oversight

Prevention, Detection, and Reporting of Financial Irregularities

Published by the Government Accountability Office on 1990-08-02.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                   United   States   General Accounting        Office                               -
                   Testimony




For Release   on    Prevention,        Detection,        and    Reporting
Delivery            of Financial        Irregularities
Expected   at
1:00 p.m.
Thursday
August   2, 1990




                   Statement     of
                   Charles     A. Bowsher
                   Comptroller      General        of    the    United      States

                   Before    the
                   Subcommittee     on Telecommunications
                     and Finance
                   Committee     on Energy and Commerce
                   House of Representatives




GAO/T-AFMD-90-27                                                                GAO Form 160 (12,‘87)
?lr.     Chairman            and Members                    of     the       Subcommittee:



          I am pleased                     to     be here               today         to    discuss            the    need         for
better       prevention,                    detection,                   and      reporting               of    financial
irregularities                    in    public              companies                 subject         to       the    Securities

Exchange          Act        of      1934.            I will             address            most      of my comments                      to     your
July      30,     1990,           proposed             legislation,                        which      pertains             only          to
amending           the       1934          act,       but        will        touch          on similar               needs         with

respect          to     federally                 insured               institutions                not        subject        to         the     act.



          During            the     past          several           years,             well-publicized                      cases         of
financial             irregularities                        in    many companies                      and       institutions                    have

raised          serious           questions                 about          corporate               accountability,                       the

effectiveness                  of      corporate                 governance                 and     regulation,               and         the

adequacy          of        audit          requirements.                         In    the       savings          and       loan
industry,             for      example,               which         also          includes            many        institutions                   not
covered          under         the         1934       act,         financial                 irregularities                  on the             part
of     companies'             management                  and directors                       have     contributed
significantly                  to      the        estimated                $500        billion            cleanup          cost.



          There        are        three           major          players              involved            in    ensuring            corporate
accountability--                     (1)        the    company's                  management               and directors,

particularly                 those          who serve               on audit                committees;               (2)     the

accounting              profession;                   and        (3)       government                regulators.                   Each         of
these       players            has      a significant                       role.             We need           to    ensure             that

they      work        well        and        that      they         work          together.                This       is     necessary                 to


                                                                             1
protect          not        only       shareholders,                   but           also      the     taxpayers                who have
had     to      bail        out      companies             like        Chrysler,                   Lockheed,           and           Penn

Central,             as well           as entities                  directly                insured        by the          government--

such      as savings                 and     loans,            banks,           and         pension        funds.               It     is
important              to    note         that     while            some of             these        entities             are         covered

by the          1934 act,             many are             not.           Although              many       large          money            center
banks         are      covered,            other         significant                    financial             institutions                      are

not     covered.               Companies                like        Silverado                are     not      cove:ed                and     these

have      required             major         taxpayer               bailouts.



           In    March            1989,     we reported                   on actions                 needed          to    improve
auditing             and financial                 reporting                   of     public         companies.1                      In     our
opinion,             there         has     been         insufficient                   progress            since          our         report

was     issued.              Recent          events            in    the        savings             and loan           industry                 have
served          to     point         up the        importance                   of     the      recommendations                        we made

in     that       report.              Had those               recommendations                       been       in     effect              at     the

time      of     the        savings         and         loan        disaster                and had        they       applied                to
all     financial                 institutions,                 we believe                   the     crisis          would            have        been
less      serious.



          To help            prevent             these         problems,               we believe               the       Congress

should          amend banking                    laws      as well              as     securities               laws       to

strengthen              both         management's                   and        the     auditor's              responsibilities

for     detecting              and reporting                    irregularities.                         We believe                    both




                                                                           2
management               and auditors                   should         have        greater            responsibility                       to

evaluate            and     report           on companies'                      internal             control             Systems           and
compliance               with        laws        and     regulations.                        The profession                    has made
progress            in    dealing            with        these         matters,               but     recent             events           make     it

clear        that        more        needs         to    be done.                The Securities                      and       Exchange
Commission               (SEC)        also         has     a significant                      statutory              role        to       play     in

the     process            of     setting           auditing               standards                and in          establishing
reporting            requirements                   which        we believe                   should         be pursued                   more

actively.



MPORTANCE OF INTERNAL CONTROLS AND
COt¶PLIANCE WITH LAWS AND REGULATIONS



          A good           internal              control         system            is        important              to    manage

properly            and effectively,                       to    ensure            corporate                accountability                       and

accurate            financial               reporting,            and to            prevent                fraud.             The internal

control         system            can       help        management               ensure             compliance                with        laws
and     regulations                  that        are     fundamental                    to    operations                 and     that       may
materially               affect         the        financial               statements.                  Controls               are

primarily            the        responsibility                   of        management                but      directors,

auditors,            and regulators                      also     have           essential                 roles         to    play.



          The Congress,                     in     enacting            the       Federal             Managers'                Financial

Integrity            Act        of    1982,            sought         to       improve         government                 internal

controls            and     the       government's                ability                to    manage          its        programs.
The Congress                also        recognized               these           same principles                         when        it    passed

                                                                           3
the     Foreign               Corrupt           Practices             Act         (FCPA)             in       1977.          The FCPA,
which           amended          the     Securities                  Exchange                Act         of     1934,        requires

securities               registrants                to     devise               and maintain                     systems            of    internal

accounting               controls            sufficient                   to      provide                reasonable                assurance

that       transactions                  are      executed                consistently                        with     management's

authorization,                    transactions                  are            recorded             to        permit         the
preparation               of         financial           statements                    that         are         in    accordance               with

applicable               standards,               access             to        assets         is      permitted               only        in
accordance               with         management's               authorization,                               and     recorded

accountability                    for      assets          is    compared                    with         existing            assets           and
appropriate               action           is     taken         with            respect             to        any differences.                        The
FCPA was the                   result       of      numerous                   revelations                    that     the

falsification                   of      records          and         improper                accounting                had allowed
businesses               to     make millions                   of        dollars             in     questionable                    or    illegal

payments.



           In    one respect,                    however,             the        FCPA did                 not        go far        enough.             It
set     a statutory                  mandate         for        corporations                        to        maintain         effective
internal           controls,              but      because                it     did         not      require            reporting              on
controls,           it        provided            no mechanisms                        for         follow-up             by the           three
major       players             involved           in      ensuring                corporate                   accountability--

management,               auditors,               and regulators.
Previous            Proposals             to     Strengthen
Reporting            on Internal                 Controls



           In    1978,          a Commission                 on Auditors'                     Responsibilities
established               by the         American             Institute                of      Certified             Public

Accountants                  (AICPA)         called          for      both           management             and auditors                   to

report          on internal              controls.                  This           was followed,               in     1979,           by an
SEC proposal                  that      would         have         required            management              to     report           on

whether          the      system         of      internal             controls               reasonably              assured           that

the      internal            control            objectives                specified              in    the     FCPA were

achieved.               The proposal                  would         have           required           auditors            to    express
an opinion              on the          reasonableness                        of     management's              report           on

internal           controls.                 The SEC withdrew                         this      proposal             in    1980 after
receiving              numerous          objections                 based            on the         costs      of     compliance

and      the     standards              of      materiality                   to     be applied.               The SEC,               in
withdrawing               its        proposal,           stated               that      it     wanted         to     allow        private

sector          initiatives               for      public           reporting                on internal              controls              to

develop.



           In    1987,          another          commission,                   the     National             Commission                on

Fraudulent              Financial               Reporting             (known           as the          "Treadway
Commission"),                   recommended              that         the          management            of    public           companies

report          on the          adequacy           of    internal                  controls           and     that        auditors

report          on management's                    report.                The SEC again                  followed              this

private          sector          proposal             with         a proposed                rule      that        would        require

management              to      issue        a report              that        includes             an assessment                 of


                                                                          5
pi:: s t :I E r the           internal              control          system             provides              reasonable               assurance
as to       the         integrity               and reliability                         of    financial               reporting.

Auditors           would          report             any disagreements                             with      management’s                report

identified               during             the      audit          of    the      financial                 statements.

However,           under             that       proposal,                auditors             would          not      have       been
required           to      perform              any     procedures                 specifically                    directed             towards

forming           a conclusion                      about      management’s                        report       or       the

effectiveness                   of     controls.                 This          proposal,                  released         for         comment
2 years           ago,         has      still          not     resulted                 in    a final            rule.



Current           Legislative                   Proposal             to     Strengthen
Reporting            on Internal                     Controls



          Your      proposed                 bill       would            require             both         management             and
auditors           to     address               and report                on internal                     controls,            including

controls           over         financial               statements                 as well                as controls             designed

to    meet        the     objectives                   in     the        FCPA.           Standards              for       audi tars’
examination               of      and report                  on management’s                        report           would       be
established               by recognized                       auditing             standard                 setting        bodies.

Thus,      the      Auditing                 Standards               Board         of        the     AICPA,           which       is     the

recognized               body         for       setting          auditing                standards,                would         have      some
discretion               in     determining,                   subject             to        SEC review               and approval,

the      extent          of     work         auditors            should            perform                and the         form     of      the

report       they         should             issue.




                                                                           6
          We strongly                 support            the      provisions                 in     your         proposed                bill
which       would        require             both        management                  and auditors                 to         address            and

ie>Ort          on internal                 controls.                Auditors,               however,             may object                    to
the      provision             in     the        proposed            bill         requiring              them       to        evaluate               and

report          on controls                 not     directly                related          to     the     financial

statements,              such         as those            spelled              out     in     the        FCPA.           Auditors                   may
contend          that       providing               an opinion                 on management's                      report               on

internal          controls             intended              to      satisfy           the        requirements                      of    the

FCPA,       as you          have       suggested,                 requires             judgments                 that         are        beyond

their       expertise.                 Indeed,            the        profession's                   current             standards
preclude          auditors             from         issuing            a report              that        provides              assurance
on compliance                  with        the      internal                control          provisions                 of     the        FCPA.



           In    spite         of     these         concerns                by auditors,                 we believe                  the        time

has      come for           auditors              and the            SEC to           deal        with      these             problems               and

develop          ways       to      examine            and      report            on controls               to      ensure
compliance              with        laws       and regulations                        such        as those              spelled               out        in

the      FCPA.          We believe                that       this           can    and should               be done.                     At     a

very      minimum,             we believe                that        auditors           can         and     should             examine               and

report          on controls                 relating            to     financial              statements.                      If        the

auditors'            role        is    limited            by the             profession,                 then       other            ways           to

evaluate          company             compliance                with         the      FCPA will             need         to         be sought.
NEED FOR STRENGTHENED                                  AUDIT           REQUIRW-IENTS



            In     addition                to        broader           reporting             requirements,                   we believe
auditing            procedures                       need        to    be strengthened                    to     better         deal         with

financial                irregularities,                          such       as those           revealed              as a result                of
the      savings               and      loan          problems.                Your        proposed            bill        would
strengthen                    audit        procedures                  in    three         areas:        related             party

transactions,                       compliance                  with        laws      and     regulations,                   and     early
warning           of          the      collapse             or        demise         of    a company.



Related            Partv            Transactions


          Current                auditing              standards               require          auditors              to     be aware           of
the      possible               existence                  of    material             related        party            transactions

that      could             affect          the        financial               statements.                Auditors             use
judgement                in     determining                     whether            audit      procedures               are     required.

The proposed                    bill       would            specifically                   require         that        auditors

design           audit          steps           to     identify             related          party        transactions,
including              those            that         do not            necessarily              relate          directly             to   the

financial              statements                    but        require            disclosure            under         SEC rules.                We
support           this          provision.



Compliance                With          Laws and                Regulations


          Auditors                  have        responsibility                      under       current           auditing
standards              to       evaluate               compliance                  with     laws     and        regulations               that


                                                                               8
may      have      a direct                and material                       effect           on the             financial

statements.                    The proposed                        bill       would          strengthen               auditors’
responsibility                       in    this             area          by requiring                specific              procedures                  and

also      broaden              their           responsibility                          to    include             detection              of     illegal
acts       which         may indirectly                            as well             as directly                 affect            the

financial            statements.                            For      example,               auditors             would          be required
under       the      proposed                  bill           to     evaluate               compliance              with         banking             laws
that      might          not      directly                   affect           financial               statement                 amounts.



           Auditors             may object                     to         broadening              their          responsibilities                        in
this       area      for        reasons                similar              to        objections             to     broadening                 their
responsibilities                          in     evaluating                   and reporting                      on internal

controls,            as discussed                           earlier.                  However,         we believe                    the      time       has
come to           develop              ways           for      auditors                to    address             compliance                with         laws

and regulations                       beyond                those          that        directly            and materially                      affect
the      financial              statements.                          It     should           be possible                  for        auditors,

working           with         the        SEC,         to      define             those        laws        and      regulations                   for
specific           industries                    that          are         particularly                   relevant              to    their

operations               but      only           indirectly                   affect           the        financial              statements.

Defense           and health                   care           are         examples           of      industries                 in    which

auditors           should              review               relevant              laws       and regulations.                           We believe

auditors           can         and should                     play         an important                   role       in     ensuring              that

public       companies                    and federally                       insured             financial               institutions
comply       with          laws           and regulations.




                                                                                  9
Ability          to     Continue              as a
Going       Concern



          Auditors             are      required            under           current              auditing           standards                 to
consider           an entity's                 ability            to    continue                 as a going               concern             for    a
reasonable              period          of     time,        not        to        exceed          1 year           beyond         the         date
of    the    financial                 statements.                 Specific                   audit       steps        are       not
required,             however.                The proposed                  bill         would           require          auditors             to
use     audit         procedures               designed            to       review             risks,        uncertainties,                        and
other       conditions                 which        may affect                   the        issuer's         ability             to

continue           in    business              and which               permit            the       independent                 public
accountant              to     conclude             whether            there           is      substantial                doubt         about

the     issuer's             ability           to     continue              as a going                  concern           over         the
ensuing         fiscal          year.           We support                  this         strengthening                    of     the
auditors'             responsibilities.



REQUIRED RESPONSE TO AUDIT                                  DISCOVERIES



          Traditionally,                     auditing         standards                     have        recognized              an
auditor-client                  relationship,                 with           the         auditor's            primary             reporting
responsibility                  being         to      the   client               or      to     the      client's              audit

committee.               Any outside                  reporting              has generally                    been         considered
the     responsibility                   of     the      client             or     the        client's            audit         committee.

Although         the         auditor          may have            a duty,                under          certain         limited




                                                                       10
circumstances,                  to        inform       others           outside            the       client            organization

of     problems,             there         is    no clear              requirement                 for       reporting                to

regulators.



          The proposed                 bill         would        significantly                     change            this        by
requiring             direct         reporting              to    the         SEC of            illegalities                  o;lly        if      the

management             and/or         directors              or        audit         committee               of      the      issuer

does      not     promptly            terminate              and correct                   an illegality.                          Recent
changes          to    8-K      reporting              requirements                      and actions                by the            auditing
profession              improve            the      likelihood                that        the      SEC will                learn       of

illegalities                 known         by auditors.                      However,            we do not                 believe              these
changes          90 far         enough           to    ensure           timely            and complete                     reporting.
We believe             that      timely             and complete                   reporting             of       illegalities                     to

the     SEC, coupled                 with        prompt          and effective                     enforcement                 actions              by

the     SEC,      should         provide              a significant                   deterrent                to      illegal             acts.

We support             the      requirements                 of        the        proposed           bill.



SEC JURISDICTION


          The Securities                      Exchange           Act         of    1934      grants            the         powers,

functions,             and duties                vested          in     the        SEC to          administer                 and enforce
certain          sections            of       the     securities                  laws     to      banking             regulatory

agencies          such         as the           Federal          Deposit             Insurance               Corporation.
Your      bill        would      repeal             this     provision                   (subsection                 (i)      of      section

12).        We support               this        provision.



                                                                       11
         We are         concerned,                though,              that         many federally                           insured
institutions              do not          fall          under          the         purview            of     the            1934     act.          In
f--L
  ac c some of               these       institutions                   are         not        even        required                to    be

audited.           We believe               these              institutions                    should             also        be required

to    follow       the        provisions                in      this         proposed             bill,            as well              as
additional           suggestions                  for          strengthening                    the        bill          which          I will

discuss.           We believe              Congress                  should           consider               legislation                     to
extend         coverage          to      these          institutions                      as    soon         as possible.



OTHER SUGGESTIONS FOR STRENGTHENING

THE AUDIT          PROCESS


         We have          several           suggestions                      for      strengthening                          the    audit
process         which         we believe                will         greatly              enhance            the         effectiveness

of    the      proposed          bill.



Audit       Committees



         Public         companies            and          insured             depository                   institutions                      should

be required             to     have       audit          committees.                       Members                of     audit

committees           should           be made up of                     outside                directors                 who are             totally
independent             in     fact       and appearance                           and have            no impairment                         which

would       keep     them        from       acting              in     the         best        interest                of     stockholders
and     the     public.              A strong            argument                  can     be made that                       directors                of

institutions              with        government                  deposit             insurance                   also        have       a
fiduciary          responsibility                       to      protect             the        government's                    interest.


                                                                       12
Audit          committees           can        play         an important                 role       in     preventing              and

detecting            fraudulent                financial               reporting            and       in      enhancing
auditor           independence.                      The committees,                     which        should           include        at
least          one attorney,              can         help         assure         that      their          companies             comply
with       laws      and regulations.



           Both      the    SEC and             the         public         accounting               profession              have

endorsed           audit         committees.                   The SEC,            for      example,             has      noted       the
importance            of        informed,             vigilant,                and effective                  audit       committees
as overseers               of     companies'                  financial            reporting               processes          and
internal           controls          and as an effective                             force          for       ensuring        auditor
independence.                    However,             neither            the     SEC nor            deposit           insurance
regulatory            agencies            require              audit           committees,                and existing
committees            may not            have         sufficiently                 stringent               rules       on

independence               or     require             that         committees              include            a lawyer.



          We suggest              that         the         following            language          be added             to    your

bill:



          "AUDIT          COMMITTEES AND AUDITORS.                                   (1)         Every         issuer        to     which
          section          13(b)         (2)     of         this       title       applies           shall         have     an
           independent              audit        committee                 made up of               totally           independent

          outside          directors                 (in     both        fact      and appearance),                       including

          at      least     one attorney."




                                                                        13
Peer      Review



          All    auditors           auditing              public           companies              and          insured
depository          institutions                     should          be required                to     obtain              a peer

review.          Peer      review,             which           is    the      cornerstone                 of         the    public
accounting          profession’s                     quality            assurance              efforts,               is    essentially

the     verification               by other             auditors              that       an auditor                   or    an auditing
firm      has    a system           of        quality           controls             that       provides               reasonable
assurance          that         audits         are      conducted               in     accordance                with

established            standards.


          Some auditors                  of    public           companies              and      insured               depository

institutions              are     not         subject           to      any     requirements                    to     obtain          a peer

review.          We believe               that        requiring               peer       review,           with            appropriate

SEC involvement,                  will         help       protect             against           the       exposure              to

irregularities              which             your      bill         seeks        to     reduce.



          We suggest             that         the     following               language            be added                 to   your
bill:



          “(2)      All     audits             required              by    this        title          shall           be performed

          only     by an independent                           public         accountant               who has              received       a

          peer     review         within             a time          interval            set      by      the         Commission.

          Reports         on peer             reviews           shall         be available                 for         public
          inspection.”




                                                                     14
Notification                 of      Auditor             Changes



          Auditors             should            promptly             inform           appropriate           regulatory
authorities                 when they                 resign        or    are        terminated.             The AICPA has
adopted             rules      for        its      members           which           provide       that      they       promptly

and directly                 notify             the     SEC when they                   resign       or    are      terminated.

This      serves            as an early                 warning           device          for    possible           problems
which        caused          a company                 to    change           auditors.            However,           not       all
auditors             are     members             of     the      AICPA.           As discussed               earlier,                the     SEC
needs          to    undertake              prompt           and effective                 enforcement              actions            when

problems             are     suggested.



         We suggest                  that        the        following            language          be added            to   your
bill:



          ” (3)         Any auditor                    performing              an audit          under       this       title          who

          is        removed,          replaced,                or    resigns            shall      promptly           notify           the

         Commission                  of     such        action           and     the      reasons         therefor."



Sharing             Information                 With        Auditors



         Regulators                 should             be required              to      share      reports          and
information                 with      independent                   public        accountants              concerning

regulators'                 knowledge             of        potential           mismanagement,                fraud,            or     abuse

by companies.                      Exceptions                should          be made for             situations             involving

litigation              and ongoing                    actions           OK investigations.                      In     those


                                                                         15
 situations,                   regulators                  should          inform          auditors              that          reports              are
 not       available              and     the           reasons            therefor.



            Sharing              information                  with         independent                 public           accountants
 will       enable             them     to        expand            the       scope       of      their         work        appropriately
and        thereby             improve            the       effectiveness                    of     their            audits.               The
results            will          enhance             the      process              of    detecting              and        reporting

 illegal           acts.



           We suggest                 that           the      following                 language              be added              to    your

bill:



            "(4)          The Commission                       shall           share       reports              and other
            information                 concerning                   any      potential              mismanagement,                           fraud,
           and      abuse          on the             part         of     an issuer               with         any      independent

           public           accountant                  performing                  an audit             of     the      issuer               under

           this       title,            except             when such                sharing         would             impair             an
           investigation                     or       litigation."



COSTS AND TIXETABLES



           There          will        be substantial                       additional               audit            and
administrative                    costs           for        all        companies              subject           to     the         new

provisions                of     your        bill.             In       our    view,           these          costs,           at        almost        any
level        imaginable,                 cannot              compare           with        the      potential                costs             to    the
taxpayers             and to            other           interested                 parties          of        failing           to        adopt


                                                                              16
these       new provisions.                        The tight                  timetables               set           in    your           bill          will
require           the     SEC and other                      standard             setting            bodies               to

expeaitiously                   develop           implementing                    procedures                 and          rules.

However,           any       imperfections                    which        may result                 from            trying              to      meet

tight       timetables                  can be addressed                         later.           The urgency                        of      the
problems           being          addressed              by your           bill           justify,              in        our        view,          these

potential               consequences.



CONCLUSIONS



          We have           previously              made recommendations                                   to    the           Department                  of
Treasury           in     its      review          of        existing             financial                institutions
legislation                (the       Financial                Institutions                  Reform,             Recovery,                       and

Enforcement               Act      of     1989)          which          are       incorporated                   in        this           bill          and

our     suggested               additions               to    this       bill.             These           recommendations                              have
resulted           from         our     work       with         respect             to     failed           savings                  and         loan
institutions                as well            as other              studies.                Our ongoing                       work         on the

banking           industry            strengthens                our       belief            in      the        need           for        these

reforms.             For        example,           we have              identified                serious                 internal

control        weaknesses                 in      the        banks       which            have       recently                  failed.



          I believe               we owe it              to     American              taxpayers                 to        take        whatever
steps       are     necessary                to    protect              them        from       future            problems.                        Strong

corporate            governance,                  along         with       effective                 auditing                  and the

appropriate               level         of     regulatory                oversight                and supervision,                                are



                                                                        17
the   keys    to    identifying            and correcting             internal        control

weaknesses,         noncompliance             with     laws     and    regulations,             and

fraudulent         financial         reporting.




       Mr.    Chairman,           this     completes          my statement.            I would         be
pleased      to    answer      any       questions      you     or    other      members        of    the

Subcommittee         may have.




                                                        18