Careers
SubscribeTestimony Concerning the PCAOB
Chairman Oxley, Ranking Member Frank, and Members of the Committee:
I am pleased to appear today before the House Financial Services Committee on behalf of the Public Company Accounting Oversight Board ("PCAOB" or the "Board").
I want to begin by taking a moment to thank the Committee for its strong bipartisan support of the PCAOB. We benefit greatly from your wisdom and encouragement, and from our positive working relationship.
Through the Sarbanes-Oxley Act, the Congress took a giant step toward restoring shaken investor confidence in financial reporting and auditing of public companies. The Act did not merely create a regulatory environment conducive to investor protection; it also reflected the powerful demand of the American people for fairness and honesty from those participants in the U.S. markets who benefit from the people's investments. More than half of all households in America have invested in our securities markets, [1]and the resources those investments provide to business is a driving force behind the U.S. economy. The more confidence that investors have in the financial information available to them about the issuers of securities, the more resources they will pour into our businesses, both large and small, to fuel the growth and competitiveness of our economy.
I. Introduction
The PCAOB is well on its way to maintaining, as required in the Act, a continuous program of auditor oversight "in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports for companies the securities of which are sold to, and held by and for, public investors." [2] The Board has hired a staff of 319, including auditors, analysts, attorneys, and others, and we expect to have approximately 450 employees by the end of this year. Roughly half of our staff is based in our headquarters in Washington, D.C. In addition, we have offices in New York City and the Atlanta, Chicago, Dallas, Denver, San Francisco, and Orange County (California) areas to support our ongoing inspections of registered accounting firms. We also have an office near Dulles, Virginia, to support our significant investments in technology.
With that brief background, let me now turn to the three main topics that I would like to address today. First, I will discuss our work to ensure a smooth implementation of the Act’s requirements that public companies and their auditors provide investors with annual assessments of, and related attestations concerning, the companies’ internal control over financial reporting. Second, I want to address the impact that independent oversight is having on the practice of public company auditing for both large and small auditing firms. And, finally, I will describe our vision and progress in building an auditor oversight model that meaningfully reduces the risks of financial reporting and auditing failures in U.S. public securities markets.
II. Internal Control Assessments and Related Audit Work
The Sarbanes-Oxley Act has had a profound effect on the integrity of financial reporting in U.S. capital markets and the reliability of public company audit reports. The Act has touched virtually every aspect of the financial reporting process, from preparers’ certifications of accuracy to the independence of third-party analysis, covering the integrity of gatekeepers such as lawyers and auditors in between. Although some of these changes took effect immediately and have been in place for some time, the participants in the financial reporting process are now implementing one of the most challenging but also most promising provisions of the Act.
Specifically, Section 404 of the Act requires public companies annually to provide investors an assessment of the quality of their internal control over financial reporting, accompanied by an auditor’s attestation on the same subject. In the simplest terms, investors can have much more confidence in the reliability of a corporate financial statement if corporate management demonstrates that it maintains adequate internal control over bookkeeping, the sufficiency of books and records for the preparation of accurate financial statements, adherence to rules about the use of company assets and the possibility of misappropriation of company assets. Companies have been required to have internal control over their accounting since the Congress enacted the Foreign Corrupt Practices Act in 1977. There is no doubt, however, that the Sarbanes-Oxley Act’s requirement for annual assessments, and auditor attestations to those assessments, took corporate responsibilities for internal control over financial reporting to an entirely different level.
A. The Act’s Internal Control Requirements Have Fundamentally Changed the Way Public Company Audits are Conducted
As directed by Section 404, in June 2003 the Securities and Exchange Commission established rules describing the required assessments by public companies, and in March 2004 the PCAOB followed with a new auditing standard – Auditing Standard No. 2 (“AS No. 2”) – providing for an integrated audit of both internal control over financial reporting and the financial statements
themselves. [3]
We are now in the midst of the first round of annual assessments and attestations. For large, established companies – which the SEC calls accelerated filers – the initial assessments and attestations were required by SEC regulations to be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004. Calendar-year companies were thus required to file their reports on or before March 16 last month. The SEC has allowed accelerated filers with market capitalizations below $700 million an additional 45 days to file their internal control reports. [4] For non-accelerated filers – which are essentially the smallest public companies – and foreign companies with securities traded in the U.S., Section 404 reporting will begin in 2006. [5]
Although the term “internal control over financial reporting” has only recently entered our common parlance, internal control is a familiar concept to most auditors. As auditing evolved from a process of detailed examination of individual transactions and account balances toward a process of testing samples, greater consideration of a company's internal controls became necessary in planning an audit. [6] If an internal control had been adequately designed and was operating effectively, then longstanding auditing standards permitted the auditor to rely on less costly and time-consuming procedures. [7] Conversely, if an auditor determined that a control was inadequate in its design or operation, then the auditor could not rely upon that control. [8] In this event, the auditor would take a considerably more detailed approach by relying almost exclusively on detailed tests of account balances and transactions.
Sections 103 and 404 of the Act, and the PCAOB’s Auditing Standard No. 2, changed that audit model. Today, auditors of companies subject to Section 404 must not only obtain an understanding of internal control, but they must also examine the design and operating effectiveness of internal control sufficient to render an opinion as to that effectiveness, as required by Section 103(a)(2)(A)(iii). In order to reap the most benefit from this examination, and to make the overall audit process as efficient as possible, we designed in Auditing Standard No. 2 an integrated audit model.
An integrated audit combines an audit of internal control over financial reporting with the audit of the financial statements. In an integrated audit, the auditor’s examination of internal control is validated by the auditor’s findings in the audit of the financial statements. In addition, the auditor’s findings and conclusions reached in the audit of internal control help the auditor better plan and conduct the auditing procedures designed to determine whether the financial statements are fairly presented. The two processes are mutually reinforcing. In this way, the integrated audit helps to achieve the Congress's intention to improve the quality and integrity of both corporate controls over financial reporting and of independent financial statement audits.
We adopted the integrated audit model in March of 2004, and it was approved by the SEC in June 2004. For the past year we have been working with auditors and issuers to understand the challenges they encounter and, where appropriate, to provide additional interpretive guidance and rules to facilitate implementation. [9] Since March 2004, the PCAOB staff has issued four sets of interpretive guidance that answer 37 frequently asked technical questions on the implementation of Auditing Standard No. 2. Moreover, the Board has embarked on two additional rulemakings. First, the Board adopted a temporary rule to complement a Commission rule that provides companies that are considered accelerated filers but have market capitalizations of less than $700 million with an additional 45 days to file their internal control reports. The Board’s rule provides auditors extra time to complete their internal control audits of those companies. [10] Second, just last month the Board proposed a new auditing standard that would permit auditors to attest to company managements’ assertions that they have corrected material weaknesses in between annual assessments. [11]
In addition, on April 13, 2005, we participated in the SEC’s daylong roundtable discussion with issuers, auditors, investors and others about the challenges of implementing Section 404 requirements. As I announced after that meeting, we will issue additional guidance to respond to the matters raised there on May 16. Finally, we will also devote the entirety of our next meeting with our Standing Advisory Group – on June 8 and 9 – to this topic, to further explore implementation issues.
While the first internal control reports have just begun to be released over the last month, public companies and their auditors have been hard at work to prepare for these first assessments and attestations. For many public companies, this has meant major efforts to improve their internal controls over financial reporting. For auditing firms, this has meant a major effort to develop new audit methodologies and train staff to perform a different kind of audit.
In light of this work, many companies have already reaped benefits from the internal control reporting process. For example, 79 percent of 222 financial executives recently surveyed by Oversight Systems reported that their companies have stronger internal control after complying with Section 404. Seventy-four percent said that their companies benefited from compliance with the Act and, of those, 33 percent said that compliance lessened the risk of financial fraud. [12] Preliminary analyses show that eight percent of companies’ 2004 annual assessments filed as of April 5, 2005, reported material weaknesses in their internal control over financial reporting. [13] By identifying material weaknesses before financial reporting failures occur, these companies are reducing their risk of future loss of shareholder value, as well as personal risks to their board members and managers.
In addition, investors in our capital markets now, for the first time in our history, have the benefit of both management’s assessment, and the independent auditor’s opinion concerning, the effectiveness of internal control over the preparation of the financial statements. This should increase investor confidence in the reliability of those reported results. [14] And that, in turn, should reduce the cost of capital for companies with effective internal control over financial reporting.
B. PCAOB’s Efforts to Address Cost and Other Concerns
Although enhanced internal control has the potential to bestow significant benefits, there have been concerns about the cost of those enhancements and about whether those enhancements create counterproductive, unintended consequences. No doubt you have heard complaints that the way auditors have implemented the new requirements has exacerbated some of these concerns. We have an opportunity, in our inspections of registered firms, to assess whether auditors implement new standards appropriately. As described above, however, we are not waiting for our inspections to guide auditors away from inappropriate implementation when we learn of it. Throughout this first year of implementation of Section 404, we and our staff have carefully monitored implementation issues as they have arisen and, where appropriate, have issued additional guidance to promote consistent and rational implementation.
For example, some have charged that auditors are implementing Auditing Standard No. 2 with a “check-the-box” mentality about control testing that focuses on minutiae that are unlikely to affect the financial statements. Auditing Standard No. 2 requires testing of controls that are designed to make it probable that the financial statements are fairly presented in all material respects. While it is necessary for the auditor to understand the overall control system and to “walk through” the operation of all significant control processes, the focus should indeed be on what is material to the financial statements, not on the trivial. Auditors should not allow an unthinking emphasis on computer systems, for example, to distract them from the more qualitative risks of misconduct by top management. Further, while Auditing Standard No. 2 does not ignore overall systems, it expressly permits the auditor considerable flexibility to rely on the work of others, including, for example, by “us[ing] internal auditors to provide direct assistance in the audit of internal control over financial reporting.” [15]
In addition, some smaller companies have charged that they are disproportionately burdened because auditors are not tailoring their audit procedures to the nature and complexity of the client. Smaller, less complex businesses typically need less complex controls, and the work of the auditor should reflect that fact. Auditing Standard No. 2 is no different from any other auditing standard in that it does not prescribe detailed audit programs for specific sizes of companies. For as long as the profession has established auditing standards, auditors have used those standards to fashion audit plans in a manner that addresses the nature and complexity of the audit client. The fact that the Sarbanes-Oxley Act did not expressly establish classes of audit clients in no way limits the auditor's ability – indeed, responsibility – to use judgment to plan an audit that is appropriate to the circumstances. In the case of small companies, this should include the special considerations outlined by the Committee of Sponsoring Organizations of the Treadway Commission (also referred to simply as “COSO”) for internal control in such companies.
As Chairman Oxley has said, “Today’s small companies are tomorrow’s large ones, and it’s important that all of us work together to address their specific needs and to properly guide them toward compliance.” [16] I believe strongly in that maxim. In that regard, we stressed in both the proposing and adopting releases for Auditing Standard No. 2 that auditors should tailor their audit programs to suit the size, complexity and nature of the audit client, [17] and my fellow Board members and I have stated publicly that we will use our inspection program to make sure that smaller companies are not subjected to needless cost and burdens.
While we are committed to giving interpretive guidance where we can, we expect auditors and issuers alike to exercise judgment in applying Auditing Standard No. 2 in a manner that is appropriate given the context of the audit. Our goal in providing implementation guidance is not to create a detailed checklist for conducting an audit. Rather, our goal is to help auditors and others better understand the principles underlying the standards and better appreciate why it is important that they use judgment in applying them.
Another area of concern for us is the misconception that companies may no longer look to their auditors for advice on difficult accounting issues. Auditing Standard No. 2 provides that an auditor’s detection of a material misstatement in financial statements is a “strong indicator” of a material weakness in internal control. In addition, the prospect of PCAOB inspectors enforcing longstanding rules on auditor independence, which prohibit the auditor from preparing a client’s financial statements and from making financial reporting decisions on behalf of management, [18] seems to have led some to conclude that management and the auditor should not consult on accounting and internal control questions.
Auditors have long advised public companies on accounting issues and on internal control matters, however, and Auditing Standard No. 2 does not preclude that kind of advice and discussion. Be assured that we have no intention of discouraging discussion and debate between corporate managements and auditors through a game of “gotcha”; rather, our inspection program for reviewing integrated audits calls for inspectors to look for and encourage robust substantive discussions among the auditor, management and the audit committee. To help dispel confusion on this issue, our staff has issued specific guidance on this point, making clear that, in fact, “information-sharing on a timely basis between management and the auditor is necessary.” [19]
Before leaving this subject, I want to emphasize the unique importance of the PCAOB’s inspection function in connection with our ability to monitor the implementation of Auditing Standard No. 2. We have numerous channels for feedback about how issuers, auditors and others feel Section 404 implementation is going, including our informal working groups, the SEC’s recent roundtable discussion, our Standing Advisory Group’s meetings, and other ad hoc meetings. [20] No one else, however, has the opportunity and mandate that the PCAOB has to see how auditors are implementing the standard first-hand by reviewing individual engagements in our inspections. Our inspections and standards-setting functions are in a continual feedback loop, so to speak. The Congress showed great wisdom in structuring the Board in this fashion. This structure gives us the opportunity to investigate what we have heard anecdotally. Through inspections we can assess claims that auditors do not seem to be making good decisions, ascertain the cause, and then do something about it. On the other hand, we may – and I expect we will – find evidence that the best practices of some auditors have helped to reduce the risk of financial reporting failures.
III. The Impact of Independent Oversight on the Auditing Profession
Although public attention to the work of the PCAOB has recently focused most intensely on the PCAOB’s role in implementing Section 404, the more significant, long-term effects of our work will be the product of our oversight activities. The Act requires all accounting firms that prepare or issue audit reports on the financial statements of public companies to be registered with the PCAOB. [21] Once registered, the public company auditing practices of such firms are subject to periodic inspection by the PCAOB and, when necessary, to PCAOB disciplinary proceedings to enforce applicable auditing and related professional practice standards as well as other relevant laws.
PCAOB oversight has already changed the environment of registered public accounting firms and their partners and staff that participate in audits and triggered a profound shift in the overall character of public company auditing. Most important, our oversight has changed auditors’ attitudes toward their accountability. Under the old system, which relied primarily on the enforcement tools of federal and state regulators after a problem had already occurred, the risk that an auditor’s failure to identify and address a financial reporting error would come to the attention of regulators was relatively low. If such a problem did come to a regulator’s attention, the consequences were grave – often ending the careers of auditors involved if not the practice of the firm itself. The risk of detection, however, was too often not sufficient to motivate firms and auditors to take the tough stance necessary to head off potential misstatements in financial reports. This was especially true when the firm and the issuer could, at least in the early going, rationalize the problem away as involving only immaterial amounts.
Under the new system, auditors understand that their work is much more likely to be reviewed within months or even weeks by the PCAOB’s well-experienced, full-time inspectors. Last year, we reviewed portions of more than 500 audits performed by the largest eight firms. We chose those audits, and the particular aspects we reviewed, on the basis of our own assessment of the risk of material misstatements or significant auditing deficiencies. We also often select additional audits during the course of the inspection, enabling our inspectors to follow leads to the root causes of poor auditing. For example, if we find a poor quality audit that passed the muster of a firm’s own internal quality control reviews, we will review additional work performed by the same audit partner and engagement team. We will also review other work performed by the internal reviewers who missed the reviewed partner’s errors. Not surprisingly, we have found that this approach leads to uncovering additional problems. It also gives auditors a good bit more anxiety, and correspondingly greater incentive to stay on their toes, than a mere random sample of engagements.
Another important catalyst for change in the new system is that, unlike traditional enforcement models that focus on punishment after financial reporting and auditing failures become exposed, our inspections provide new tools to identify and resolve problems early in their development. First, when our inspectors find potential material accounting errors or significant auditing deficiencies, we invite the auditing firm to comment on the accounting and auditing work involved. This assessment process not only helps us to verify our own assessments, but it also helps the firm to identify the causes and scope of the problem. Second, throughout this comment process, our inspectors discuss the problems we identify with representatives of the firm, including members of the engagement team, the firm representative responsible for the firm’s handling of the inspection, national office experts, and ultimately, the managing partner or chief executive of the firm. Although serious problems that we identify are ultimately described in our inspection reports, it is our discussions with the firms that drive them to redress the problems on the spot, through performing missed auditing procedures, enhancing internal quality control requirements, discussing the problem with the client involved, and other actions.
Two years of inspecting the audits of the Big Four accounting firms [22] has done nothing to shake my view that these firms, operating at their best, are capable of the highest quality auditing. But it has also done nothing to shake my view that the Congress acted wisely in creating independent oversight of the profession to help move firms in the direction of consistently operating at their best. Through our inspections, we have already identified, and encouraged appropriate resolution of, numerous accounting and auditing problems. And we feel confident that we are, as the Congress intended, helping to move the profession steadily in the right direction – toward reducing the risks of material misstatements or unreliable auditing. I cannot say – and I do not believe that you would expect to hear – that after only two inspection cycles we have identified and uprooted all the causes of recent auditing failures and all the risks of future auditing failures. Nor would it be prudent, given the time that regulatory, judicial, or law enforcement processes can take, to assume that auditing firms are necessarily beyond the possibility of repercussions for pre-Sarbanes-Oxley failures. But between our preliminary limited inspections and our first full inspections, we have plainly made a start that amply vindicates the decision the Congress, and this Committee, made in creating the inspection process.
Although our inspections work to-date has focused primarily on the largest firms’ annual inspections, over the last year, we have devoted considerable effort to developing appropriate oversight that takes into account the diversity of the auditing firms that have registered with the Board. As of April 21, we have registered 1,488 firms, including the nation’s largest firms, hundreds of medium-sized regional firms and small firms, and 567 non-U.S. firms. We are working hard to structure our inspections program so that it is equipped to efficiently and effectively address this universe.
Our oversight programs cover three distinct groups of firms: the eight largest U.S. firms, all of which audit more than 100 U.S. public companies and therefore are subject to inspection on a continuous annual basis; 913 small U.S. audit firms, 715 of which audit the financial statements of fewer than five public companies and 313 of which audit no public companies; and 567 non-U.S. firms that wish to be positioned to audit – or play a substantial role in preparing audit reports on – the financial statements of U.S. public companies, including both foreign private issuers and U.S.-based multinational companies. Under the Act and the Board’s rules, firms that have more than 100 public company audit clients are subject to annual inspections. Firms that have between one and 100 such audit clients are subject to regular inspections every three years. [23]
While the Big Four accounting firms audit most public companies, [24] they have reduced their public company audit client base over the past two years. [25] At the same time, the next four and even smaller firms have increased the number of public companies that they audit. [26] Early after the enactment of the Sarbanes-Oxley Act some expressed concerns that the Act’s requirements for oversight of accounting firms might pose a barrier to small firms’ ability to compete for public company audit clients. In fact, however, a number of these small firms have actually increased the number of public companies that they audit, as the larger firms have reduced their number of smaller public company clients. [27] According to one study:
Small accounting firms were the winners of market share in 2004. While small accounting firms in general vehemently opposed the passage of SOX, it appears that in reality, they may be one of the largest beneficiaries of the Act. The larger firms appear to be more selective these days in accepting smaller companies to audit, perhaps as they typically involve much lower revenue and profit
potential. [28]
Accordingly, we expect to see smaller firms seizing opportunities to expand their business by taking on new clients appropriate to the size and sophistication of the firms’ practices. At the same time, we know that for that growth in their business to be fully successful, the firms must understand, and know what is expected of them within, the Sarbanes-Oxley and PCAOB framework. We recognize that, for smaller firms, the adjustment to that framework gives rise to many issues and questions of a different nature than those of principal concern to the larger firms.
To try to address those questions, we embarked in late 2004 on an ambitious outreach effort directed toward small registered public accounting firms. Specifically, we have conducted six two-day discussion sessions with small firms and their audit clients, focusing on the topic “Auditing in the Small Business Environment.” I have asked Board member Kayla Gillan to spearhead this initiative.
These Forums have fostered a robust dialogue that has given us valuable insights we will apply in developing our programs. I believe the Forums have also better equipped the firms that have attended with useful information to address the challenges of the new regulatory environment. So far, we have held these Forums in northern and southern California; Atlanta; Dallas; Chicago; and northern New Jersey. We will be holding additional events soon in Denver, Pittsburgh, Orlando and Boston.
In addition to conducting this outreach, we also inspected 91 small firms in 2004. For some of these firms, our inspections provided the first serious glimpse of external oversight. We have seen first-hand how some small firms distinguish themselves by performing high-quality audits. At the other end of the spectrum, we have seen some small firms that simply must do better. We identify for them the areas in which they must do better, and we use the tools specifically provided by the Act – the incentive of keeping deficiencies from being made public and, ultimately, the incentive of not having their registration revoked – to motivate them to do better. In this way we do what we can to give such firms every chance to rise to the occasion of serving and protecting the investing public. Over time, however, we expect to eliminate from the ranks of registered firms those auditors who are incapable of – or indifferent to – serving the public interest.
Finally, as I mentioned earlier, 567 non-U.S. firms have registered with the
Board. [29] Although under Section 106(a) of the Act, non-U.S. firms are subject to the Act and to the rules of the Board "to the same extent as a public accounting firm that is organized and operates under the laws of the United States," oversight of the audits of U.S. public companies conducted by these firms poses unique challenges.
To craft an oversight program that addressed such challenges, we have developed a framework under which the Board may conduct its oversight in cooperation with local regulators of our registered non-U.S. firms, by relying, to an appropriate degree, on the inspection work of those local regulators. [30] Over the past 18 months, we have engaged in a constructive dialogue with relevant regulators in certain key non-U.S. jurisdictions. As we speak, PCAOB inspectors are sitting side-by-side with inspectors from the Canadian Public Accountability Board, reviewing the audits of the Canadian registered public accounting firms that we will inspect together in this first year of our international program. We are also far along in working out similar arrangements with authorities in the United Kingdom, Australia, France and Japan. This dialogue has demonstrated that the Board and its non-U.S. counterparts share many of the same objectives, including to protect investors from inaccurate financial reporting, to improve audit quality, to ensure effective and efficient oversight of accounting firms, and to help to restore public trust in the reliability of audit reports. Underlying this convergence of views is the global nature of the capital markets – the effects of a corporate failure in one country tend to ripple through the financial markets of another, potentially causing substantial economic damage. Together with our counterparts, we hope to do what we can to reduce overall risk to investors in securities markets throughout the world that have devoted resources to investor protection.
IV. Building a Strong Foundation
While our vision and form as an organization have significantly matured since I was last before this Committee, we will still spend much of 2005 building the key programs that underlie our ability to protect the investing public. The PCAOB began operations in 2003 with four Board members and a handful of staff members in a single suite of offices; it began 2004 with five Board members and a staff of 116 in five cities. At the end of 2004, the PCAOB staff numbered 260 in eight cities. By the end of 2005, we expect to have approximately 450 staff. Our main growth area will continue to be the ranks of our experienced accountants who serve as inspectors, as well as enforcement investigators.
We also plan to develop our Office of Financial Analysis and Risk Assessment, which collects, analyzes and assimilates information from multiple sources to provide us with assessments of risks related to the financial reporting process. For example, our risk specialists – who combine backgrounds in financial and statistical analysis, forensic accounting, and economics, among other disciplines – may start with a known accounting problem at one company and comb through SEC filings, other public information, and our own internal data sources, to ascertain whether other companies are applying the same accounting treatment. Working closely with our inspectors, these specialists also help to select other audits to review. In addition, they provide crucial insights to our standards-setters and enforcement investigators – as well as to the Board itself – about potentially dangerous trends in financial reporting.
Our standards-setting initiatives rely heavily on information about such trends, in addition to trends in auditing practices that need improvement. This year, we expect to develop several standards designed to improve audit quality. First, we will soon consider adopting rules on auditor independence and tax services, based on a proposal we issued for public comment in December 2004. That proposal garnered support from a variety of corners, including investors, auditors, and issuers. The public comments have helped us see certain specific areas in which the proposal could be improved and we are working now to fashion those improvements.
In addition, in the coming months we will likely propose for public comment a new auditing standard on engagement quality reviews. Such a standard is required under the Act. [31] In developing this standard, we are using the full panoply of tools available to us. The proposed standard will therefore draw upon information we gather in our inspections about weaknesses in reviews by “concurring partners” under the existing professional standards, examples of improvements developed by other standards-setters, and advice from our Standing Advisory Group of experts with experience as investors, auditors, financial statement preparers, academics, and others. Our staff also is evaluating the communications that should take place between the auditor and the audit committee and developing a related standard that would reflect the post-Sarbanes-Oxley relationship between auditors and public companies.
Finally, we will also continue to work toward our mandate of inspecting registered public accounting firms. We will inspect the largest eight U.S. firms again this year, as well as the single non-U.S. firm that has more than 100 public company audit clients, KPMG’s affiliate in Canada.
Conclusion
During the last two years, we have established a strong operational foundation for our statutory programs, but we still have many challenges ahead. Some of our most significant challenges in the next year will be to hire the 80 or so additional inspectors we need to help us examine close to 300 registered public accounting firms; to continue to oversee appropriate implementation of Section 404 of the Act in the second year of internal control audits for accelerated filers, as well as in first year of such audits of small public companies and foreign private issuers; and to establish cooperative oversight programs with our counterparts in other countries. We work hard to push toward the realization of the objectives the Congress set for us, with passage of the Act, and using this framework we hope to do our part to reduce overall risk to investors in U.S. securities markets. We have an aggressive agenda ahead, and we are pleased that the Congress entrusted the PCAOB to confront these challenges.
Thank you.
[1] Marianne A. Hilgert and Jeanne M. Hogarth, "Household Financial Management: The Connection between Knowledge and Behavior," Federal Reserve Bulletin July 2003, at 317.
[2] Sarbanes-Oxley Act, Section 101(a).
[3] See Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Securities Act Release No. 8238 (June 5, 2003); PCAOB Auditing Standard No. 2 (“AS No. 2”).
[4] See Order under Section 36 of the Securities Exchange Act of 1934 Granting an Exemption from Specified Provisions of Exchange Act Rules 13a-1 and 15d-1, Exchange Act Release No. 50754 (Nov. 30, 2004); see also PCAOB Rule 3201T (temporarily permitting auditors of certain issuers not to date theirs reports on internal control the same date as their reports on financial statements).
[5] See Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports of Non-accelerated Filers and Foreign Private Issuers, Securities Act Release No. 8545 (March 2, 2005).
[6] Accounting Series Release No. 21, 11 F.R. 10921 (Feb. 5, 1941) (amending Reg.S-X to provide that “in determining the scope of the audit necessary, appropriate consideration shall be given to the adequacy of the system of internal check and control. Due weight may be given to an internal system of audit regularly maintained by means of auditors employed on the registrant's own staff.”).
[7] See AU Section 317.03. Effective April 16, 2003, the PCAOB adopted, on an initial, transitional basis, temporary rules that refer to pre-existing professional standards of auditing, attestation, quality control, ethics, and independence (the “interim standards”), including AU Section 317. These standards, originally codified by the American Institute of Certified Public Accountants, are reproduced on our Web site at Interim Standards.
[8] See AU Section 317.04.
[9] PCAOB staff have formed informal, ad hoc working groups of auditors and issuers to assist the staff in understanding the challenges both auditors and issuers face. In addition, the Board has held public discussions with its Standing Advisory Group to consider implementation and other issues related to internal control reporting.
[10] See PCAOB Rule 3201T.
[11] See PCAOB Release No. 2005-002 (March 31, 2005).
[12] “Financial Executives Call Sarbanes-Oxley Compliance a ‘Good Investment,’ According to Oversight Survey,” Press Release of Oversight Systems, Inc. (December 14, 2004).
[13] Source: Audit Analytics; see also Remarks of SEC Chairman Donaldson at Roundtable on Implementation of Sarbanes-Oxley Internal Control Provision (April 13, 2005), available at http://www.connectlive.com/events/secicrp/. So far, the types of material weaknesses we are seeing suggest that the process leads to disclosure of meaningful information for shareholders. For example, according to Compliance Week, approximately 50% of the material weaknesses disclosed in both 2004 and 2005 related to financial systems and procedures, including problems with the financial close process, account reconciliation, or inventory processes. Another significant area is personnel problems, including poor segregation of duties (which can lead to employee misappropriations in addition to financial reporting problems), inadequate staffing and expertise, and related training and supervision problems. See “Material Weakness, Deficiency Disclosures in February 2005,” Compliance Week (Apr. 2005), at 22. When companies provide robust disclosure about the relationship between a reported weakness and the reliability of the financial statements, in addition to disclosure about the company’s efforts to correct the weaknesses, report users have shown confidence in the company’s actions. See Special Comment, Section 404 Reporting on Internal Control: Our Early Experience, Moody’s Investors Services (Ap. 2005) (“In general, despite material weaknesses, we are finding that rating actions are not needed in many cases because: control problems appear to be specific, localized and correctable within a short period; the rating already reflects our impression of control weakness; or management’s plan for remediating the control problem appears credible.”)
[14] According to Moody’s Investors Service, strong internal control is key to restoring investor confidence:
We believe that reports on internal control are a significant development in restoring investor confidence in financial reporting, which has been badly shaken in recent years. We perceive that companies are strengthening their accounting controls and investing in the infrastructure needed to support quality financial reporting. Most of the control problems disclosed in the reports do not appear to be new, and are coming to light because of closer scrutiny – not because new problems are occurring.
Special Comment, Section 404 Reporting on Internal Control: Our Early Experience, Moody’s Investors Services (Ap. 2005), at 1.
[15] Staff Questions and Answers: Auditing Internal Control over Financial Reporting (rev. Nov. 22, 2004), Q&A No. 36 at 12-13; AS No. 2, 108.
[16] Sarbanes-Oxley: Making the Investment, Reaping the Rewards, Remarks by Chairman Michael G. Oxley, House Financial Services Committee, at Georgetown University Law Center Corporate Counsel Institute (March 10, 2005).
[17] See PCAOB Release No. 2003-17 (Oct. 7, 2003) (“Internal control is not ‘one-size-fits-all,’ and the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. . . . For a smaller, less complex company, the Board expects that the auditor will exercise reasonable professional judgment in determining the extent of the audit of internal control and perform only those tests that are necessary to ascertain the effectiveness of the company’s internal control.”; see also PCAOB Release No. 2004-001 at 9 (March 9, 2004) (“In smaller companies, or in companies with less complex operations, the ethical behavior and core values of a senior management group that is directly involved in daily interactions with both internal and external parties might reduce the need for elaborate internal control systems.”).
[18] See SEC Regulation S-X, Rule 2-01(c)(4)(i) (stating that an auditor is not independent of an audit client if it “prepar[es] the audit client’s financial statements”); Rule 2-01(c)(4)(vi) (stating that an auditor is not independent of an audit client if it “perform[s] any decision-making, supervisory, or ongoing monitoring function for the audit client”); see also Meeting of PCAOB Standing Advisory Group, February 16, 2005, available at Webcast.
[19] Staff Questions and Answers: Auditing Internal Control over Financial Reporting (rev. July 27, 2004), Q&A No. 7 at 5. This guidance explains that AS No. 2 requires an auditor to judge whether, once all applicable controls have operated, the company is able to prepare financial statements that are free of material misstatements. This means that the auditor’s own involvement, including “the results of auditing procedures[,] cannot be considered when evaluating whether the company’s internal control provides reasonable assurance that the company’s financial statements will be presented fairly in accordance with generally accepted accounting principles.” Id. In addition, the guidance suggested ways that company management can share and discuss draft financial statements without confusion as to whether the auditor’s own work served as a part of the control process, by engaging in “clear communications (either written or oral) with the auditor about the . . . state of completion of the financial statements; [the] extent of controls that had operated or not operated at the time; and [the] purpose for which the company was giving the draft financial statements to the auditor.” Id. At 6.
[20] In addition, one of our Board members, Daniel L. Goelzer, has been named as an observer to the SEC’s Advisory Committee on Smaller Public Companies, which has been convened to examine the impact of the Sarbanes-Oxley Act and other aspects of the federal securities laws on smaller companies.
[21] Sarbanes-Oxley Act, Section 102(a).
[22] In 2003, we conducted limited procedures on the Big Four accounting firms’ audit practices. The firms submitted to these procedures on a voluntary basis, before any firm was required to be inspected. In 2004, we commenced our first round of regular inspections of the largest eight firms.
[23] See Sarbanes-Oxley Act, Section 104(b); PCAOB Rule 4003.
[24] According to the Government Accountability Office, as of 2003 the Big Four firms audited more than 78 percent of all U.S. public companies, and their clients produced almost 99 percent of public company sales revenue. See United States General Accounting Office, Report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services, Public Accounting Firms, Mandated Study on Consolidation and Competition, July 2003, GAO-03-864.
[25] See Yellow Card Trend Alert, Glass, Lewis & Co., at 1 (Feb. 15, 2005). According to this study by Glass, Lewis & Co., in 2004, Big Four firms reduced their public company audits by 400, the next four firms added overall, net, 117 public company audit clients, and all other accounting firms had a net gain in public company clients of 217.
[26] See id.
[27] See id. at 1 (“Big Four firms continued to remove smaller companies from their client list. The Big Four were dropped as auditors for 357 companies with less than $100 million in revenues while picked up for only 77 audits of such issuers.”).
[28] Id. at 17.
[29] Title I of the Act is directed toward the auditors of public companies that seek to raise capital in U.S. markets. In the United States, the Act directly affects as many as 15,000 U.S. public companies. Those companies are headquartered in the United States, but they often have significant operations in other countries as well. The securities of about 1,200 non-U.S. public companies trade in U.S. securities markets, and so those companies must also follow many of the requirements of the Act, including the requirement to file with the SEC financial statements audited by a registered firm.
[30] See Briefing Paper on the Oversight of Non-U.S. Public Accounting Firms, PCAOB Release No. 2003-020 (Oct. 28, 2003). The Briefing Paper was followed by the proposal and adoption of rules by the Board which generally articulated the Briefing Paper’s framework. See PCAOB Release No. 2004-005 (June 9, 2005). Under these rules, the degree of reliance to be placed on a non-U.S. system will be based on a “sliding scale” and will depend on the Board’s assessment of the independence and rigor of the non-U.S. oversight system. The more independent and rigorous the non-U.S. system, the higher the Board’s reliance on that system. Conversely, the less independent and rigorous, the lower Board’s reliance on that system. These rules were approved by the Securities and Exchange Commission on August 30, 2004.
[31] Sarbanes-Oxley Act, Section 103(a)(2)(A)(ii).