The PCAOB: A Two-Year Report Card

Date:
Oct. 18, 2004
Speaker:
Kayla J. Gillan, Board Member
Event:
National Association of Corporate Directors 2004 Annual Corporate Governance Conference
Location:
Washington, DC

Thank you, Gerry, for that gracious introduction. It’s a pleasure to be here this morning, and to see so many familiar faces.

It’s hard to believe, but in just one week the PCAOB will be celebrating its second birthday. The founding Board members were appointed by the SEC on October 25, 2002, and we opened our doors for business 2 and ½ months later, on January 6, 2003. I’m proud to say that we have gone from essentially a start-up with eight employees on day #1 to an organization of over 250 people.

Our Chairman, Bill McDonough, spoke to you a year ago, at this very conference, and I know that he told you that the PCAOB is a private-sector, non-profit corporation, and that we are under the oversight of the SEC. I also know that many of you have followed the PCAOB closely, and so I won’t repeat the basic facts of who and what we are. Instead, I want to give you a “report card,” so to speak, of what’s been accomplished during the past 22 months, and what still lays ahead. In doing this, I hope to focus particularly on the impact of the Board’s work on audit committee members.

Before I begin, I should note that the views I express are my own, and not necessarily those of the Board, its other members or staff.

Let me start with a brief review of the Board’s responsibilities, as Congress laid out in Title 1 of the Sarbanes-Oxley Act.

  • The Act says that the Board’s mission is to oversee the audits of public companies, protect the interests of investors, and further the public interest in the preparation of informative, accurate, and independent audit reports.
  • The Board’s responsibilities generally fall into four broad categories.

    1. The first is registration. We created an on-line system for all public accounting firms that audit “issuers” to register with us.
    2. Second, we are required to inspect these registered firms.
    3. Third, we are charged with establishing auditing, quality control, ethics, and independence standards for the auditors of public companies.
    4. And lastly, we must investigate registered firms for possible violations of the Act, relevant rules, or professional standards, and we must use enforcement tools when necessary.

I will touch briefly on what the Board has done in each of these four areas, what is next on our agenda, and how public companies and their directors will be affected by our work.

Registration of Public Accounting Firms

Since October 22, 2003, it has been illegal for any U.S.-based accounting firm to issue an audit report with respect to an SEC-reporting company unless the firm is registered with the Board. Foreign firms were required to register by July 19 of 2004.

Registration is important because it forms the foundation for the Board’s authority over the profession – that is, only registered firms are required to comply with our standards, and are subject to our inspection and enforcement authority.

Over 1,300 auditing firms have registered with the Board. Roughly 850 of those are U.S. firms and the remaining 450 or so are foreign.

  • According to a recent GAO report, four firms – the so-called Big Four – audit over 78 percent of all public companies and nearly 99 percent of public company sales revenue.
  • Nine firms (8 U.S. firms and one Canadian) have at least 100 audit clients that are SEC registrants. The great majority of the remaining registered firms have fewer than 5 public company clients, and about 150 registrants have none at all.

A list of registered firms – along with copies of Board releases, comment letters, speeches, and auditing standards – is on the Board’s Web site at www.pcaobus.org.

Inspections

Once a firm is registered with us, the law requires the Board to inspect it.

  • Inspections assess compliance with the Sarbanes-Oxley Act, with Board and SEC rules, and with professional standards.
  • In the case of the firms that audit more than 100 public companies, these inspections must be annual. (As noted, there are 8 such firms in the US, and 1 in Canada.)
  • For the other registered firms that have at least one SEC client, inspections will take place at least once every three years. (We do not plan to inspect firms with no SEC clients.)

Although the regular inspection cycle just began this year, we launched our inspection program in 2003 with “limited procedure” inspections of the Big Four firms. The focus of these first-year inspections was on both how the largest firms conducted selected audit engagements, and on how the firms operate as businesses.

With respect to specific audit engagements, our inspectors reviewed at least 16 engagements for each firm. These engagement reviews were in depth – they involved both review of the workpapers and interviews with the audit staff involved. Our inspection staff does not “re-audit” the financial statements, but rather focuses on specific areas it views as higher risk (either because of the issue or the personnel involved). We hope to eventually expand the scope of our reviews to roughly 10 percent of the major firms’ public company engagements.

With respect to firm operations, some of the things that our inspectors looked at included:

  • The “tone at the top”; what ethical culture is firm management seeking to infuse into the organization?
  • How (and for what) are partners compensated and promoted?
  • How does the firm seek to assure uniform audit quality and worldwide compliance with U.S. standards when SEC-registered clients are partially audited by the firm’s foreign affiliates?
  • How does the firm internally inspect its own practice?
  • How does the firm decide to accept a new client, or retain an existing one?
  • How does the firm monitor its activity to ensure compliance with the independence rules?

A couple of points may be of special interest to audit committee members, concerning our inspection process:

  • As part of reviewing specific audit engagements, our inspectors look at how the auditors made tough calls on the application of accounting principles in client financial statements. Because of their access to audit work papers, our reviewers are likely to be able to focus on GAAP issues in greater depth than can the SEC in routine filing reviews. Inevitably, the review of an audit engagement is a review of both the auditor’s procedures and the client’s financial statements.
  • As part of reviewing audit engagements, we also look at the auditor/audit committee relationships. In the 2003 limited inspections, the inspection teams interviewed about 50 audit committee chairs to assess the accounting firm’s relationship and communications with the committee. Remember: we are not trying to assess the audit committee. The Board can’t compel an audit committee member to speak with the inspection staff, but none of the 50 or so audit committee chairs contacted refused. In fact, many expressed support for the Board and its work.

These interviews have focused on such matters as:

  • The frequency and nature of discussion between the auditor and the audit committee;
  • The audit committee’s expectations and evaluation of the auditor;
  • Auditor communications regarding critical accounting judgments, including revenue recognition policies;
  • Communications about audit adjustments, related party transactions, and sensitive management estimates; and
  • Audit committee philosophy regarding approval of non-audit services.

If your company’s engagement is selected for review as part of the Board’s inspection of your auditor, please don’t panic and don’t assume it means the Board thinks your audit was “risky.” Remember that it is the audit firm, not the client that is being inspected. I urge you to view this as an opportunity to gain additional insight into the job your auditor is doing.

On August 26, 2004, the Board issued inspection reports describing the results of the 2003 Big Four inspections.

  • The reports have both a public and a non-public portion. The public portion is available on the Board’s Web site.
  • The Sarbanes-Oxley Act prohibits the Board from disclosing criticisms of a firm’s quality controls, unless the firm fails to correct those deficiencies within 12 months. (The SEC and the appropriate state regulators get the whole report.)

Three key points for directors to bear in mind about the reports:

  • It is important not to draw definitive conclusions from such small samples.
  • The public portions give a sense of the impact that review of GAAP compliance is likely to have. At least 20 issuers filed restatements as a result of GAAP issues identified in the 2003 inspections.
  • Audit committees are likely to be interested in the Board’s assessment of the quality controls at their audit firm. As I mentioned earlier, the Board cannot make these comments public unless 12 months have passed and the firm has failed to satisfactorily address our concerns. But, there is nothing to prevent the firms themselves from sharing these non-public comments with their clients (redacting, of course, identifying information about their other clients.) I would advise audit committees to question firm-authored summaries of these non-public portions of an inspection report, to ensure that summaries do not amount to comment cherry-picking.

This year, our inspections are no longer “limited.” We are inspecting the largest 8 US firms, plus between 80 and 100 smaller firms. Our reports will not be issued en mass, as was done for 2003 reports. Rather, they will be released in groups, likely beginning near the end of the calendar year.

Auditing Standards

Congress also charged the PCAOB with establishing the auditing and other professional standards (such as quality control, ethics and independence) that govern public company audits.

During the past year, we have taken some important steps in the area of standard setting.

First, we adopted interim auditing standards. In effect, the Board adopted as our own standards, those “generally accepted auditing standards” that existed in April, 2003 as standards of the Board. At the same time, the Board announced that it would review all of the interim standards and would determine, standard by standard, whether they should be modified, repealed, or made permanent. As my colleague, Dan Goelzer, said at the time of our adoption, these interim standards should be considered to have been written in “disappearing ink.”

In addition, the Board has also adopted three new auditing standards.

  • PCAOB Auditing Standard No. 1 requires the auditor’s opinion to refer to the Board’s authority. Instead of the familiar statement in the opinion that the audit was “conducted in accordance with generally accepted auditing standards," audit opinions filed with the SEC now must say that the review was “conducted in accordance with the standards of the PCAOB.”
  • PCAOB Auditing Standard No. 2 governs the auditor’s review of internal control over financial reporting. I will talk more about Standard No. 2 in a minute.
  • PCAOB Auditing Standard No. 3 governs audit documentation. Work papers must contain enough information so that an experienced auditor, having no previous connection with the engagement (such as successor auditors or our inspectors), can understand the work performed, who performed it and when, and the basis for the conclusions reached.

What’s Next with Respect to Standard-Setting?

Some of the areas we are considering for upcoming standard-setting projects include: 

  • Fraud: There is still much that we can do to strengthen the auditor’s responsibilities to detect fraud. We have discussed this issue with our Standing Advisory Group, and have heard how important investors continue to view this issue. Auditing of revenue recognition and of related party transactions are problem areas in this field.
  • Auditor Independence: Investors continue to tell us that this is their number one concern. We held a roundtable on this issue in early August to explore independence issues related to tax services, and are continuing to digest all the input we have received.
  • Audit Committee Communications: There are a number of existing statutes, rules, and auditing standards that require auditors to communicate certain things, in specific ways, to audit committees. It is likely that we will try to combine all of these existing requirements into one professional standard, if only to ensure a greater likelihood of compliance.

Enforcement

The Board is also building an investigation and enforcement program.

  • I believe that many of the auditing problems the Board identifies will be dealt with through a combination of inspection reports and standard setting. However, inevitably, situations will arise in which those tools are inadequate. There will be cases in which there are serious violations of Board standards or the securities laws by auditors under our jurisdiction. In those cases, the Board has the power to conduct investigations and to impose disciplinary sanctions, which can include fines, suspensions and bars from auditing public companies.
  • The Board has recently launched a tips hotline to accept tips and complaints concerning auditing and financial reporting matters.

Impact of the Board’s Standard on Auditor Review of Internal Control over Financial Reporting

Let me turn once again to Auditing Standard No. 2, concerning the auditor’s review of internal control over financial reporting. I want to touch on some of the ways in which Standard No. 2 will affect directors, particularly audit committees. First, some background.

Background of PCAOB Auditing Standard No. 2

Section 404(a) of Sarbanes-Oxley requires public company managements to file a report annually with the SEC stating management’s conclusions regarding the effectiveness of the company’s internal controls over financial reporting. (Remember also that companies have been required, since the adoption of the Foreign Corrupt Practices Act in the late ‘70’s, to have effective internal controls. Section 404(a) simply now requires the company to annually assess the effectiveness of the controls, and publicly report on material weaknesses.)

Section 404(b) requires that the company also file a report of its outside auditor attesting to management’s report. The auditors must prepare their report in accordance with Auditing Standard No. 2. This marks a sea-change in the way that auditors review controls. Previously, auditors reviewed internal control, but only as part of planning the financial statement audit in order to determine the extent to which they could rely on controls in the audit. Now, the review will be from a different perspective – to determine whether the system of internal control is effective in providing reasonable assurance that financial reporting is accurate and in accordance with GAAP. In effect, there will be two audits at once – one of internal control effectiveness and one of the financial statements.

While the direct effect of the standard will be to impose requirements on public company auditors, it also has significant indirect effect on audit committees. Among other things, the standard:

  • Provides that an ineffective audit committee is, per se, a “significant deficiency” in the controls and a “strong indicator” of a material weakness.
  • Requires the auditor to communicate certain information regarding controls to the audit committee and to consider the effectiveness of the audit committee as part of the auditor’s review of the overall control environment.
  • Requires audit committee pre-approval of internal control-related services.

Thoughts for Directors Going Forward

A. Internal Control:

  1. Expect deficiencies:
  • You are required to be informed (in writing) of all significant deficiencies and all material weaknesses; the auditor is required to disclose to investors all material weaknesses.
  • You are also required to be informed when the auditor identifies for management any deficiency; you may want to know about these as well (but beware of information overload).
  • Especially during this first year, it would be extremely unusual for a company to have no deficiencies, and probably no significant ones.
  1. Understand the significant deficiencies, and management’s remedial plan.
  2. Assure yourself that auditors are comfortable with the characterization of each deficiency (i.e., weren’t browbeaten to lower the significance)
  3. As I mentioned, one of the responsibilities of the auditor, in assessing the effectiveness of the overall control environment, is to assess the effectiveness of the audit committee, with respect to its oversight of the financial reporting system.
  • Take this as an opportunity to tap into the auditor’s experiences with numerous other audit committees, and to learn about what the auditor sees as “best practices.”
  1. Probe to ensure that controls (including documentation) are maintained.
  • Much of the costs incurred during year 1 won’t have to recur, so long as sufficient resources are dedicated to ongoing maintenance.
  1. There is a possibility that a company will receive a clean audit opinion on the financials, but an adverse opinion on internal controls. This will effectively be a message to the market (and to you as directors) that although the current financials do not contain material misstatements, there is more than a remote likelihood that – given existing controls – a material misstatement will occur in the future.
  • Reassure the market (and yourselves) that meaningful corrections to control deficiencies will take place – hopefully before the next quarterly reports! Don’t ask the market to read between the lines of some boilerplate disclosure; the more information the company gives, the more likely it is that investors (and others, including rating agencies and D&O carriers) will respond responsibly.

B. Your relationship with your independent auditor

  1. Understand that, over the past decade, auditors – partly in response to your hard negotiations on fees and partly simply to increase their own margins – have streamlined procedures.
  • Since the audit profession controlled its own standards, its own quality reviews, and its own disciplinary proceedings, they were free to do this even if it meant a diminution in the degree to which investors (and boards) could rely upon the audit to detect material misstatements.
  • Those days are over. The very presence of the PCAOB, as an independent overseer, is causing auditors to increase the level of their testing and the scope of their procedures.
  • This is resulting in increased fees. Although we are on the look-out for any evidence of gouging, you should understand and accept some increase in audit fees.
  1. Audit committees are ultimately responsible to your shareowners for maintaining the independence of the auditor. Set the tone from the top.
  • Will the quality of the audit be improved for the auditor to perform this additional service?
  • Can another vendor perform this service at comparable costs? Are any benefits derived (e.g., by cost savings) from having the auditor perform the service offset by the loss of investor confidence in the auditor’s independence?
  • Given high investor sensitivity, is this additional service really worth it?
  1. If your auditor “fires” you, find out why. Have a meeting (with no staff present) and insist on candor.

C. If your company becomes part of a PCAOB inspection…

  1. Understand that it is the auditor that is being inspected, not you.
  2. If a GAAP error is detected, ask not only how to correct it, but also how to prevent similar errors in the future.

Thank you for your attention. I look forward to responding to your questions.

Related Information