Why a Deloitte Audit of CCME is Valid and Can Be Trusted
There is no shortage of opinions, blog posts, research pieces or forum discussions regarding an equity that was ranked #1 in the 2011 Forbes China 200 Small-to-Mid Sized Companies with the Most Potential list – China MediaExpress Holdings, Inc., CCME. It is no secret that there is a huge short interest in the stock nor that there is a solid foundation of long investors including institutions from Maurice Greenberg's C. V. Starr to Vanguard, Oppenheimer, Morgan Stanley, Barclays to an almost obsessive group of retail investors with long positions.
China MediaExpress began its price ascent only to be cut down by reports alleging fraud by short-sale focused researchers Muddy Waters and Citron. The entirety of these reports were countered by Global Hunter Securities, LLC in a follow up research report reiterating their original strong buy position along with individual investors whom reside in China and presented first hand evidence; most notably WCT Bills blog. The company themselves released a brief statement and follow up document responding to "inaccurate allegations". As both sides wait anxiously for the 10K to be released sometime around March 16th the heated words continue to flow. As each short allegation has been countered in turn, the stage has been given over to even stranger allegations. Recent desperate pleas include an "It's Too Good To Be True" tale from Citron which carry no real weight with longs or shorts.
Perhaps the most odd, yet possibly the most significant recent ramblings center around the validity of the upcoming 10K audit results performed by Deloitte Touche Tohmatsu Hong Kong, a division of the largest of the "Big 4" auditing firms.
As the recent short biased allegation goes, being audited by a Big 4 is meaningless since the likes of Enron, Fannie Mae, Freddie Mac, WorldCom and similar organizations, almost all of whom were multi-national mega-conglomerates, underwent such audits. The fate of these organizations is well known.
I simply do not believe or accept this latest assertion by the short seller camp and feel compelled to explain why a Deloitte audit is significant TO ME.
Not being a financial auditor myself, in order to put the Deloitte audit in perspective I need to evaluate it against something I do have extensive experience with.
I am an Information Assurance consultant and business owner who holds certifications including CISM, CISA, CISSP and others in the information technologies sector. I began computer programming with BASIC and Assembly on a Zilog Z80 in 1979 with real world experience in LISP, ADA, FORTRAN, PASCAL, C/C++, HTML, XML, PHP, JAVA, Python, BASH shell scripting and a few others. I am sincerely not trying to be arrogant or brag here – but it is important that the reader understands where I am coming from on this, or my point will not hold any meaning. For all intents and purposes I am the security auditing and programming equivalent of a high end Deloitte financial auditor.
I have performed different types of security audits for different organization, each subject to their own unique requirements. These range from ISO 17799/27002, HIPAA, SOX, GLBA, FERPA and others as well as audits against established organizational internal policies. Each has an entirely different set of requirements and for different reasons. Various facets within organization's technology divisions are weighted and tested to varying degrees depending on the type of audit.
To help illustrate my point regarding a Deloitte financial audit of CCME, I will compare two such network security audits. The first was a small division of a government agency that needed to comply with HIPAA regulations due to maintaining individual identifiable health information in a digital format on less than a dozen minors. I will refer to this as the SMALL audit. The other was a telecommunications company who was preparing to IPO. This company offered traditional POTS telephone services, VOIP, cable, ISP services, hosting services, commercial wireless hotspot services in hotels and numerous other offerings in a 7 state region with over 7,500 employees at 50+ locations. I will refer to this as the LARGE audit.
While the audits were obviously required to comply with different legal mandates, they both included a review of internally developed or "home grown" applications. These exist in most companies. These are programs that often start as one person writing a program to make his or her life easier. These catch on, grow and get handed off to outside programmers to update and expand upon and eventually tend to take on lives of their own. Because these are developed organically and are unique to the organization there are no peer reviews or market feedback to help discover security vulnerabilities. Security auditors mush test these with various tools and by reading the lines of source code.
The SMALL audit had a single such application. It was a simple web script written in PHP to provide real time web based access to data stored in a MySQL database. The reader does not have to understand what this means, just understand that anyone with a year or more of web site programming should be able to easily write and understand this script. Its purpose was to track an aspect of federal grant money being handed out through the agency (a common task that every many agency provide). To go through this script line by line and completely understand it was an easy task. The various input validations and other aspects that are normally reviewed on such applications all fell within common, easily understood standards.
The LARGE audit, by comparison, uncovered over 100 home grown applications written in everything from mainframe System 390 code to FORTRAN to several esoteric scripting languages produced by companies long since out of business. And these only included the ones that were FOUND. The truth is no one had any idea how many such applications there were. Information Technologies was completely decentralized as this organization had grown via merger and acquisition, not internal organic growth. In fact no one within the organization could even identify every physical location that housed critical servers, more or less workstations running applications from within cubicles across the enterprise. It would be literally impossible to find people that were skilled enough in each of these languages to go through them line by line – and even if you had such skills it would take well over a year to do so, with little hope of complete accuracy.
The SMALL audit I completed in a few days with as near 100% accuracy as I believe can be obtained in such an audit.
The LARGE audit team was led by myself with a group of 9 others for approximately 45 days. I freely admit that if we uncovered 75% of what was there it would be impressive by any standards. In fact, the previous audit had been conducted by the I.T. auditing arm of a "Big 4" shop (not Deloitte) and reported on far fewer aspects than our report did but identified similar concerns and challenges with the lack of complete documentation within the enterprise.
So what is my point?
CCME is the equivalent of my SMALL security audit. CCME is a small cap Chinese advertising company. Its corporate structure includes a contractual arrangement with Fujian Fenzhong that may not be easily identified with by people familiar with American corporate structures. This is primarily due to the way the Chinese government interacts with businesses and is a common structure in that nation. This arrangement is well known and well understood by any auditors in the region and is by no means unique to CCME. Other than that one deviation from what we may be familiar with in the United States, CCME is a cut and dry straight forward business. They have not grown through merger and acquisition activities – the way they exist today has been organically grown. Yes, in order to obtain a listing in the U.S. markets they did perform a SPAC type reverse merger with TMI – essentially buying out a traded company in order to greatly accelerate the process of going public themselves. Do not make the mistake of equating CCME with the former TMI nor of equating the current management to the former TMI owners. CCME sells essentially 3 types of ads that are run on video monitors on intercity and airport shuttle buses. They maintain the physical security and integrity of the video display systems such that they cannot be loaded with different content nor turned off. They provide routine updates to content via in person installations through USB memory sticks. They sell both to agencies and direct, primarily through an outside sales team. They recently started a catalog and online sales business, SWITOW - basically a simple mail/web order type system for premium grade products such as Apple iPads. This portion of their business is no different than thousands of Mom and Pop's do across the United States. They have a government mandated monopoly - even if not in exact letter, clearly in exact spirit of the law – through a "Tongzhi" (Translation, Explanation). Again, this is a cultural difference that short biased authors will exploit to incite fear, uncertainty and doubt. Auditors in the region would be well versed in such arrangements and completely understand the spirit and significance.
That is about it. CCME is in fact a simple business model.
In reality, many U.S. based businesses, including my own, have more complex corporate structures. It is common to see a C Corp as a "Management" company with one or more LLC or S Corp arrangements under it in order to maximize individual state benefits or tax implications. Many such small businesses include several different divisions for services, products, support and other offerings. If CCME were a U.S. based business no one would consider it to have any significant complexity to it at all.
I believe that almost any auditor could easily and accurately audit CCME. The only way I believe they would "get it wrong" is if they did so intentionally. This would require fraud and complicity on the part of the auditor, in this case Deloitte. Let's be entirely honest here, no matter how big any of us think CCME is, they are just NOT big and rich enough to bribe Deloitte, which is why a Big 4 name is so important here. A smaller accounting firm in the region may be easily paid off. Does anyone really think Deloitte is ready to hang up their hat and go home (and face lawsuits and jail time) based on anything CCME has to offer them? To even consider it would be completely naive.
Back to the contention that a Deloitte audit is meaningless due to comparisons to other companies that have undergone such and failed… The "other companies" are the equivalent to my LARGE audit. The companies that are always thrown around as being audited by Big 4 (or previously Big 5 prior to Enron/ Arthur Andersen) are not in any way similar to CCME. Enron, WorldCom, Bristol Myers, Freddie/Fannie, et. al. were HUGE organizations with 100 times more employees, offices around the country and around the world, generating business revenues in many different forms of currency, subject to many different tax laws/business laws, countless divisions, etc. In all of these cases no one within the organization could even explain or identify all of the divisions, including the CxO level people. In the case of Enron, no one could even fully explain the business model - it just somehow generated revenues, or at least moved large sums of money around. No one, no matter how good they were, could ever fully audit every single aspect of any of these organizations. Even if they could we are talking about companies with revenues and cash beyond 1000 times what CCME claims. They could not only bribe a Big 4 accounting firm, they could outright buy them along with a few elected officials for good measure.
The comparison of CCME to an Enron or WorldCom simply does not hold up on any level.
That is my reason for believing that a Deloitte can be taken face value without hesitation. Remember that this is also the second annual audit performed by Deloitte, with each quarter also being signed off by them.
Not everyone is going to agree with my reasoning. I understand that. Each trader or investor must weigh the options and risk their capital in a way they feel comfortable doing.
The concept of even questioning the this audit raises some serious additional credibility concerns for those voicing such an opinion. If an investor is expected to believe that a small cap company such as CCME can either fool or bribe Deloitte during 2 audits and a year's worth of quarterly reports, then who couldn't fool them? In fact, would this not mean that every company – in China, the United States or elsewhere – is in fact a fraud candidate and that an annual audit by any firm would be meaningless? To use this excuse to justify CCME being a fraud is ridiculous. If there was merit to this argument than by definition, ALL - and I mean ALL companies could be a fraud regardless of who audited them. There would be no exceptions, and there would be no valid reason to even audit them in the first place since this argument makes the statement that all auditors themselves are subject to being frauds or at the very least completely incompetent.
In my mind this is a ridiculous argument not based on any logic, facts or common sense.
But Wait! There's More! as they say on the infomercials. Apparently this is a selective argument. Deloitte is being accused of being so bad at their job that they cannot correctly and accurately audit a small cap company given over a year to do so. An anonymous short biased author even went as far as "assisting Deloitte" by creating a web site at DeloitteWatch.com – which disappeared as quickly and mysteriously as it arrived. Fortunately Google never forgets. This site provided point by point steps that should be reviewed. One would think that Deloitte, being the largest of the Big 4 auditors, may already know how to audit CCME.
There is a contradiction here though. In each of these short biased pieces CCME is compared to other companies that, while not direct competitors to CCME, do operate in the advertising sector in China. These include FMCN, VISN and AMCN. The authors of these pieces refer to the financial statements of the competitors to build their case against CCME. Readers of these reports are expected to accept these other financials as being accurate; otherwise the argument does not hold up. So who audited those financials? In each and every case the financials of the competitors to CCME were in fact audited by the same company: Deloitte.(FMCN starting pg 112, VISN starting pg 97)
Will Deloitte Sign Off?
That is the 64 Thousand Dollar Question. Until CCME releases its 10K or provides additional guidance in the form of a press release, we will not know. Based on my experience performing information compliance audits as well as working with clients undergoing financial audits, I believe that YES, Deloitte will sign off. With the 10K due on March 16th, since CCME is an accelerated filer, experience would dictation that all phases of data collection have been completed. This close to the deadline they are well into compiling the final deliverable documentation and the SEC forms. If Deloitte had found anything, especially given the immense scrutiny of both them and CCME recently, it is highly likely they would have resigned. Since they have not I interpret that to mean they are still on board and thus stand by their previous audits and the upcoming release. This is, of course, speculation. I would also not be surprised if CCME files for an extension. After all of the drama they would want to make sure they took the time to get it right. Short biased traders will no doubt push this as further evidence of fraud when in fact it is merely further efforts to prove legitimacy.
I encourage each investor to carefully consider the entire body of information on CCME before making a decision. When reading "research reports" and other information consider not only the validity of the argument being made, but the relevance of it.
For Additional Information on CCME there is an F.A.Q. page on their website as well as additional information here. An experienced financial auditor has put together some general information regarding audit procedures of cash and other aspects of CCME.
Disclosure: I am long OTCPK:CCME.
Additional disclosure: I hold no position in FMCN, VISN and AMCN. I am not affiliated with, nor have I received consideration from any entity mentioned in this article. I am a private retail trader. Please consult your own financial advisor before making investment decisions.