PCAOB Update: Lessons Learned in 2004

Thank you. It’s a pleasure to be with you this morning. I spoke at an IIA conference in March of last year. At that time, I quoted an article that referred to internal auditors as “the new rock stars of corporate America.” Now that we have a full year of Section 404 experience under our belts: do you still feel like rock stars? Although we at the PCAOB are enjoying the challenges that we face, sometimes we feel like those people who are featured on “Hard Copy” or “Inside Edition”: we’re not quite sure what we did to deserve so much attention.

As we look back on the PCAOB’s activities 10 or even 20 years from now, the past two years will most likely be recognized as among our most significant. During 2003, we focused on activities that would set the tone for our brand-new organization: activities that would tell the world – and most importantly, those audit firms newly under our jurisdiction – how we would fulfill our mission of restoring investor confidence in the accuracy of audited financial statements. In 2004, we had to demonstrate that we would “walk the talk.”

2004 represented a year of tremendous challenges, change and growth for us, as we went from a staff of about 140 to 260. We also began our formal audit firm inspection process, while at the same time establishing our investigatory function and adopting what is widely considered to be the most significant auditing standard in decades (I’m speaking, of course, of Auditing Standard No. 2, concerning audits of internal controls over financial reporting).

While not quite half-way into it, it is clear to me that 2005 also represents unique challenges for the PCAOB. This year, we are being keenly observed and must demonstrate either that the decisions we made in 2004 were correct, or that we are smart enough to recognize the need for improvement. This is an important principle to take to heart when living in the Nation’s capital (although it’s probably equally applicable in many circumstances): if you are not willing to improve your own performance, there are many others who are more than willing to try to do it for you.

It is this overarching theme that I’d like to apply to the topic that you’ve asked me to address, “Lessons Learned in 2004.” While there is much that I can say about the lessons we have taken to heart in each of our core areas of responsibilities (that is, registration, standards-setting, inspections, and enforcement), I will focus on the subject that I suspect is most near to your hearts: PCAOB Auditing Standard No. 2 (AS2), concerning Audits of Internal Controls Over Financial Reporting.[1] Before I begin, however, I must note that the views I express today are my own, and not necessarily those of the Board, its other members or staff.

Internal Control

“Internal control over financial reporting”, a.k.a., “Section 404.” With apologies to Sir Winston Churchill, never in the field of human endeavor have so many been so stirred to emotion by so few words.

We all know what internal controls are. As applied to the financial reporting process, they are simply mechanisms designed to produce reliable financial statements, reducing the likelihood of material financial misstatement due either to error or fraud.[2] We also know that maintenance of an internal control system (or at least the concept of such a system) is neither a novel nor radical concept. Since 1941, the SEC’s regulations have required auditors to consider a company’s internal controls in planning the financial statement audit.[3] Auditors have repeatedly told me that 20 years ago, as part of their annual financial audits, they regularly “used to” do the same kind of work now mandated by AS2. Moreover, for almost 30 years the Securities Exchange Act has required that all public companies maintain an adequate system of internal accounting control.[4]

So, what’s the fuss? Why did a Wall Street Journal editorial recently call Section 404 the “most notorious part” of the Sarbanes-Oxley Act?[5] Well, we also know that, for many years, as companies have striven to identify and eliminate so-called non-productive costs, internal control systems have generally not been well-maintained. Despite what I understand have been repeated calls from internal auditors, some company executives have chosen not to spend money to keep these controls current. We know too that, as price pressures continued to force accounting firms to reduce their audit fees during the ‘80s and ‘90s, the decision to streamline audit procedures was often at the cost of a more comprehensive review of internal control.

Then came Enron … WorldCom … Waste Management … Global Crossing … Tyco … Adelphia … GE … [insert your favorite accounting scandal here]. Broadly speaking, the goal of the Sarbanes-Oxley Act of 2002 is to restore public confidence in financial reporting, confidence that was shattered by the behavior of dishonest corporate executives; by audit committees unable to understand increasingly complex financial engineering; by auditors who appeared to have been co-opted by the executives of their audit clients; and by numerous other agents and gatekeepers on whom investors counted to ensure that a company’s financial statements are worthy of reliance.

Through Section 404, Congress recognized that control effectiveness is closely linked to the reliability of financial reporting. To help restore credibility to the reporting process, Congress added two new legal responsibilities to the existing laws on this issue. First, companies must now annually test and certify to investors that their controls over financial reporting are effective.[6] Second, the independent auditor must also now publicly attest to the accuracy of the corporate certification.[7]

We knew all of this in October, 2003 when we first proposed AS2, and we still knew it when AS2 was adopted by my Board and approved by the SEC in 2004. But here is something that we – or I should say “I,” since I am not speaking for the Board or all of its members – did not know. I didn’t know the degree of fear that the very existence of the PCAOB had generated within the auditing profession, and I didn’t understand how much this fear would cause so many to behave in such a hyper-conservative manner.

What were auditors afraid of? I believe that they were (and in many respects still are) afraid of the unknown. Let’s step back and remember the chronology. One of the first things that the PCAOB did in 2003 after the SEC authorized us to conduct business was to decide that, although Sarbanes-Oxley gave us the power to do so, we would not delegate standard-setting responsibility to a professional group such as the Auditing Standards Board (ASB) of the AICPA. Instead, we announced that we were going to exercise this authority ourselves, a decision that surprised many within the audit community. Moreover, when we published our first proposed auditing standards, they were very different from what the profession expected. They didn’t provide safe harbor limits on auditor responsibility and generally lacked “bright lines,” offering instead standards that are largely principles-based. Furthermore, when we considered public comment to our proposed standards, we agreed with many comments and made appropriate changes to the final rules – suggestions not just from auditors, but from issuers and investors as well.

Next, we proceeded to inspect the audit firms (starting with the Big 4), and we also did this in a manner that was very different from the familiar peer review process.[8] We did not let the firms know in advance what issues we were going to look at, and we looked more at how the firms performed their audits than whether the audits were consistent with firm procedures. We looked at companies’ application of GAAP as well as whether the firms reviewed such application in accordance with what was formerly known as “GAAS.” We also looked at previously sacred issues: partner compensation and the behaviors that the firms chose to reward. Most importantly, we actually found many issues to comment upon, and some of the comments were quite strong. In addition, most of the comments were made in a public report. Although the provisions of Sarbanes-Oxley require a public report to follow each inspection, I believe the firms were surprised at how narrowly the Board chose to construe those provisions of the law that require certain issues be reported only on a confidential basis.

Looking at these events, it’s no wonder that – as the profession tried to grasp the implications of moving from a self-regulatory to an independent oversight model – many were uncertain as to how much they needed to change existing practices so as not to run counter to the PCAOB. (Let me stress here that, in my opinion, every firm that we have encountered to date – through our inspection work and other activities – has demonstrated a sincere effort to understand what the new regulatory model expects of them and to respond appropriately. None have demonstrated a “dig-in-your-heels” mentality, and for this I think the profession as a whole deserves high praise. I am not sure that my own profession, lawyers, would have reacted in such a positive manner.)

At the time that AS2 was both proposed and adopted, I understood that the auditing profession felt uneasy about its relationship with the PCAOB. I did not, however, fully appreciate how this uncertainty would manifest itself when auditors were faced with exercising the considerable degree of judgment given to them by AS2.

In my opinion, this manifestation can be summarized quite simply: many auditors did more low-level work than was necessary under AS2, but more importantly, some auditors didn’t do the “right” work – that is, they lost sight of those areas that posed the highest risk of potential fraud. These auditors also often caused their audit clients to use a similar approach. I believe that this behavior was directly related to auditors’ uncertainty – and the fear that that uncertainty created – regarding how the PCAOB will hold them accountable for compliance with AS2, and the impact that a negative PCAOB assessment might have on the firms’ continued business viability. It also largely contributed to the overriding concern expressed by the business community, that is that Year 1 costs were simply too high to be sustainable, and that they exceeded anticipated benefits.

When I say that many auditors did more low-level work than was necessary, or didn’t always do the “right” work, I don’t intend to suggest a negative judgment about all auditor performance during 2004. I understand why auditing firms – under intense pressure to fundamentally change the way in which many of them operated as businesses while also trying to implement an entirely new and complex auditing standard – reacted as they did. In their place, I probably would have reacted much the same, and in fact believe that auditors deserve a lot of credit for the tremendous effort they put into first year implementation. Nonetheless, when we recognize that a practice can improve going forward, we have the responsibility to work toward that end. As Will Rogers said, “Even if you are on the right track, you’ll get run over if you just sit there.”

In this vein, a week ago today the PCAOB released additional guidance that responds to what we consider to be inappropriate and unintended implementation of AS2 during 2004. This guidance took the form of two documents: a Board Statement of Policy, and further Staff FAQs. These are available on our Web site (Standards). The SEC and its staff issued similar documents on this same day.[9] Before we look at the details of these documents and identify what behaviors we seek to discourage, I want to stress that none of the implementation guidance changes or in any way diminishes the auditor’s responsibilities under AS2. There is no “retrenchment,” and it would be a mistake to read this into what the Board or staff has said. Rather, I characterize our goals as “the 4 ‘Cs’”: we wanted to –

  • change overly mechanistic approaches;
  • correct misunderstandings;
  • confirm the need for balance, rationally applying AS2 to meet the unique circumstances at each company; and we will
  • continue to evaluate whether additional guidance or changes are necessary.

Where can we all improve? The Board’s Statement of Policy and Staff’s FAQs focus on six specific issues:

First, we need to ensure that – as intended and strongly encouraged in AS2 – the audits of financial statements and internal controls are integrated. With a fully integrated process, the independent auditor should be able to use the information obtained throughout the year as part of his or her internal control assessments to affect the nature and extent of testing required for the audit of the financials. Ideally, the same team of audit professionals would work on both audits, creating a single set of work papers. This type of integration should provide for greater efficiency in the planning and execution of both audits, saving time and resources for all. However, it is clear that, primarily because of time constraints and the heavy initial learning curve experienced by both auditors and their clients, this did not occur in 2004. We have every expectation that it will begin to occur in 2005 and thereafter.

Second, the SEC and PCAOB both stressed the need for the management assessment and the auditor attestation processes to be focused on higher risk areas, using a top-down approach. Both sets of Staff documents discuss the more technical aspects of how a “top-down” approach works, and how risk assessments affect the nature and extent of testing that must be performed. The use of untailored checklists is inimical to a risk-assessment model, and in the Board’s view is an early warning sign that the auditor is not exercising the type of professional judgment as would lead to a high quality audit (of either the financials or internal controls). I stress here that our goal in issuing this additional guidance was to promote high quality audits. We believe that a welcome side benefit of a risk-based model, using a top-down approach, will be to reduce unnecessary costs going forward. That was not, however, our primary objective in issuing this additional guidance.

Third, using a risk-based approach also leads to re-examining how auditors exercised the discretion that AS2 gave them to rely, under appropriate circumstances, on the work of others. As you recall, AS2 permits the auditor to rely on the work of others, so long as a few conditions are met[10]:

  • The auditor’s own work provides the principal evidence for the auditor’s opinion; [11]
  • The auditor personally evaluates controls in the control environment, including controls that are established to prevent and detect fraud that is at least reasonably possible to result in material misstatement of the financial statements; [12]
  • The auditor personally performs at least one walkthrough of each class of major transactions;[13] and lastly,
  • The auditor determines the extent of reliance based upon an evaluation of both the other party’s competence and objectivity, and the nature of the relevant control; this evaluation naturally leads to a greater ability to rely on others for work in the lower risk areas, and when competence and objectivity are high.[14]

As you may also recall, when the Board adopted AS2 in March of 2004, several Board members (including me) made public statements concerning this portion of the Standard, and its impact on internal auditors. I said:

…[W]e believe that internal audit programs that are both highly competent and independent from company management represent a valuable long-term tool for increasing financial reporting reliability. I hope, through the revisions [to the proposal] in this area, that we encourage companies to strengthen their internal audit departments; if they do so, the auditor should be able to rely more readily and extensively on these internal experts, thus reducing the external auditor’s fee.[15]

More specifically, ¶ 121 of AS2 says:

Internal auditors normally are expected to have greater competence with regard to internal control over financial reporting and objectivity than other company personnel. Therefore, the auditor may be able to use their work to a greater extent than the work of other company personnel. This is particularly true in the case of internal auditors who follow the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors. If internal auditors have performed an extensive amount of relevant work and the auditor determines they possess a high degree of competence and objectivity, the auditor could use their work to the greatest extent an auditor could use the work of others….

In 2004, it is clear that many external auditors chose not to rely on the work of others, including well-structured and resourced internal auditors, to the degree to which they were permitted. I suspect that some of the reasons this did not occur are completely justifiable, and some perhaps are not. Nevertheless, going forward the Board hopes to encourage more reliance, while still staying within the parameters articulated in AS2. In the May 16 FAQs, our Staff clarified that the “principal evidence” provision does not require a mere quantitative test (e.g., the independent auditor must perform 51% of the work). Rather, it requires a primarily qualitative evaluation. Moreover, by giving more weight to the work the independent auditor conducts him or herself in the higher risk areas (including the control environment, and the walkthroughs), this will in most circumstances naturally result in the auditor having obtained the principal evidence to support his or her opinion.[16] Thus, the “principal evidence” provision should not ordinarily pose a barrier to the reliance on others.

Our fourth area of improvement concerns the quality of communication that occurred (or did not occur) during 2004 between the external auditor and management of the audit client. From what we understand, this communication was seriously stilted because both auditors and issuers were concerned about where the line would ultimately be drawn between constructive dialogue and the auditor becoming part of the company’s controls. The difference between these two ends of a spectrum potentially implicates the auditor’s independence, and may also suggest a material weakness in the company’s controls. To avoid getting anywhere close to a perceived “line” between the two, many auditors and financial executives simply stopped talking to each other during the financial statement preparation process. In our May 16 guidance, both the SEC and PCAOB were crystal clear: such a reaction is not called for by either AS2 or the SEC’s regulations implementing section 404(a) of the Act. There is no single “bright line” that can be applied in all circumstances to separate appropriate communication (on the one hand) from inappropriate behavior (on the other). Therefore, both auditors and management need to exercise sound judgment; just because a decision is tough, does not mean it shouldn’t be made. Moreover, to the extent this iron curtain on communication threatens to impair the overall quality of financial reporting, it is inconsistent with the Act and all regulations adopted under the Act.

Fifth, our Staff FAQs present a number of additional technical questions and answers about issues affecting the scope and extent of testing required under the auditing standard, hopefully re-focusing the independent auditor’s attention to those areas most likely to affect the effectiveness of internal controls over financial reporting.[17] Again, as a side benefit, we also believe these clarifications will do much to bring needed balance between the costs and benefits of AS2. I won’t go into detail about these technical issues now, but would be happy to answer questions at the conclusion of my comments.

Before I discuss the sixth and final issue addressed in our recent guidance, I believe that it is very important to recognize the benefits of Section 404, especially those that are already being realized. From a macro perspective, investors will have much more confidence in the reliability of a corporate financial statement – and thus on the integrity of the U.S. public equity market as a whole – if the company’s management demonstrates that it maintains adequate internal control over the preparation of its financial statements. Greater investor confidence ultimately reduces the premium demanded for incurring the risk of the equity market, thereby reducing the cost of capital. Although we have heard much about the Year 1 costs, investors continue to tell us – in very strong and unambiguous words – that they see themselves as the ultimate providers of the capital required to implement Section 404, and that they are willing to pay even the high costs experienced in 2004 to decrease the risk of more accounting scandals.[18] Investors understand that much of the Year 1 costs are one-time in nature, while the benefits are long-term.[19]

From a company perspective, a survey conducted in late 2004 by Oversight Systems, Inc. found that 79% of the 222 financial executives surveyed reported that their companies have stronger internal controls after complying with Section 404. Seventy-four percent said that their companies benefited from compliance with the Act, and, of those, 33% said that compliance lessened the risk of financial fraud.[20] In a follow-up survey conducted three months later, this percentage increased significantly, to where almost 50% of the respondents said that compliance with the Act reduced the risk of fraud and errors. Forty-eight percent said that they now have more efficient financial operations.[21]

A recent survey by your own organization’s research foundation is also quite telling. Over 60% of the 171 responses from chief audit executives agreed that there have been improvements in their companies’ control environment, as well as anti-fraud awareness activities, that would not have occurred but for Section 404.[22]

I think that this type of impact, in just a little over a year since AS2’s adoption, is amazing.

This leads me to the sixth and final issue addressed in our May 16 guidance. As I mentioned earlier, I believe that auditor uncertainty as to how the PCAOB inspection process will hold them accountable for compliance with AS2 contributed greatly to 2004’s hyper-conservatism. To address this issue squarely, the Board’s Policy Statement describes how we will conduct our 404 inspections. We will look for audits that suffer from poor planning and risk assessment; we will not use our own "compliance checklist"; and we will not second-guess good faith audit judgments. We are more interested in helping (advising, prodding, demanding) auditors to get this right than we are in chalking up a high volume of formal negative comments.

While we believe that our May 16 additional guidance will go far toward improving implementation of AS2, it is not the end of our efforts to ensure that the benefits of Section 404 are sustainable over the long-term. In just 2-1/2 weeks, our Standing Advisory Group will convene to discuss additional implementation issues, issues for which we need more input before determining an appropriate response. (Our Standing Advisory Group – or SAG – consists of approximately 30 people, composed with roughly equivalent numbers of auditors [from firms of various size], issuers [both big and small, across industry sectors] and investors [both institutional and individual]. The SAG’s charter is to advise the PCAOB Board on priorities and other issues relevant to standard-setting.)

Among the issues that the SAG will discuss on June 8 and 9 are:

  • Implementing the definitions of "deficiency," "significant deficiency," and "material weakness";
  • The decisions that resulted from using the "strong indicators" of material weaknesses;
  • Experiences with the required written communications between the auditor and audit committee; and
  • Strategies for testing controls at companies with many individually insignificant locations (such as a large restaurant chain).

In addition, our Section 404 inspections began earlier this month. We expect to receive valuable input from our inspection teams as to how AS2 implementation worked well during 2004, and when it did not. This input will contribute to our continuing evaluation of the effectiveness of audits over internal control.

Thank you for your attention. I look forward to responding to your questions.  

Endnotes

[1]See AS2.

[2]AS2 ¶ 7.

[3]Amendment of Rules 2-02 and 2-07 of Regulation S-X, Accounting Series Release No. 21, 11 Fed. Reg. 10921 (Feb. 5, 1941) (amending Regulation S-X to provide that “[i]n determining the scope of the audit necessary, appropriate consideration shall be given to the adequacy of the system of internal check and control. Due weight may be given to an internal system of audit regularly maintained by means of auditors employed on the registrant’s own staff.”)

[4]Securities Exchange Act §13(b)(2) [15 U.S.C. §78m(b)(2)], enacted as part of the Foreign Corrupt Practices Act of 1977.

[5]"SOX and Stocks," Wall Street Journal at A20 (April 19, 2005).

[6]Sarbanes-Oxley Act of 2002 (hereafter "the Act"), §404(a).

[7]The Act, §404(b).

[8]For a discussion of the PCAOB inspection process, and to view public inspection reports, see Inspections.

[9]See SEC Statement on Implementation of Internal Control Reporting Requirements.

[10]See AS2 ¶¶ 108-126.

[11]See AS2 ¶¶ 108-111.

[12]See AS2 ¶¶ 113-115.

[13]See AS2 ¶ 116.

[14]See AS2 ¶¶ 117-125.

[15]See Statement of Kayla J. Gillan (March 9, 2004), Adoption of Auditing Standard for Internal Control Over Financial Reporting.

[16]See Staff Questions and Answers, No. 54.

[17]See Auditing Internal Control Over Financial Reporting, May 16, 2005 (Questions 38 – 55). 

[18]See, e.g., Transcript of SEC Roundtable on Implementation of Internal Control Reporting Provisions (Apr. 13, 2005) ("Roundtable Tr."), Remarks of Mark Anson, Chief Investment Officer, California Public Employees' Retirement System; Remarks of Ann Yerger, Executive Director, Council of Institutional Investors, Roundtable Tr.; Remarks of Damon Silvers, Associate General Counsel, American Federation of Labor and Congress of Industrial Organizations, Roundtable Tr.; Letter from Laurie Fiori Hacking, Executive Director, Ohio Public Employees Retirement System, to William H. Donaldson, Chairman, SEC (Mar. 1, 2005); see also Remarks of Gregory Jonas, Managing Director of Accounting Specialists Group, Moody's Investors Service, Roundtable Tr.

[19]See Remarks of Ann Yerger, Executive Director, Council of Institutional Investors, Roundtable Tr.

[20]See Oversight Systems, Inc., 2004 Oversight Systems Financial Executive Report on Sarbanes-Oxley (December 2004).

[21]See Oversight Systems, Inc., 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley (April 2005).

[22]Larry E. Rittenberg and Patricia K. Miller, Sarbanes-Oxley Section 404 Work: Looking at the Benefits, (The Institute of Internal Auditors Research Foundation, January 2005).