The Myth and Fallacy of Reasonable Assurance
The Myth and Fallacy of Reasonable Assurance
Over the last 7 years the one constant corporate executives have complained about has been uncertainty in economic recovery, geopolitical risks, global competition and expanding government regulation however each of these perceived risks has paled in comparison to human behavior in the executive suite. In other words, while concerns have been externally focused the true cause of corporate pain has been self-inflicted by bad corporate behavior.
The most recent example of internal control weakness at Walmart and Toshiba were cited as a wake-up call for external audit firms in an article from a Fortune magazine article. A letter dated Sept. 9 addressed to Securities and Exchange Commission Chair Mary Jo White and the SEC Commissioners was no ordinary letter. Its signers included heavy-
hitters such as former Federal Reserve Chairman Paul Volcker, Vanguard founder Jack Bogle, and former SEC Chairmen Arthur Levitt and Richard Breeden. Former Comptroller General of the U.S. Charles Bowsher, former board member and acting chair of the Public Company Accounting Oversight Board (PCAOB) Chuck Niemeir, and former Chair of the International Accounting Standards Board Sir David Tweedie, along with a host of other luminaries, also signed the letter.
In it they wrote that they have “an interest in the auditing and financial reporting quality of companies listed in the U.S. and internationally … Our purpose in sending this letter is to express our support for Chair [James] Doty’s reappointment [as Chair of the PCAOB] and to explain the reasons for this support.”
With very minor exceptions, no firm fails to attain “reasonable assurance” attestations from their external auditors when evaluating internal controls, even firms who eventually experience massive financial fraud, financial restatements or financial internal control weakness findings after the fact. Why does this happen so frequently and what prevents external auditors from detecting fraud?
After debating this issue with auditors and researching the PCABO website for answers it has become clear that the standard for “reasonable assurance” is one key contributor to failure. To find answers I looked at accounting standards in the U.K. and U.S. to better understand the guidance given to external auditors to formulate reasonable assurance. Here is what I found:
‘Reasonable assurance’ is the level of confidence that the financial statements are not materially misstated that an auditor, exercising professional skill and care, is expected to attain from an audit. The confidence that an auditor attains is subjective and is the basis for offering an audit opinion. Users of financial statements derive their own confidence in the audited financial statements from many sources, including a knowledge that the auditors work to professional standards within a framework of regulation and that the auditors have felt sufficiently confident that the financial statements are not materially misstated to issue an opinion.
As a consequence of their confidence that financial statements are not materially misstated, users of financial statements may also gain confidence that the management of the entity are conducting its affairs in the knowledge that the financial consequences of their actions will be reported.
The assurance the auditor obtains from performing procedures and the assurance the auditor expresses in the report on the financial statements vary based on the type of service the auditor provides. An audit is the highest level of service an auditor can provide. An audit allows the auditor to express an opinion about whether the financial statements are free of material misstatement. In contrast, the objective of a review of interim financial information is to provide the auditor with a basis for communicating whether, as a result of the procedures performed, the auditor became aware of any modifications that should be made to the interim financial information for it to conform with generally accepted accounting principles (“GAAP”).
The procedures performed in a review do not provide the auditor with a basis for expressing an opinion on the financial statements. Thus, the assurance the auditor provides to financial statement users based on a review is more limited than the assurance that can be provided as a result of an audit.
In both cases, the standards boards for both the UK and the US have punted on “reasonable assurance” even though boards of directors and senior executives, not to mention regulators, in the SEC, Department of Treasury and other regulatory agencies depend in these assessments. The UK standard specifically states that reasonable assurance is “subjective” while the US standard is more muddled suggesting that “depending on the level of services provided” the attainment of “reasonable assurance” is varied?
Basically, these standards are legal cover for whatever a firm wants them to mean. If one external audit firm concludes “reasonable assurance” is sufficient and another audit using more advanced audit procedures comes to a completely different conclusion both opinions are acceptable, that is, until the firm restates earnings and lays off thousands of employees to fix the problem.
Auditors frequently argue that “reasonable assurance” is well-established by corporations and broadly accepted. This may be true but blood-letting was also an accepted medical practice in the 17th and 18th century until more patients died from the procedure than were cured! Is reasonable assurance the 21st century’s version of blood-letting? Just because it is accepted as standard practice does not mean that the practice is efficacious!
Blood-letting has since been discredited and would be considered malpractice in medical circles as a result of scientifically advanced procedures for curing health ailments. Isn’t it time that the accounting industry subject its practice to more advanced procedures using a combination of cognitive and analytical processes to give corporate boards and senior executives confidence in their work product? Otherwise, reasonable assurance should be treated more like collusion with management to give the appearance of compliance with little substance whatsoever to demonstrate confidence that internal controls are operating properly.