well-publicized cases of financial irregularities in many companies and institutions have raised serious questions about corporate accountability, the effectiveness of corporate governance and regulation, and the adequacy of audit requirements. In the savings and loan industry, for example, which also includes many institutions not covered under the 1934 act, financial irregularities on the part of companies' management and directors have contributed significantly to the estimated $500 billion cleanup cost.

There are three major players involved in ensuring corporate accountability--(1) the company's management and directors, particularly those who serve on audit committees; (2) the accounting profession; and (3) government regulators. Each of these players has a significant role. We need to ensure that they work well and that they work together.
This is necessary to protect not only shareholders, but also the taxpayers who have had to bail out companies like Chrysler, Lockheed, and Penn Central, as well as entities directly insured by the government--such as savings and loans, banks, and pension funds.

It is important to note that while some of these entities are covered by the 1934 act, many are not. Although many large money center banks are covered, other significant financial institutions are not covered. Companies like Silverado are not covered and these have required major taxpayer bailouts.

In March 1989, we reported on actions needed to improve auditing and financial reporting of public companies.1 In our opinion, there has been insufficient progress since our report was issued. Recent events in the savings and loan industry have served to point up the importance of the recommendations we made in that report. Had those recommendations been in effect at the time of the savings and loan disaster and had they applied to all financial institutions, we believe the crisis would have been less serious.

To help prevent these problems, we believe the Congress should amend banking laws as well as securities laws to strengthen both management's and the auditor's responsibilities for detecting and reporting irregularities. We believe both management and auditors should have greater responsibility to evaluate and report on companies' internal control systems and compliance with laws and regulations. The profession has made progress in dealing with these matters, but recent events make it clear that more needs to be done. The Securities and Exchange Commission (SEC) also has a significant statutory role to play in the process of setting auditing standards and in establishing reporting requirements which we believe should be pursued more actively.

IMPORTANCE OF INTERNAL CONTROLS AND COMPLIANCE WITH LAWS AND REGULATIONS

A good internal control system is important to manage properly and effectively, to ensure corporate accountability and accurate financial reporting, and to prevent fraud. The internal control system can help management ensure compliance with laws and regulations that are fundamental to operations and that may materially affect the financial statements. Controls are primarily the responsibility of management but directors, auditors, and regulators also have essential roles to play.

The Congress, in enacting the Federal Managers' Financial Integrity Act of 1982, sought to improve government internal controls and the government's ability to manage its programs. The Congress also recognized these same principles when it passed the Foreign Corrupt Practices Act (FCPA) in 1977. The FCPA, which amended the Securities Exchange Act of 1934, requires securities registrants to devise and maintain systems of internal accounting controls sufficient to provide reasonable assurance that transactions are executed consistently with management's authorization, transactions are recorded to permit the preparation of financial statements that are in accordance with applicable standards, access to assets is permitted only in accordance with management's authorization, and recorded accountability for assets is compared with existing assets and appropriate action is taken with respect to any differences.

The FCPA was the result of numerous revelations that the falsification of records and improper accounting had allowed businesses to make millions of dollars in questionable or illegal payments. In one respect, however, the FCPA did not go far enough.
It set a statutory mandate for corporations to maintain effective internal controls, but because it did not require reporting on controls, it provided no mechanisms for follow-up by the three major players involved in ensuring corporate accountability--management, auditors, and regulators.

Previous Proposals to Strengthen Reporting on Internal Controls

In 1978, a Commission on Auditors' Responsibilities established by the American Institute of Certified Public Accountants (AICPA) called for both management and auditors to report on internal controls. This was followed, in 1979, by an SEC proposal that would have required management to report on whether the system of internal controls reasonably assured that the internal control objectives specified in the FCPA were achieved. The proposal would have required auditors to express an opinion on the reasonableness of management's report on internal controls. The SEC withdrew this proposal in 1980 after receiving numerous objections based on the costs of compliance and the standards of materiality to be applied. The SEC, in withdrawing its proposal, stated that it wanted to allow private sector initiatives for public reporting on internal controls to develop.

In 1987, another commission, the National Commission on Fraudulent Financial Reporting (known as the "Treadway Commission"), recommended that the management of public companies report on the adequacy of internal controls and that auditors report on management's report. The SEC again followed this private sector proposal with a proposed rule that would require management to issue a report that includes an assessment of [illegible] the internal control system provides reasonable assurance as to the integrity and reliability of financial reporting. Auditors would report any disagreements with management's report identified during the audit of the financial statements.
However, under that proposal, auditors would not have been required to perform any procedures specifically directed towards forming a conclusion about management's report or the effectiveness of controls. This proposal, released for comment 2 years ago, has still not resulted in a final rule.

Current Legislative Proposal to Strengthen Reporting on Internal Controls

Your proposed bill would require both management and auditors to address and report on internal controls, including controls over financial statements as well as controls designed to meet the objectives in the FCPA. Standards for auditors' examination of and report on management's report would be established by recognized auditing standard setting bodies. Thus, the Auditing Standards Board of the AICPA, which is the recognized body for setting auditing standards, would have some discretion in determining, subject to SEC review and approval, the extent of work auditors should perform and the form of the report they should issue.

We strongly support the provisions in your proposed bill which would require both management and auditors to address and report on internal controls. Auditors, however, may object to the provision in the proposed bill requiring them to evaluate and report on controls not directly related to the financial statements, such as those spelled out in the FCPA. Auditors may contend that providing an opinion on management's report on internal controls intended to satisfy the requirements of the FCPA, as you have suggested, requires judgments that are beyond their expertise. Indeed, the profession's current standards preclude auditors from issuing a report that provides assurance on compliance with the internal control provisions of the FCPA.
In spite of these concerns by auditors, we believe the time has come for auditors and the SEC to deal with these problems and develop ways to examine and report on controls to ensure compliance with laws and regulations such as those spelled out in the FCPA. We believe that this can and should be done. At a very minimum, we believe that auditors can and should examine and report on controls relating to financial statements. If the auditors' role is limited by the profession, then other ways to evaluate company compliance with the FCPA will need to be sought.

NEED FOR STRENGTHENED AUDIT REQUIREMENTS

In addition to broader reporting requirements, we believe auditing procedures need to be strengthened to better deal with financial irregularities, such as those revealed as a result of the savings and loan problems. Your proposed bill would strengthen audit procedures in three areas: related party transactions, compliance with laws and regulations, and early warning of the collapse or demise of a company.

Related Party Transactions

Current auditing standards require auditors to be aware of the possible existence of material related party transactions that could affect the financial statements. Auditors use judgement in determining whether audit procedures are required. The proposed bill would specifically require that auditors design audit steps to identify related party transactions, including those that do not necessarily relate directly to the financial statements but require disclosure under SEC rules. We support this provision.

Compliance With Laws and Regulations

Auditors have responsibility under current auditing standards to evaluate compliance with laws and regulations that may have a direct and material effect on the financial statements.
The proposed bill would strengthen auditors' responsibility in this area by requiring specific procedures and also broaden their responsibility to include detection of illegal acts which may indirectly as well as directly affect the financial statements. For example, auditors would be required under the proposed bill to evaluate compliance with banking laws that might not directly affect financial statement amounts.

Auditors may object to broadening their responsibilities in this area for reasons similar to objections to broadening their responsibilities in evaluating and reporting on internal controls, as discussed earlier. However, we believe the time has come to develop ways for auditors to address compliance with laws and regulations beyond those that directly and materially affect the financial statements. It should be possible for auditors, working with the SEC, to define those laws and regulations for specific industries that are particularly relevant to their operations but only indirectly affect the financial statements. Defense and health care are examples of industries in which auditors should review relevant laws and regulations. We believe auditors can and should play an important role in ensuring that public companies and federally insured financial institutions comply with laws and regulations.

Ability to Continue as a Going Concern

Auditors are required under current auditing standards to consider an entity's ability to continue as a going concern for a reasonable period of time, not to exceed 1 year beyond the date of the financial statements. Specific audit steps are not required, however.
The proposed bill would require auditors to use audit procedures designed to review risks, uncertainties, and other conditions which may affect the issuer's ability to continue in business and which permit the independent public accountant to conclude whether there is substantial doubt about the issuer's ability to continue as a going concern over the ensuing fiscal year. We support this strengthening of the auditors' responsibilities.

REQUIRED RESPONSE TO AUDIT DISCOVERIES

Traditionally, auditing standards have recognized an auditor-client relationship, with the auditor's primary reporting responsibility being to the client or to the client's audit committee. Any outside reporting has generally been considered the responsibility of the client or the client's audit committee. Although the auditor may have a duty, under certain limited circumstances, to inform others outside the client organization of problems, there is no clear requirement for reporting to regulators.

The proposed bill would significantly change this by requiring direct reporting to the SEC of illegalities only if the management and/or directors or audit committee of the issuer does not promptly terminate and correct an illegality. Recent changes to 8-K reporting requirements and actions by the auditing profession improve the likelihood that the SEC will learn of illegalities known by auditors. However, we do not believe these changes go far enough to ensure timely and complete reporting. We believe that timely and complete reporting of illegalities to the SEC, coupled with prompt and effective enforcement actions by the SEC, should provide a significant deterrent to illegal acts. We support the requirements of the proposed bill.

SEC JURISDICTION

The Securities Exchange Act of 1934 grants the powers, functions, and duties vested in the SEC to administer and enforce certain sections of the securities laws to banking regulatory agencies such as the Federal Deposit Insurance Corporation.
Your bill would repeal this provision (subsection (i) of section 12). We support this provision.

We are concerned, though, that many federally insured institutions do not fall under the purview of the 1934 act. In fact, some of these institutions are not even required to be audited. We believe these institutions should also be required to follow the provisions in this proposed bill, as well as additional suggestions for strengthening the bill which I will discuss. We believe Congress should consider legislation to extend coverage to these institutions as soon as possible.

OTHER SUGGESTIONS FOR STRENGTHENING THE AUDIT PROCESS

We have several suggestions for strengthening the audit process which we believe will greatly enhance the effectiveness of the proposed bill.

Audit Committees

Public companies and insured depository institutions should be required to have audit committees. Members of audit committees should be made up of outside directors who are totally independent in fact and appearance and have no impairment which would keep them from acting in the best interest of stockholders and the public. A strong argument can be made that directors of institutions with government deposit insurance also have a fiduciary responsibility to protect the government's interest.

Audit committees can play an important role in preventing and detecting fraudulent financial reporting and in enhancing auditor independence. The committees, which should include at least one attorney, can help assure that their companies comply with laws and regulations.

Both the SEC and the public accounting profession have endorsed audit committees. The SEC, for example, has noted the importance of informed, vigilant, and effective audit committees as overseers of companies' financial reporting processes and internal controls and as an effective force for ensuring auditor independence.
However, neither the SEC nor deposit insurance regulatory agencies require audit committees, and existing committees may not have sufficiently stringent rules on independence or require that committees include a lawyer.

We suggest that the following language be added to your bill:

"AUDIT COMMITTEES AND AUDITORS. (1) Every issuer to which section 13(b)(2) of this title applies shall have an independent audit committee made up of totally independent outside directors (in both fact and appearance), including at least one attorney."

Peer Review

All auditors auditing public companies and insured depository institutions should be required to obtain a peer review. Peer review, which is the cornerstone of the public accounting profession's quality assurance efforts, is essentially the verification by other auditors that an auditor or an auditing firm has a system of quality controls that provides reasonable assurance that audits are conducted in accordance with established standards.

Some auditors of public companies and insured depository institutions are not subject to any requirements to obtain a peer review. We believe that requiring peer review, with appropriate SEC involvement, will help protect against the exposure to irregularities which your bill seeks to reduce.

We suggest that the following language be added to your bill:

"(2) All audits required by this title shall be performed only by an independent public accountant who has received a peer review within a time interval set by the Commission. Reports on peer reviews shall be available for public inspection."

Notification of Auditor Changes

Auditors should promptly inform appropriate regulatory authorities when they resign or are terminated. The AICPA has adopted rules for its members which provide that they promptly and directly notify the SEC when they resign or are terminated. This serves as an early warning device for possible problems which caused a company to change auditors.
However, not all auditors are members of the AICPA. As discussed earlier, the SEC needs to undertake prompt and effective enforcement actions when problems are suggested.

We suggest that the following language be added to your bill:

"(3) Any auditor performing an audit under this title who is removed, replaced, or resigns shall promptly notify the Commission of such action and the reasons therefor."

Sharing Information With Auditors

Regulators should be required to share reports and information with independent public accountants concerning regulators' knowledge of potential mismanagement, fraud, or abuse by companies. Exceptions should be made for situations involving litigation and ongoing actions or investigations. In those situations, regulators should inform auditors that reports are not available and the reasons therefor.

Sharing information with independent public accountants will enable them to expand the scope of their work appropriately and thereby improve the effectiveness of their audits. The results will enhance the process of detecting and reporting illegal acts.

We suggest that the following language be added to your bill:

"(4) The Commission shall share reports and other information concerning any potential mismanagement, fraud, and abuse on the part of an issuer with any independent public accountant performing an audit of the issuer under this title, except when such sharing would impair an investigation or litigation."

COSTS AND TIMETABLES

There will be substantial additional audit and administrative costs for all companies subject to the new provisions of your bill. In our view, these costs, at almost any level imaginable, cannot compare with the potential costs to the taxpayers and to other interested parties of failing to adopt these new provisions.

The tight timetables set in your bill will require the SEC and other standard setting bodies to expeditiously develop implementing procedures and rules.
However, any imperfections which may result from trying to meet tight timetables can be addressed later. The urgency of the problems being addressed by your bill justifies, in our view, these potential consequences.

CONCLUSIONS

We have previously made recommendations to the Department of Treasury in its review of existing financial institutions legislation (the Financial Institutions Reform, Recovery, and Enforcement Act of 1989) which are incorporated in this bill and our suggested additions to this bill. These recommendations have resulted from our work with respect to failed savings and loan institutions as well as other studies. Our ongoing work on the banking industry strengthens our belief in the need for these reforms. For example, we have identified serious internal control weaknesses in the banks which have recently failed.

I believe we owe it to American taxpayers to take whatever steps are necessary to protect them from future problems. Strong corporate governance, along with effective auditing and the appropriate level of regulatory oversight and supervision, are the keys to identifying and correcting internal control weaknesses, noncompliance with laws and regulations, and fraudulent financial reporting.

Mr. Chairman, this completes my statement. I would be pleased to answer any questions you or other members of the Subcommittee may have.

Prevention, Detection, and Reporting of Financial Irregularities
Published by the Government Accountability Office on 1990-08-02.