Compliance and the Audit: Of Relevance and Investor Protection

Good morning.

It is my great pleasure to be here with an audience of executives from issuers, with many of your companies operating in highly regulated industries and many of you living and working daily on the front lines of compliance. I must, of course, begin by reminding you that the views I express today are my own and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

Indeed, I am impressed that you have given prominence on this first day to financial reporting, beginning the day with audit and audit-related issues and moving through the subject to conclude with presentations by my friends and colleagues at the FASB and the SEC Office of Chief Accountant.

As chief compliance officers, internal auditors and other compliance professionals, you all have a lot on your plate. You oversee your organization's global compliance programs. This is a complex undertaking, as these programs often include the development of policies and procedures to assure compliance with foreign as well as U.S. local, state and federal laws and regulations, the design and implementation of internal control frameworks, and the management of forensic audits and investigations into regulatory and compliance issues. You are the chief responsibility officers of your organizations. Your responsibility includes understanding risks, both internal and external, to your organization. This responsibility — risk assessment — is shared by auditors.

To address the scope and responsibilities of compliance, which is what this important event does each year, perhaps we should first permit ourselves to ask, "Why is compliance a central theme of our legal life?" To be sure, there are partisan political debates that swirl around that question, but the speakers who are appearing here will be stepping back from that vortex.

Perhaps we can begin the day by revisiting a document from the anthology of our nation's modern era: Theodore Roosevelt's renowned "Square Deal" speech to farmers in Syracuse in 1903. The speech is a ringing manifesto of faith in the decency of our people and the validity of our institutions in the face of economic stress and social pressures. Against the background of tough times, this is what Roosevelt said:

"Unfortunately, in this world the innocent frequently find themselves obliged to pay some of the penalty for the misdeeds of the guilty; and so if hard times come, whether they be due to our own fault or to our misfortune, whether they be due to some burst of speculative frenzy that has caused a portion of the business world to lose its head—a loss which no legislation can possibly supply—or whether they be due to any lack of wisdom in a portion of the world of labor—in each case, the trouble once started is felt more or less in every walk of life."

Does this dilemma sound, in any sense, timely and familiar?

Roosevelt continued his exhortation by saying that, "In a republic such as ours the only safety is to stand neither for nor against any man … because he is engaged in one occupation or another," and that, "We must treat each man on his worth and merits as a man…[and] see that each is given a square deal." He finished with the following, somber injunction:

"Finally, we must keep ever in mind that a republic such as ours can exist only by virtue of the orderly liberty which comes through the equal domination of the law over all men alike, and through its administration in such resolute and fearless fashion as shall teach all that no man is above it and no man below it."

Not a weak charter, I think, for you here today: you are, as I noted, on the front lines of corporate governance. You set the internal tone, inculcate the culture. You are the enemies of fraud, abuse and mismanagement of assets. That you are here speaks to your commitment and the commitment of your companies to that charter.

Theodore Roosevelt's historic speech, speaks directly to the question of "why compliance." Without it, there is no check, no backstop on the conduct of the few that injures the many.

And here, of course, is where the primacy of the auditor and the independent audit enters the picture. The auditor is there to fulfill Roosevelt's charter, to evenhandedly, objectively, resolutely and fearlessly question assumptions and assertions of fact, insist on sufficient confirming evidence, look for disconfirming evidence, and attest to reported financial results only when there is sufficient audit evidence to provide a basis for an audit opinion.

The PCAOB is deeply engaged in examining ways to enhance the relevance, credibility and transparency of the audit to better serve investors. Our initiatives will likely affect you and your companies. At the PCAOB our work often begins with considering those results through roundtables, public advisory committee meetings and similar outreach efforts.

I intend to focus my remarks today on three initiatives: 1) enhanced transparency of who performs the audit, 2) greater communication of what an auditor learns in the course of the audit, and 3) a greater focus on related party activities and significant and unusual transactions.

Transparency

Let me start by asking a simple question: Who performs your audit? If you thought of the firm whose name is at the bottom of the audit report, you are likely not entirely correct.

Most of you in the audience today work at a U.S.-based company. But it is likely that your company has operations or customers, or otherwise does business, abroad. Your audit will, therefore, inevitably have an international component.

Although your company's audit opinion was signed by a single audit firm, what you or, more importantly, your investors may not know is that much of the work that supports that audit opinion was done by many other firms, most of which are outside the United States.

As the world has become ever more interconnected, and business operations are driven less by geographic borders but by the ever greater need for efficiency and growth across a global platform, the audit has also had to adapt. It has gone from being executed by a single firm out of a local office near your company, to being executed by a series of globally affiliated network firms, under a single brand, with offices around the world.

Audits today, particularly of the largest U.S. companies having global operations, often have half or more of the audit performed abroad. In most such cases, that means the principal audit firm, whose name appears on the audit report, uses affiliates of the primary auditor and members of its network of firms to conduct the foreign portion of the audit.

More than 900 accounting firms based in 88 non-U.S. jurisdictions are registered with the PCAOB. Those foreign firms that regularly perform U.S. audits must be inspected at least once every three years. We have conducted more than 300 inspections of these non-U.S. affiliate firms in more than 35 jurisdictions to date.

Based on those inspections, the PCAOB knows that the challenges of managing a multi-national audit are great. It is important for you to know that, through this process, our inspectors have identified considerable room for improvement.

Of greater concern to the PCAOB is our inability to inspect firms located in certain jurisdictions in Europe, China and Hong Kong. The SEC's Division of Corporation Finance has begun to require this fact to be disclosed in an issuer's Management Discussion and Analysis Risk Factors. Some of these jurisdictions have experienced increased occurrences of financial reporting errors and fraud.

I remain hopeful that we will be able to resolve concerns raised by authorities in these jurisdictions that prevent our inspections of firms based there. This is not to say that we haven't made progress: we have in the last year reached agreements to perform inspections in the UK, Norway and Switzerland and recently conducted our initial inspections in Germany.

Based on the inspections that we have been able to perform and our inability to perform others, there are significant risk in audits performed in some of these foreign jurisdictions. This should be a concern for investors, and for those charged with corporate governance. The risk of fraud is greatest in the shadows.

To combat this risk and provide greater transparency as to who is actually conducting the underlying audits, the Board has proposed amendments to PCAOB standards that would require audit firms to disclose in their audit report the use of other public accounting firms, including foreign affiliates, and individual accountants not employed by the principal auditor that took part in the current-period audit. The proposed amendments would also require the audit opinion to include additional information about these other firms, such as their locations and the amount of work they performed.

There has been strong investor support for inclusion of this information in the auditor's report. Such information would make it possible to determine if the firm is registered with the PCAOB, whether the firm is subject to PCAOB inspection, and, if so, whether the firm has been inspected, and its inspection results.

This proposed standard has been through comment, and I would hope can be issued this year.

Communications

A fundamental objective of the Sarbanes-Oxley Act of 2002 was to strengthen the role of the audit committee. To accomplish this objective, the Act requires that audit committee members of public companies that are listed on an exchange be independent of management and take responsibility for the appointment, compensation and oversight of the work of the external auditor for the purpose of preparing the auditor's report. These requirements place the audit committee squarely at the center of the relationship between a public company and its auditor.

The provisions of the Act that deal with the audit committee's oversight of the audit are predicated on the idea that independent, informed and proactive audit committees can and should be key to protecting the interests of public company investors.

Building on this, the Board has proposed, for a second exposure, a new audit standard on what the auditor should communicate to audit committees in order to enhance the relevance and effectiveness of the information the auditor provides the audit committee. The proposed standard is designed to emphasize the importance of effective communications between the auditor and the audit committee.

The proposal addresses part of what investors found disquieting about the recent financial crisis. Investors have told us that they fear that audit committees and boards may have lacked the information necessary to assess whether better financial reporting and disclosure would have been appropriate. It is not necessarily a question of access to information, or volume, but of relevance and quality.

The audit committee can influence better financial reporting by demanding better practices, more responsible business judgment and improved conduct from management. But to do so, the audit committee must be well-informed about the salient facts and issues relating to accounting and disclosure matters. An audit committee that is well-informed is in a better position to make sure that such matters are resolved in the best interest of investors.

The proposed standard should benefit investors by enhancing the relevance and quality of the communications between the auditor and the audit committee. It should also help auditors perform their job by fostering thoughtful and engaged discussions between the auditor and the audit committee that, over time, arm the audit committee with the information it will need when a tough issue arises and the time comes to champion investor interests.

The proposed standard should also avoid burdening the audit committee with minutiae. But the audit committee and the auditors play more of a role than the PCAOB, or any audit standard, can in ensuring that their relationship is engaged and not a mere "check-the-box" exercise. Any measure can be reduced to a checklist if not thoughtfully undertaken. I believe auditors and investors alike expect audit committees to use sound judgment to not let that happen.

The proposed standard was specifically designed not to impose additional performance obligations on the auditor but to more effectively communicate what the auditor has learned in the course of conducting the audit.

During the course of audit, the auditor is uniquely positioned to gain valuable insights into many of the challenges and risks facing the company under audit. Although all this knowledge cannot be shared broadly with investors, the proposed standard would require the auditor to communicate to the audit committee the risk areas identified, including those relating to financial reporting, internal controls and fraud.

The proposed standard also requires the auditor to discuss any difficult or contentious issues that arose during the course of the audit, critical accounting policies, significant judgments and estimates, going concern considerations and the auditor's use of external experts. The proposal recognizes the importance of the auditor's professional judgment by requiring the auditor to bring any other matters that the auditor believes to be significant to the attention of the audit committee.

Some of this may be unnecessary for the highly experienced audit committee; however, experience levels vary widely among audit committees of public companies. Effective and candid communications between an auditor and an audit committee can assist in leveling the playing field for less experienced audit committee members by providing a window into the auditor's perspectives and experience. It will increase the transparency of the audit process to the benefit of not only the audit committee, but the investors whom they represent. This will assist the audit committee in performing its important oversight functions.

The communications are not exclusively one way: although the primary focus of the proposed standard is to establish what the auditor will provide as information to the audit committee, the standard should also foster the sharing of information relevant to the audit from the audit committee. Put differently, we want to see an ongoing, robust, candid and comprehensive two-way dialogue between the key gatekeepers of investors' interests. This will foster a dialogue in which the auditor and audit committee are actively engaged by providing information, probing further where appropriate, and listening effectively. This reproposed standard has been through comment, and I would hope can be issued this year.

Clearly I think these communications will have constructive implications for the operation of internal control structures and the effectiveness of compliance programs. My hope is that the audit committees will not be the only ones who will benefit from this increase in auditor communications.

Related Parties and Significant Unusual Transactions

You do not have to look further than the front pages of the business newspapers to understand the need for increased attention on related party transactions and significant unusual transactions. We can all recall the intertwined relationships between Enron and its management a decade ago, which spawned the Sarbanes-Oxley Act.

However, the risk of related party transactions is not a problem that has been lost to the pages of history. Today the risk is just as real—evidenced by the newspaper headlines.

In May 2010, an academic study sponsored by the Committee of Sponsoring Organizations noted "that either the chief executive officer or the chief financial officer were involved in 89 percent" of the SEC's fraudulent financial reporting cases from 1997 to 2008.^[1] According to that study, among the most commonly cited motivations for financial reporting fraud was the desire to increase management compensation based on financial results.^[2]

On February 28, 2012, the PCAOB issued a proposed auditing standard, Related Parties. The proposed standard would improve the auditor's evaluation of a public company's identification of, accounting for, and disclosure about its relationships and transactions with related parties.

In addition, the Board proposed amendments that, among other things, would improve the auditor's understanding of a company's financial relationships and transactions with its executive officers.

This standard describes the basic tools that good auditors have used for years to identify financial reporting risks. Among other things, it requires auditors to understand management's compensation as a way to understand management's motivations. For example, changes in performance metrics may well be an important clue to understand areas where management's story is weak. They offer the auditor insights that may not be gleaned otherwise, and our proposal encourages auditors to assess that information with the skepticism that should infuse all of their work.

The Board also proposed amendments to enhance the auditor's identification and evaluation of a company's significant unusual transactions, which are significant transactions that are outside the normal course of business or that otherwise appear to be unusual due to their timing, size or nature.

These types of transactions were at the heart of many of the most infamous financial frauds, including Enron, WorldCom and Refco. According to allegations in recent SEC complaints, today these names have been replaced with emerging market enterprises.

We were mindful to build the proposal on existing standards for risk assessment. As a result, the proposed changes are intended to make audits more efficient, more effective and integrated with the overall approach to assessing the accuracy and fairness of companies' financial statements.

Concept Releases on the Audit Reporting Model and Auditor Independence

The PCAOB has also issued two, important concept releases that I suspect many of you have heard about and that may affect your work in compliance.

The first, issued a year ago this month, discusses possible changes to the auditor's reporting model. The concept release reflects information and opinions solicited by the PCAOB over an extended period from investors, auditors, preparers, audit committee members and others.

Any change to the standard auditor's report model resulting from our process would still require the auditor to opine on the compliance of the financial statements with the applicable financial reporting regime and would still place the fundamental responsibility for the reported information on management. But, as we have heard from many parties, more information in the audit report may be beneficial. This initiative has broad support, including support from the audit profession, and has a counterpart in projects under consideration by our international counterparts. The PCAOB is aiming to issue a proposed standard in the third quarter of this year.

Another concept release—which is our formal means of eliciting comment and new ideas—was issued in August 2011. We asked for public comment on ways that auditor independence, objectivity and professional skepticism could be enhanced. We asked whether rotation of audit firms should be considered for companies that had been audited by the same firm for more than 10 years or for the largest issuer audits, and whether there are other measures that could meaningfully enhance auditor independence. More than 630 comment letters have been received, with both preparers and auditors predominantly opposing firm rotation.

The PCAOB is not alone in examining the issue of audit firm tenure and its effect on financial reporting for the use of investors. Audit and market regulators in Europe are considering regulation in this area. Those of you who work for multi-national companies may be aware of these initiatives.

This is not an easy subject. Some form of term limits may or may not provide more independence, but I believe we must explore the range of approaches available to free the auditor to think and act independently, to fulfill the high calling and perform the challenging role charted more than a century ago by Theodore Roosevelt in his vision of administration of the law.

The relevance, credibility and transparency of the financial audit are rooted in the core values of independence, objectivity and skepticism. These core values must be monitored, protected and enhanced in order to serve the public interest and protect investors in an ever more complex global business environment. This involves a thoughtful reflection by auditors, audit firms, regulators, audit committees, investor and yes, you, the compliance professionals.

* * *

I want to thank Compliance Weekly again for inviting me. The educational opportunities you provide to compliance professionals, including conferences such as this, will make a difference in the overall protection of the public interest. Thank you and I look forward to your questions and our discussion.