What the PCAOB Expects for the Coming Year and Beyond
Thank you for inviting me to speak today. It is an honor to be here at what I understand is the 39th occasion for this conference.
Let me begin by saying that the views I express are my own and should not be attributed to the PCAOB as a whole or any other members or staff.
I would like to spend my time this morning on some of the challenges facing our financial reporting system, and the role the profession can and should play in addressing those challenges. I will also cover recent inspection results, and what I think the PCAOB should expect of auditors. Finally, I just returned Friday from a symposium of international audit regulators in Toronto. So I thought I'd talk today about some themes affecting the regulation of global audits.
I. Extraordinary Challenges
We are experiencing extraordinarily challenging times, and change driven by external events and circumstances as well as change inside the profession.
In the United States, we have lost not just one, but several, titans of the U.S. financial industry, an industry that we had thought secured the economic well-being of our nation.
There are some signs we may be emerging from this initial shock. Whether our footing is firm and our legs steady going into the next round is the question that occupies us all. The Euro zone continues to reel from a debt crisis founded in a lack of transparency, threatening investor confidence everywhere. The emergence of a "Euro Crisis Deal" — last week's headline — is not, of course, the same thing as being safely back on the ground after a turbulent plane flight!
Which means the work you do is more important than ever. The financial crisis has only augmented the incentive for companies to engage in off-balance sheet treatment of complex financial instruments and risk, to report unduly favorable but hard-to-verify valuation of financial instruments, and to use complicated and confusing disclosures to put off reckoning with bad news.
Experience tells us that these tendencies are not the consequence of management's beginning with fraudulent intent. And "Occupy-the-City-of-Your-Choice" movements that think bad accounting is bred in the bone of capitalism are simply naive.
We know that markets have demanded more real time access to information, that the relevant information carries more uncertainty, and that such uncertainty involves volatility and risk.
Consider, for example, the recent pricing volatility in the CDO-swap market, which has accompanied the efforts of institutions to spread valuation risk: this business strategy, which is designed to implement prudent risk management, is virtually certain to make life more difficult for auditors. But unless disciplined by the audit, management's business techniques for risk-spreading can replicate the Katzenjammer Kids' (or Dennis the Menace's) basement chemistry experiments.
The financial audit is the linchpin for restoring confidence.
If the story, if the numbers, are too good to be true, you are supposed to call it.
And you do. For all the reports of colossal investor damage that could have been avoided but for missed opportunity, auditors do enforce the rules. Audits do avoid disasters. They do protect investors.
Before I go any further, let me speak forthrightly to the auditors among you. I want to make clear that I appreciate, based on a lifetime of admiring auditors' skill and professionalism, that auditors are the good guys in the fight for the public interest. The matters I will discuss today, and that PCAOB staff will discuss as the conference progresses, go to making you the best defenders of the public interest you can be.
I have no question that you are up to the task. Yours is a learned profession. You have not achieved your positions by merely serving time. I cannot promise that every reform that advances the public interest in strong, independent audits will come easily. But I will wager on every one of you, that you can make a difference.
II. Auditor Skepticism is the Foundation for Investor Confidence in Financial Reporting.
Our job at the PCAOB, working with audit regulators around the world, is to make sure that audits are as consistently reliable as possible. We inspect many hundreds of audits a year to check. And those inspections show that there is work to do in this regard.
PCAOB inspection reports have each year pressed firms to improve quality control in various respects. The Sarbanes-Oxley Act gives firms 12 months following the report to demonstrate satisfactory progress to address any concerns.
The Board takes very seriously the importance of firms making sufficient progress on quality control issues. Particularly with the largest firms, which are inspected annually, the Board devotes considerable time and resources to critically evaluating whether the firm did in fact make sufficient progress in that period. As has recently become apparent publicly, the Board can and does make the relevant criticisms public when a firm has failed to do so.
Moreover, our most recent reports related to the 2010 inspection cycle, including reports on inspections of some of the largest firms, show a significant and concerning increase in inspection findings.
I continue to be asked whether we have raised the bar, to pump up Part I reporting with volume at the expense of quality. We have not. To the contrary, as our risk-based selection of engagements and firms has developed, and our inspection techniques have improved, I consider that we are doing exactly what you and the public urged us to do and expected of us. We are finding and reporting more relevant areas where audits can and must improve.
For example, in an area critical to public concern, inspectors have found that firms failed to understand the assumptions and valuation methods used in determining the fair value of financial instruments. They have also failed to consider the effects of significant differences between the fair value measurements they obtain themselves and the issuer's recorded fair value.
Internal control audits are not always carried out in a way that delivers the early warnings of the risk of misstatements in financial reporting that they are meant to be. Too often, auditors rely on imprecise business processes that are inapt as financial reporting controls. Or they have failed to understand the flow of transactions in order to identify the points within a client's processes where a material misstatement could arise.
These are important examples of where audits need to improve, but there are others. While our 2011 inspection cycle is not yet complete, preliminary results show that the number of deficiencies identified continues to be high.
In many cases, these flaws were found at firms that are clearly comprised of highly competent and ethical professionals. This leads me to the question of skepticism.
Skepticism is what makes the auditor's work relevant to investors and the financial system more broadly. Auditor skepticism is the foundation for investor confidence in financial reporting. But it can fail in spite of both fundamental competence and high ethical standards.
Because skepticism is a state of mind, objectivity a silent success, their absence is rarely documented and can be particularly difficult to detect. But too often, audit failures identified by PCAOB inspectors do not appear to be explainable by any lack of knowledge, on the auditor's part, about what audit steps are required in the circumstances.
Regulators outside the U.S. have raised concerns about skepticism as well. I have been struck by the consistency of international results. The Canadian Public Accountability Board recently compiled a summary of results from Canada, the U.S., the U.K., and Australia. They concluded that "Insufficient Professional Skepticism . . . is undoubtedly the most common finding — that auditors are too often accepting or attempting to validate management evidence and representations without sufficient challenge and independent corroboration."[1]
I am encouraged when large firm managers and private sector standard setters confirm, as they did last week in Toronto, that the profession knows it can and must do more to train auditors in such basics as: (i) the techniques of auditing management judgments and estimates, (ii) the detection and evaluation of disconfirming evidence, and (iii) the correct way to document a critical matter of evidence and the reasons for accepting a management estimate.
These Canadian colleagues of yours are working on how to better document the presence of skepticism in the audit process with better evidence in the audit file.
III. The PCAOB's Policy Agenda to Enhance the Relevance, Credibility and Transparency of Audits
The PCAOB has been deeply engaged in new initiatives to enhance the relevance, credibility and transparency of audits. As you likely know, we have three major projects underway, and I thought some comment on each could be useful.
A. The Auditor's Reporting Model
First, the PCAOB initiative on the form and content of the standard auditor's report: in June, we issued a concept release on potential changes to the auditor's reporting model to respond to investors' call for more insights based on the auditor's work.
There are a number of practical challenges to making the audit report more informative for investors. We need to think hard about what firms should be expected to be able to produce for general use within the filing periods that obtain.
The alternatives described in the Board's concept release are focused on enhancing the relevance of the auditor's communication to investors. They would not change the fundamental role of the auditor to perform an audit and attest to management's assertions as embodied in management's financial statements.
They are not intended to put the auditor in the position of reporting financial information for management. But they are intended to explore how the auditor's report can be more useful to investors.
Firms today provide to their venture capital and other private equity clients (including large pension funds) detailed analyses of management's stewardship of their investments.
Those reports may not be suitable for public companies if they cannot be produced in a consistent manner to afford investors a basis of comparison. But they show that, when one thinks of the investor as the client, providing insights is possible. What kinds of insights could be provided to public investors?
We have received more than 150 comment letters to date. In addition, in September we held a public roundtable to foster further discussion.
Here again, one is struck by an evident emerging consensus on some matters —
- The audit report should change and auditors most of all worry that unless it does they will issue an opinion no one reads or needs.
- The fundament of the binary opinion should survive.
- Both an information gap and an expectation gap exist and should be addressed.
- Relevance is desirable, uncertainty unavoidable, and boiler plate should be averted in any event if possible.
- Both an Auditor Discussion and Analysis and an audit of MD&A contend with an expanded and required use of emphasis paragraphs.
It will be readily apparent that these are not really guiding principles, but rather validly competing goals and considerations that the Board will need to weigh. For example, if the auditor's role expands into more relevant involvement of the attest function in the quarterly reporting and earnings release process, what is the potential for delay and is that retardation effect justified by a benefit to investors?
I should not leave this discussion of the issues to be resolved here without acknowledging the constructive and thoughtful approach taken in the comment letter submitted by the Center for Audit Quality and Cynthia Fornelli.
We are considering comments received. Our next step will be to develop a proposed response — probably in the form of new or amended standards — which would be issued for another round of public comment.
The Board has many decisions to make in determining the nature and extent of any changes. The proposal is expected to be issued in the second quarter of 2012.
B. Auditor Independence
The PCAOB is also focused on auditor independence. In August, the Board issued a concept release to seek public comment on how to enhance it, including whether audit firms should be subject to term limits. We asked particularly for comment on terms of more than ten years, and on the suitability of rotation for the largest issuers.[2]
There are, of course, considerable implementation challenges associated with mandatory term limits. These changes can be dramatic, and yet there are examples of how they can be managed. Some institutions do have fixed term limits for their auditors. In some countries, auditors are used to taking term-limited engagements.
How do auditors and companies manage these changes? What do auditors, and the audit committees that appoint them, do to make sure the new auditors are in a position to provide reasonable assurance in the early years of an engagement?
Auditors are generally opposed to the idea of term limits. It's understandable that such a change would be hard to welcome. But I want you to think about it.
You tell me: When you've found a potential problem in an engagement, do you think about how important retaining a client is to your own career or standing in your firm? You doubtless consider it unfair of a rehabilitating securities lawyer like myself to ask that: but here is the question that I believe you must answer: If you don't think term limits would reduce the pressures that lurk, threatening to undermine your independence, then what would?
As many of you doubtless noted, on November 30 the European Commission released Minister Barnier's proposals for regulation "on the quality of audits of public interest entities." These included —
- an engagement term limit of six years (with a possible extension of two years with certain approval),
- extension of the term to nine years if joint audits are performed (with a possible extension of three years with certain approval),
- mandatory tendering to consider at least one next tier firm, and
- a ban on most non-audit services, with large firms required to locate their non-audit services in a separate legal entity.
This development has, of course, been anticipated. But as with many anticipated events, the details, timing and implications of these proposals for our own process will require thoughtful evaluation.
And, as with changes to the audit reporting model, in the area of auditor independence we are mindful of the role of the independent audit committee. Nothing we do in the independence area should undermine their authority or diminish their role. The Board's raising the questions of the Concept Release does not suggest that the establishment of the independent audit committee and their statutory oversight of the audit process should be called into question.
This is not an easy subject. We have had a long comment period. It is coming to a close on December 14. But we will then hold a public meeting to further discuss the subject in March of 2012. At this meeting, we will ask for further comment and provide participants an opportunity to bring their ideas and concerns directly to the Board.
Comments have been flowing in. Please submit yours. We are looking for candid information specifically from auditors such as yourselves.
C. Audit Transparency
The third policy initiative the PCAOB has mooted relates to audit transparency. This is an important matter for investors, who want to know about the work that stands behind individual audits.
In October, the Board proposed amendments to its auditing standards to improve audit transparency by enhancing disclosure about the participants in audits, including disclosure about the partner in charge of the audit, as well as other firms involved in the audit.
The proposal stems from a concept release that the Board issued in July, 2009, to obtain comment on whether the Board should require engagement partners to sign audit reports.
Engagement partner disclosure is an unfamiliar practice for many auditors, and thus has been met with some apprehension. The names of audit engagement partners are also disclosed in many countries, but to this point not in the United States. The referenced EC proposals would continue to requiresignature by the "statutory auditor(s) carrying out the statutory audit on behalf of the audit firm."[3]
Our proposal to identify the engagement partner does not involve any change in engagement partner responsibilities, but rather merely provides for disclosure.
The proposal would also provide investors disclosure about other accounting firms and certain other participants in the audit. The idea is to provide enhanced transparency into the composition of cross-border audits, so that should help investors gain a better understanding of how an audit was conducted and make more informed decisions about how to use the audit report.
Our comment period for this proposal extends through January 9, 2012.
IV. Joint Inspections of Global Audits by National Audit Regulators are Taking Hold.
I've touched on global audits, but let me turn now to discuss them more directly. These are the audits that are relied upon by the greatest percentage of the investing public, because they involve the largest companies whose shares figure prominently in many investors' savings plans. For that reason, these audits need to be good. When they aren't, everyone loses: investors, the broader financial system, the audit firm involved. Everyone.
Audit reports for such companies are usually signed by one audit firm. But many have chosen to plan and perform their audits by dividing the work among affiliated firms in countries where the audit client has operations. Those affiliates are typically separate legal entities. And if they audit or play a substantial role in an audit of an issuer, they will be separately registered with the PCAOB.
To best protect investors, inspections of cross-border audits need to be as seamless as the audits are supposed to be. Within the last few months, the PCAOB has reorganized its inspection division with this objective in mind.[4]
This new organization allows inspectors to better identify trends among firms in a network. It also facilitates inspection of multi-national issuer audits and gives us a more complete understanding of the quality control mechanisms used by the firms to determine whether they are effective.
We have seen first hand the benefits of evaluating the various pieces of audits — or, "referred-work" engagements — performed by different registered firms in multiple jurisdictions.
PCAOB inspectors have reviewed portions of numerous components of audits that principal auditors had determined were necessary and instructed affiliates to perform. If you are involved in multi-national audits, this should be of significance to you: in many cases, inspectors determined that the affiliate failed to accomplish the objectives of the instructions provided by the principal auditor, sometimes in multiple respects.
These deficiencies were identified both abroad and here in the U.S. That is, some were in situations where the principal auditor was outside the U.S., but the subsidiary auditor was in the U.S., and the rest vice versa.
Inspectors have found obvious errors that could have, and should have, been picked up by the principal auditor, if communication between the two auditors had been more robust. For example, inspectors have found unresolved audit issues between affiliates.
One inspection team found a situation where the affiliate consistently failed to perform audit procedures, unbeknownst to the principal auditor until our inspectors conducted their review. Once the problem came to light, the firm arranged for the team to be removed. But it fell to the PCAOB to find the problem.
In several cases, inspectors discovered that an affiliate had failed to appropriately audit revenue, even though the affiliate reported to the principal auditor that it had.
These findings demonstrate why it's so important that we look at the parts of the audit not performed by the principal auditor, whether the principal auditor was in the U.S. or elsewhere. Indeed, they should be — and are — of concern to audit regulators everywhere.
This leads me to the urgency of regulatory cooperation. We are now inspecting in 37 jurisdictions. In nine of those jurisdictions, we inspect jointly with the local regulator. [5]
I am pleased to announce that earlier today — European time, that is — the PCAOB concluded a pact with the Netherlands securities regulator to begin joint inspections of Dutch audit firms registered with the PCAOB.
This is a significant step. We have worked through the concerns of local data protection authorities, as we did earlier this year with U.K. authorities. It is my hope that other countries that have hesitated because of data protection concerns will now soon follow suit.
Joint inspections require effort on both sides. They have also required our counterparts to stick their necks out and press their lawmakers on our behalf. But this process yields concrete benefits for investors globally, as inspection teams work side-by-side and reinforce each other's mandates.
There is now considerable momentum for joint inspections in Europe. I look forward to announcing more joint inspection arrangements in the near future.
I hope Chinese authorities will also embrace joint inspections. I view this as an urgent matter. There is considerably less transparency into the quality of referred-work performed by Chinese affiliates of the global networks for principal auditors in the U.S. and elsewhere.
In emerging markets generally, risk assessment in the engagement is critical. If you are on such an engagement team, ask yourself what your basis for relying on affiliate teams is. Are you placing undue reliance on the mere fact that they are in your network? What are you doing to ensure yourself that the work is reliable?
The Chinese government has recently announced the new leadership among financial regulators. We have corresponded and remain in communication with the new Chairman of the CSRC, Guo Shuqing, and look forward to working with him and his staff early in the new year.
* * *
I have laid a heavy burden on you this morning. Our financial system faces many risks. The accounting profession must be a voice for integrity, analytical care, and expertise in furtherance of the public interest. As a profession, as leaders in governing an open society, and as protectors of the public interest, we must challenge ourselves to challenge our culture.
I am mindful that culture does not change quickly. I am also mindful that change is not comfortable and can be painful. But the profession must prosper in this world, and that is going to require your commitment to change.
There is no virtue in nostalgia for a simpler time. Auditing is not a job you can go home and forget about at night. You know this too well. But it is a profession you are rightly proud to be a part of, in no small part because it involves societal responsibilities that transcend the interests of the individual. The challenge we face together is to work continuously to find ways to best address those responsibilities.
[1] See Canadian Public Accountability Board, Auditing in the Decade Ahead: Challenge and Change, Audit Quality Pre-Reading Materials, at 36.
[2] The concept release invites study and consideration of whether there are ways to mitigate the challenges of rotation. But the reason to consider the idea is to resolve the question to which the discussion of independence, skepticism and objectivity always seems to return:
will term limits, set at some appropriate length, with due regard for implementation complexities, reduce the pressures auditors face to develop and protect long-term client relationships to the detriment of investors and our capital markets?
[3] The EC proposal would also require that, "Where the statutory audit was carried out by an audit firm, the report shall identify each member of the audit engagement team and shall state that all members remained completely independent and had no direct or indirect interest in the audited entity." See European Commission, Proposal for a Regulation of the European Parliament and of the Council, No. 2011/0359, at Art. 22.2(q). In addition, Article 22 of the EC proposal would expand the content of the auditor's report, to include (i) a greater discussion of the audit methodology used, (ii) the amount of substantive testing performed versus reliance on compliance controls testing, (iii) materiality levels used, the auditor's views on key areas of risk of material misstatement, and (iv) the extent to which the audit was designed to detect fraud.
[4] We now have a global network firm inspection program. It covers inspections of the largest U.S. firms and their foreign affiliates, to the extent those affiliates participate in the audits of issuers that file financial statements with the SEC. Currently there are approximately 190 non-U.S. registered firms that we consider to be affiliated with the largest global networks and are subject to triennial inspection because they have issued an audit report on an issuer within the last three years.
[5] We conduct joint inspections with regulators in Australia, Canada, Korea, Norway, Singapore, South Africa, Switzerland, Taiwan, and the United Kingdom.