How Do Auditors Respond to FCPA Risk? Free

This article summarizes “How Do Auditors Respond to FCPA Risk?” (Lawson, Martin, Muriel, and Wilkins 2019). Specifically, we discuss the motivation to study auditors' responses to Foreign Corrupt Practice Act (FCPA) risk, the FCPA data used, primary results, and practical implications. The findings of this study are timely for both practitioners and regulators. Auditors may need to consider FCPA concerns as they evaluate potential Critical Audit Matter content under Auditing Standard (AS) 3101—The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion. Additionally, the Public Company Accounting Oversight Board (PCAOB) is currently exploring whether auditors need additional guidance when applying Auditing Standard (AS) 2405—Illegal Acts by Clients.

Although the FCPA is approximately 40 years old (U.S. Congress 1977), compliance with the Act and its anti-bribery provisions is a top priority for regulators, including the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), and the PCAOB. For example, the SEC enhanced its Enforcement Division in 2010 by creating a specialized unit devoted to FCPA enforcement activities. Further, the DOJ and SEC collaborated to produce a comprehensive resource guide regarding the FCPA (DOJ and SEC 2012). In 2016, the DOJ initiated a program to encourage self-reporting of FCPA violations, the DOJ's Fraud Section increased its staff of FCPA prosecutors by 50 percent, and the FBI added three new squads of agents specifically devoted to FCPA enforcement (DOJ 2016).

The PCAOB also remains focused on public companies' compliance with laws and regulations, including the FCPA, and how auditors understand and apply current audit guidance in this area. The PCAOB's Investor Advisory Group indicated that “investors expect auditors to do more in uncovering noncompliance with laws and regulations” and that the related auditing standards are “outdated, confusing, and inconsistent” (PCAOB 2018). The PCAOB is also currently exploring whether AS 2405 should be updated to “provide better direction to auditors regarding their responsibilities with respect to illegal acts” (PCAOB 2018).

Companies pay bribes to secure benefits, such as obtaining or retaining business, reducing tariffs and taxes, securing licenses and permits, or influencing politics and regulation. Although the business obtained through bribery can be significant—on average, 3.3 percent of a firm's market capitalization (Karpoff, Lee, and Martin 2017, hereafter KLM)—the fines and jail time for those caught can also be sizeable. Many firms' 10-K filings acknowledge that violations of the FCPA or other anti-corruption laws could lead to severe consequences. For example, Apple's September 30, 2017 10-K states that “Although the Company has implemented policies and procedures to comply with these laws and regulations, a violation by the Company's employees, contractors, or agents could nevertheless occur … Violations of these laws and regulations could materially affect the Company's brand, international growth efforts, and business.” Similarly, Walmart has spent over $837 million on internal investigations, legal expenses, and an internal compliance overhaul related to a potential violation of the FCPA (Kelly 2017).

In sum, the FCPA created prohibitions against bribery of foreign officials and provided an enforcement mechanism for the SEC and DOJ to prosecute violators. Often included among the violations in bribery-related enforcement actions are the accounting provisions contained within the FCPA. Those provisions require issuers (1) to make and keep books and records that accurately reflect the transactions of the firm (commonly known as the “books and records” provision); (2) to devise and maintain a system of internal accounting controls (the “internal controls” provision); and (3) to prevent anyone from knowingly circumventing or failing to implement a system of internal controls or from falsifying any book, record, or account. As of December 31, 2017, 90 percent of the 278 FCPA enforcement actions involved at least one of the accounting provisions, suggesting that internal auditors, forensic specialists, and external auditors are critical to FCPA enforcement (Lawson, Martin, Muriel, and Wilkins 2019).

Although audit procedures will not detect all illegal acts, external auditors are required to evaluate risks related to the company and its environment during the planning and other stages of the audit (PCAOB AS 2101). Additionally, PCAOB AS 2405 requires that auditors consider the possibility of illegal acts by their clients and discuss these issues with management and those charged with governance. Anecdotal evidence suggests that external auditors recognize the importance of these standards and devote effort and resources toward training staff to identify illegal acts and to incorporate an FCPA compliance component as part of the audit engagement. For example, the 2015 Rolls-Royce audit report indicates bribery and corruption as one of the top eight risks of material misstatement, and the 2016 Tesco audit report discloses compliance with laws and regulations as one of the risks that had the greatest effect on audit strategy and allocation of resources. In addition, every global accounting firm promotes awareness of the FCPA and offers services to assist with compliance.

Given the attention on FCPA enforcement, we expect that audit fees will be higher for FCPA violators than for non-violators. Although this association may seem intuitive, we further investigate the temporal nature of that association. Specifically, we examine audit pricing across four distinct time periods: the violation period (years during which the firm was in violation of the Act); the investigation period (years during which the firm was under formal investigation); the regulatory period (years during which FCPA-related regulatory proceedings were filed against the firm); and the post period (years after the concluding regulatory proceeding). Further, we examine whether audit pricing of FCPA risk is more sensitive to accounts that are commonly associated with high bribery risk; namely, sales, general, & administrative (SG&A) accounts and accounts payable. Following prior research on contagion effects of negative events (e.g., Bolton, Lain, Rupley, and Zhao 2016; Files and Gurun 2018) and guidance from the Institute of Internal Auditors indicating that assessments of FCPA risk should include the history of violations within certain industries or geographic locations (IIA 2010), we also examine whether audit firms charge higher fees for other audit clients that are comparable to the FCPA violating firm. Finally, to examine auditors' pricing of FCPA risk beyond specific violations, we examine whether fees are higher for companies predicted to have high bribery risk, regardless of whether they actually violated the FCPA.

FCPA data for our study comes from an extensive database used in KLM. The database includes all FCPA regulatory enforcement actions against all public and private parties. The information includes the amount of the bribe, the value of business obtained, penalties imposed, regions of violations, and the timing of the violation and enforcement process. Table 1 from Lawson et al. (2019) is replicated here and provides information on the FCPA data. The left side of Panel A presents information available on the full set of FCPA enforcement actions beginning in 1978. The right side of Panel A presents information on the final set of FCPA enforcement actions used in the study. The difference in number of FCPA actions available for testing (i.e., 278 for the pre-screened sample versus 90 for the final sample) is due to several things, including audit fees not being publicly available for companies until 2000 and missing financial data for private and not-for-profit entities.

Although the mean value of the business obtained via the bribe is approximately $61 million (for all 278 FCPA actions), the mean value of the total penalties is approximately $65 million. Similarly, the mean value of business obtained for the 90 actions included in the sample is $11 million, and the mean total firm penalties are $26 million. For all 278 FCPA actions, the mean bribe paid was $22.5 million. For the 90 actions in the final example, the mean bribe equals $3.2 million. The average violation period in both samples is between five and six years. The average time between the end of the violation period and the first regulatory proceeding is three years with the regulatory proceedings lasting two to three years.

Table 1, Panel B, shows that FCPA violations occur across a wide range of industries. Panel C reports the regions where these violations occurred (with many firms experiencing FCPA violations in more than one geographic region). The largest number of violations is in China and the Far East (43), but numerous violations occurred in Africa (20) and the Middle East (19).

Our study (Lawson et al. 2019) shows that, relative to the baseline pre-violation period and to non-violating companies, audit fees are 36 percent higher for FCPA violators in the full sample analysis and 25 percent higher in the matched sample analysis. In Table 2, we show that this significant difference in fees exists despite the fact that the matched sample of non-FCPA violating control firms is very similar in firm and auditor characteristics to the sample of FCPA violators (i.e., none of the variables are statistically different between the two samples). Panel A of Table 3 illustrates that when the FCPA violation variable is partitioned into the four distinct FCPA time periods, audit fees for violators are 28 percent higher in the violation period.¹ Audit fees increase an additional 18 percent in the investigation period. Thus, it appears that auditors price FCPA risk and increase fees even more once formal investigations commence. However, Panel A of Table 3 shows no significant additional fee increases or decreases once the regulatory period is reached or after the concluding proceeding is filed. This finding suggests that auditors continue to associate violating clients with higher FCPA risk and charge these clients higher fees after the regulatory proceedings end.

We also find that audit fees have a stronger association with accounts payable and SG&A accounts (i.e., high bribery risk accounts) for FCPA violators than for non-violators. These relationships can be seen in the last two rows of Table 3, Panel B. Further, industry and geographic peers of FCPA violators pay a fee premium compared to non-peers. In these tests, we identify a unique peer firm using a one-to-one match based on company size, year, industry, auditor, and the geographic location where the FCPA violations occurred. Our tests suggest that auditors may believe that FCPA risk also exists for clients with similar characteristics. However, the initial fee premium is much smaller (only 8 percent, Table 3, Panel C) and reverses over time. Thus, while auditors initially assess higher risk for peers of FCPA violators, the effect is temporary. Although our main analyses examine auditors' response to actual FCPA violations, we also use the KLM bribery prediction model to investigate whether auditors respond to overall bribery risk, regardless of whether the client violated the FCPA or not. Panel D of Table 3 shows that we find a fee premium of approximately 8 percent for clients identified as having a high risk of foreign bribery. Combined, the results suggest that auditors price FCPA risk in general, but that the fee premium increases substantially as the likelihood of illegal activity increases.

We also conduct a number of additional tests. First, because it is possible that audit effort related to bribery risk depends on the extent of a client's foreign operations, we separately examine companies with high versus low foreign sales. Our results for the high foreign sales group mirror the sample-wide findings. However, fees for the low foreign sales group do not increase until the investigation period is reached. These findings suggest that auditors focus on FCPA risk less when foreign operations make up a smaller portion of client operations. While this approach may seem rational from a materiality perspective, auditors should note that regulators are not required to prove materiality or even intent as they pursue FCPA violations (Ebright 2016). We also investigate auditor turnover and audit reporting lag (length of time between the date on the auditor's report and the fiscal year-end date) as additional ways that auditors may respond to FCPA risk. In these tests, we find that FCPA violators are more likely to have auditor changes and also that audits of FCPA violators take more time to complete. Finally, we investigate whether regulator access affects auditors' responses to FCPA risk. In general, our results are strongest when violations occur in countries that prohibit PCAOB inspections.

FCPA compliance is a top priority for the Securities and Exchange Commission and Department of Justice. In this study, we find that auditors respond to FCPA risk by increasing fees (i.e., effort), particularly as they evaluate accounts that are more likely to be involved with illegal activity. However, we also find that the response is weaker and less timely among clients with lower foreign sales. Because the FCPA does not have a materiality threshold and the Act's accounting provisions are of great importance to regulators, our study highlights the need for auditors to consider FCPA risk more broadly. In the FCPA setting, penalties and other costs incurred by violators can turn potentially immaterial concerns into material contingencies. As one example, Avon Products' $8 million in bribes between 2004 and 2008 resulted in a $135 million contingent liability in 2014. While the bribes themselves may have been immaterial during the violation period, the resulting contingency represented over 80% of Avon's pre-tax operating income in the year of its concluding regulatory proceeding. Overall, we believe that our findings are of interest to both auditors and regulators. The PCAOB is currently seeking input on whether updates should be made to AS 2405 (PCAOB 2018). Our study suggests that increased emphasis on the importance of indirect materiality with respect to potential illegal activity is advisable. Further, our study may prove useful as auditors and regulators begin thinking about Critical Audit Matter disclosures under AS 3101 given that contingent liabilities and other compliance costs associated with FCPA violations can be significant.