The Public Companies Accounting Oversight Board has proposed an amendment to its auditing standards that requires auditors to assume a larger role in corporate compliance. Roy Shapira and Luigi Zingales suggest a simple modification that addresses auditors’ concerns while improving the effectiveness of corporate compliance.
The Public Companies Accounting Oversight Board (PCAOB) has recently issued a proposed amendment to its audit standards that will enhance the role that auditors play in corporate compliance. The amendment requires auditors to identify the regulations that are important for each audited company and evaluate whether the company complies with said regulations. Auditing professionals fiercely criticized the proposal, arguing that it requires them to step outside of their traditional role and make substantive judgments on specific compliance issues that are beyond their skills and expertise. We suggest that a light modification to the PCAOB’s proposal could keep auditors within their core competencies while still carving a larger role for them in the oversight of compliance standards to the benefit of investors and society at large.
Our idea, in a nutshell, is to have auditors focus on auditing the hiring and performance of third-party compliance advisors. To understand why our proposal is both necessary and feasible, let us take a step back and explain the surge in the importance of the compliance industry since 1988, the last time audit standards on this issue were modified.
The outsized role of third-party compliance advisors
Back in 1988, the compliance industry was still nascent. These days, compliance is a multi-billion-dollar industry and a critical corporate governance issue. The size and complexity of modern corporations mean that corporate boards do not have the capacity to keep all oversight functions in-house and increasingly rely on outside experts. These outside compliance advisors are now involved in every step of the compliance process, from advising companies on how to design reporting systems to meet evolving regulatory demands to conducting internal investigations once wrongdoing has been uncovered. Companies managing motorways hire outside advisors to conduct engineering safety audits on the stability of their viaducts; food-manufacturing companies bring in third-party sanitation audits; and public companies pay for racial equity audits. Outside compliance professionals are thus perceived as “gatekeepers,” supposedly serving as “the thin blue line […] between insatiable corporate appetite for success at any cost and the demands of the government and investors that companies not even test the line of legality.”
Yet, there seems to be a large gap between the high level of expectations from these consultants and their low levels of accountability for compliance failures. When bridges collapse and listeria break out in food plants, the companies’ officers and directors may face criticism in the courtrooms and in the court of public opinion, yet the third-party compliance advisors who were nicely paid to detect and prevent such problems largely escape accountability.
This is where the PCAOB standards could step in, requiring that auditors audit the selection and performance of compliance advisors. This task is coherent with auditors’ expertise, and it is likely to improve corporate governance. To understand what value auditors could add to corporate compliance, one first needs to grapple with the puzzle of why companies’ gigantic investments in outside compliance advisors do not appear to succeed in curbing corporate wrongdoing.
Three potential problems with third-party compliance advisors
Based on our research and previous personal experience, we identify three reasons why considerable investments in third-party compliance services do not deliver the promised results. First, the hiring decisions are plagued by the perverse incentives of corporate insiders. Top corporate managers, whose compensations are tied to stock prices, have little incentive to select effective gatekeepers who will prevent the company from making short-term profits by skirting regulations. Managers have even fewer incentives to hire gatekeepers who will probe diligently after the fact and trace the blame for corporate wrongdoing all the way to the top of the corporate hierarchy. Given the desires of the corporate managers who hire them, gatekeepers have incentives to develop a reputation for being lenient. Managers may shop around for the most lenient consultants so that they can then present the board with a rosy picture of the company’s compliance status.
Second, even if the “right” outside advisors are hired, corporate managers can strategically design the parameters of what the advisors will look at. If top managers want to reassure their board that everything is fine and create plausible deniability toward regulators, they can hire reputable outside consultants while designing the charge given to these consultants in ways that assure “no surprises.” The external consultants, in turn, have little interest in going beyond the parameters given to them, even when (especially when?) they intuit that managers want to cover up the real problems.
Third, even if the right advisors are hired, and the right parameters are set, corporate managers can still affect the framing of the advisors’ reports. It is common practice for external consultants to present preliminary results to the top managers and then incorporate the managers’ feedback in their final reports. While this process is not without its merits and certainly not necessarily corrupt, it is hard to ignore the space it creates for managers to massage the final report and make it more difficult for boards and regulators to identify the real problems.
These three factors hinder the effectiveness of corporate compliance, even when a lot of money is spent on compliance services. The ones suffering from this equilibrium are dispersed publics: from outside shareholders who foot the bill for hefty consulting fees and heavy fines to the community members who suffer from collapsed bridges and listeria outbreaks.
Unfortunately, these injured parties find it difficult to sue gatekeepers successfully. Across all potential claims—from securities law to contract and tort law to aiding-and-abetting fiduciary duty obligations in corporate law—plaintiffs must show bad faith on the part of the gatekeepers in order to advance past the motion to dismiss, as one of us argued here. The only way for plaintiffs to survive such a hurdle is to have access to internal documents that show what the gatekeepers knew in real time. Yet, those who have access to internal documents, namely, the corporate insiders, do not have incentives to fight gatekeepers in court, if for no other reason than out of fear that the latter will air their dirty laundry in public. Those who have incentives to recoup harm and hold gatekeepers accountable, namely, public shareholders, are usually blocked from accessing internal documents. As a result, compliance gatekeepers are rarely named as defendants in shareholder litigation following compliance failures.
Auditors can mitigate these problems and reinvigorate compliance
The PCAOB standards could get us out of this bad equilibrium. Auditors are well positioned to audit the three critical processes described above (hiring, setting parameters, and framing the results) and, in so doing, create the right incentives for external compliance experts. First, auditors can audit the selection process to ensure that companies select compliance advisors based on their reputation for integrity and competence rather than their reputation for looking the other way. Second, auditors can audit the parameters that these compliance advisors receive. Third, auditors can audit the way that the advisors’ results are reported, such as monitoring changes between the initial versions and the final ones, and ensuring that damning material information flows up to the board level.
The reason that auditors are well positioned to audit these steps in the compliance process is that, unlike public shareholders, auditors are privy to inside information about what compliance professionals knew and when. And unlike corporate managers, auditors can objectively assess whether compliance professionals are willfully blind. At the same time, by focusing on the auditors’ comparative advantage in auditing processes, our approach addresses the main criticism of auditing professionals, namely, that the new amendment requires auditors to become experts in product safety or environmental regulations.
To be sure, there are nuances that will need to be addressed before our proposal is adopted, such as requiring a separation between auditing and compliance consulting. Too often, the same accounting firm that is the auditor also offers compliance services. The so-called Chinese walls between the two functions are as ineffective as the Great Wall of China was in deterring the Manchu invasion. Corporate non-compliance and fraud cost companies more than $800 billion a year. The costs imposed on the rest of society are more difficult to estimate but are likely to be much greater. Thus far, the compliance industry has succeeded in protecting insiders from responsibility and accountability but has not been equally effective in reducing the pervasiveness of fraud. The PCAOB revision of the auditing standards on non-compliance provides a unique opportunity to fix this problem. Having auditors audit the selection and performance of third-party compliance advisors is within the current capabilities of audit firms and is likely to improve the compliance function, with potentially great benefits to investors and society at large.
Authors’ Disclosure: Luigi Zingales consulted for the PCAOB from 2003 to 2016.
Articles represent the opinions of their writers, not necessarily those of ProMarket, the University of Chicago, the Booth School of Business, or its faculty.
