Question: Can a CAM lead to or require an internal investigation?
My answer: Yes, I would say that it certainly can in some circumstances – please read below.
In discussing and describing CAMs (critical audit matters) in relevant part PCAOB Staff Guidance has said:
A CAM is defined as any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that:
(1) Relates to accounts or disclosures that are material to the financial statements; and
(2) Involved especially challenging, subjective, or complex auditor judgment.
The determination of CAMs is based on the facts and circumstances of each audit. AS 3101 is principles-based and does not specify any matters that would always constitute CAMs. The Board expects that, in most audits to which the CAM requirements apply, there will be at least one CAM. However, there also may be audits in which the auditor determines there are no CAMs.
Relates to accounts or disclosures that are material to the financial statements
CAMs are required to relate to accounts or disclosures that are material to the financial statements. Materiality is not solely based on quantitative factors; it also reflects qualitative factors.
This element of the CAM definition is grounded in the financial statement presentation and disclosures of the applicable financial reporting framework. Matters that meet the other elements of the CAM definition may or may not be CAMs, depending on whether they relate to accounts or disclosures that are material to the financial statements.
A potential loss contingency for which management recorded an accrual and/or made a disclosure could potentially be a CAM. However, a potential loss contingency for which the likelihood was appropriately determined to be remote, and which was not recorded in the financial statements or otherwise disclosed, would not be a CAM because it would not relate to an account or disclosure that is material to the financial statements.
A potential illegal act about which management provided disclosure could be determined to be a CAM. Even if the amounts involved were not quantitatively material, such a disclosure on its own may be qualitatively material. On the other hand, if management appropriately determined that no disclosure or accrual was required in the financial statements, the matter could not be a CAM.
Thus, considering, for example, the two PCAOB examples that are quoted above,
1. In the first PCAOB example of a loss contingency accrual that is made and/or that is disclosed, and that is material, I would say that a CAM certainly could lead to an internal review and evaluation of those processes but in most circumstances would not lead to an internal investigation except possibly in unusual circumstances.
2. However, in the second PCAOB example of a potential illegal act, if the potential illegal act is either quantitatively or qualitatively material, and if an internal investigation has not been performed which concluded that no disclosure or accrual was required, then the CAM certainly might lead to an internal investigation of the potential illegal act.
And, also consider, for example, the following two hypothetical scenarios in the context of the second PCAOB example:
(1) In a circumstance where an internal investigation had been performed but which concluded that no disclosure or accrual was required, the extent to which the auditor could or would evaluate the sufficiency of that investigation or the conclusion that was reached in that investigation, and whether a CAM could or would be issued if the auditor determined that in the auditor’s view the internal investigation was not sufficiently performed or that the conclusion of the investigation was incorrect, or where the auditor communicated concern to management and/or to the audit committee that the auditor had that the internal investigation was not or might not have been sufficiently performed or that the conclusion of the investigation was incorrect or might not have been correct.
(2) Or in a definitely much more remote circumstance or possibility, where an internal investigation either had or had not been performed but where in the course and scope of the audit the auditor became knowledgeable about internal investigation processes and procedures and the oversight of such, and where the auditor communicated concern to management and/or to the audit committee that the auditor had about possible or actual insufficient internal investigation processes and procedures and the oversight of such.
This second situation certainly could lead to an internal review and evaluation of internal investigation processes and procedures and the oversight of such (and possibly of anonymous reporting processes), but could it also in an extreme situation lead to a CAM if the auditor thought that the deficiency was or could likely be quantitatively or qualitatively material to the financial statements or to the integrity of the financial statements in terms of either effective internal investigation processes and procedures and the oversight of such, or in terms of overall governance or governance oversight processes?
This second situation definitely is much more remote, if possible or probable at all. However, we have seen in the news circumstances were alleged unlawful behavior or actions, or alleged repugnant but not unlawful behavior or actions, by people within an organization or by an organization itself, have gone on, and have been allowed or unwittingly allowed or enabled, for years without internal action being taken – thus, as CAMs are new and we are considering different possible CAM scenarios, it is appropriate to ask and discuss whether this second type of a situation or scenario could lead to a CAM in an extreme circumstance, for example, in a situation where quantitatively or qualitatively material affirmative representations are being made by the organization, or such as in regard to ESG or material ESG disclosures, which might not be correct or which cannot be sufficiently corroborated or assured?
Remember, every case and situation is different. It is important to obtain and evaluate all of the evidence that is available, and to apply that evidence to the applicable standards and laws. You do need to consult with an attorney and other professionals about your particular situation. This post is not a solicitation for legal or other services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation or as legal or other professional advice or representation.
Thank you for reading this post. I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.
Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only.
I am also the Chair of the Business Law Section of the Bar Association of San Francisco.
Blogs: Trust, estate/probate, power of attorney, conservatorship, elder and dependent adult abuse, nursing home and care, disability, discrimination, personal injury, responsibilities and rights, and other related litigation, and contentious administrations http://californiaestatetrust.com; Business, D&O, board, director, audit committee, shareholder, founder, owner, and investor litigation, governance, responsibilities and rights, compliance, investigations, and risk management http://auditcommitteeupdate.com
My law practice primarily involves the following areas and issues:
Probate Court Disputes and Litigation
- Trust and estate disputes and litigation, and contentious administrations representing fiduciaries and beneficiaries; elder abuse; power of attorney disputes; elder care and nursing home abuse; conservatorships; claims to real and personal property; and other related disputes and litigation.
Business and Business-Related Disputes and Litigation: Private, Closely Held, and Family Businesses; Public Companies; and Nonprofit Entities
- Business v. business disputes including breach of contract; unlawful, unfair and fraudulent business practices; fraud, deceit and misrepresentation; unfair competition; licensing agreements, breach of the covenant of good faith and fair dealing; etc.
- Misappropriation of trade secrets
- M&A disputes
- Founder, officer, director and board, investor, shareholder, creditor, VC, control, governance, decision making, fiduciary duty, conflict of interest, independence, voting, etc., disputes
- Buy-sell disputes
- Funding and share dilution disputes
- Accounting, lost profits, and royalty disputes and damages
- Access to corporate and business records disputes
- Employee, employer and workplace disputes and processes, discrimination, whistleblower and retaliation, harassment, defamation, etc.
Investigations and Governance
- Corporate and business internal investigations
- Board, audit committee and special committee governance and processes, disputes, conflicts of interest, independence, culture, ethics, etc.
The following are copies of the tables of contents of three of the more formal materials that I have written over the years about accounting/auditing, audit committees, and related legal topics – Accounting and Its Legal Implications was my first formal effort, which resulted in a published book that had more of an accounting and auditing focus; Chapter 5A, Audit Committee Functions and Responsibilities, for the California Continuing Education of the Bar has a more legal focus; and the most recent Tate’s Excellent Audit Committee Guide (February 2017) also has a more legal focus:
The following are other summary materials that you might find useful:
An internal investigation summary overview page from a prior blog post which you can find at https://wp.me/p75iWX-dk if the below scan is too difficult to read (and you will also find other posts about investigations on my blog):
AUDIT COMMITTEE SELF-EVALUATION
David W. Tate
Attorney at Law
Certified Public Accountant (inactive California)
Copyright 2019 David W. Tate (however, you are authorized to download and print these materials for your use, and to also pass them to other people who would be interested)
D&O, Audit Committees, Risk Management, Compliance, Investigations & Governance: http://auditcommitteeupdate.com
Trust, Estate, Conservatorship & Elder Abuse Litigation: http://californiaestatetrust.com
Self-evaluation is an important board and committee activity, and can be very helpful if done properly.
A. Introduction and Overview
The following discussion covers audit committee self-evaluation and provides processes that you can use. As noted elsewhere in these materials, although many board and audit committee functions, responsibilities and tasks are specified by statute, regulation, rule or pronouncement, board and audit committee member standards of care remain significantly dependent on due diligence and prudent judgment.
Boards and audit committees of various entities are required by law, regulation or rule to conduct annual committee self-evaluations; however, it is worthwhile for boards and audit committees of all public and private companies and nonprofit entities to conduct self-evaluations. Board and audit committee jobs are challenging, ongoing, and technical in nature, and require the members to significantly interact with many people in different capacities within and outside of the entity. It only makes sense that both boards and audit committees should at least once each year take time to step back and review, evaluate and make improvements to their manners of operation, and also consider helpful actions that can be taken by other people with whom the boards and audit committees interact. Self-evaluation will be worthwhile even if it results in improving only one area of operation.
Board and audit committee responsibilities originate from several different sources at least including (1) activities and responsibilities that boards or audit committees voluntarily undertake or that are delegated to them; (2) the business judgment rule; (3) the specific laws, regulations and rules that are applicable to the entity’s directors and audit committee members; (4) the wording of the board and audit committee charters, if there are charters; (5) shareholder and stakeholder expectations, and (6) for audit committees, accounting and auditing pronouncements relating to the outside auditor’s activities.
Prudent board and audit committee processes and diligence are also important to reduce member and entity liability and reputation risk. An increasing number of cases hold that board and audit committee members can be liable for failure to exercise sufficient diligence, failure to spot and respond to red flags, and failure to take action. Active board, committee and corporate diligence tend to demonstrate prudent business judgment and negate allegations of recklessness, improper intent, intentional wrongdoing, or “scienter” such as in the context of securities litigation, thus reducing the risk of securities liability and damages. In the context of audit committee activities, potential entity, board, and audit committee member liability typically arises in the context of alleged improper accounting practices, written and oral public misrepresentations (such as with respect to financial matters), and improper employment practices.
Although not required, there can be advantages to having a facilitator conduct an interactive interview approach to the self-evaluation process, but without performance grading or rating: it can be difficult to construct a questionnaire with standardized questions that would be similarly understood by each of the participants in the self-evaluation process; different people use different rating scales; different people express responses in different manners; and certain important issues will change from year to year. A facilitated approach may encourage better discussion and comment, compilation, continuity, explanation, and follow-up. Contact me if you are interested in committee self-evaluation assistance at a reasonable fixed fee.
Issues and topic areas to consider during the self-evaluation process will naturally vary from entity to entity, and from board and audit committee to board and audit committee. Thus, to stimulate discussion, below for both boards and audit committees I have provided lists of potential broad issues or topic areas to consider for discussion and evaluation, including both successes and possible improvements; and I have also outlined processes to assist your board and audit committee self-evaluation processes.
B. Audit Committee Self-Evaluation
1. Sample List of Issues and Topics to Consider for Audit Committee Self-Evaluation
The following is a list of issues and topic areas to consider for discussion and evaluation. The list is intended to help trigger thought processes, but, of course, is not exhaustive as areas of discussion and evaluation will vary from entity to entity, and from committee to committee. The following list is not intended to and does not suggest that each or any of the below issues and topics must be considered or covered and is not a checklist – instead, if your audit committee is required to conduct a specific evaluation process or to cover certain specific issues and topics, you will need to separately consider the specific requirements, if any, for your audit committee and its evaluation process pursuant to law, regulation or rule. In that regard, please also see the disclaimer and limitations at the beginning of these materials.
-Audit committee meeting agenda preparation and dissemination process.
-Committee member independence and situational independence, financial literacy, experience and expertise.
-Committee member access to information and/or education pertinent to the functions and responsibilities of the audit committee. Are the needs of the committee members being met, so that they are sufficiently knowledgeable and educated about the company or nonprofit and its industry; relevant significant accounting and auditing issues; relevant legal matters; internal controls, risk assessment and management; governance; and new developments in those and other areas?
-Committee and committee member interactions, including interaction between committee members, and between the committee and the board, the CEO, the CFO, the outside auditor, the internal auditor, legal counsel, compliance and ethics, HR, consultants, and other people.
-The committee’s processes for identifying and spotting issues, evaluation and decision making.
-The contents of the audit committee charter, and a mutual understanding of the audit committee’s responsibilities and tasks. The charter is a requirement for public companies, and is a good idea for many private companies and nonprofit entities. The charter is a prudent document to identify and clarify the audit committee’s responsibilities. In addition to the committee itself, it is important for the board, the executive officers, and other stakeholders to have a correct understanding about the committee’s responsibilities and limitations, and the extent to which state or local jurisdiction, U.S. and international requirements and responsibilities apply or may apply to your audit committee.
-Selection of the outside auditor; audit planning; review of the performance of the outside auditor; and review of the quarterly review and annual audit report and process (or compilation if appropriate).
-Review of recent developments relating to the business judgment rule, standard of care and acceptable reliance on other people.
-Review of accounting and financial internal and fraud/embezzlement related controls and processes, risk assessment and management, possible entity and individual liability and reputation risk exposure; and compliance assessment and management relating to laws, regulations, and rules that are within the scope of the audit committee’s functions and responsibilities including issues relating to the Foreign Corrupt Practices Act.
– Review of the accounting department, and accounting and financial reporting for transactions including all of the subcomponents such as principles and policies applied (quality not just acceptability); judgments, estimates and reserves; timing and cutoff procedures; off balance sheet transactions; related party transactions; contingencies and liabilities; revenue recognition; expenses; inventories; goodwill; insider trading; and other matters relating to accounting and financial statement reports.
-Implementing revenue recognition rules, and other important, new or changing accounting principles.
-Review of internal investigation processes, procedures and needs.
-Review of the financial and internal audit functions, and how they can be helpful to the audit committee in the performance of its responsibilities and tasks.
-Review of risk management and uncertainty issues, practices and processes that are within the scope of the audit committee’s function and responsibilities.
-Implementing COSO 2013 or other appropriate processes.
-Documenting and reporting the audit committee’s activities and minutes.
-The audit committee’s use of attorneys and consultants.
-The company’s investor communication processes.
-Whistleblower, ethics, anonymous reporting and complaint handling processes to the extent that the reporting is within the scope of the audit committee’s function and responsibilities.
-Document retention policies.
-Review of the compliance and ethics function and processes that are within the scope of the audit committee’s responsibilities, and how they can be helpful to the audit committee in the performance of its responsibilities and tasks.
-Governance, including tone at the top, financial leadership, transparency and appearance.
-Review of employer, employee and workplace processes, culture, safety, and disciplinary practices that are within the scope of the audit committee’s function and responsibilities.
-Review of tax compliance and reporting issues that are within the scope of the audit committee’s function and responsibilities.
-Review of cybersecurity and internet security issues that are within the scope of the audit committee’s function and responsibilities.
-Review of pension and health plan related issues that are within the scope of the audit committee’s function and responsibilities.
-Review of information privacy issues, practices and processes that are within the scope of the audit committee’s function and responsibilities.
-Review of asset protection, IP, trade secret, etc. practices to the extent that they are within the audit committee’s function and responsibilities.
-Review of environmental issues and safety that are within the scope of the audit committee’s function and responsibilities.
-Review of product and consumer safety issues, practices and processes that are within the scope of the audit committee’s function and responsibilities.
-Review of ESG, ESG processes, and ESG discussions and disclosures.
-Review of billing and accounting relating to the receipt of funds or revenue from governmental sources such as Medicare and Medicaid; compliance with applicable laws, regulations, rules and other requirements; and oversight of expenses relating to these areas.
-Review of the acceptance, receipt, allocation, expenditure or distribution, and accounting for all charitable and donor funds, grants, contributions, pledges and other resources, including compliance with all requirements, restrictions and special uses.
-Review of accounting for collaboration and joint venture arrangements, including the allocation of receipts/income and distributions/expenses between the entities.
-And, in this economic environment, review of the fair value of funds and investments, including loss of value; liquidity concerns; possible going concern issues; estimates for uncollectibles and related reserves; debt/loan covenants; and funding source uncertainties including those that relate to collaboration and joint venture arrangements.
-It is also important for the audit committee to clarify with the board what responsibilities it has, if any, for oversight of the numerous and various areas of taxation and compliance; ERISA, pension and health and welfare plans; investments; tax exempt status including fund raising, dues, solicitation, and political, campaign and lobby activities; and other areas significant to the entity.
-Discussion about audit committee membership and recruitment needs.
-Additional significant topics or issues that should be discussed.
2. A Self-Evaluation Process and Format for Audit Committees
The following eight primary steps outline a proposed audit committee self-evaluation process that is workable for audit committees of public companies, private companies and nonprofit entities, whether using or not using, an outside facilitator.
Step 1. Determine the people who will be participating in the evaluation process, including the audit committee members, and other people, if any, to interview for comment.
Provide the names of the people who will participate in the evaluation process.
Step 2. Determine how the participant interviews will be conducted, individually or in a group, in person or by telephone, skype or some other means.
Provide comments or information about how the interviews will be handled with the various different people who will participate in the evaluation.
Step 3. Arrange participant individual or group interview dates and times.
Provide participant individual or group interview date and time information.
Step 4. Provide the participants with pre-interview materials and a list of possible issue or topic areas (broad and specific) for consideration and discussion. Of course, the participants can add additional issues or topics. Use this paper for that purpose.
Provide information regarding the status of disseminating the pre-interview materials.
Step 5. Have each participant provide a list of one to five, or more, issues or topic areas that the participant would specifically like to discuss during the evaluation process.
Provide comments and information regarding receipt of issues or topic areas from the self-evaluation process participants, and the respective issues or topic areas listed.
Step 6. Conduct information intake or interviews with participants individually or as a group.
Provide comments and information from the participants or the status of such – the input can be made by the participants themselves or by a facilitator during self-evaluation interviews.
Step 7. Summarize in a report format the issues and topic areas, information received, and suggestions made during the self-evaluation process.
Provide a summary in a report format.
Step 8. Provide a report back to the audit committee, and possibly conduct a committee group review of the self-evaluation process, information obtained, and suggestions made, and possible future actions or follow-up.
Provide additional comments and information about the self-evaluation process or results.
Concluding comments. I hope you have found this discussion helpful and at least a good starting point for your audit committee self-evaluation. Feel free to contact me if you are interested in discussing the audit committee self-evaluation process, or if you would like help with facilitation of committee self-evaluation at a reasonable fixed fee.
Best to you,
David Tate, Esq.
* * * * *