The NASPP Blog

Tag Archives: PCAOB

June 4, 2013

Getting Closer to Your Auditor

The PCAOB has proposed standards requiring auditors to assess whether compensatory arrangements held by executive officers create risks of material misstatements. According to Steve Seelig in Towers Watson’s Executive Pay Matters blog (“Does New PCAOB Proposal Really Eliminate the Risk of Auditor Involvement in Executive Compensation Design?,” May 30, 2013), the focus is on “the potential for incentive compensation program structures to create incentives for executive officers to exaggerate gains or minimize losses.”

This is a re-proposal of a proposal from 2012. According to the PCAOB, the redraft is designed to make it clear that the auditor isn’t required to assess the reasonableness of the compensation. Steve, however, doesn’t see much difference between the two proposals and, based on the comparison he includes in his blog, I don’t see much difference either. To be honest, they both seem fairly inscrutable to me.

Are You Going to Get to Know Your Auditor Even Better?

While there’s the potential for any type of compensation to incent executives to make the company’s financial condition look better than it is, this is particularly a concern with stock compensation, where the value delivered to the exec is driven by the stock price, which, in turn, is driven by the company’s financial performance.  Thus, this is potentially something new that auditors will be focusing on when they review your stock compensation programs. The PCAOB proposal calls for auditors to read the related compensation contracts (this would be the grant agreements and any other related documentation for stock awards) and also to read the disclosures in the company’s proxy statement and other public filings. 

My first thought is “aren’t the auditors already reading those things?”  Probably they are (aren’t they?), but maybe not with a focus on whether the arrangements create risk that execs will be incented to misstate the company’s financials. 

But given what many stock plan administrators have told me about their auditors–i.e., their auditors are often fresh from the CPA exam with little to no understanding of stock compensation–I also have to wonder whether the auditors are really capable of making this assessment.  It seems unlikely that someone who doesn’t understand what the exercise price of an option is will understand the nuances in financial risk inherent in, say, an option vs. restricted stock, and how clawback provisions and holding requirements might be used to mitigate that risk. Steve is concerned that auditors “may develop bright-line rules on what compensation programs are risky or not,” which seems like a reasonable concern to me. 

Light Reading

If you are looking for some light summer beach reading, well, this PCAOB proposal sure isn’t it (however, I do recommend “Let’s Pretend This Never Happened” by Jenny Lawson–perfect summer reading and nothing to do with stock compensation).  The whole thing (the PCAOB proposal, not the Jenny Lawson book) clocks in at 203 pages and includes sentences like “In the fourth bullet, delete the period (.) and add a semicolon (;) at the end of the bullet.”  Seriously? 

On the other hand, if you can wade through the proposal, (1) you are a better person than me, and (2) you have until July 8 to submit your comments to the PCAOB.

– Barbara


May 5, 2011

The New SAS 70

As of June 15, 2011, SAS 70 is being replaced as the U.S. auditing standard for service organizations. Today, I explore some of the background for a SAS 70 report and why it’s being superseded.

Acronym Soup and Background Information

The Auditing Standards Board (ASB), which is a part of the American Institute of Certified Public Accountants (AICPA), issues guidance for auditors including the Statements on Auditing Standards (SAS). SAS No. 70 (SAS 70) is specifically guidance for auditors to use when “auditing the financial statements of an entity that uses a service organization to process certain transactions.” (See the AICPA site for more information.)

Section 404 of the Sarbanes-Oxley Act requires public companies to report on the effectiveness of the internal controls relating to their financial statements. The Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 2 in 2004–superseded by Auditing Standard No. 5 in 2007–which identified how the independent auditor evaluating a public company may rely on a “service auditor report” like the SAS 70 Type 2 report. The process breaks down like this:

An independent auditor for an issuing company must evaluate the controls that are in place to ensure the accuracy of financial reporting. If that company outsources administration processes that could impact financial reporting, the independent auditor should evaluate the controls in place at the service provider as well. A SAS 70 report can provide the necessary opinion not only that the controls are suitably designed (i.e., a Type 1 report), but also that the service company has effectively maintained each of those controls over a period of time (i.e., a Type 2 report). The issuing company auditor is, therefore, able to review the information in the Type 2 SAS 70 report instead of assessing the service provider’s internal controls directly. This saves a huge amount of time, money, and energy for both the issuing company and the service provider. The SAS 70 report has become a standard request for companies evaluating or using third-party stock plan administration service providers.

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaces SAS 70 as of June 15, 2011. The new standard is intended to bring U.S. auditing practices more in line with the international standard, ISAE 3402. Like SAS 70, SSAE 16 consists of a Type 1 and a Type 2 evaluation, Type 2 being the necessary follow-up to determine if controls are being effectively performed over time. Companies with a current Type II SAS 70 report may transition directly to the Type 2 SSAE 16 report. You can tell the essential difference between SAS 70 and SSAE 16 in their names alone. SAS 70 is an audit standard that requires only the auditor’s assessment of controls. SSAE is an attestation standard that requires the company to also demonstrate the effectiveness of controls. SSAE 16 requires management at a service organization to provide not just a description of the controls in place, but of the system as a whole. (SAS 70 only requires a description of controls.) In addition, management must attest to the suitability of the system in a written statement that includes a description of the criteria used to make this assertion and the risks that could threaten the company’s ability to effectively maintain the system.

A Little Appreciation, Please

If you’re at an issuing company and the SAS 70 report is something you ask for–or better yet, something you automatically receive–from your stock plan administration service providers, I think it’s time to take a moment to appreciate the effort that’s going to go into the new standard. When you do get your hands on that SSAE 16 report, give it a good look before you pass it on to your auditors. It will give you some serious insight into what controls your service provider feels are essential, which can help you design some of your own internal controls. It can also shed light on what procedures you may need to update in order to help your service provider achieve the control objectives in the report, which in turn helps your company get through that portion of your audit.

-Rachel
