Audit Essentials for 2015

Good morning. Claudius and I are excited to be back at the conference, and share our thoughts, and we must warn that the views we express are our own and should not be attributed to the PCAOB as a whole or any Board members or staff.

With just 21 days to go this year, I assume many of us are focused on reflecting on accomplishments and planning for the challenges to come in 2015. I am a list maker, and that is what I have been doing — so I am here today to share some of my lists with you. If you have come prepared with lists of questions, or those occur to you during my remarks please send them forward, I always learn a lot from your questions and find them helpful in planning what we need to better focus on.

Professor Jacob Soll, who wrote an exciting book on the history of accounting and why it matters, made a very important point earlier this year when he said, "If we are going to get to the point where we can have a serious debate about financial accountability, we first need to learn some essentials."^[1]

… And what could be more essential than the audit and the auditors. So what are those essential things that should be top of mind for auditors and audit committees heading into year-end 2014 (at least according to my lists!).

Inspections Staff See Some Promising Improvements in Audit Work Performed

Inspections Staff are wrapping up the 2014 inspections cycle and starting to draft inspection reports:

• We've already finalized reports on about one-third of the triennial inspections we did this year.
• We're in the evaluation and drafting stages for the reports on the largest inspections — expect those to be released beginning in the second quarter of 2015.

Our 2014 inspections have shown some promising improvements in the audit work performed at certain firms. We have seen remedial actions taken by certain firms begin to take hold, and as a result we have found fewer situations where a firm failed to support the opinion it issued. This result is not across all firms — deficiencies still remain and many reflect recurring deficiencies.

But the results are encouraging - firms that are taking prompt, substantive and decisive actions to address underlying issues, rather than simply addressing the symptoms of problems, are beginning to see better results.

Whether this downward trend in findings will continue remains to be seen, but we believe firms are up to the challenge and will continue to dig deeper so that they can make meaningful changes that can result in lasting improvements to audit quality.

Audit Quality Improvement Cycle and Root Cause Analysis

Different firms are at different points in this analysis and we are encouraged by the serious efforts being taken. As I mentioned last year, we perform our own root cause analysis, which we expanded to specific quality events, both negative (for example, audits with significant inspection findings) and positive (for example audits with no inspection findings where the inspection team recognized some anecdotal assessment of higher quality work).

We analyze selected quality events using causal analysis techniques. This analysis involves reviewing the many complex interrelationships that exist between each cause and each effect with a goal of identifying the various contributing causes of these events, including measures of audit quality within each firm's processes.

I encourage all firms to perform similar analyses to understand what went right and what went wrong. Over the long term, I expect a firm's analysis to lead to the identification of the underlying causes of deficiencies and the development of specific and effective corrective actions designed to address the identified causes.

I think that this could create: (1) a higher degree of confidence and success rate in the remedial actions, as they would become more proactive in nature, rather than simply reactive; (2) an articulation of what constitutes quality by identifying specific measures thereof; and (3) real-time monitoring and measurement of the effectiveness of remedial actions and measures of audit quality. In an evolved and fully implemented state, these concepts could induce sustained improved audit quality.

It was great to have had an in-depth conversation with members of our Standards Advisory Group in June as we explored further ways to improve our root cause analysis.^[2] The dialogue was affirming and helpful.

Increased Global Cooperation

We have made tremendous progress internationally. We have inspected in more than 20 jurisdictions this year and many times jointly with other regulators. These inspections are vital to protecting the interests of investors — not only for investors of those issuers located in non-US locations that access US markets but also for investors of issuers that are multi-national and retain multiple firms in their audits.

Inspections staff routinely inspect portions of multiple-firm audits, including the audit work performed by both domestic and non-U.S. firms that played a role in the audit, commonly referred to as referred work. In 2013, our inspectors identified in more than a third of referred work engagements inspected, findings that were so significant that they appeared in Part I of the inspection report.

This statistic is significant and concerning — more needs to be done to ensure that all the component auditors involved get it right. Many of these deficiencies related to the testing of revenue and inventory, including testing of controls over those accounts, and insufficient substantive procedures in response to risks of material misstatement.

A main lesson to be learned from our multiple-firm inspections is that communication along with supervision and review leads to a better audit.

Communication between the principal auditor and the other auditor is important to ensure a proper review of matters affecting the consolidating or combining of accounts in the financial statements.^[3]

Proper supervision and review of the procedures performed by the other auditor should not only include the review of the audit documentation, but also a review to ensure the other auditor's professional reputation and independence. In some situations it may be necessary for the principal auditor to visit the other auditor and discuss the audit procedures followed, the results and the related audit documentation.^[4]

I am pleased at our progress in this area — and in particular, the increased focus on the controls within a global network. We have been looking closely at this and asking firms to look at their global controls. This is important to how they ensure that the audit professionals allocated to perform referred work are qualified, independent and appropriately trained.

These inspections are of course facilitated through our cooperation with 18 other regulators around the world. We are actively involved in the International Forum of Independent Audit Regulators ("IFIAR"). We have many inspection findings in common around the world — problems with audits of internal control and fair values topping the list.

Outreach and Improved Communication

We are constantly focused on improving our processes to inform auditors, investors, audit committees and other stakeholders of our findings, which is important feedback and information that can ultimately result in further improvements in audit quality.

This year we expanded the inspection reports to include links to each deficiency in Part I of our reports with the related auditing standards. We are not stopping there. We continued to reach out to audit committees, investors and academics to get input on how to further improve our inspection reports. We have received valuable feedback.

Audit Areas that Need Particular Attention

As you move into the 2014 year-end audits, what should you focus on? As I reflect on what we have seen in the most recent inspections cycle, which generally examined 2013 year-ends, I want to share a few thoughts and questions that I think auditors, preparers and audit committees should consider as they aim to have a quality audit.

• Do you understand the flow of transactions, the points within that flow where a misstatement could occur and how internal controls are designed to address those risks? Are the controls designed and operating at a level that is effective to detect a material misstatement? ^[5]
• Are there audit procedures designed to identify the risks of material misstatement? And will those procedures be effective? ^[6]
• Do you understand the assumptions and methods that have been used to develop estimates, including fair value measurements? Has the information that management or a specialist used in developing these measurements been audited? ^[7]
• Are audit procedures designed to test data and schedules produced by the company that are used as part of the procedures? How does one know the data is complete and accurate?^[8]

The more frequent findings we have seen this season have been in the financial statement areas related to revenue recognition, inventory, goodwill, intangible assets and business combinations. Specifically, some of the preliminary 2014 deficiencies we've seen by auditing standard are:

1. Audits of internal control over financial reporting ("audits of internal control")

Inspections staff have observed significant auditing practice issues in the past three years related to audits of internal control. The 2014 inspection cycle was not an exception. This audit area continues to challenge auditors and represents the area with the highest number of audit deficiencies. Inspections staff have seen some improvement as firms have taken active steps to improve and clarify the methodology, guidance and tools they provide to their engagement teams, but more needs to be done.

Broadly speaking, the audit deficiencies identified were consistent with those reported by us in a general report^[9] two years ago and that document remains a valuable resource. A few areas to highlight:

• Audit engagement teams often did not obtain an understanding of a company's flow of transactions in order to identify and select the appropriate controls to test.^[10] This was more commonly identified when the auditors were testing revenue and inventory. In certain cases, Inspections staff observed that auditors selected controls to test that were not responsive to the fraud risks that they had identified.

• Audit engagement teams continue to struggle with the testing of management review controls. While many engagement teams have improved aspects of their audit work in this area -- for example, some engagement teams improved their evaluation of the criteria used by management to identify items for investigation — in too many instances they did not evaluate whether the management review controls operated at the necessary level of precision that would address the assessed risk of material misstatement. In other cases, we have seen engagement teams rely on management review controls as a way to compensate for other identified deficiencies without fully understanding or appropriately testing whether that management review control operated effectively.^[11]

• Inspections staff continued to see instances where audit engagement teams did not test the controls over the accuracy and completeness of the system-generated data or reports used in the operation of controls that the teams were testing.^[12] In some instances, firms have revised their methodology and guidance in this area, and Inspections staff saw fewer related audit deficiencies.

Our standards group issued an Alert^[13] last fall related to audits of internal control to remind auditors of the requirements and provide examples and we encourage you to read it.

2. Assessing and responding to risk

Assessing and responding to risk are two critical components of an audit. Inspections staff found that audit engagement teams often did not effectively respond to the assessed risk of material misstatement, particularly with respect to revenue when significant risks, including fraud risks, were involved.^[14]

3. Auditing accounting estimates including fair value measurements and disclosures

Auditing accounting estimates often warrant more audit attention because they involve subjective factors and judgments, which make them susceptible to management bias.^[15] We find that auditors at times fail to understand how an estimate was determined^[16] — what assumptions and methods were used and whether the assumptions used made sense in the circumstances.

Some engagement teams do this well — they understand the assumptions and methods used and evaluate them to be reasonable but then they fall short by neglecting to examine the data that was used to develop the estimate or fair value. In some cases, they don't perform any testing beyond inquiry with management. Inquiry alone, of course, is not sufficient. ^[17]

We have seen some positive remediation steps here — we have seen some firms centralize valuation processes, require more detailed information for asset classes and provide additional tools to their audit teams. As a result, we have seen a decline in inspection comments related to the use of pricing services. Despite improvements in that area, remedial actions for the remaining issues in testing of estimates including fair value are still necessary and unfortunately, we still see many inspection comments related to how controls over the process have been tested.

Keep a focus on how you audit allowance for loan losses, inventory reserves, and tax-related estimates and how you go about identifying and evaluating indicators of asset impairments — be they long-lived assets, or goodwill and/or other intangible assets. This will be particularly important if mergers and acquisitions activity continues at the pace predicted.

Engagement Quality Review

The engagement quality review, when properly executed, can serve as an important safeguard against insufficiently supported audit opinions because it can identify significant audit deficiencies before the audit reports are issued.^[18]

Firms have taken steps to provide engagement quality reviewers with additional tools (including checklists). Inspections staff, however, continue to find instances where an audit deficiency should have been identified by the engagement quality reviewer.^[19] Inspections staff have been performing more in-depth procedures and preliminary indications are that some engagement quality reviewers:

• Lacked a sufficient understanding of the internal control testing performed by the engagement team. This may not be surprising, given the persistent recurring deficiencies around audits of internal control.
• Did not demonstrate professional skepticism, especially when using firm specialists.
• Used assistants but did not effectively supervise and review the work performed by the assistants.
• Did not devote sufficient time to the review or performed the review too late to have an impact.

Prompt and Active Steps to Address Deficiencies Critical to Reducing Deficiencies

Firms are tackling some very challenging audit practice problems — professional skepticism, supervision and review and the audit of estimates are recurring themes. Some firms have failed to take satisfactory remedial actions in the past to address problems in these areas.

We recognize that remedial actions vary based on the size and complexity of a firm's practice. What we've found to work for all firms, though — small or large — is that the remedial actions are more successful when the firms perform a robust root cause analysis of what caused a deficiency. This entails performing a critical analysis of what caused a deficiency; implementing timely actions; and monitoring whether an action is effective and self-correcting if necessary.

I also urge firms to engage with us early and often during the process. We have dedicated staff to the remediation process and they are available to work with a firm throughout the 12 month remediation period.

I encourage you to review the staff guidance we issued last year concerning the remediation process — it is a helpful tool. To be successful — a remedial action will meet five key criteria — change, relevance, design, implementation, and execution and effectiveness^[20].

• Change: Does the remedial step represent a change to the firm's system of quality control that was in effect at the time of the conduct that resulted in the quality control criticism? Depending upon the circumstances, relevant change may involve supplementing or replacing previous guidance, policies, or procedures or taking steps to increase the technical competence and proficiency of the firm's personnel.
• Relevance: Is the remedial step responsive to and does it specifically address the quality control criticism described in the inspection report; and, does it help satisfy compliance with the Board's quality control standards? If the root cause of the underlying quality control criticism is unclear, did the firm perform an appropriate root cause analysis in developing the remedial action?
• Design: Is the remedial step appropriately designed (either individually or in combination with other actions) to remediate the quality control criticism?
• Implementation: To what extent was the remedial step put in operation by the close of the 12-month remediation period? If not fully implemented, has the firm demonstrated an appropriate level of diligence and reasonable progress in addressing the criticism during the 12-month period?
• Execution and Effectiveness: Has the remedial step achieved (or, if sufficient time has not passed to measure results, is it expected to achieve) the proposed effect that it was designed to achieve? If available, what do the subsequent firm monitoring procedures and external inspection results suggest about the effectiveness of the remedial step?

And again, engage us early and engage us often.

Looking Ahead to 2015

Inspections staff are in the midst of planning the 2015 inspections. We consider a number of factors as we scope our inspections. We consider the 2014 deficiencies, and we intend to see how firms are addressing past problems. You should be looking to these deficiencies that I cited and taking steps to prevent these same problems. In addition to the typical risk areas that we focus on I want to highlight some newer areas for this cycle: —

1. Environmental risks

First, environmental risks. The world changes rapidly. Environmental developments have a significant effect on financial reporting risks. Some factors that we will take into account include:

• Merger and acquisition activity - High cash levels, low interest rates, and shareholder pressure for growth have stimulated merger and acquisition (M&A) activity.^[21] This high pace of M&A activity heightens financial reporting risks for both sellers and buyers and auditors should be attuned to this. In the past, we have seen auditors place reliance on controls around business combinations only to not test them. Many engagement teams believe that if they tested the business combination that they tested the controls — that does not necessarily follow. In other situations we have seen auditors not test data produced by the company — especially data used to prepare cash flow projections used to support valuations. If your client is buying or selling — it is important to consider these pitfalls.
• Income taxes - Income taxes continues to be a hot topic. As U.S. issuers continue to grow their profits in lower tax jurisdictions, the spotlight on undistributed earnings and cash held overseas raises the risk in this area. We have seen audit issues in the past inspection cycle in this area — most commonly related to controls over these aspects of income tax accounting and disclosures.
• Investment returns - Auditors should continue to be attuned to risks in investment portfolios. The valuation of financial instruments — especially hard to value securities — has been an ongoing and recurring audit deficiency in the past inspection cycles — something I have spoken about here the last two years.
• Falling oil prices — The recent decline in oil prices can have varying effects — for some, positive and others not so. Consider whether this is affecting the client you are auditing and how your audit will approach this risk.
• Statement of Cash Flows — similar to what Kirk Crews highlighted on Monday, we too will be focused on the basics, including the statement of cash flows. Did the issuer and auditor appropriately identify and address all significant transactions that might have a meaningful impact on the statement?

2. Big data and move to testing full populations

The advent of big data and the move to testing full populations will provide firms with opportunities. Inspections staff will be looking to understand:

• What controls firms have in place to ensure that the software used to test the data works.
• What steps firms have taken to ensure that they audit engagement teams understand how to use big data and how they are developing their critical thinking.
• What steps firms are taking to ensure that they develop the professional skepticism skills and professional judgments skills of their audit engagement teams in light of the technology advances?

A lot of opportunities, but also a lot of risks that need to be addressed.

3. Cyber-security risks

Cyber-security risks continue to be prominent. Inspections staff will be considering how engagement teams evaluate cyber-security risks and consider those in the integrated audit.

4. PCAOB Broker-dealer standards

We are continuing with the interim program and are currently inspecting some audits that have been performed under PCAOB standards — standards that became effective for audits with fiscal years ended on or after June 1, 2014. So this is a big change for some — prepare yourselves. If you have questions, give us a call.

We are also taking a careful and informed approach towards establishing a permanent inspection program for broker-dealer auditors. We are continuing to obtain and evaluate information. Our staff are working to develop a rule proposal for the Board to issue during 2016 to establish a permanent inspection program and its scope, which will address whether to exempt any category of registered public accounting firm.

What Concerns Me

If you ask me what concerns me — here are three areas:

1. Independence

I have two concerns in this area - The recent business activity that has been occurring with audit firms buying consulting businesses has raised concerns with how it will be operationalized. We are paying particular attention to the services provided (both attest and consulting) — on a global level — in order to evaluate whether firms are maintaining their independence in both fact and appearance. We are particularly concerned with how this will affect the quality of the audit.

For broker-dealers, I continue to have concerns about the number of auditors that are preparing financial statements and other activities that create independence problems. We have communicated this issue with firms — we have raised this issue in each of our forums and our progress reports. We are dismayed at how some firms continue to have a problem in this area. Claudius will soon speak about some of the enforcement actions that have been taken.

2. Initiatives to Boost Profits

Firms take various actions to combat fee pressure and price competition around the world including expanding non-audit and related services and outsourcing audit work to off-shore locations. These all pose various risks that we continue to look at.

I want to see an audit profession that is healthy, profitable and innovative, and I hope that firms will continue to invest in the health of their audit practice. Offshoring offers great opportunities — as does the advent of new technology. But I ask — how do firms ensure that staff at all levels and especially those at the early levels are being trained in the most fundamental areas of the audit? How will they develop their professional judgment and experience that is needed to solve complex problems? How will you supervise and train them?

We have seen firms struggle with remediating how they supervise and review audit work, how they apply their professional skepticism and how they audit estimates. These areas pose a lot of risks, many of which are long term. Firms need to be diligent in addressing these pressing issues as they move towards the audit of the future. With all these issues in play, firms need to consider whether their current staffing model is meeting needs.

3. International

We have been blocked from doing inspections in a number of jurisdictions including certain locations in Europe and China. We have made a great deal of progress but the lack of access continues to be a concern. For example, the market capitalization of issuers audited by firms registered in China and Hong Kong exceeds $1 trillion.^[22] This concerns me and should concern you. Without the benefit of PCAOB inspections investors face additional risks and auditors lack valuable input which can lead to improved audit quality. I look at the significant progress and improvement made in the US in the last decade and worry that the quality of work in other parts of the world will continue to lag until rigorous cross-border inspections can be put into place. I hope and expect that our progress to expand our agreements with counterparts in other jurisdictions will continue.

Significant Audit Deficiencies Persist But Promising Improvements

Twelve years after the establishment of the PCAOB, it concerns me that we continue to find significant audit deficiencies in the riskier audit areas that we select for inspection. In these cases, auditors issued unqualified opinions where they should not have — and that should be very concerning to all. No, it does not imply that there material errors in the financial statements, but it leaves the investors without the confidence they deserve.

Even accounting for the fact that we selects audits and areas of inspection focus that are most likely to pose risk -- and while there are improvements at some firms -- the high number of audit deficiencies continues to concern me. The nature and extent of deficiencies appears to change over time, reflecting improvement in certain areas by some firms and new risks and continuing challenges in other areas.

When significant audit deficiencies exist, there is a risk that auditors will not detect material misstatements. Over the years, firms have performed additional audit procedures in response to the significant audit deficiencies identified in our inspections that resulted in a restatement of financial statements. Fortunately, these have been few but these risks are not insubstantial and that is why performing a high quality audit in each case is necessary to prevent such events.

It is particularly important for the engagement partner and senior engagement team members to focus on the critical audit areas — for example, those involving complex areas of the financial statements, management's most difficult or subjective judgments, controls addressing complex processes or areas of high risk — in order to address the risks with the audit.

It is also critical for the engagement quality reviewers to keep these matters in mind when performing their engagement quality reviews.

So — what are my take-ways from 2014 -

• The most common deficiencies relate to audits of internal control, assessing and responding to risk of material misstatement, audits of fair value measurements and estimates and testing of data and reports.
  • It is critical for the auditor to understand an issuer's operations, including how transactions flow and the controls in place to detect a risk of material misstatement.
  • Firms are most successful in addressing problems with audit quality when they assess the underlying root causes in a timely and balanced fashion and tailor their responses to address those causes

The audit profession has a solid and valuable underpinning. So let's build on that foundation by using our experience and lessons learned to build a better future audit.