Progress and Evolution in Audit Oversight to Protect Investors and the Public Interest

I am honored to be here today at the 15th Annual Financial Reporting Conference, sponsored by the Robert Zicklin Center for Corporate Integrity. I congratulate Baruch College and the Zicklin Center for hosting this conference focused on current developments in financial reporting and auditing. Clearly, reliable financial reporting and high quality auditing are critical to investor protection and the overall integrity of our capital markets and financial system.

The last time I spoke at this conference was in 2012, when I was nine weeks into my term as Board Member at the PCAOB. I am very happy to be back, four years later, to provide an update on key mission activities at the PCAOB, along with some of my thoughts on the potential future direction for some of those activities.

Before I go further, let me say that the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.

Today, one of the big questions about audit oversight and audit quality is, "Are we there yet?" This is one that I'd like to talk about today because audit quality has improved.

Generally, audit firms have made significant improvements, and PCAOB inspections have helped drive those improvements.

Let me be clear that I think the firms have a way to go in strengthening their quality control systems and their own monitoring to prevent audit deficiencies. But we should hold firms to this standard. Investors would benefit if firms can up their game and strengthen quality control to prevent audit deficiencies in the first place.

As we see improvements in audit quality, we should never be complacent and think that the job is done; that we have made sufficient progress or completed the necessary actions to achieve and maintain high quality into the future. But we should also recognize that improvement has been made and consider the impact of those improvements on the approach to audit oversight going forward.

So maybe the correct question is, "What's next?"

In my view, as the firms make progress in improving audit quality we need to consider how our inspection approach should also adapt and evolve. In that regard, we are currently exploring the potential for more random selections of audits and audit areas to inspect.

Also, in my optimistic view, we could see a time when a large firm improves its quality control system so that it prevents audit deficiencies. In such a scenario, a PCAOB inspection could change its focus from the current detailed level of inspecting aspects of individual audits to looking more deeply at that quality control system that is so critical for supporting and maintaining high audit quality. Such an approach could be highly efficient and effective at catching quality control weaknesses early, with a focus on preventing audit deficiencies. This is an aspiration at this point, albeit a worthy and achievable one.

I will discuss both of these inspections scenarios in more detail later.

I am also happy to say that we are currently embarking on a major effort to improve the efficiency and effectiveness of our standards setting approach. Our enforcement program also continues to evolve.

PCAOB's Mission and Progress

As you know, in response to a serious loss of confidence in the role and performance of auditors as gatekeepers in the system of public company financial reporting, the PCAOB was established by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies in order to protect the interests of investors and further the public interest.

The PCAOB began its operations in 2003, and its authority was expanded by the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010 to regulate auditors of SEC-registered brokers and dealers.

The overarching vision of the Board in its first year was "restoring confidence." The Board, with SEC oversight, was responding to a serious crisis of confidence and lack of trust in the capital markets.[1]

As the PCAOB gained experience in developing its programs and tackling key policy matters, it began to refine and evolve its approach. In the recent past, Board members and others have referred to the PCAOB as being a "regulator in adolescence." In my view, the PCAOB is probably trying to emerge from adolescence at this point.

I've seen tremendous progress during my term on the Board, but a number of PCAOB processes and program activities still need refinement.

Audit Quality

While the PCAOB continues to evolve, it remains steadfastly focused on protecting investors and advancing the auditing profession's service to the public trust.

It is clear that audit quality has significantly improved since the passage of the Sarbanes-Oxley Act and the implementation of audit regulatory oversight in the U.S. and around the world. But there is still need for improvement. The larger firms are at different points on this journey, and unfortunately, we still find a number of smaller firms each year that just don't get it.

PCAOB's Director of Registrations and Inspections (DRI), Helen Munter, reported last year that, overall audit quality is "better" after 13 years. She also described areas in which we've seen improvements and areas where challenges remain.[2]

Director Munter identified five key areas where we have seen firms improve: firm leaders' "tone at the top;" targeted and focused training; new practice aids and checklists; coaching and support to teams; and monitoring the quality of work performed. However, she also reported five areas that continue to be challenging for firms with further improvements needed: recurring audit deficiencies in certain key areas; the processes at some firms for remediating quality control criticisms identified in PCAOB inspections; implementing and maintaining "root cause analyses" of audit deficiencies throughout firms and their global networks; consistent execution of audit methodology and approach around the globe by networked firms; and monitoring auditor independence issues.

Inspection results represent an important indicator about where firms are in their journeys to improve audit quality. And although audit deficiencies remain high overall, I'm encouraged by the scope of remediation efforts in many firms and the corresponding improvements in quality control.

Current Inspections Status and Approach

There is no doubt in my mind that PCAOB's inspection program has been a strong driver of the improvements that firms have made to their quality control systems in recent years. Those changes are starting to yield results in terms of reduced numbers and severity of audit deficiencies that we detect during our inspections.

For three of the Big 4 firms, the percentage of inspected audits with deficiencies declined from the 2013 to 2014 inspection cycles (those reports were issued in 2014 and 2015 respectively).[3] Our reports on the 2015 inspections will be issued this year and we expect to see a further decrease in findings for the Big 4 firms as a group, with differentiation among individual firms in terms of the number and nature of deficiencies. I also expect to see progress and improvements in the other large firms that we inspect annually.

I am encouraged by the progress I've seen in the remediation efforts in many of the largest firms and the corresponding improvements in quality control. This process takes significant time and effort to yield results and each firm is at a different point in this journey.

For the smaller firms, progress is more nuanced and challenging to gauge across the board, as a different group of firms is inspected each year over the triennial cycle. In addition, each year new firms join this group while others no longer perform work that would require a PCAOB inspection.

PCAOB's inspection approach is generally designed based on a risk-based selection of audits that involves selecting for inspection the audit work on the most difficult or inherently uncertain areas of the financial statements.

The results of these individual inspections, along with a review of certain of the firm's practices, policies, and processes related to managing the audit practice, are used to help identify any systemic quality control problems.

The Board's inspection reports and other communications about inspection results heavily caution that inspection reports are not intended to be representative and are not intended to serve as balanced report cards or overall rating tools.

The non-public portion of a PCAOB firm inspection report (part II) describes any criticisms – systemic weaknesses or potential defects – in the firm's overall system of quality control.[4]

The Board publicly releases any quality control criticisms only if a firm fails to remediate these criticisms to the Board's satisfaction within 12 months of issuance of the inspection report.

The vast majority of registered firms take this remediation process seriously and attempt to fix their quality control weaknesses within that time period.

The Board has publicly disclosed a number of quality control deficiencies, including some for each of the largest audit firms.[5] Through March of this year, the Board has made publicly available quality control criticisms included in 235 inspection reports.

The Board has explained its overarching goal in the current approach to inspections as a remedial one — "Board inspections are designed to identify and address weaknesses and deficiencies related to how a firm conducts audits."[6] The Board has also stated that through the quality control remediation process, it "seeks through constructive dialogue to encourage firms to improve their practices and procedures."[7]

Considerations for Future Inspections

In light of significant improvements that some firms are seeing in their inspection results and related progress in their remedial efforts, we need to ask whether and how the inspection approach could or should evolve to leverage and test those improvements.

One potential change the PCAOB is exploring is selecting audits for inspection on a broader basis than the current risk-based selection approach (potentially random selections). Increasing the selection of audits or audit areas outside of the risk-based selection approach could help us assess firms' compliance with standards in the types of audits and areas that PCAOB inspections have not focused on in the past. This may provide information about how firms' quality control systems are operating across a wider span of issuer audits.

I've heard differing views from various stakeholders about the potential results of inspecting audits outside of the current risk-based selection approach. Some have speculated that the less risky audits may have lower incidences of audit deficiencies due to less complexity inherent in those audits, while others speculate that audit deficiencies could actually be higher in that group due to less focus and attention being placed on those audits by the firms.

Another potential future change could involve evolution in the focus of inspection procedures between inspecting individual audits and testing of a firm's quality control system. Currently, inspection staff assess whether a firm has weaknesses in its quality control system based on the number and types of deficiencies identified in individual audits, combined with the results of testing certain aspects of the quality control system.

In an optimistic scenario of a large firm improving its quality control system so that it is effective in preventing audit deficiencies—in other words if a large firm strengthens its quality control system to the point that it has very few or no Part I audit deficiencies in the individual audits inspected by the PCAOB— then it may make sense to increase the inspection focus on testing the firm's quality control system while potentially decreasing the number of audits inspected. This follows the same theory used in an audit when considering the effectiveness of internal controls in determining the level of substantive testing that is needed.

Such an approach could be highly efficient and effective at catching quality control weaknesses early, with a focus on preventing audit deficiencies. I would see this as a very positive evolution in audit quality and regulatory response. As I said earlier, I must caution that this is aspirational at this point, but all firms should be dedicating themselves to effectively preventing audit deficiencies. In the past, PCAOB inspectors have often discovered systemic quality control problems after-the-fact at individual firms even before the firms did. But I do see a glimmer of hope for getting to the more evolved scenario with the large firms, perhaps one firm at a time, or maybe even two firms at a time.

There are many other things we can do as well, as our inspection function evolves. We can further explore PCAOB reporting approaches and communications about inspections results to provide individual firms, investors, audit committees, and the public with timely and meaningful information about the results of our inspections. In our outreach to audit committees, investors, and others, we continue to hear calls for additional transparency and useful information about inspections.

A final note on inspections-- the staff continues to carry out the PCAOB's interim inspection program for audits of brokers and dealers, analyze results from those inspections, and develop potential approaches for a permanent inspection program for the Board's consideration. The Board hopes to consider a staff proposal by year-end.

Enforcement Program

One of the ways that the Board fulfills its critical mission to protect investors and enhance audit quality is through a dynamic and active enforcement program. The PCAOB's enforcement program works to protect investors by identifying appropriate matters for Board disciplinary action and, where appropriate, seeking fair and reasonable sanctions. The program's objective is to improve audit quality by achieving deterrence and accountability.[8]

The Board's program continues to evolve in light of new and emerging risks, and the PCAOB Division of Enforcement and Investigations (DEI) works with the Board to apply new approaches and techniques.

In 2013, the Board implemented a new policy to give firms credit for extraordinary cooperation, such as self-reporting and taking remedial corrective actions. For the first time last year, the Board applied that policy and did not commence disciplinary action against an audit firm based on that credit.

The Board also issued its first order in which a settling respondent admitted to a disciplinary order's facts, findings and violations. All prior Board settled orders have noted that the settling respondents neither admitted nor denied the Board's findings.

During the past year, DEI also focused on conducting a number of critical enforcement sweeps -- specifically for independence and engagement quality reviews. The Board has recently announced settled disciplinary orders related to these efforts.

In addition, the DEI continues to enhance its use of data analytics in its processes for identifying potential matters and prioritizing and coordinating cases with the SEC and other regulators.

Since launching its enforcement program in 2004, the Board has brought a number of notable enforcement actions involving audit failures, independence violations, and failures to comply with Board orders and rules.

Through March 31, 2016, the Board has publicly announced the resolution of 160 enforcement proceedings -- including 125 sanctions against firms, with 64 revocations of firm's registrations with the Board and 112 sanctions against associated persons, resulting in 86 bars and 11 suspensions.[9]

Of the 64 revocations of firm registrations, 36 are permanent and 28 include the right to petition the Board to terminate the revocation. To date, the Board has not acted on any petition to terminate a revocation. Of the 86 bars against individuals associating with a registered firm, 29 are permanent and 57 include the right to petition the Board to terminate the bar. To date, the Board has granted only two petitions to terminate a bar.

Prioritizing to Address Risks, Including Cross-Border Audits

For 2016, the Board's enforcement program has a robust pipeline of cases. DEI is currently focused on the following priority areas involving serious audit deficiencies:

  • lack of independence and integrity of the audit;
  • lack of professional skepticism associated with serious audit deficiencies;
  •  non-cooperation with the Board's inspection process or enforcement proceedings; and
  •  violations of the Board's standards and rules in cross border audits.

I would like to spend a few moments discussing the important work that DEI is doing in one of its priority areas – cross border audits. As a result of globalization, audits have become more complex, and with complexity come additional risks. The Board's enforcement proceedings included 18 with respondents outside the United States in countries including as Australia, Denmark, Hong Kong, India, Indonesia, Israel, Italy, Japan, Malaysia, Nicaragua and Spain.

Enforcement staff has recently uncovered evidence of instances of misconduct involving improperly deleting, adding, or altering audit documentation at a range of firms, including firms affiliated with global networks. Addressing these matters is a higher priority. Just two weeks ago, the PCAOB issued Staff Audit Practice Alert No. 14, Improper Alteration of Audit Documentation, articulating staff concerns about auditors improperly altering audit documentation in connection with PCAOB inspections or investigations.

Coordination with the SEC

DEI coordinates closely and cooperates with the SEC's Division of Enforcement, which also has jurisdiction over registered firms and their associated persons. Over the years there have been numerous matters where the PCAOB has led the investigation of the auditors while the SEC focused its efforts on the issuer and its management; SEC and PCAOB staffs regularly coordinate their case matters. Our Inspections and Enforcement Divisions routinely make referrals to the SEC, including reports to the SEC under PCAOB Rule 4004, which authorizes the Board to report to the Commission possible violations of the securities laws or professional standards discovered during a Board inspection. DEI also shares tips that it receives from the public that raise issues within the SEC's jurisdiction.

As many of you know, one major distinction between the SEC's enforcement program and the Board's enforcement program is that in PCAOB enforcement cases in which litigation is initiated, the PCAOB is prohibited by the Sarbanes-Oxley Act from publicly disclosing the allegations and proceedings unless the Board finds good cause to make them public and all parties consent to open them to the public. The PCAOB routinely seeks the consent of the parties to litigated disciplinary proceedings to make the proceedings public. To date, no party has provided such consent.

Historically, about 35 percent of the Board's enforcement matters are contested or litigated. As of the end of last year, Board disciplinary proceedings involving formal allegations of misconduct involving 16 firms and individual auditors were pending.

Standards

In the area of auditing standards, I'm pleased to report that we are making progress in moving some of the standards projects that have been on the standard-setting agenda for years. We are also working to improve the standard-setting process to make it more efficient and effective.

Finally, we continue to work to integrate economic analysis more formally into the process in order to better define the problems we are trying to solve. Also, we are conducting more robust and refined research and analysis to guide the process of considering alternatives and potential costs and benefits of various actions before developing a proposal for new or amended standards.

Transparency about Participants in the Audit

In December of last year, the Board adopted new rules and amendments[10] to PCAOB auditing standards that will provide investors and other financial statement users with information about engagement partners and accounting firms that participate in the audits of issuers. If approved by the SEC, these rules and amendments will take effect next year. They will require accounting firms to file a new PCAOB form—Form AP, Auditor Reporting of Certain Audit Participants – for each issuer audit, disclosing:

  • the name of the engagement partner;
  • the name, location, and extent of participation of each other accounting firm participating in the audit whose work constituted at least 5 percent of total audit hours; and
  •  the number and aggregate extent of participation of all other accounting firms participating in the audit whose individual participation was less than 5 percent of total audit hours.

The information filed on the new Form AP will be available in a searchable database on the Board's website.

Supervision of Audits Involving Other Auditors

Three weeks ago, the Board issued a proposal[11] to strengthen the requirements for lead auditors and provide a more uniform approach to supervision in audits that involve other auditors. The proposal would amend existing requirements in the areas of supervision, planning, documentation, and engagement quality review. The Board is also proposing a new standard for circumstances in which the lead auditor divides responsibility with another firm. The Board is seeking comment on the proposal until July 29.

Auditor's Reporting Model

The staff plans to recommend a reproposal in the coming weeks to expand the auditor's report. The Board's initial proposal, issued in August 2013, proposed to expand the auditor's report to provide more information to investors and others about difficult areas of the audit through disclosure of "critical audit matters" in the auditor's report. The proposal also included expanded auditor's procedures and reporting related to other information outside the financial statements that is contained in documents that include the audited financial statements and the related auditor's report.

The proposed other information portion of the project will be separated from the auditor's reporting standard proposal. The staff will make a recommendation to the Board at a later date regarding next steps on the project.

Other Projects

The staff continues to make progress on the other projects on the standard setting agenda.

Project Project Direction
1. Auditing Accounting Estimates, Including Fair Value Measurements Anticipated proposal to revise current standards in the fourth quarter of 2016.
2. The Auditor's Use of the Work of Specialists Anticipated proposal to revise current standards in the fourth quarter of 2016.
3. Quality Control Standards, Including Assignment and Documentation of Firm Supervisory Responsibilities Staff is conducting research and outreach activities exploring whether to recommend changes to PCAOB quality control standards.
4. Going Concern Staff is continuing research and considering next steps.

Review and Improvement of Standard Setting Process

As we continue to mature as an organization and improve and enhance our systems, the Board recognizes that our standard-setting process needs to be more efficient and effective. We've been working closely with the SEC staff and have engaged a consultant to facilitate a top-to-bottom review of the PCAOB standard-setting process.

The staff is currently implementing new tools to facilitate the process of conducting environmental scans, research, and consideration of alternative approaches when considering possible standards projects. These tools should help facilitate Board involvement throughout the process, with an early determination of whether there is a problem that needs to be solved through standard setting and, if so, the nature and extent of that problem along with alternative actions that the PCAOB could take.

The Board is also looking at how to improve evidence gathering and research and engagement with stakeholders throughout the standard-setting process, including a broad cross-section of investors, preparers, auditors, members of the academic community, and the Board's Standing Advisory Group and Investor Advisory Group.

In addition, staff is placing increased emphasis on coordinating and engaging effectively with other regulators and standard-setters across the globe, including the International Auditing and Assurance Standards Board (IAASB).

Recently, the PCAOB staff formalized a process for conducting economic analysis in standard-setting, and the Board continues to enhance the use of economic and other research in PCAOB's standard-setting and other regulatory oversight programs.[12]

Economic and Risk Analysis and Research

Today I've focused on the Board's statutory programs. I don't want to close without also mentioning the sophisticated analysis and research functions that have developed over the years the PCAOB. The Board's statutory programs and policy decisions are supported by extensive research and analysis conducted by PCAOB's Office of Research and Analysis (ORA) and the Center for Economic Analysis (Center).

Some of ORA's ongoing efforts include: exploration of innovative technological approaches to data analytics to support and guide PCAOB's inspection, enforcement and standard-setting programs; analysis of risks and emerging trends that may lead to increased audit risk; study and analysis of the risks posed to audit quality resulting from the business models of the large audit firms; and outreach, analysis and engagement with stakeholders regarding Audit Quality Indicators.[13]

The Center, which began operations in 2014, studies and advises the Board and PCAOB staff on the role of the audit in capital formation and investor protection and leads the preparation of economic analysis included in the Board's rulemaking. The Center's activities include preparing economic analysis to for standard setting and other PCAOB rulemaking; fostering economic research on audit-related topics; and developing economic and statistical tools for use in PCAOB oversight programs.

Concluding Remarks

In its brief existence, the PCAOB has made significant progress in driving improvements in audit quality that have resulted in restoring investor confidence. But we can't be complacent. More work needs to be done to achieve high audit quality and maintain investor confidence in the audit profession now and into the future.

We can be sure that financial reporting and auditing will come under stress again in the future as the business environment and related risks change, and the system needs to be strong enough to withstand those pressures.

The entire system of financial reporting, auditing, and regulation must be guided by the fundamental principles of having the right incentives to encourage key parties to do the right thing and adequate transparency to help ensure that the right things will happen, accompanied by full accountability. And the regulatory system must proactively assess and address risks within the system that threaten those fundamental principles.

We all collectively have a responsibility to ensure that the core values of investor protection and safeguarding the public interest remain front and center so that the essential objectives of audit independence, high audit quality, and reliable financial reporting are not compromised, especially when the system comes under stress.

We will never be "done" and can't ever declare victory when it comes to ensuring high- quality financial reporting and auditing to protect investors and the public interest. Our regulatory agenda should continue to evolve in light of new conditions and relevant data.

I thank all of you for your continued efforts to advance and improve the integrity of financial reporting and auditing.

[1] See PCAOB, Restoring Confidence: 2003 Annual Report, June 2004; see also, William J. McDonough, PCAOB Chairman, Testimony Concerning the PCAOB before the U.S. Senate Committee on Banking, Housing, and Urban Development, Sep. 23, 2003; Daniel L. Goelzer, PCAOB Board Member, Restoring Public Confidence, Sep. 15, 2003.

[2] Helen A. Munter, Director, Division of Registration and Inspections, PCAOB, The State of Audit Quality, Dec. 11, 2015.

[3] PCAOB inspectors include audit deficiencies in Part I of the PCAOB inspection report when they are of such significance that it appeared to the inspection team that the Firm, at the time it issued its audit report, had not obtained sufficient appropriate audit evidence to support its opinion that the financial statements were presented fairly, in all material respects, in accordance with the applicable financial reporting framework and/or its opinion about whether the issuer had maintained, in all material respects, effective internal control over financial reporting ("ICFR").

[4] Such matters are included in the report as a criticism of the firm's system of quality control when they raise "doubts that the system provides reasonable assurance that professional standards are met." PCAOB, Release No. 2012-003, Information for Audit Committees about the PCAOB Inspections Process, pg. ii (Aug. 1, 2012). Quality control criticisms may be inferred from observed audit deficiencies or identified in testing certain aspects of the firm's system of quality control. Audit deficiencies, whether alone or when aggregated, may indicate areas where a firm's system has failed to provide reasonable assurance of quality in the performance of audits. When evaluating whether identified deficiencies in individual audits indicate a defect or potential defect in a firm's system of quality control, the inspection team considers the nature, significance, and frequency of deficiencies; related firm methodology, guidance, and practices; and possible root causes.

[5] See http://pcaobus.org/Inspections/Reports/Pages/FirmsFailedToAddressQCSatisfactorily.aspx.

[6] PCAOB, 2014 Annual Report: Protecting Investors, pg. 5. See PCAOB, Release No. 2012-003, Information for Audit Committees about the PCAOB Inspections Process. Accordingly, "[t]he review of a firm's work on issuer audit engagements typically focuses on the firm's engagements, and areas of those engagements, that PCAOB staff have identified as presenting the more significant risks of financial reporting misstatements, related auditing challenges, and audit deficiencies." Release No. 2012-003, at A-1, A-2. Deficiencies in the uninspected areas of audits may be present, raising the possibility that some potentially systemic issues may go unidentified.

[7] PCAOB, The Process for Board Determinations for Regarding Firms' Efforts to Address Quality Control Criticisms in Inspection Reports, Release No. 104-2006-077 (Mar. 21, 2006). The Board's remediation process incentives firms to design and implement actions that address quality control weaknesses at their practices to the satisfaction of the Board to "avoid exposure of them." Ibid., at 2. Accordingly, the Board's approach "avoids attempting to manage firms' quality control systems through overly prescriptive remedies. The Board's process is based on the proposition that each firm knows best how to manage its operations and to define the specific methods by which it can address a particular quality control criticism." Ibid., at 6-7.

[8] PCAOB, 2015-2019 Strategic Plan: Improving the Quality of the Audit for the Protection and Benefit of Investors, pg. 13 (Nov. 30, 2015); see PCAOB, 2003 Annual Report, at 14.

[9] Sanctions also have included censure, remedial undertakings, and civil monetary penalties.

[10] PCAOB, Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form and Related Amendments to Auditing Standards, Release No. 2015-008 (Dec. 15, 2015).

[11]PCAOB, Proposed Amendments Relating to the Supervision of Audits Involving Other Auditors and Proposed Auditing Standard—Dividing Responsibility for the Audit with Another Accounting Firm, Release No. 2016-002 (Apr. 12, 2016).

[12] See Jeanette M. Franzel, The PCAOB's Interests in and Use of Auditing Research (Jan. 15, 2016).

[13] On July 1, 2015, the Board issued a Concept Release on Audit Quality Indicators. The concept release and summaries of the outreach are available on the PCAOB's web site at http://pcaobus.org/EconomicAndRiskAnalysis/ORA/Pages/AQI.aspx.