Seeing Through the Regulatory Looking Glass: PCAOB Inspection Reports
Thank you, Sandy [Peters] for the kind introduction.[1]
It is a pleasure to have an opportunity to speak with you today. CFA Institute members have always been a key constituency for the Public Company Accounting Oversight Board (PCAOB) because of your thoughtful and practical perspectives on the capital markets, investors, and the approach taken by regulators. We learn a great deal from you, and I hope, after this talk, we will learn even more.
Before I continue, I want to remind you that the views I share today are my own and do not necessarily reflect the views of the PCAOB, my fellow Board members, or the staff of the PCAOB.
All of us spend a tremendous amount of time focusing on quality. We all want to purchase high-quality goods and services. We strive for quality time with our family and friends, perhaps even more so in an era of COVID-19. Quality is also critical to the financial reporting process. The independent audit is a big part of ensuring that the information investors receive is reliable and high quality.[2]
Information on audit quality can come from a variety of sources, including management of the company, audit committees and independent auditors. The information can also come from regulators like the PCAOB. We provide you and other investors in the market with information that can be relevant to the quality of audits conducted by audit firms. We do this mostly by issuing public reports for firms that we inspect.
While we are legally required to make our inspection findings public, the form and content of the reports are mostly left to the PCAOB's discretion. Back in the early days of the PCAOB, the Board determined what should go into these public reports. A decision was made to include only limited categories of audit deficiencies, to not reveal the identity of the public company where the audit firm's deficiencies occurred, and to not provide observations or descriptions about an audit firm's system of quality control.
Recently, this Board reconsidered one of those early decisions. In June of this year, we issued public inspection reports for the six largest firms using a revised template.[3] The template included a new section that disclosed additional types of deficiencies uncovered during the inspection process. The information provides investors and the public with additional insight into the inspection process and audit quality. But other early decisions about the content of the reports were not changed and, in my opinion, bear re-examination.
Today, I want to talk about the PCAOB's recent trip through the regulatory looking glass and our resulting decision to become more transparent about our inspections. While we undertook revisions to our inspection reports, there are more lessons to be learned and additional ways to make these reports useful to investors and those who rely on them.
I'll begin by telling you those "Impossible Things to Know Before Breakfast," those things that an investor should understand about PCAOB inspections. Then I'll relate how the first Board created the early reports and came up with a framework for the information to be included, a framework that resulted in disclosure of some findings from an inspection but left others on the cutting room floor.
Next I'll talk about our decision to revisit one of these early decisions and, while perhaps "Late for a Very Important Date," how, after 15 years, we decided to alter the content of these reports to make them more useful to investors and the public.
Finally, in what may seem "Curiouser and Curiouser," I will discuss other aspects of the reports that went unchanged and would benefit from additional discussion. And as "No Fish Would Go Anywhere Without a Porpoise," I will end by talking about how decisions to disclose additional data should always be accompanied by thoughts about increasing accessibility.
Impossible Things to Know Before Breakfast: What Investors Should Understand About Inspections
As you know, public companies and broker-dealers registered with the SEC must obtain an independent audit of their financial statements from a firm registered with the PCAOB. Our inspections program looks over the shoulder of the auditors. I have observed a number of these inspections in person. The fieldwork conducted by PCAOB inspectors is intense and professional and can last anywhere from a few days to a few weeks depending on the size and complexity of the engagement.
We typically inspect over 160 firms that audit issuers and 60 or so firms that audit broker-dealers each year. We inspect annually the firms that issue audit reports with respect to more than 100 issuers in the prior year.[4] Many of these firms have a global presence with affiliates all over the world. We inspect those affiliates as well, visiting approximately 30 different countries each year.[5] Smaller firms, those that do not audit more than 100 issuers in any of the three prior years, must be inspected on at least a triennial basis.[6]
With each inspection, we don't usually look at every audit engagement undertaken by the firm.[7] Instead, we select a handful of public company engagements based on a risk assessment that also can factor in market capitalization and random selection. For the largest firms, we examine around 50 to 55 of their public audits each year.[8]
In conducting an inspection, our teams typically focus on high-risk areas of the audit.[9] When examining the relevant areas, we may review the relevant SEC filings and other sources of public information (a category that can include news articles and the company's press releases and quarterly earnings calls), as well as the work papers and related documentation. The teams may also interact with the audit engagement team.[10] To the extent the audit firm attests to a public company's internal control over financial reporting (ICFR), we may consider some of this work as well.[11]
The inspection does more than examine the audit evidence supporting an opinion on the financial statements or the internal control over financial reporting. The inspection team also assesses compliance with other standards. For example, depending upon the audit engagement, we may look at communications with the audit committee or the fraud inquiries undertaken by the firm. Further, our inspection teams may assess compliance with our new disclosure standards, such as the auditor's reporting on certain audit participants[12] and communicating critical audit matters.[13] The inspection team also may review the role of the engagement quality reviewer.[14]
Down the Rabbit Hole: Creating the First Report Card
Once we have completed an inspection of a firm, we issue a public report. Decisions were made in the early days of the PCAOB that the public portion of an inspection report would include only the most serious categories of deficiencies.[15] Our reports, therefore, have largely been limited to findings that were "of such significance" that the firm was considered to have "issued an opinion without obtaining sufficient appropriate audit evidence that the financial statements were free of material misstatement and/or the issuer maintained effective ICFR."[16] In other words, the reported deficiencies had to be so serious that, in our view, the audit firm could not provide reasonable assurance that the financial statements were free from material misstatement due to error or fraud.
The public report includes some but not all of our findings from an inspection.[17] Other inspection findings were left on the cutting room floor or not included in the public portion of the report. Firms typically learned about these deficiencies, either directly from the inspection team or when discussed in the non-public portion of the report. Investors and the public, in contrast, were either not made aware of the deficiencies or sometimes made aware in anonymized reports that did not identify the audit firm where the deficiency occurred.[18]
I'm Late, I'm Late for a Very Important Date: PCAOB's Inspection Report Card 2.0
These early content decisions remained in place for more than a decade.[19] In June 2020, we issued new inspection reports for the six largest firms using a revised template. The new format seeks to improve readability and accessibility by making greater use of plain English, reducing jargon, including an executive summary, and providing comparative charts and tables.
We have also for the first time "characterized" the inspection findings[20] using a relatively objective but modest classification system.[21] We clustered the audits inspected by the PCAOB into three categories: (1) those that included an accounting violation (e.g., U.S. GAAP or IFRS) that resulted in a restatement or the withdrawal or modification of an ICFR report;[22] (2) those that involved multiple deficiencies;[23] or (3) those with a single deficiency.[24]
In my view, and recalling Justice Louis Brandeis' admonition that sunlight is the best disinfectant,[25] our most important step with respect to the revised template was the addition of a new section that provides greater transparency on our inspection process and the quality of audits.
In addition to the traditional category of findings that we have always disclosed,[26] a new Part I.B includes additional deficiencies that have previously been missing from public reports. The June 2020 reports reveal a number of instances where audit firms did not comply with our rules that were unrelated to the sufficiency and appropriateness of audit evidence or ICFR testing. Examples of this new information include:
- The failure to make certain required communications to the audit committee;
- The failure to make required inquiries of the audit committee concerning fraud;
- The failure to lock down a complete and final set of audit documentation within the required time frame;
- The failure to file an accurate or timely Form AP, the form that requires disclosure of the engagement partner and the other firms used in the audit;[27] and
- The failure to document discussions with audit committees about the audit firm's independence, including the potential effects of certain permissible tax services.
We also specified the number of audit engagements where a deficiency occurred based upon the review.
In short, the new Part I.B says more about the type and number of deficiencies uncovered during the inspection. In doing so, the new report gives investors and the public additional insight, or sunlight, into the quality of audits performed by audit firms.
I think it is safe to say that the contents of this section may change as our framework continues to evolve. The creation of a new section may provide all kinds of interesting possibilities. I encourage all interested investors and the public to share with us their thoughts on what this section might include.
Moreover, new Part I.B may also increase investor awareness about our inspection process. A lack of disclosure in Part I.B of deficiencies under a standard that is particularly important to investors may occur because no issue is uncovered during the inspection process, because we don't disclose those types of deficiencies, or because we don't review compliance with that particular standard. After more experience with Part I.B, investors may have questions about whether our inspections process adequately focuses on those standards that do not concern the sufficiency or appropriateness of audit evidence that they consider to be of particular importance.
It's No Use Going Back to Yesterday: The Future of PCAOB's Inspection Reports
The addition of Part I.B is an important step forward. It reflects a willingness to reexamine decisions made in the early days of the PCAOB. More, however, can be done to improve the quality of these reports and to make the information easier to integrate into investment and voting decisions.
There are a number of areas that would benefit from reevaluation and additional discussion. I want to suggest three of them:
(1) revealing the identity of the public companies where audit deficiencies occurred;
(2) describing a firm's system of quality control; and
(3) improving the accessibility of PCAOB data.
Curiouser and Curiouser…
In the early days of standing up the PCAOB,[28] the Board opted to omit from the inspection report, apparently with some disagreement,[29] the identity of any specific issuer where a deficiency occurred.[30] Instead, the PCAOB anonymized the names by using alphabetic references.[31] Our new template continues to rely on this early protocol.[32]
The anonymization of issuer names has significant consequences with respect to the relevance and usefulness of our reports.
First, audit committees, in their oversight role, may never know about the deficiencies uncovered during an inspection. Audit committees may ask, and audit firms may answer, but this is not required.[33] Without disclosure of the identity of the issuer in the public portion of the report, therefore, audit committees may be denied important information in exercising effective oversight.[34]
Second, investors making investment decisions or resolving voting matters at public companies will not know about possible concerns over the quality of the audit where the deficiency occurred.
The information is also relevant in the communication process between investors and directors. Investors know that a deficiency in an audit does not necessarily mean that the financial statements were wrong. At the same time, however, the matter may spur discussions about audit quality and audit oversight.
Third, the information about a deficiency by an affiliate audit firm used by the lead auditor in a group audit may not be known to the lead auditor.[35] The affiliate may voluntarily inform the lead auditor or someone from the global network may attend the inspection, become aware of the deficiencies, and communicate them to the lead auditor. But this is neither required nor guaranteed. Identifying the issuer in the inspection report would ensure that the lead auditor learns of the deficiencies.
Fourth, the inability to identify the issuer reduces the value of the information to academics.[36] Academics mine public data and develop observations about audit quality. They can provide a sort of a report card on the effectiveness of the PCAOB, including our inspection and enforcement programs.[37] They can also provide insights that can be used to conduct inspections, augment or amend the standards, or otherwise exercise oversight in an appropriate and cost-effective manner. Without disclosure of the identity of the issuer, we lose the benefits of this free and insightful research.
Nondisclosure is also an uncomfortable place to be for an organization charged with promoting audit quality for the benefit of investors and the public. We are keeping the information secret even though disclosure could positively affect audit quality. Let's face it. No firm wants a report that publicly identifies deficiencies in a particular client's audit. The main way to avoid this is for the firm to reduce the number of deficiencies.[38]
Finally, the potential "harm," if any, from disclosure to issuers seems negligible. Our deficiency determinations are not based upon a finding of problems with the underlying financial statements.[39] Disclosure that a firm had deficiencies in an audit of a specific company, therefore, does not automatically raise issues with the financial statements of the company. Moreover, this type of disclosure frequently occurs in SEC enforcement actions with little apparent harm.[40]
To the extent we were to reconsider our determinations in this area, there are a variety of possible approaches that could be taken.
First, the PCAOB could disclose in the inspection reports the identity of issuers where the audit deficiencies occurred.
Second, the PCAOB could disclose in the inspection report for each firm a complete list of the issuers whose audits were inspected that year.
Third, we could at least publish on a regular basis (every three years, for example), a list of all public companies whose audits are inspected. This would at least provide insight into our engagement selection process and provide greater accountability to investors and other stakeholders.
"Who am I? Now that's the Great Puzzle": An Audit Firm's System of Quality Control
As we know, the key to sustained quality is a robust system of quality control. The safety of our planes, the quality of our medicine, and the health of our food supply depend upon the system of quality control. Unfortunately, the public portion of the PCAOB's inspection reports does not address the system of quality control implemented by the audit firm.
We are statutorily prohibited from disclosing "criticisms of or potential defects" in a firm's system of quality control unless the audit firm fails to remediate the deficiency within 12 months after the Board issues the report.[41] So long as we don't cross that line in our public reports, we are allowed under our enabling statute to talk about other quality control matters. The fact that we do not is, therefore, a policy decision.
In certain respects, ironically, a decision to address the system of quality control in an inspection report would entail a return to the past. In the first set of reports issued by the PCAOB with respect to the Big Four in 2004, we examined certain attributes of a firm's system of quality control and included our observations.[42] In addition, the reports also discussed "the consistency with which the practice offices applied the policies and procedures established by the national office, and evaluated whether communication from the national office were effective and were reinforced within the practice offices."[43]
In ultimately deciding to drop discussions of these systems from the public portion of the report, the Board did so for practical reasons.[44] As the Board explained at the time:
This limitation [in the statute] has led the Board to decide, as a policy matter, that the public portion generally will also not include any other discussion of a firm's quality control systems. The Board is concerned that discussing aspects of a firm's quality controls, in a context where criticisms and potential defects cannot be discussed, may create a distorted and misleading impression.[45]
With significant additional experience and feedback from investors, we have perhaps arrived at the moment when we should consider whether to revisit this decision. Certainly, investors have, in connection with our concept release,[46] asked for greater transparency about a firm's system of quality control.[47] Additional transparency could come directly from the relevant firm. In addition, the PCAOB could also contribute to the increase in transparency through discussions in the public portion of the inspection report. The logistical problems expressed in 2004, it seems to me, are surmountable.
Including disclosure about an audit firm's system of quality control would have the added benefit of conforming with what Congress intended in adopting the Sarbanes-Oxley Act. Under the statute, a firm is expressly required to describe, as part of its registration process, the quality control policies for its accounting and auditing practices.[48] The disclosure in the registration application can, with time, become out of date and stale.[49] Public disclosure of updated information on a firm's quality control policies in an inspection report, therefore, would help provide investors and the public with more current information as the system of quality control evolves over time.
No fish would go anywhere without a porpoise: Data Accessibility
What we disclose is important, and so is the ease of accessing and analyzing the information. The PCAOB is in a unique position to provide useful information and data about audit firms to investors, audit committees, preparers, and the public. Our website publishes a collection of different types of information relating to registered audit firms and their associated persons. This includes information provided by audit firms, whether the initial registration applications, annual and special reports, and the forms filed following completion of each engagement disclosing the other auditor and identifying the engagement partner on Form AP. In addition, the PCAOB posts inspection reports and enforcement cases.
Accessing this information could be easier. We made important progress in improving data accessibility with the launch of the AuditorSearch database.[50] With the structured data, download feature and other functions, this resource is user-friendly and facilitates public access and research. AuditorSearch, however, is limited to Form AP data only and does not incorporate the other PCAOB regulatory data on our website.
Currently, registration applications, annual and special reports, inspection reports, and enforcement matters are all posted in PDF format. They are unstandardized and lack clear identifiers, which often requires time-consuming manual review. In addition, different types of regulatory information (i.e., registration, inspection, and enforcement) are scattered among different databases on our website. As a result, searches can take an investor considerable time and effort.
Simplifying and centralizing access to the PCAOB's public data would enhance accessibility and further investor knowledge on audit quality. There are several potential ways to improve.
First, we could create an integrated database for all of the PCAOB's public regulatory data. This database would incorporate all of our registration, inspection, and enforcement data. It would allow investors to conduct advanced searches to obtain all relevant information relating to a firm through a centralized search feature.
Second, we could make the data available in a structured format that facilitates research and analysis.
Third, we could include a download feature that would facilitate the use of the database by those conducting research.
"We must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that."
Our new template for inspection reports represents a meaningful step forward in providing more information about audit quality. Taken together with our disclosure standards for audit firms – including the audit firm's tenure, the name of the engagement partner, and the inclusion in audit reports of critical audit matters – the revised approach demonstrates a serious commitment by the PCAOB to improve the quality of information available to investors and the public.
We are making progress but we should keep pushing forward. The content of inspection reports should evolve with changed circumstances and the needs of investors. In deciding how to do this going forward, we need to hear from investors and the public. For example, we describe Part I.B as including "other instances of non-compliance." That's an amorphous description. Help us determine those "other instances."
In addition, as I have discussed, there are other types of information that could be added, whether the identities of the relevant issuers or information about quality control matters. Your thoughts on how to improve the quality of inspection reports are very much needed. They will help in any future discussions by the Board and the staff at the PCAOB on additional ways to make these reports more useful.
Thank you for listening. Again, CFA Institute members have always provided thoughtful and meaningful insights to regulators. I look forward to furthering our relationship.
[1] Board Member, Public Company Accounting Oversight Board, see PCAOB, J. Robert Brown, Jr. (available at https://pcaobus.org/About/Board/Pages/J-Robert-Brown.aspx). This speech is based upon remarks given to the Corporate Disclosure Policy Council and the Capital Markets Policy Council of the CFA Institute on July 23, 2020, at a virtual session. I want to thank Austin McComb, an intern in my office during the summer of 2020, for his valuable work on this speech.
[2] See DeFond & Zhang, A Review of Archival Auditing Research, 58 J. Acct. & Econ. 275-326 (2014) (defining audit quality as "greater assurance of high financial reporting quality").
[3] PCAOB, PCAOB Issues Six Largest U.S. Firm Inspection Reports in New User-Friendly Format, Guide to Reading Reports, June 1, 2020 (available at https://pcaobus.org/News/Releases/Pages/PCAOB-issues-six-largest-US-firm-inspection-reports-new-user-friendly-format-guide-to-reading-reports.aspx).
[4] We inspected 12 such firms in 2019. See PCAOB, Inspected Firms (available at https://pcaobus.org/Inspections/Pages/InspectedFirms.aspx).
[5] See PCAOB, Firm Inspection Reports (available at https://pcaobus.org/Inspections/Reports/Pages/default.aspx) (showing affiliates inspected when filtering for "international" and by year). See also PCAOB, 2018 Annual Report, at 3 (available at https://pcaobus.org/About/Administration/Documents/Annual%20Reports/2018-PCAOB-Annual-Report.pdf).
[6] See Inspected Firms, supra note 4. We can and do sometimes inspect the smaller firms on a more frequent basis.
[7] PCAOB, PCAOB Inspection Procedures: What Does the PCAOB Inspect and How Are Inspections Conducted? (available at https://pcaobus.org/Inspections/Pages/PCAOB-inspection-procedures-what-does-PCAOB-inspect-how-inspections-conducted.aspx).
[8] See, e.g., PCAOB, Release No. 104-2020-009: 2018 Inspection, Ernst & Young LLP, at 4 (Apr. 28, 2020) (available at https://pcaobus.org/Inspections/Reports/Documents/104-2020-009-Ernst-Young-LLP.pdf).
[9] See PCAOB Inspection Procedures, supra note 7 (stating that the inspection team "generally focuses our attention on audit areas we believe to be of greater complexity, areas of greater significance or with a heightened risk of material misstatement to the issuer's financial statements, and areas of recurring deficiencies").
[10] See PCAOB Inspection Procedures, supra note 7.
[11] 15 U.S.C. § 7262.
[12] PCAOB, Form AP — Auditor Reporting of Certain Audit Participants (available at https://pcaobus.org/Rules/Pages/Form-AP-Instructions.aspx).
[13] PCAOB, AS 3101: The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion, at ¶ .13 (available at https://pcaobus.org/Standards/Auditing/Pages/AS3101.aspx) (requiring auditors to disclose critical audit matters in their reports). See also PCAOB, Staff Guidance, Implementation of Critical Audit Matters: A Deeper Dive on the Communication of CAMs, May 22, 2019 (available at https://pcaobus.org/Standards/Documents/Implementation-Critical-Audit-Matters-Deeper-Dive-Communication-of-CAMs.pdf).
[14] PCAOB, AS 1220: Engagement Quality Review, at ¶ .04 (available at https://pcaobus.org/Standards/Auditing/Pages/AS1220.aspx) (requiring that engagement quality reviewers must have "competence, independence, integrity, and objectivity"). The engagement quality reviewer has a crucial role in the audit process by determining whether the engagement team was sufficiently responsive to significant risks and supporting the findings of the engagement team where appropriate. Id. at ¶ .09-11.
[15] The first reports for the Big Four did not follow what would become the standardized report. See, e.g., PCAOB, Release No. 104-2004-005: Report on 2003 Limited Inspection of PricewaterhouseCoopers LLP (Aug. 24, 2004) (available at https://pcaobus.org/Inspections/Reports/Documents/2003_Pricewaterhouse_Coopers.pdf) ("In those inspections, the Board identified significant audit and accounting issues that were missed by the firms, and identified concerns about significant aspects of each firm's quality controls systems").
[16] The Board issued a statement explaining the content of inspection reports in 2004. See PCAOB, Release No. 104-2004-001: Statement Concerning the Issuance of Inspection Reports (Aug. 24, 2004) (available at https://pcaobus.org/Inspections/Documents/Statement_Concerning_Inspection_Reports.pdf). See also PCAOB, Release No. 2007-010: Report on the PCAOB's 2004, 2005, and 2006 Inspections of Domestic Triennially Inspected Firms (Oct. 22, 2007) (available at https://pcaobus.org/Inspections/Documents/2007_10-22_4010_Report.pdf) ("The discussion in this report of any deficiency observed in a particular audit reflects information reported to the Board by the inspection team and does not reflect any determination by the Board as to whether the Firm has engaged in any conduct for which it could be sanctioned through the Board's disciplinary process"); PCAOB, Release No. 2012-003: Information for Audit Committees About The PCAOB Inspection Process (Aug. 1, 2012) (available at https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf) ("Part I – describes audit deficiencies where inspection staff found that the auditor failed to gather sufficient audit evidence to support an audit opinion").
[17] In determining the content of these reports, we are constrained by our enabling statute. We are not allowed to make public any "criticisms of or potential defects in" a firm's system of quality control unless the firm fails to remediate the deficiencies to the satisfaction of the Board within 12 months after issuance of a report. 15 U.S.C. § 7214(g)(2). For a list of the firms where all or portions of the criticisms of or potential defects in a firm's system of quality control were disclosed, see PCAOB, Firms that Failed to Address Quality Control Criticisms Satisfactorily (available at https://pcaobus.org/Inspections/Reports/Pages/FirmsFailedToAddressQCSatisfactorily.aspx). As a result, unless the firm fails to satisfactorily address the quality control criticism, this type of information is generally seen only by the firm and other regulators.
[18] The Board sometimes issues reports under Rule 4010. See PCAOB, Rule 4010 (available at https://pcaobus.org/Rules/Pages/Section_4.aspx) (providing that "the Board may, at any time, publish such summaries, compilations, or other general reports concerning the procedures, findings, and results of its various inspections as the Board deems appropriate"). For a list of such reports, see PCAOB, Board General Reports and Statements (available at https://pcaobus.org/Inspections/Pages/PublicReports.aspx). The staff also may issue anonymized reports. For example, in 2018 staff observed that a common audit deficiency was that "[a]uditors did not test the accuracy and/or completeness of company data used to determine the fair value [of their financial instruments]." PCAOB, Staff Inspection Brief, May 6, 2019, at 4 (available at https://pcaobus.org/Inspections/Documents/Staff-Preview-2018-Inspection-Observations.pdf). Further, a staff inspection brief issued in 2016 discussed concerns with "deficiencies with engagement quality reviews." PCAOB, Staff Inspection Brief (Apr. 2016) (available at https://pcaobus.org/Inspections/Documents/Inspection-Brief-2016-1-Auditors-Issuers.pdf#search=staff%20inspection%20brief) (In some cases, the Inspection Staff found that the EQR "did not perform the review required with due professional care. For example, some reviewers may have conducted the review through discussion without reviewing audit documentation" or "satisfy the 'cooling off' qualification requirement, because of having served as engagement partner on the audit in one or both of the two preceding audits").
[19] Incremental changes to the reports have been made over time. Early reports for smaller firms did not break down deficiencies by issuer. In 2013, the reports began to include citations to the specific standard implicated by a deficiency. The following year, the PCAOB added, for the largest firms, the industry of the issuer where the deficiency occurred. See, e.g., PCAOB, Release No. 104-2015-122: 2014 Inspection of PricewaterhouseCoopers LLP, (June 30, 2015) (available at https://pcaobus.org/Inspections/Reports/Documents/2015_PwC.pdf).
[20] Until the implementation of this approach, we would rank issuers based upon the perception of the significance of the deficiencies. As we state in our inspection reports: "Issuer audits are generally presented in the order of significance of the deficiencies identified in the inspections of those audits; severity is assessed based on extent of the deficiencies identified in the audit, financial statement accounts affected, and/or potential consequences of the audit deficiency." Thus, from the perspective of the PCAOB, Issuer A had the most serious deficiencies while the last issuer had the least serious deficiencies. Our new classification changes this approach.
[21] The system is, at best, a modest effort at categorizing our findings. We have not tried to subjectively determine the seriousness of each separate deficiency. Nor have we attempted to assign a score that could become a shorthand for quality. Nonetheless, the framework does provide a method of differentiating the findings.
[22] PCAOB, Release No. 104-2020-008: 2018 Inspection, Deloitte & Touche LLP, at 12 (Apr. 28, 2020) (available at https://pcaobus.org/Inspections/Reports/Documents/104-2020-008-Deloitte-Touche-LLP.pdf) ("This classification includes instances where an audit deficiency was identified in connection with our inspection and, as a result, an issuer's financial statements were determined to be materially misstated, and the issuer restated its financial statements. It also includes instances where an audit deficiency was identified in connection with our inspection and, as a result, an issuer's ICFR was determined to be ineffective, or there were additional material weaknesses that the firm did not identify, and the firm withdrew its opinion, or modified its report, on ICFR").
[23] PCAOB, Release No. 104-2020-011: 2018 Inspection, KPMG LLP, at 11 (Apr. 28, 2020) (available at https://pcaobus.org/Inspections/Reports/Documents/104-2020-011-KPMG-LLP.pdf) ("This classification includes instances where multiple deficiencies were identified that related to a combination of one or more financial statement accounts, disclosures, and/or important controls in an ICFR audit.").
[24] PCAOB, Release No. 104-2020-012: 2018 Inspection, PricewaterhouseCoopers LLP, at 11 (Apr. 28, 2020) (available at https://pcaobus.org/Inspections/Reports/Documents/104-2020-012-PricewaterhouseCoopers-LLP.pdf) ("This classification includes instances where a single deficiency was identified that related to a financial statement account or disclosure or to an important control in an ICFR audit.").
[25] Louis Brandeis, Other People's Money And How the Bankers Use It 92 (1914) (available at https://archive.org/stream/otherpeoplesmone00bran#page/n7/mode/2up).
[26] See Information for Audit Committees About The PCAOB Inspection Process, supra note 17 ("Part I – describes audit deficiencies where inspection staff found that the auditor failed to gather sufficient audit evidence to support an audit opinion").
[27] Form AP requires disclosure of the name of the engagement partner and the other auditors participating in an audit. Form AP - Auditor Reporting of Certain Audit Participants, supra note 12. That's how one would know, for example, that a firm used another auditor in another country such as China.
[28] In the context of enforcement actions, the PCAOB also made decisions on whether to disclose the names of issuers in the settled orders. See J. Robert Brown, Jr., Board Member, PCAOB, Issuer Disclosure in Settled Enforcement Actions at the PCAOB (Sept. 6, 2019) (available at https://pcaobus.org/News/Speech/Pages/Brown-Issuer-Disclosure-in-Settled-Enforcement-Actions-at-the-PCAOB.aspx) (stating that "the violation of our documentation standards or the failure to cooperate" would not lead to the disclosure of an issuer's identity in settled orders).
[29] David Hilzenrath & Nicholas Trevino, How an Agency You've Never Heard of Is Leaving the Economy at Risk, POGO, Sept. 5, 2019 (available at https://www.pogo.org/investigation/2019/09/how-an-agency-youve-never-heard-of-is-leaving-the-economy-at-risk/) ("Kayla Gillan, one of the first board members, told POGO that [disclosure of the issuer] was a matter of interpretation on which the original board was divided. Gillan said she favored disclosure. The SEC, which held sway, opposed naming the affected companies and worried that naming them would hurt their stock prices, Gillan said").
[30] Release No. 104-2004-001: Statement Concerning the Issuance of Inspection Reports, supra note 16 ("In the context of an inspection report, the Board generally will maintain as nonpublic any otherwise nonpublic information that the Board obtained concerning the firm or its clients (except where disclosure is incident to disclosure of a quality control defect that the firm has not addressed to the Board's satisfaction). This restriction, however, does not prevent the Board from publicly describing its observations about apparent failures or deficiencies in a firm's actual performance of audits (discussed in section B below). So while the public portion of inspection reports will generally include discussion of observations arising out of the review of specific audit engagements, the reports will not identify the issuers in question").
[31] Reports of the largest firms used this configuration first. Reports of the smaller firms followed this approach in later years.
[32] There are statutory limitations as to what we can include in the public portion of the inspection reports. 15 U.S.C. § 7214(g)(2). In addition, Section 7215(b)(5)(A) provides that "all documents and information prepared or received by or specifically for the Board, and deliberations of the Board . . . in connection with an inspection . . . or with an investigation shall be confidential and privileged as an evidentiary matter" and must remain confidential until "presented in connection with a public proceeding". § 7215(b)(5)(A). The provision appears designed primarily to protect confidential information received from audit firms. See S. Rep. No. 107-205, at 9 (July 3, 2003) ("The reports will also be made public, subject to appropriate protection of confidential or proprietary information"). See also id. at 10 ("Under the bill, any information gathered in the course of an investigation is to be confidential and privileged for all purposes (including civil discovery), unless and until particular information is presented in connection with a public proceeding"); On the Legislative History of the Sarbanes-Oxley Act of 2002: Accounting Reform and Investor Protection Issues Raised by Enron and Other Public Companies, Hearings Before the S. Comm. on Banking, Hous., and Urban Aff., 107th Cong., at 684 (Mar. 6, 2002) (statement of Shaun F. O'Malley, Chairman, 2000 Public Oversight Board Panel on Audit Effectiveness (O'Malley Commission); Former Chairman, PricewaterhouseCoopers; Past President, Financial Accounting Foundation) ("In this regard, if the new body is created by statute, the Congress should provide statutory confidentiality protection for the materials, interviews, and findings developed as part of the new organization's peer review, investigatory, and disciplinary functions"). The list of issuers that we inspect is something we create from a wide array of information and includes some selected randomly. 
Moreover, firms already disclose their clients in the annual report filed with the PCAOB on Form 2. The statute does not, therefore, appear to prohibit our disclosure of the identity of issuers where a deficiency occurred. The legislative history makes this clear. See S. Rep. No. 107-205, at 58 (July 3, 2003) ("Corporate managers and others affected by the bill are already subject to extensive reporting requirements under the federal securities laws"). Finally, we effectively identify and acknowledge an ongoing inspection when we interview directors on the audit committee. See S. Rep. No. 107-205 infra note 43.
[33] See Release No. 104-2004-001: Statement Concerning the Issuance of Inspection Reports, supra note 16 ("the Board does not view the statutory provisions [Sections 104(g) and 105(b)(5)(A)] as restricting a registered public accounting firm from disclosing any portion of a report"). See also Information for Audit Committees About The PCAOB Inspection Process, supra note 16 ("The audit firms themselves have copies of this part of the report and are not prohibited by law from releasing this information at any time, though there may be other reasons they decline to do so").
[34] Audit committees may be left unaware of deficiencies in their own audits unless told by their auditor on a voluntary basis. See Information for Audit Committees About The PCAOB Inspection Process, supra note 16.
[35] See generally PCAOB, AS 1305: Communications About Control Deficiencies in an Audit of Financial Statements (available at https://pcaobus.org/Standards/Auditing/Pages/AS1305.aspx).
[36] Academics are less able to conduct research on inspection results. See Daniel Aobdia, The Impact of the PCAOB Individual Engagement Inspection Process – Preliminary Evidence 11 (PCAOB 2016) (available at https://pcaobus.org/News/Events/Documents/10222015_CEA/Impact-of-PCAOB-Inspection-Process-Aobdia.pdf) ("The Part I Finding pinpoints the area of the audit where the engagement team failed to gather sufficient evidence to support their opinion. However, the name of the issuer is masked. In addition, the specific engagements selected for inspection are not publicly disclosed. Consequently, an important part of the inspection process is not disclosed to the public and only aggregate inference can be made with publicly available data").
[37] See, e.g., Hilzenrath, supra note 29; Colleen Honigsberg, The Case for Individual Audit Partner Accountability, 72 Vand. L. Rev. 1871 (2019); Katherine A. Cody, Critical Audit Matters: Improving Disclosure Through Auditor Insight, 18 U.C. Davis Bus. L.J. 259 (2018); Jacqueline Nutile, XII. Auditing Update: Academic Study and the PCAOB's Report on Engagement Quality Review, 33 Rev. Banking & Fin. L. 535 (2014).
[38] Blanking out issuers also raises fairness concerns. For firms with only a small number of issuer clients, the identity of the relevant issuers may be easy to surmise. Audit firms must file an annual report with the PCAOB disclosing the issuers that they audit. See PCAOB, Form 2 - Annual Report Form, Item 4.1 (available at https://pcaobus.org/Rules/Pages/Form_2.aspx).
[39] Our findings are conclusions based upon aspects of the audit. See Release No. 104-2020-010: 2018 Inspection, Grant Thornton LLP, at 3 (Apr. 28, 2020) (available at https://pcaobus.org/Inspections/Reports/Documents/104-2020-010-Grant-Thornton-LLP.pdf) ("When we review an audit, we do not review every aspect of the audit. Rather, we generally focus our attention on audit areas we believe to be of greater complexity, areas of greater significance or with a heightened risk of material misstatement to the issuer's financial statements, and areas of recurring deficiencies. We may also select some audit areas for review in a manner designed to incorporate unpredictability").
[40] See generally SEC, Division of Enforcement, Enforcement Manual (available at https://www.sec.gov/divisions/enforce/enforcementmanual.pdf).
[41] See also S. Rep. No. 107-205, at 48 (available at https://www.congress.gov/congressional-report/107th-congress/senate-report/205) ("Portions of an inspection report which deal with criticisms of or potential defects in the quality control systems of a firm will not be made public if the defects are addressed to the satisfaction of the Board within 12 months of the date of the report. In certain cases interim Commission review of certain inspection-related disputes is available").
[42] See, e.g., PCAOB, Release No. 104-2004-005, Report on 2003 Limited Inspection of PricewaterhouseCoopers LLP (Aug. 26, 2004) (available at https://pcaobus.org/Inspections/Reports/Documents/2003_Pricewaterhouse_Coopers.pdf) ("The staff conducted its review of the seven functional areas primarily at PwC's national office, but also completed certain procedures at the four practice offices. . . . These actions were performed in order to understand PwC's policies and processes in the seven functional areas, evaluate their design and operation, and test compliance on a limited basis with those policies and procedures").
[43] PCAOB, Release No. 104-2004-002, 2003 Limited Inspection of Deloitte & Touche LLP, 16-18 (Aug. 26, 2004) (available at https://pcaobus.org/Inspections/Reports/Documents/2003_Deloitte_and_Touche.pdf) ("[S]ome of the audit engagements reviewed were found to involve some degree of departure from PCAOB standards or Deloitte's own quality control policies"); PCAOB, Release No. 104-2004-003, 2003 Limited Inspection of Ernst & Young LLP, 16-18 (August 26, 2004) (available at https://pcaobus.org/Inspections/Reports/Documents/2003_Ernst_and_Young.pdf).
[44] Release No. 104-2004-001: Statement Concerning the Issuance of Inspection Reports, supra note 16.
[45] Release No. 104-2004-001: Statement Concerning the Issuance of Inspection Reports, supra note 16.
[46] PCAOB, Docket 046: Quality Control, Dec. 17, 2019 (available at https://pcaobus.org/Rulemaking/Pages/docket-046-quality-control.aspx).
[47] PCAOB, Comment Letters for Docket 046 (available at https://pcaobus.org/Rulemaking/Pages/Docket046Comments.aspx).
[48] See 15 U.S.C. § 7212(b)(2)(C). Part IV of Form 1, the form that an audit firm is required to file publicly with the PCAOB when it applies for registration, requires a firm to furnish a description of the quality control policies for its accounting and auditing practices, including procedures used to monitor compliance with independence requirements. PCAOB, Form 1 - Application for Registration, Part IV (available at https://pcaobus.org/Rules/Pages/Form_1.aspx).
[49] Under the Sarbanes-Oxley Act and the PCAOB rules, a registered public accounting firm is required to submit an annual report to the PCAOB to update the information contained in its application for registration and any additional information as the PCAOB or the SEC may specify. See 15 U.S.C. § 7212(d); PCAOB, Rule 2200: Annual Report (available at https://pcaobus.org/Rules/Pages/Section_2.aspx). The Annual Report on Form 2 does not, however, require a firm to update information on the firm's quality control policies and procedures. That is not true for other portions of the registration statement. The application also must include information about professional staff, which must be updated on a Form 2, and information about disciplinary proceedings, which must be updated on a Form 3. See § 7212(b)(2); PCAOB, Form 3 - Special Reporting Form (available at https://pcaobus.org/Rules/Pages/Form_3.aspx).
[50] PCAOB, AuditorSearch (available at https://pcaobus.org/Pages/AuditorSearch.aspx).