The CPA Journal Symposium, held July 19, 1993, presented a discussion of the POB's and AICPA's recommendations to improve financial reporting and the audit process. A summary of the Symposium was published in the October issue, along with an adaptation of a speech of Waiter Schuetze, Chief Accountant of the SEC, given at the symposium. Schuetze's remarks focused primarily on why, in his view, external auditor reporting on internal controls for public companies should not be made mandatory.

Donald Chapin, as a spokesperson for the U.S. General Accounting Office at the Symposium, expressed an entirely different point of view on internal control. As with some of the other proposals, Chapin feels the recommendations for internal control reporting do not go far enough.

In March 1993, the Public Oversight Board (POB) issued its report addressing major issues confronting the accounting profession. The issues concerned litigation, self regulation, standards for auditing and financial reporting, public confidence, and professional practice. In June, the AICPA Board of Directors essentially endorsed the POB's recommendations and included them in the AICPA's commitments to meeting financial reporting needs of the future.

Both the POB and the AICPA acknowledged the need to consider the public interest in addressing the serious issues confronting the profession. I believe this is a giant step forward and one that needs to be kept at the forefront in judging the merit of recommendations that have been made. The recommendations themselves are serious proposals that need to be carefully considered.

Fundamentally, the merit of the recommendations needs to be assessed by carefully considering the root causes that have contributed to the need for the profession to reassess whether its services are meeting users' needs, including the public's.

With that frame of reference, I will focus my comments on those areas where I believe the proposals have not broken the traditional mold of thinking and are likely to come up short in fully serving both the public need and ensuring the future success of the profession. The areas where the actions need to be more far reaching are 1) corporate governance, 2) the role of the profession, 3) assessing internal controls, and 4) users' financial information needs.

Changing Needs

In today's complex and rapidly changing business environment, the needs of the users of financial information have changed. The ability of the profession to satisfy those needs through the assurances it has historically provided is in question. Today's high level of litigation initiated by users of financial information, at least in some measure, reflects significant dissatisfaction with the assurance function presently being delivered by the profession. Also, there is some evidence that because of the high risk of litigation-related losses, the profession is unwilling to deploy its resources to meet users' needs in new nontraditional areas where a professional assurance function is needed.

Both packages of proposals should be judged by the following standards: Will the proposals result in providing users with the assurance function they may reasonably expect from the profession, and will the proposals engage the profession in providing those assurances?

With that background, I would like to discuss the areas where both packages need to be clarified or strengthened.

Significant Improvement Needed In Corporate Governance

Neither the POB nor the AICPA deals sufficiently with the role of the outside directors' or the auditors' relationship with management. This is critical to making necessary reforms. Years ago the Treadway Commission reported that 43% of litigation against auditors involved fraudulent financial reporting and at least 66% of that could be traced to top management. Treadway was concerned with management's "ability to override systems and keep significant decisions, such as estimates and judgments, outside the system."

More recently, GAO's reviews of failed banks showed that ineffective audit committees, as well as weak internal controls, were at the heart of management problems that led to many of the failures. Internal controls that contributed most significantly to the bank failures were inadequate or imprudent loan policies and procedures, inadequate supervision by the bank's board of directors, weak loan administration, poor loan documentation, and inadequate credit analysis. These types of weakness were exacerbated as management of troubled banks took larger financial risks to avoid failure. As a minimum, effective review and reporting by auditors of an entity's general control environment and safeguarding of assets would alert stockholders, as well as independent board members, to such serious weaknesses. Effective audit committees that work with the auditors are a crucial defense to timely identify weak controls or management actions to override controls. Consequently, if instituting better controls to monitor the actions of management is not a center piece of the reforms, stockholders and others will continue to be needlessly exposed to loss.

Corporate law provides that the directors are responsible for the corporation's well being. The functioning of the corporate governance system in practice today suggests there are serious flaws in director oversight. Recently, we have seen some hopeful incidents of outside directors taking action to turn out poorly performing management. This seems to occur, however, only after a long slide in performance, and sometimes it appears accounting has been slow to recognize the slide. IBM is an example. One wonders whether investors were as informed as possible or disadvantaged from a lack of timely information during that slide. Then, there is the disturbing tale of Empire Blue Cross where it appears directors were totally ineffective and, reportedly, government and other creditors will be among the losers.

There are many reasons for these types of corporate governance problems. A very important one is that the directors are not getting a true picture of the facts from management. Another is that the job of the outside director is loosely defined and there are no qualifications or specific independence requirements. Proposals like those of Dale Hanson, CEO, California Public Employees' Retirement System, to redress the balance between management and the directors have been made. They include properly functioning audit committees. Currently, only in case of banks is there any legislative requirement for audit committees.

The Federal Deposit Insurance Corporation Improvement Act of 1991 requires financial institutions to have an independent audit committee made up entirely of outside directors who are independent of management. For large institutions, the act requires the audit committee include members with banking or related financial management expertise, have access to the committee's own outside counsel, and not include any large customers of the institution. In addition to focusing on the financial statements and the related auditor's opinion, the audit committee is required to review with management and its independent public accountant the basis for management's report on internal controls and compliance with safety and soundness laws and regulations as well as the independent public accountant's report on management's assertions in that report.

Audit committee provisions like that make sense for all large public companies. A statutory requirement would be preferable. However if legislation cannot be accomplished, perhaps the POB and the AICPA could prevail on the stock exchanges to strengthen their audit committee rules. The SEC in its role of protecting investors could also act to help strengthen audit committees. If that can be done, the role of the auditor can also be substantially strengthened.

Major Changes in Role of the Profession

The 1991 banking legislation, by requiring audit committees to review audit reports on financial statements, internal controls, and compliance with laws and regulations, puts a burden on bank directors to retain competent and truly independent auditors. It also tends to increase auditors' responsibility to the outside directors. But, the banking legislation did not tie the knot by making the auditor primarily responsible to the audit committee rather than management. In my judgment, such a step would substantially enhance auditors' independence.

In discussing auditors' independence, the POB and the AICPA agree that auditors' litigation risk reinforces their independence. But, if litigation risk is substantially reduced and auditors are not made directly responsible to the audit committee, is there sufficient separation from management pressures to reinforce auditors' independence and heighten their awareness of the needs of all users of financial statements and controls reports? The POB would rely on present oversight arrangements and leave enforcement with the SEC. The AICPA, but not the POB, appears to favor a National Association of Security Dealers (NASD) type organization to improve auditor performance. I believe neither alternative is fully thought through and the SEC should weigh in with its views. Whatever is done needs to result in more effective oversight.

However oversight of the profession is strengthened, there are other issues relating to the role of the profession. Is there a need for legislation that better defines the auditors' role as protector of third parties? Should the principles of the 1984 Arthur Young case be extended by legislation? Confirming that the auditor has certain defined responsibilities to others is totally consistent with providing liability relief to auditors.

Such legislation might include specific requirements to enlist auditors in protecting third parties generally and specific interests of government. The Federal government is increasingly operating through grants to state and local governments and through contracts with private sector businesses. GAO studies show that time after time Federal oversight of these parties has generally been ineffective. Independent auditors have the talent and resources to fill part of the void left by weak Federal oversight of private sector contractors. We (at GAO) will be considering this possibility and may make recommendations to Congress. It would be helpful if the profession would also consider how it might help serve the public interest in this area.

These ideas for change in the role of the profession will probably require legislation. It would appear a legislative package for liability relief for the profession should encompass some or all of these ideas as well.

"Making Internal Control the First Line of Defense Against Fraudulent Financial Reporting"

These words are excerpted from the recent AICPA public commitment. I could not agree more. The idea of having management report on internal control and having the auditor attest to management's report has long been a goal of the Comptroller General. We believe the proper kind of reporting can have a major salutary effect in reducing fraud and improving the operations of U.S. businesses. The POB and the AICPA are to be congratulated on the thrust of their proposals. But the proposals need to be carefully crafted, both to achieve the desired result and to gain acceptance.

Treadway made the most exhaustive study of fraudulent financial reporting to date and was totally focused on its reduction. The solution was to enhance, and I quote, "Internal accounting controls contemplated under the Foreign Corrupt Practices Act to reduce the incidence of fraudulent financial reporting." I am concerned that the POB and AICPA reports, while not very explicit may, inadvertently perhaps, be buying into the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's defined financial reporting controls as the "first line of defense." Such narrowly defined controls that exclude safeguarding of assets from the definition of financial reporting controls provide little, if any, defense.

COSO, instead of addressing the central issue raised by Treadway and enhancing the Foreign Corrupt Practices Act's (FCPA) controls, transferred both FCPA controls over safeguarding of assets and assuring that transactions are executed in accordance with management authorizations into the "mush" of operational controls, or lost them in a definition of the control environment, or set them aside under a new category of compliance with laws and regulations. Remember, FCPA controls were the very same controls the AICPA worked hard in 1976-1977 to get the Congress to include in the FCPA to provide, and I quote, "a more workable and effective law and one more certain of accomplishing its objectives."

Bank regulators did not accept COSO's view as the proper focus of internal control in implementing the 1991 banking legislation and, recently, agreed with GAO's view that safeguarding controls are a part of what is contemplated by the term "financial reporting controls." I am pleased COSO did not prevail in the first test of what constitutes a proper focus for internal control. I believe the SEC professionals at Dr. Sandy Burton's time, when they defined internal controls for the FCPA, had it basically right. Hopefully, the AICPA will reconsider its support for COSO's position as actions are taken to address the issues facing the profession. We have offered to work with the AICPA on the details of all their proposals. Also, we have offered to work with the people who led the COSO effort to amend their report to address our concerns.

However, if efforts to amend COSO's report cannot reach a timely conclusion, it would appear that the SEC, as the regulatory body most concerned with fraudulent financial reporting, should not only consider the internal control issues referred to it by the POB, but what additional action may be appropriate. For example, we think the SEC should work directly with the standard setters of the profession and other concerned parties to foster a timely amendment of the COSO approach. We hope this and other steps will be taken to ensure proper evaluation, reporting, and oversight standards for internal controls. What are some of the other steps?

One is controls over compliance with laws and regulations in assessing and reporting on controls. This can be dealt with despite doubts by some in the profession. The necessary criteria for evaluating such controls can be established, if they are not already established, as we believe they are, by the COSO general criteria. At GAO, our audit opinions cover compliance controls as well as financial reporting controls defined to include safeguarding of assets. Compliance with laws and regulations has a special importance for government organizations but, especially today, they are also relevant to private sector corporations.

I believe controls over compliance with laws and regulations were really part of the FCPA control definition, although not in so many words. The FCPA did it through a combination of fixing the responsibility for lawful corporate behavior on management and including in the definition of good internal controls the standard that transactions should be executed in accordance with management's authorizations.

A step the profession could probably take on its own to increase the incidence of internal control reporting is to adopt an appropriate version of the one put out for public comment by the Comptroller General. The Comptroller General's Advisory Committee has proposed an update of minimum standards for all government audits which includes important advances in auditor responsibility for internal control.

The advancements in the proposed standard require the auditor, as part of the normal financial statement audit, to separately evaluate the control environment and the controls over safeguarding of assets to the extent such controls might be material to the financial statements. Evaluating the control environment may provide significant information about the potential for management override of established internal controls or uncontrolled fraudulent or reckless behavior by management. Evaluating safeguarding controls may provide significant information about the potential for loss or misappropriation through the absence of effective controls over the acquisition, handling and disposition of the entity's assets. A decision by the auditor not to rely on these controls in performing the audit would not remove these specific evaluation requirements. Significant findings, as a result of these evaluations, would have to be reported publicly.

The proposed advancements would also require the auditor to discuss with the client the options for expanded work on internal control, ranging from specified procedures relevant to specific controls to an opinion- level report with a very broad control focus. The client discussion would put some pressure on the client to deal with control issues and would help to tailor the internal control effort by the auditor to the perceived need for specific control work. The auditor would he required to publicly report who is responsible for deciding if expanded control and compliance work should he done.

The 1991 banking legislation model for opinion-level reporting on internal control, which I previously mentioned, fits conceptually with the standard being advocated for government auditing by the Comptroller General's Advisory Committee. Similar to what the banking legislation accomplishes for banks, the proposed standard would include the important safeguarding and compliance controls in planning the level of audit work. The proposed standard would allow more flexibility where the need is less, but it nevertheless sets a basic focus that we believe is an essential part of any financial statement audit to meet the needs of users. Although this proposed standard might not go as far as we in GAO would like, it is probably more likely to gain general acceptance at this time than the POB's across-the-board requirement for public reporting on controls.

If the proposal for government audits were adopted by the profession for the private sector, especially if the client was defined as the audit committee rather than management and the reporting was included in the auditor's opinion on the financial statements, we believe it would go a long way toward meeting users' needs. Such changes, except possibly for the audit committee tie, could be done by the profession acting on its own.

I hasten to point out, however, that government interests in private sector business activity could only be directly protected by legislation or SEC action. For example, the SEC might wish to require control work with respect to the use of financial derivatives by mutual funds now thought to be a high-risk area. The Resolution Trust Corporation might wish to have certain control work done with respect to how contractors are discharging their fiduciary responsibilities. Only with legislation or rule making would government he able to intervene in the process of deciding how much control work should be done and be a beneficial party to the results of what was done.

Meeting Users' Financial Information Needs

A number of leaders of the profession acknowledge that present day financial statements and related reporting do not fully meet the needs of users. There are many problems being studied. I would like to mention two problems with generally accepted accounting principles (GAAP) relevant to the POB and AICPA recommendations.

First, with management acting to bar the way, GAAP rules are failing to keep up with changing user needs. Second, some managements use the latitude within existing GAAP rules without sufficiently considering the substance of transactions being recorded.

On my first point, management's financial reports are not judged on whether they meet users' needs, but whether they conform with GAAP. For example, the profits of the 500 largest U.S. industrial corporations were virtually eliminated by the $70 billion charge that recent accounting rules required to recognize the cumulative liability for retiree health benefits. It is not that management could not previously estimate these costs and should have been recognizing them, it was that GAAP had not required they do so.

All such problems have not been resolved. I think, for example, we need some form of value-based financial statements for financial institutions. I believe some managements are using historical cost statements to manage earnings and paint rosy pictures for the public, while many of them actually run their business on a mark-to-market basis. POB's recommendations that the Financial Accounting Standards Board (FASB) put value-based accounting on its agenda is a step in the right direction. I am concerned that management's opposition to value- based statements cannot be overcome through a POB recommendation to the FASB. The profession will have to assert its independence and weigh in on the side of users of financial statements and reports. In so doing, it must he willing to place a higher value on the relevance of information and a bit less on its verifiability. Speaking more broadly, the profession could be a factor in moving management preparers of financial reports to recognize more fully the needs of users of financial reports. The profession could also play a greater user advocate role through its participation in FASB standard-setting activities.

Regarding my second point, there is a tendency by some to interpret GAAP rules unfairly and without regard to economic substance. I am encouraged by POB's call for the auditor to consider the substance of the transaction, not just codified accounting principles. How best to do that needs to be thought through more thoroughly than what appears in the POB recommendations. We think more specific guidance can be provided. Again, the profession will have to participate in a positive fashion and recognize that it will have to be more willing to confront management when appropriate and to take on the risk of making judgment calls on substance.

Time to Act In the Public Interest

We believe the POB and AICPA proposals open the door to an agreement by all concerned parties on what should be done. I have outlined GAO's concerns with the proposals made and, in the case of internal control, I have proposed a specific alternative for consideration which may be more appealing than the POB's proposal to some concerned parties. We at GAO think the time is right and necessary to come to agreement on solutions. It is time for all to listen to other points of view. We are hopeful all directly concerned parties can come to a specific overall agreement to act in the public interest which will gain the support needed to make it effective.

Donald H. Chapin, CPA, is Assistant Comptroller General for Accounting and Financial Management at the U.S. General Accounting Office.

This article was adapted from a paper prepared by Mr. Chapin for The CPA Journal Symposium "In the Public Interest." Mr. Chapin's remarks at the Symposium were based on the paper.