PCAOB Impact on Financial Executives: Standards and Inspections

Good Afternoon,

Thank you for inviting me to join you at this important conference. I am honored to be included among such an impressive group of speakers, and I have enjoyed reconnecting with and meeting many of you over the last two days.

I would like to spend my time this afternoon talking a little bit about the relationship of the work of the Public Company Accounting Oversight Board ("PCAOB") to the work that many of you do on a daily basis in the area of financial reporting. As you know, while the PCAOB does not have any regulatory authority over public companies, our work in the area of public company auditing does have the potential to impact all of you. We are very conscious of that potential impact and consider it carefully in determining the scope of and approach to our oversight activities.

Let me begin by providing a little bit of background about PCAOB inspections and how our efforts there may be affecting some of you. But before I go further, I should note that the views I express today are my own and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

Background

As you know, the PCAOB began operations in 2003, and one of its first priorities was to design an inspection program consistent with the requirements of the Sarbanes-Oxley Act of 2002 (the "Act"), which, among other things, established the PCAOB. Since that time, we have conducted over 2600 inspections of audit firms that audit public companies, including annual inspections of the largest firms that issue over 100 audit reports each year. We have conducted inspections in 45 jurisdictions around the globe and reviewed thousands of audits of companies of all sizes and industries.

One prong of our inspection program involves looking carefully at the most risky audits and honing in on the most difficult audit areas in order to determine the level of compliance of firms with applicable auditing standards and other rules and regulations. These so called "engagement reviews" have identified a wide variety of audit deficiencies. Some are problems with very basic audit procedures or a complete lack of documentation in simple audits. At the other extreme, we find deficiencies involving difficult and judgmental audit areas relating to large multi-national corporations and complex accounting and disclosure questions. In recent years, in our inspections of the larger firms, we have seen frequent deficiencies in the following areas, among others:

  • Auditing internal control over financial reporting (ICFR)
  • Assessing and responding to risks of material misstatement
  • Auditing accounting estimates, including fair value measurements
  • In cross-border audits, deficient "referred" work — work performed by other audit firms and used by the signing audit firm

Areas of the financial statements with frequent auditing deficiencies include revenue recognition, business combinations and impairment of goodwill and other assets, investment valuations, and allowances for doubtful accounts or loans.

In addition to inspecting particular audit engagements, the PCAOB also is also required by the Act to "evaluate the sufficiency of the quality control system" of each firm inspected.[1] Consistent with that requirement, our inspections include a review of firms' practices, policies, and procedures concerning, for example, audit performance, training, compliance with independence standards, client acceptance and retention, and the firms' tone at the top, partner management, use of the work of foreign affiliates, and internal firm processes for monitoring audit performance. For the larger firms, the quality control reviews are customized to each firm, based on factors such as the firm's structure, procedures performed in prior inspections, past and current inspection observations, and an assessment of risk related to each area, among others.

We make public the audit performance deficiencies identified in connection with our inspectors' review of particular audit engagements – without identifying the issuers involved – in what we refer to as "Part I" of each firm's individual inspection report. The Act requires, however, that we maintain as confidential any "portions of the inspection report that deal with criticisms of or potential defects in the quality control systems of the firm."[2] These non-public portions of the inspection reports – which we refer to as Part II – may be made public only if the firm does not address the cited criticisms or defects to the satisfaction of the Board no later than twelve months after issuance of the inspection report. For most firms, this incentive to "remediate" the identified deficiencies is very powerful. I believe the changes to the firms' practices as a result of remediation efforts have been the biggest driver of change to improve audit quality in the past decade.

In the context of these quality control reviews, PCAOB inspections staff has identified, over time, a variety of weaknesses or deficiencies in certain firms' systems of quality control. The Board's findings in these areas have varied widely, with some firms receiving "clean" inspection reports while others have extensive deficiencies in many or most aspects of their quality control systems. The Board's inspection staff has frequently identified quality control deficiencies based on particular audit engagement deficiencies that demonstrate a firm's inability to ensure quality work in the respective audit areas. Thus, audit areas where we have observed the most Part I engagement findings, such as in the areas of internal control and accounting estimates, have resulted, in some cases, in parallel quality control criticisms. Likewise, the staff has identified systemic deficiencies or weaknesses in firms' quality control policies and procedures not directly linked to particular engagement deficiencies, including, for example:

  • Firm management whose tone at the top does not promote or support audit quality;
  • Deficiencies in the degree of objectivity and professional skepticism demonstrated by firm personnel;
  • Practice management and policies that create incentives for auditors to focus on goals inconsistent with audit quality;
  • Ineffective internal inspection programs;
  • Lack of compliance with independence requirements;
  • Client acceptance and continuance policies resulting in the acceptance or retention of audit clients that present unreasonable risks or for whose audit the firm is not sufficiently qualified; and
  • Insufficient supervision and review of audit staff and other auditors at other firms or affiliates.

Remediation of Quality Control Deficiencies

In connection with the Board's determination of whether firms have appropriately remediated the relevant quality control deficiencies within twelve months, the Board's rules allow firms to submit evidence – for actions taken no later than twelve months after the issuance of the Board's inspection report – to demonstrate that they have improved their quality control systems and remedied any defects identified by the inspections staff. In making its determination, the Board focuses on whether the firms have identified appropriate steps to remediate the deficiency and whether the firms have made substantial progress toward achieving their quality control objectives.

Approximately two years ago, after conducting inspections and reviewing remediation efforts for almost a decade, the staff of the Board's Inspection Divisions provided additional information about the criteria used to evaluate firms' remediation determinations. These include whether:

  • The firms' actions represent a change from its prior system of quality control;
  • The action is relevant to the deficiency and designed appropriately to remediate that deficiency; and
  • The firm implemented its measures on a timely basis with the result that it achieved or is expected to achieve the quality control objective.[3]

The vast majority of quality control deficiencies identified over the last decade have been deemed by the Board as having been adequately remediated by firms within the twelve month period. However, over 150 firms – some more than once – have either failed to provide any evidence of remedial actions or have received Board determinations that their actions did not sufficiently address some or all of the cited quality control deficiencies. Among the largest U.S. audit firms, the Board has made public certain unremediated quality control deficiencies that include, for example:

  • Failure to appropriately apply professional skepticism, such as by insufficiently evaluating contradictory or potentially inconsistent information, including where circumstances might indicate management bias or in areas where the firm had identified a risk of fraud;
  • Ineffective internal inspection programs that failed to identify significant audit deficiencies, including in some cases deficiencies which were subsequently identified by PCAOB inspections
  • Inadequate engagement quality reviews;
  • Insufficient supervision and review requirements, including instances where a lack of audit procedures or documentation was not caught in the supervision and review process;
  • Insufficient quality control over audit performance in the areas of internal controls, fair value measurement and impairment, and accounting estimates (including evaluation of the reasonableness of assumptions and testing of data).

In order to improve the quality of their audits and to remediate PCAOB Part II findings, and in some instances in response to the disclosure by the PCAOB of unremediated quality control deficiencies, firms have taken a variety of actions. While the Act and Board rules do not permit me to discuss the specific actions described by firms in their remediation responses, many firms, including the U.S. member firms of the largest global network firms, have publicly discussed their quality initiatives, including, in some cases, those intended to respond to PCAOB inspection findings.

In the area of "tone at the top," for example, firms have publicly described their efforts to ensure that the importance of quality is a message that is delivered to audit professionals frequently and consistently and is supported by consistent actions. Several firms have indicated that professional skepticism, in particular, has been a key message and something on which the firms have increasingly focused their training, including by stressing the need for auditors to more objectively evaluate management representations and to more thoroughly consider the implications of contrary or inconsistent evidence. Many firms have taken steps designed to better hold their professionals accountable for quality, including by basing compensation in part on quality results, such as internal or external inspection findings. Likewise, firms have improved their audit methodologies and enhanced training, making it both more rigorous and more specific to identified deficiencies in their compliance with PCAOB audit standards.

With respect to the supervision of audit staff and the review of audit procedures and documentation, firms have increased the time spent by partners or other experienced staff members on reviewing the work of less experienced audit staff and have imposed more specific review and supervision requirements. Hand in hand with this effort, firms have reported measures to enhance the effectiveness and timeliness of their engagement quality reviews, building on their implementation of AS 7 (now AS 1220), Engagement Quality Review, which became effective in 2010. The efforts relating to EQR have included monitoring and balancing partner time spent on EQR activities, increasing staff available to work on assisting the engagement quality reviewer, and providing new guidance and training to audit professionals who conduct such reviews.

Consistent with the fact that one of the PCAOB's evaluation considerations for remedial efforts is a firm's efforts to monitor its own actions and results, many firms also have enhanced their internal inspection systems, both by increasing the resources dedicated to this work and by imposing more rigorous requirements. Some firms have reported increases in internal inspection findings in the wake of these enhanced internal inspections, which hopefully will help drive improvements in their audit practices.

A number of firms have supplemented the internal inspection efforts by instituting more targeted reviews of audit work performed for certain companies or in certain high risk audit areas before the audit opinions for the respective audits were issued. These pre-issuance reviews – which sometimes begin as early as the audit planning process – have helped firms to identify areas of weakness and to determine whether newly implemented methodologies are appropriately applied. In addition, these actions may have provided an opportunity for audit teams to supplement their work before issuing what might otherwise have been unsupported audit opinions.

Several firms have reported increases in the number and experience of staff resources available for internal consultation on difficult auditing questions. While firms historically have had strong processes in place for internal consultation on questions relating to accounting or financial statement disclosure, they have more recently increased the focus on internal consultations on auditing matters. Firms have reported increasing resources for such consultations and implementing additional guidance or requirements about when auditors should consult their national office or local office specialists.

Perhaps more directly relevant to financial executives, however, are the firms' remedial actions to respond to some of the most frequent PCAOB inspection findings where auditors issued unsupported audit opinions. These findings have given rise to Part II inspection findings – such as those publicly disclosed by the Board for several firms in recent years – that firms do not have sufficient quality controls over audit work in these areas, including internal controls. Audit performance deficiencies in more recent inspections have included insufficient work by auditors to understand a company's flow of transactions and inadequate testing of management review controls and of the completeness and accuracy of system-generated data or reports. Our inspections division has analyzed potential underlying reasons for these frequent findings. The staff believes that, in some cases, firms' audit methodologies and guidance required enhancement, while other causes included audit staff turnover and insufficient supervision. Our inspectors also have heard from auditors that, in some cases, the quality of an issuer's processes and controls, and the scope and nature of management's documentation, can affect how effectively the auditor is able to audit internal controls.

In 2012 and 2013, the PCAOB's inspections of the largest firms identified audit deficiencies in audits of internal control in respectively 36 and 39 percent of the integrated audits inspected.[4] Of course, as I mentioned earlier, our inspectors look at the most difficult areas of the riskiest audits, so these percentages logically are probably higher than they would be for a random sample of their audits. Nevertheless, this area clearly remains a huge challenge for firms. Not surprisingly then, the processes around the auditing of internal controls have been a focus for firms as they attempt to enhance audit quality. For example, firms have explained that, as part of their quality initiatives, they are requiring audit staff to gain a more thorough understanding of the company's control environment and business processes, including, in particular management review controls. They have imposed increased testing requirements for certain controls and demand increased documentation of the work performed by audit staff in this area to align with the requirements of AS 5. Likewise, in order to address deficiencies identified in auditing fair value and other management estimates, firms have enhanced requirements for audit evidence, testing of management's processes and assumptions, and the evaluation of inconsistent or contrary evidence to comply with the relevant PCAOB standards.

Impact on Issuers

These remedial activities appear also to have affected the information sought by audit teams from audit clients, in some cases requiring substantial additional effort by financial reporting staff to provide additional information or create different types of documentation. This, not surprisingly, has been a source of concern among some financial statement preparers. We have heard that management of some public companies believes the nature and extent of information more recently required by auditors imposes unreasonable burdens without enhancing auditor assurance or corporate controls. Examples include extensive documentation requests related to internal controls, including, in particular management review controls.

Many of you in the room have told me directly that you believe your processes are effective in detecting potential material misstatements, because you know what actions you and your team take to review a monthly reporting package, and you know that your staff will follow up on questions raised during this process. The auditors, however, are telling you that they cannot accept your sign-off as evidence of the control's effectiveness. And in fact, while auditors may be able to accept a sign-off when testing a simple process level control that does not involve much judgment (like matching a purchase order, shipping document and invoice), that does not suffice for management review controls. AS 5 specifically states that inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control. [5] The actual procedures needed for a particular management review control will depend on, among other things, the nature of the control, the risk associated with the control, the information used in the control, and the evidence of the control's operation. AS 5 gives examples such as observation, inspection of relevant documentation, and re-performance of a control. One of my mentors early in my career frequently said "you can't just audit by conversation, you need to audit the support for what management tells you." Those words from over 30 years ago still apply today to controls testing.

We also hear concerns about excessive audit work information requests related to transactions that are viewed as immaterial and not relevant to the auditor's assurance on the financial statements.

In response to these and other comments, Chief Accountant Jim Schnurr mentioned earlier today that we have met, along with members of his staff from the Securities and Exchange Commission, with representatives of companies who have expressed concerns. Based on our discussions, it appears that some of the additional work being performed by auditors and the additional efforts required of management in some cases have increased management's focus on and understanding of controls and resulted in improvements in the control environment. At the same time, we hear that some audit teams may be requiring the creation of documentation by management that does not provide useful information or lead to increased assurance about the effectiveness of internal controls We have also met with audit firms to better understand their approaches to auditing internal controls and how their methodologies and documentation requirements have evolved.

We also have taken a careful look at our inspections process to ensure that inspectors are reviewing audit work against the requirements of applicable auditing standards, including the top down approach, risk assessment focus and scalability set forth in Auditing Standard No. 5 (now AS 2201), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. We are comfortable that our inspectors are not imposing new auditing requirements through inspections.

Nevertheless, we cannot rule out that firms' concerns about the frequency of our findings in this area and their efforts to remediate the related quality control deficiencies have not caused some audit teams to do more work, and possibly the wrong kind of work, resulting in unnecessary burdens on management. Ultimately, this is an area where the PCAOB, the SEC, audit firms, and financial reporting management need to continue to monitor events in order to achieve an appropriate balance between auditors' doing sufficient and meaningful audit work to gather the right amount and the right type of audit evidence, while not imposing unnecessary burdens on management or causing needless delays in the financial reporting process. In other words, we need to be mindful about whether the audit effort pendulum has swung too far. The meetings held so far in 2015 are a great start to what I hope is regular continuing dialogue on these important topics

Other PCAOB Projects

Also related to the concept of remediation of quality control deficiencies are the efforts by some firms, in their pursuit of audit quality, to try to identify and measure indicators of audit quality. Several firms, as well as the Center for Audit Quality, have been studying this area and have begun to define certain data points that they believe may be helpful, especially to audit committees, in measuring audit quality. The PCAOB also has been active in this area. In late 2012, we announced our intention to study the feasibility of establishing quantitative measures of audit quality, and we have conducted extensive formal and informal outreach on this topic for the past several years.

In July of this year, the Board issued a concept release to seek public comment on the content and possible uses of a group of 28 potential audit quality indicators.[6] Some of the indicators are relatively straightforward, and the information is currently available, often tracked by firms and sometimes discussed with audit committees. Examples include staffing leverage, audit hours, workload, expertise and experience of auditors, independence information, inspection results and several others. Other indicators may require affirmative steps to produce data — such as the suggested survey of firm personnel to gauge tone at the top — and yet others raise difficult questions of how to measure audit quality, for example based on the auditors detection of fraud or financial reporting quality. Some of the indicators raise difficult practical questions, while others implicate legal issues including the larger disclosure framework under applicable securities laws.

We received 47 comment letters in response to the release, and, just last week, our Standing Advisory Group held a discussion to provide further input on this important topic. The feedback was mixed, with some commenters supporting the project but advocating that we should let practice develop on a voluntary basis. Other commenters supported the project and urged us to act quickly to mandate public disclosure of certain audit quality indicators. Our staff will digest all of this feedback, and I hope that we will be able to determine the most practical and useful next steps and a further narrowing of the most promising potential indicators.

Other projects currently on our agenda include several standard setting projects, including the supervision of "other auditors," the use of specialists and audits of fair value and other estimates, as well as the auditor's reporting model.

I am hopeful that the Board will release sometime early next year a proposed standard to improve the auditing standards that govern the planning, supervision, and performance of audits involving other auditors, for example, in cases where an auditor refers portions of the audit to an affiliate or non-affiliate firm in another jurisdiction. This is an important area in light of the increase in companies with global operations, requiring the use of auditors around the world. Under current standards, there are multiple approaches for the oversight of such other firms or auditors, and the Board has observed varying levels of audit quality in the work performed by other auditors and varying degrees of supervision by the firm issuing the audit report.

We also have been reviewing our standards governing accounting estimates and fair value measurements along with those addressing the supervision of specialists — including valuation specialists, lawyers, actuaries, geologists and other non-auditors that provide information relevant to the audit. We have issued staff consultation papers to seek input in both of these areas and we discussed potential approaches with our Standing Advisory Group and Investor Advisory Group on a number of occasions. This year, we focused some of our SAG discussions and other research on better understanding the way in which auditors and companies currently interact with specialists. Because many specialists used by auditors are valuation specialists, it is important that our work on the supervision of specialists be closely coordinated with our work on standards governing the auditing of management estimates, to ensure maximum effectiveness and efficiency in affected audits. We continue to consider relevant input, and I expect that the Board will issue proposed standards in both areas sometime in 2016.

Finally, one of our highest profile projects relates to the auditor's reporting model. After conducting extensive outreach and concluding that investors and the public would like auditors to provide more information about the audit, we issued a proposal in August 2013 to require auditors to discuss in their reports so-called "critical audit matters."[7] These were defined in the proposed standard as those matters addressed during the audit that (1) involved the most difficult, subjective or complex auditor judgments; (2) posed the most difficulty to the auditor in obtaining sufficient appropriate evidence; or (3) posed the most difficulty to the auditor in forming the opinion on the financial statements.

We received hundreds of comment letters on this topic and held a public round table discussion in April 2014 to facilitate further discussion about a possible way forward. In commenting on the proposal, some suggested the requirements do not go far enough to require the auditor to report the information that investors want. Others suggested that most of the matters to be discussed in the audit report would largely duplicate disclosures already included in the financial statements or management's discussion and analysis; while yet others expressed concern that the auditor might disclose original information about the company that applicable SEC rules and regulations do not require or explicitly allow the preparer not to disclose. Finally, some skeptics wondered if the end result of the changes to the auditor's report will be limited to the addition of new "boilerplate" language to the report that ultimately will not be helpful to investors. And many ask whether this requirement would simply add to what some already consider information overload in public company disclosures.

Currently, the PCAOB is considering the comments received on our auditor's reporting model proposal, as well as monitoring auditor reporting in other countries under the new requirements. I expect that we will issue a re-proposal of a standard governing the auditor's report in 2016. It is likely that our revisions will result in a narrower, more focused requirement that would facilitate the disclosure of only the most relevant information about the audit, while not crossing the line into areas that are within management's responsibility.

Let me conclude by reiterating the importance of the Board's dialog with all of our stakeholders, including financial executives. While the relevance of the PCAOB's activities to your work, particularly the more technical aspects of auditing standards, may not always be immediately clear, my experience has been that our oversight of auditors can and does have an impact on issuers. In most cases, I believe that impact has been positive, providing for more rigorous audits and overall improvements in financial reporting, internal controls, and the assurance provided by effective auditing. Nevertheless, maintaining an open dialog will help us understand the potential impact of our work on public companies and, hopefully, allow us to take appropriate measures if unintended consequences result in unreasonable burdens on audit clients.

With that, thank you again for having me and I look forward to your questions and comments.