Careers
SubscribeAuditor Oversight, Corporate Boards and the Benefit for our Capital Markets
Introduction
I appreciate the opportunity to be with you today to share my views on the complementary roles of the Public Company Accounting Oversight Board (or PCAOB) and boards of directors of public companies, and the positive effects we jointly can have in rebuilding investor confidence in our capital markets. I plan, in addition, to share my perspective on where the PCAOB is heading on a couple of key initiatives.
Before I go further, I must note that the views I express today are my own, and not necessarily those of the Board or of its other members or staff.
The selection of your conference venue resonated with me. That is, it is notable that you should choose to locate your conference on corporate governance here in Washington, DC rather than in one of the capital market centers. I imagine that the NACD chose Washington not because you are Redskins fans, nor because you are hoping to watch a World Series game. You are also six months early (or late) for cherry blossoms. Clearly your choice of Washington for the NACD’s annual corporate governance conference is a recognition that corporate governance issues are increasingly impacted by public policy decisions made here in Washington.
In the United States, we have always assumed that it is in the nation’s public interest for commerce and markets to be free and open. This approach has proven to foster the greatest amount of competition, innovation and a broad generation of wealth. This assumption is based on a belief that markets work. Yet, the U.S. approach to corporate governance also reflects the reality that markets work imperfectly at times. When that occurs, confidence (i.e., investor participation) in commerce and markets can be negatively impacted.
Restrictions on commerce and markets typically occur in this country when corporate behavior is perceived to be outside the general public interest, and laws and financial regulations are often developed in order to steady the course. Thus, the U.S. regulatory environment has developed over time through a series of responses to identified problems and, as a result, might be viewed as a measure of social values in the United States. The Sarbanes-Oxley Act of 2002 follows this pattern.
The Sarbanes-Oxley Act of 2002
Though it has been only a few years, it is useful to recall the events leading up to the passage of the Sarbanes-Oxley Act. For much of the 1990s, debate ensued over the limitations of GAAP accounting to capture value in an environment where the most valuable corporate assets – such as human and intellectual capital – did not appear on corporate balance sheets. What was not challenged during that time period was the certainty that the financial reporting that did exist could be relied upon. When Enron, WorldCom and other corporate accounting scandals shook that fundamental confidence, Congress chose to act.
In passing Sarbanes-Oxley, Congress sought to restore investor confidence and address serious gaps in the U.S. regulatory framework that were identified through those scandals of 2001 to 2002. Among other things, there was an increased recognition of the need to bolster internal controls over financial reporting and bring an enhanced focus to corporate governance.
The Sarbanes-Oxley Act enhanced the corporate governance role of corporate directors. Through the Act, as you have experienced, Congress required corporate governance responsibilities for boards of directors, including those related to the oversight of the company’s external auditor. Audit committees, in particular, have moved to the front-line, charged with enhanced responsibility for the quality of financial reporting and oversight of internal and external audits within their companies.
The PCAOB
As you well know, the Sarbanes-Oxley Act of 2002 also established the PCAOB as the independent auditor oversight body. The PCAOB’s mission is to oversee the auditors of public companies, protect the interests of investors, and further the public interest in the preparation of informative, accurate, and independent audit reports. The PCAOB does this through its inspections, standards setting, and enforcement programs. Since the PCAOB opened its doors in January 2003, it has registered more than 1,700 accounting firms that audit, or wish to audit, U.S. public companies. Once registered, these firms become subject to the PCAOB’s regulatory programs and must use PCAOB standards when they audit public companies.
In its fourth year of operation, the PCAOB is moving from a start up to a steady state environment and thinking strategically about how the PCAOB should execute its mandates in the immediate- and longer-term. In carrying out its mandates, the PCAOB cooperates closely with the Securities and Exchange Commission, not only because the SEC oversees the PCAOB’s activities, but because the PCAOB and the SEC share the mutual objective of investor protection. The PCAOB continues to explore ways to improve its audit requirements and their implementation by audit firms, while preserving the intended benefits. For example, at the moment, the SEC and the PCAOB are closely coordinating work on implementing Section 404.
Section 404
As you have experienced first-hand, the Sarbanes-Oxley Act included provisions regarding internal control over financial reporting (or ICFR). The term “internal control over financial reporting” refers to a company’s system of checks and processes designed to ensure that it protects corporate assets, keeps accurate records of those assets as well as its financial transactions and events, and prepares accurate periodic financial statements. As we know all too well, Section 404 of the Act requires public companies annually to provide investors an assessment of their ICFR, accompanied by an auditor’s report on the same subject. Section 103 of the Act mandated that the PCAOB issue an audit standard regarding ICFR.
It is worth noting that the concept of the need for internal control over financial reporting was not born with Sarbanes-Oxley. Congress has acted in this area more than once, notably by mandating internal controls through the Foreign Corrupt Practices Act of 1977 and the FDIC Improvement Act of 1991, before the more recent Sarbanes-Oxley Act of 2002. That said, the Sarbanes-Oxley Act’s requirement for quarterly management certifications, annual management assessments of controls, and independent auditor attestations of those assessments did, however, raise corporate responsibilities for internal control over financial reporting to a higher level.
Almost two years ago now, the PCAOB issued Auditing Standard No. 2 (AS2), implementing Sections 103 and 404(b) of the Act. Almost from the start, the cost of implementing Section 404 and AS2 has been – and remains - on the top of agendas from Congress to Wall Street to boardrooms in the United States and abroad. Since I joined the PCAOB as its Chairman in July, I have had the opportunity to meet with several CEOs of public companies, most of which are entering their third year of compliance. Virtually without exception, these CEOs have remarked that the internal control framework has made them better companies. But, virtually all also believe that the incremental cost to date has exceeded the incremental benefit. In my opinion, this underscores the need for the PCAOB to take another look, and build into its standard clearer guidance regarding efficient, risk-based, scalable implementation. I am grateful that my predecessors – Bill McDonough and Bill Gradison – were on top of and had already begun to address this issue.
Revising Auditing Standard No. 2 (AS2)
Since the PCAOB adopted AS2, it has been focused on the standard’s successful implementation. The PCAOB is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control. This determination has driven the PCAOB to explore ways to improve its audit requirements and accounting firms’ implementation of them, while preserving the intended benefits. In addition to considering changes to its standard, the PCAOB has also designed its 2006 inspections of registered public accounting firms to examine how efficient firms’ internal control audits have been, as measured by PCAOB’s past guidance.[1] The PCAOB expects these inspections to drive more efficiency into audits.
While the PCAOB has provided additional guidance to facilitate and streamline implementation, it also decided on May 17, 2006, to propose and seek comment on amendments to AS2 to focus auditors on areas that pose higher risk of fraud or material error.[2] The PCAOB is well on its way to proposing a new version of its standard later this fall.
It is the PCAOB’s intention that the amended standard will achieve four goals:
- First, the PCAOB plans to propose changes to make the standard simpler to read, easier to understand and more clearly scalable to companies of any size. At the same time, by emphasizing core principles, the new proposal is expected to focus auditors on the areas of greatest importance.
- Second, the PCAOB is critically evaluating every area of the audit to determine whether the existing standard encourages auditors to perform procedures that are not necessary to achieve the intended benefits of the audit.
- Third, the PCAOB plans to propose changes that would make explicit in the standard the PCAOB’s past guidance on how to make internal control audits as efficient as possible.
- Fourth, the proposal should emphasize the importance of a company’s control environment, and how it can impact the risk of financial reporting fraud or other material failure, in order to focus auditors on what really matters, which is identifying material weaknesses in a company’s system of internal control before those weaknesses result in material misstatements in the company’s published financial statements.
I mentioned a moment ago that AS2 and Section 404 of the Sarbanes-Oxley Act are areas where the PCAOB and the SEC are collaborating closely. While the PCAOB is revisiting its standard with the aim to release a proposal later this fall, the SEC simultaneously is in the process of developing risk-based management guidance for implementing Section 404. The SEC recently announced that it will hold an open meeting on December 13th to consider recommendations regarding Section 404. Because there is great deal of value in these two initiatives being available for public consideration concurrently, the PCAOB is coordinating with the SEC so that the comment periods for the PCAOB’s revised AS2 and the SEC’s management guidance overlap sufficiently.
Smaller Firms and Smaller Issuers
As I just mentioned, the PCAOB is determined to make internal control audits as cost-effective as possible for companies that are required by the SEC’s rules to obtain an audit report on internal control. We are particularly focused on the burden on smaller issuers. Among other things, based on the experience of small companies and auditors who have been – and are currently going – through the process of establishing and evaluating internal control, the PCAOB is working with practitioners to develop implementation guidance for auditors of smaller public companies.
The guidance contemplated will emphasize the scalability of internal control audits at a practical level and provide audit firms with examples of how the internal control audit process can, and should, be scaled to fit the relative sizes of small companies, from those that are on the cusp of accelerated filer status down to those that have merely a handful of employees. In addition, the PCAOB is exploring various means of facilitating training for auditors of smaller public companies on auditing internal control. With constructive, practical guidance, and with the SEC’s recent announcement extending the time frame for implementing the Act’s internal control requirements, the PCAOB hopes that smaller companies and their investors will be able to achieve the benefits of internal control reporting without unnecessary costs.
Trends in ICFR reporting
Over the last few years, as auditors of large, established public companies– which the SEC refers to as accelerated filers - have been required to assess and obtain an audit of ICFR, we have seen companies make the shifts necessary to comply with the internal control and other related provisions of the Act.[3] We understand that many of you have made significant investments in order to come into compliance with these requirements.
Due to the passage of time since the enactment of the requirements, for the first time, information on the quality of internal controls over financial reporting and disclosures is available to the public. The availability of this information is itself directly because of Sarbanes-Oxley’s requirements for quarterly certifications by management of disclosure controls, and annual management certifications of internal controls over financial reporting and independent audits thereof.[4]
The problems identified by accelerated filers in the first two years of reporting tell us a great deal about the progress made already. Our analysis of these data indicates encouraging trends:
- The overall rate of opinions on ICFR that describe material weaknesses in ICFR has declined from 15.8 percent of all opinions filed for the first year to an estimated 9.6 percent for the second year.
- Although the number of qualified ICFR opinions that reference either restatements or material year-end adjustments continues to be high as a percentage of total qualified ICFR opinions, there has been a shift from those referencing restatements of previously issued financial statements to those referencing current year errors. This may imply that errors are being identified earlier than in the past.
While these results are promising, it is worth taking a look at the nature of the material weaknesses that are being reported. The areas of staffing, training or competence continue to be the most commonly reported weaknesses. The qualified ICFR opinions that included material weaknesses related to these staffing areas, as a percentage of total qualified ICFR opinions, increased from 48.1 percent in the first year to 52.8 percent in the second year.[5] In addition, exceptions related to improper segregation of duties remained high at a total of 14.3 percent of all qualified ICFR reports. We can expect that number will be even more significant for non-accelerated filers.
In terms of the types of errors in accounting referenced in ICFR reporting, the percentages have not changed significantly in the two years. Revenue recognition, tax accounting and inventory accounting issues remain the highest in frequency.
The PCAOB Inspections and Audit Committees
Sarbanes-Oxley requires the PCAOB to conduct annual inspections of any registered accounting firm that audits more than 100 public companies, and to regularly (at least once every three years) inspect other registered firms that audit public companies. PCAOB inspections are risk-based and designed to identify auditing problems at an early stage and focus firms on correcting them. In short, we are taking a supervisory approach to our inspection program. Our approach emphasizes a constructive exchange between the firm and the PCAOB, and concerns that our inspectors identify during inspections are often promptly addressed by the firm being inspected.
In addition to the constructive exchange and progress that occurs during an inspection, the PCAOB also carries out the important task, required by the Act, of preparing a report on each inspection. To date, the PCAOB has issued more than 300 inspection reports, including two reports on each of the four largest firms. To comply with restrictions set out in the Act, Board inspection reports frequently include portions that the Board does not disclose publicly. Publicly available portions of the reports, however, are posted on the Board's Web site and provide a summary description of any significant deficiencies identified by the Board's inspectors in the audits they reviewed. Nonpublic portions of a report may include, among other things, criticisms of a firm's quality control system. If the nonpublic portion of any particular report does include quality control criticisms, the Act allows the firm 12 months to address those criticisms, and provides as incentive a statutory requirement that those criticisms must remain nonpublic if the firm adequately addresses them in those 12 months.[6]
I encourage directors, particularly those that are members of the audit committee, to discuss the results of PCAOB inspections with their auditors. In some instances, for example, such a dialogue may assist audit committee members that are seeking to better understand their audit firm’s quality controls. If quality control criticisms are identified, the audit committee should inquire whether the firm has remedied them or what the firm is doing to remedy them.
You should also be aware that PCAOB inspectors may select the audit of your company as part of a routine inspection of an auditor. The focus of these inspections is on the quality of the audit performed and, in most cases, the inspector's comments will be targeted at areas where the auditor's performance of the audit was not satisfactory. In some cases, however, audit committees have found that they are faced with accounting issues as a result of questions raised by the PCAOB inspection team. Over the last few years, a number of restatements have resulted from GAAP issues identified in PCAOB inspections, or from auditing deficiencies that, when remedied by the auditor, focused the auditor and the issuer on a GAAP error.
It is important to stress that the PCAOB is not the authority on disclosure or GAAP issues in SEC filings – that is the purview of the SEC. However, our inspections must look at how and why the auditors made the calls they did on difficult accounting issues in client financials, which may lead to the identification of potential GAAP issues. In such circumstances, the inspectors will review the potential issues with the audit firm. If it appears to the PCAOB that financial statements may materially depart from GAAP, or were prepared by an auditor that was not independent, the PCAOB will describe that in the inspection report and inform the SEC.
Market Data
It has been four years since the corporate scandals that led to the passage of the Sarbanes-Oxley Act. Many in business, government and academia are busy evaluating the cost and overall impact of Sarbanes-Oxley. Some are focusing their research on the extent to which investors are recognizing improvement in the reliability of financial reporting by U.S. public companies. Others are looking at whether Sarbanes-Oxley has adversely affected capital markets and capital formation in the United States. Studies of these issues are difficult to conduct and, as a result, the conclusions can be misleading or contradictory.
For example, we continue to hear concern that the costs associated with Section 404 of Sarbanes-Oxley is leading some capital-seeking companies away from U.S. securities markets. On this point, critics look to the recent growth in non-U.S. markets.
To be sure, many markets outside of the United States have risen to become global players. As a result, companies today are presented with more options when they are determining where to raise capital, whether it be on a non-U.S. market or through private capital. The U.S. markets have never been the low cost alternative, however. Therefore, we should bear in mind all the factors that impact the competitiveness of the U.S. capital markets. Increasingly, many are viewing private litigation as the most significant force working against U.S. competitiveness. Also, a recent study conducted on behalf of the London Stock Exchange observed that relatively higher costs of issuing equity in the United States was mainly due to the systematically higher underwriting fees charged for U.S. transactions.[7]
The same LSE study observed that regulatory and corporate governance frameworks can be received by investors as a positive signal to investors. While there may be lags in time before benefits of regulation can be fully appreciated, having the right balance of oversight and regulation protects the reliability, stability and depth of U.S. capital markets, so they can continue to attract investors and issuers worldwide.
Critics of Sarbanes-Oxley often point to the growing percentage of IPOs issued outside of the United States. That claim needs to be considered in historic context.
At the start of the 1990s, the U.S. markets were on an upward trend. Markets for equity securities, particularly in the United States, experienced an unprecedented increase in value and activity. There also was a significant spike in the number of IPOs that peaked in the United States in 1996. Then things began to turn at a rapid rate through 2001. A number of factors, including the dot.com bubble and the terrorist attacks of September 2001, led to a substantial loosening of monetary policy and interest rates, and an increase in equity risk premiums. The resulting flood of cheap liquidity into capital markets led to an increase in highly-leveraged private equity transactions that continues to this day. It is important to point out that these developments occurred well before Enron, WorldCom or Sarbanes-Oxley.
This perspective helps in scrutinizing some of the data that is being used to implicate Sarbanes-Oxley. For example, with regard to the downward trend in U.S. IPOs that is frequently associated with the burden of Sarbanes-Oxley, while it is true that the largest IPOs in the last three years have chosen to list on non-U.S. exchanges, analysis of these listings indicates that most of them have resulted from privatization of large state-owned companies through sales of minority interests. It should not be a surprise that the choice of jurisdiction may be more limited for IPOs of state-owned companies. We should also not lose sight of the fact that the U.S. share of world IPO activity has been on a downward trend since 1996, which I mentioned a moment ago.
In contrast, while IPO numbers may appear unfavorable, listings on U.S. markets continue to command a valuation premium.[8] Indeed, in the two years since companies have been reporting and obtaining audits on their internal control, the amount of capital raised by non-U.S. companies on U.S. exchanges has grown, not shrunk as it did in the years directly after the scandals.[9] The liquidity and depth of the U.S. markets remain unsurpassed. I expect that we will see a continued dominance of U.S. capital markets, particularly in the long term.
Conclusion
In conclusion, it is worth reiterating the importance of your role as corporate directors, which has, without a doubt, been strengthened due to several provisions within Sarbanes-Oxley. I appreciate that the net effect of these requirements, combined with the heightened expectations of the market, have resulted in increased reputational risk for board members of public companies.
While defining additional responsibilities of the audit committee, the Act also transformed the dynamic between public companies and their auditors. The PCAOB and the SEC understand that additional guidance is warranted in order to assist companies and their auditors to fully transition. On this point, I encourage you and your management teams to carefully review the proposed SEC management guidance and the proposed PCAOB revisions to AS2 in the coming months and provide feedback.
This morning I have addressed how public policy and corporate governance intersect. I have also addressed how there are efforts underway to bring the cost and benefit of the internal control requirement back into alignment. I have not specifically addressed the significance of tone at the top, which may be the single most important role of corporate directors. If you are a non-accelerated filer, and you have taken my remarks this morning as meaning you have time before moving toward Section 404 compliance, or if you are an accelerated filer, and you have taken my remarks as meaning it is merely a time for adjusting the cost and benefit, I encourage you to step back and re-think the fundamentals of internal controls. Regardless of whether you are an accelerated or non-accelerated filer, as a corporate director you should focus on understanding the risk profile of your company…and work with your management to ensure that they design controls that are consistent with your risk profile.
Thank you again for your time today.
[1] See PCAOB Release No. 104-2006-105, Statement Regarding the Public Company Accounting Oversight Board’s Approach to Inspections of Internal Control Audits in the 2006 Cycle (May 1, 2006), available at http://www.pcaobus.org.
[2] Previous guidance has included five sets of interpretive guidance issued by the PCAOB staff in the form of answers to frequently asked technical questions on the implementation of AS2. These questions and answers are available at Auditing Standard 2. Guidance has also included a policy statement issued by the PCAOB on May 16, 2005, describing ways auditors can make their internal control audits as effective and efficient as possible, adding an emphasis, among other things, on risk-tailoring the audit, using a top-down approach, and using the work of others. See PCAOB Release No. 2005-009, Policy Statement Regarding Implementation of Auditing Standard No. 2 (May 16, 2005). With regard to the May 17, 2006 announcement, See PCAOB News Release, Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements (May 17, 2006), available at http://www.pcaobus.org.
[3] The initial assessments and audits for accelerated filers were required by SEC regulations to be included in their annual Form 10-K filings for fiscal years ending after November 14, 2004.
[4] Data compiled by Audit Analytics for reports on internal controls filed as of August 14, 2006 indicate that 2874 issuers have filed their second report on ICFR. An additional 374 issuers have filed their first report, bringing the total to 3,248 filers. These filers are primarily those required to file as a result of their qualification as U.S. accelerated filers. Accelerated filers are those issuers with market capitalizations in excess of $75 million.
[5] Source: Audit Analytics.
[6] See Section 104(g)(2) of the Act. The legislative approach reflected in Section 104(g)(2) rests on the premise that firms could be genuinely motivated to improve their quality controls by the prospect of keeping the Board’s criticisms confidential. The Board’s early experiences with the process generally validate the wisdom of that premise. See PCAOB Release No. 104-2006-078 , Observations on the Initial Implementation of the Process for Addressing Quality Control Criticisms within 12 Months After an Inspection Report, March 21, 2006, available at http://www.pcaobus.org; see also PCAOB Release No. 104-2006-077 , The Process for Board Determinations Regarding Firms’ Efforts to Address Quality Control Criticisms in Inspection Reports, March 21, 2006, available at http://www.pcaobus.org
[7] See Oxera Consulting Ltd., The Cost of Capital: An International Comparison (June 2006), at 4, available at http://www.londonstockexchange.com/NR/rdonlyres/B032122B-B1DA-4E4A-B1C8-42D2FAE8EB01/0/Costofcapital_full.pdf .
[8] Remarks of Noreen Culhane, Executive Vice President, Global Corporate Client Group, New York Stock Exchange, printed in Ernst & Young, Accelerated Growth: Global IPO Trends 2006, at 26 (An “underlying motivation for most companies listing in the U.S. is the valuation premium (average 30 percent) that accrues as a result of adhering to high standards of governance.”).
[9] See Cowan, Lynn, “Foreign Companies Cash in on U.S. Exchanges, Wall Street Journal, August 28, 2006, at C6.