Audit Regulations 2025 & Beyond – Restoring Trust in Public Company Audits and Capital Markets

Remarks as prepared for delivery

It is a pleasure to be here with you today. I want to first make clear that the views I express today are my own and do not necessarily reflect the views of the Public Company Accounting Oversight Board (PCAOB), other PCAOB Board Members, or PCAOB staff.

I believe that regulation and supervision of public company and broker-dealer audits play an important role in U.S. economic growth and capital formation. Congress established the PCAOB over 20 years ago to provide that function with a singular mission of investor protection which can best be fulfilled by improving audit quality. However, I believe that the PCAOB over the past 3+ years has done little to improve audit quality and has possibly harmed future audit quality, even though there has been no shortage of messaging that mentioned investor protection and audit quality. To make matters worse, the PCAOB has also created confusing public narratives to sow distrust in public company audits and U.S. capital markets. I am therefore thankful to have the opportunity today to share some of my thoughts about how I would go about reorienting PCAOB programs and activities to improve audit quality.

What is audit quality in the context of investor protection? PCAOB defines audit quality as compliance with PCAOB auditing standards. Our auditing standards have been criticized as being out of date. They also focus primarily on the auditing process, which is historically manual and linear. While process is important, the ultimate purpose and the final output of an audit is an evaluation of and an opinion on the reliability of a public company’s financial statements. As a result, audit quality must consider the quality of the audit opinion, and not just the quality of the auditing process. PCAOB programs all seem to be anchored on the assumption that a “check-the-box" process on compliance with PCAOB auditing standards is the “be all and end all,” which I believe is a flawed approach. If I were building a house, I would not just focus on the construction process. Most importantly, I would focus on the quality of the actual house. Is it safe? Is it aesthetically pleasing? Is it durable? Unfortunately, the PCAOB operates with a narrow “check-the-box” approach, where if it cannot check a certain box then there is a problem, regardless of the overall quality of the final output in the form of an opinion providing reasonable assurance on the reliability of the financial statements. I am concerned that the PCAOB, being so focused on small details, regardless of their impact and materiality to the reliability of the financial statements, is causing it to miss the bigger picture, and that its “can’t see the forest for the trees” approach is doing a disservice to investors and U.S. capital markets and in some cases misleading investors, who just want to know whether they can rely on a company’s financial statements. So, what would I do about that?

Promoting Innovation

First and foremost, I would promote innovation in public company and broker-dealer auditing, particularly through the PCAOB’s audit standards or other guidance. The PCAOB has claimed to be technology-neutral in that PCAOB standards have neither encouraged nor discouraged the use of any existing or nascent technologies. That might have been acceptable in the past when technological innovation was slower paced, relatively speaking. In fact, being neutral in this digital age is akin to discouraging the use of technology because our current standards do not address the benefits and risks of technology like Artificial Intelligence (AI), and our punitive inspection approach demands rigid adherence to a set of auditing standards that may be unfit for the paradigm of new technology like AI.

Consider this hypothetical scenario involving the inspection program. An audit firm used an AI tool to test 100% of the journal entries, as opposed to taking a manual sampling approach. One scenario is that PCAOB inspectors would recognize that 100% testing is an improvement over the manual sampling approach, because it provides more audit coverage. The second scenario is that the lack of clear PCAOB standards and guidance on what constitutes acceptable AI-based audit evidence and how compliance is to be assessed, results in inspectors seeking unreasonable levels of detail from the audit firm about its AI model and the associated procedures performed. This approach of requiring the firm to “turn over every rock” results in the firm deciding to return to manual sampling, because it had to spend so much time explaining and justifying its procedures to the inspection team that returning to manual sampling would mitigate compliance risks and costs. Does this second scenario protect investors? Absolutely not.

The likelihood of this second scenario is recognized in a recently released and groundbreaking academic paper titled “Artificial Intelligence, Audit Risk, and Regulatory Uncertainty: A Refined Analytical Model of Auditor and Client Decisions under PCAOB Scrutiny.”¹ The paper explores implications of client-driven AI sophistication, auditor AI investments, and the importance of regulatory clarity from the PCAOB on the audit risk model. The authors observed, “regulatory clarity … is central to achieving efficient, high-quality audits. By setting transparent, stable standards for how AI tools should be documented, tested, and interpreted, the PCAOB aligns market participants’ incentives toward an equilibrium that leverages technology effectively…. [W]hen clarity is lacking, uncertainty leads auditors either to over-invest in unnecessary, costly tools or to underutilize beneficial technologies, both of which are distortions that reduce overall audit quality…. Clear standards on what constitute acceptable AI-based audit procedures, how such procedures should be documented, and how compliance will be assessed can significantly reduce the volatility in auditor behavior. This can usher in a stable environment conducive to innovation, cost reduction, and ultimately better financial reporting outcomes.”  

AI is evolving at break-neck speed. This means that the PCAOB can no longer just sit on the sidelines in our standard setting approach when it comes to technology. The PCAOB must instead try to keep up with or even get ahead of the technology curve, and drive change in the use of technology by audit firms large and small. At the same time, the PCAOB should also heed the words of SEC Commissioner Uyeda by “. . . avoid[ing] an overly prescriptive approach that can lead to quickly outdated, duplicative rules, a ‘check the box’ approach to compliance, and impediments to innovation. . . .  [R]egulators should be engaging with innovators, technology providers, market participants, and others”²  One way to heed Commissioner Uyeda’s advice is for the PCAOB to focus on technology-driven standards that can first be tested before adoption by conducting pilots with large, medium, and small firms, among others. Such engagement would bring together multiple yet diverse perspectives to help set technology-driven standards that improve audit quality and protect investors. To paraphrase SEC Commissioner Peirce’s remarks at the recent SEC Roundtable on Artificial Intelligence in the Financial Industry, every auditor is truly a wonder on her own, and together we can accomplish even more. We also can accomplish yet more by combining auditors’ professional judgment and skepticism with AI.³

There is both good news and bad news on this front. First the good news. The PCAOB has laid some of the initial groundwork for technology-driven standards through its Technology Innovation Alliance Working Group or “TIA.”  In a November 30, 2022, news release, the PCAOB announced the formation of the TIA whose official activities have since concluded.⁴  While not specifically mentioned in the news release, the TIA provided two deliverables to the PCAOB. The second deliverable is most relevant with the PCAOB having tasked TIA with providing recommendations by May 2024, on how PCAOB programs might address the use of emerging technologies by auditors and preparers relevant to audits. The TIA’s recommendations addressed the use of technologies, such as structured data and AI, by auditors and preparers in financial statement preparation and presentation and by audit firms in conducting public company audits.

Now the bad news. The PCAOB has taken no concrete action over the past year that has yielded any demonstrable results with regard to technology-driven standards. The PCAOB lists “Data and Technology” as a research project, but its outputs to date have not come close to “touching the needle” much less “moving the needle.”⁵ Specifically, the only data and technology output since the TIA presented its recommendations last year has been a staff update on outreach activities related to the integration of GenAI in audits and financial reporting.⁶ A year is a terrible amount of time to waste when AI is evolving at unprecedented speed. As such, the PCAOB must pull its head out of the sand and act with alacrity. Talk is cheap and time is expensive, and the PCAOB has lost a lot of time. If I have any say, I will have the PCAOB talk less and do more by authorizing the public release of the TIA’s recommendations and dedicating resources to evaluating and implementing the recommendations.

Rightsizing PCAOB Regulations

The second area where the PCAOB needs to reorient its programs and activities is with regard to “rightsizing” its regulations. Almost one year ago, I laid out my regulatory vision which consists of the following three pillars: (1) regulations should only be adopted when necessary; (2) regulations should be well-designed and in proportion to the problem to be solved; and (3) regulations should facilitate trust and innovation.⁷ 

I want to touch briefly on the second pillar – regulations should both be well-designed and in proportion to the problem to be solved. I have dissented on several PCAOB proposed and final rules and standards, because I believed they ran afoul of this second pillar. Specifically, they were extreme in that they impose or proposed to impose unnecessary or unworkable burdens on audit firms without sufficient direct linkages to improving audit quality.

The PCAOB Board’s standard setting approach has focused in no small part on process and reporting, which is asking firms to take more of a compliance-oriented “check-the-box” approach, that SEC Commissioner Uyeda warned against. And I believe it does a disservice to real investors, because it neither improves audit quality nor does it meet what real investors need and want. Specifically, real investors want public company auditors to do two things: (1) perform adequate procedures to test the reliability of the financial statements; and (2) provide reasonable assurance on the reliability of such statements. I want to adopt technology-driven standards that help improve audit quality and meet the needs and wants of real investors.

In addition, auditing standards adopted by this Board are more likely to hurt rather than improve audit quality because of their volume and close-in-time effective dates. Smaller firms do not have the same capacity as larger firms to implement multiple standards over a relatively short time period. To provide context, the PCAOB’s “Other Auditors” standard took effect for audits of financial statements for fiscal years ending on or after December 15, 2024. Similarly, the “AS 1000” standards took effect for the most part for audits of financial statements for fiscal years beginning on or after December 15, 2024. The Confirmations standard amendments go into effect for audits of financial statements for fiscal years ending on or after June 15, 2025.  The Quality Control (QC 1000) standard goes into effect on December 15, 2025. The “Technology Assisted Analysis” standard goes into effect for financial statement audits beginning on or after December 15, 2025.  These dates suggest that the PCAOB wants to have it both ways. On the one hand, it demands quality audits - and rightfully so. On the other hand, the pace and volume of our newly adopted standards require smaller firms to continuously dedicate time gearing up to comply with multiple new standards, which means these smaller firms have less time to focus on their existing public company audit engagements. It seems like the PCAOB has a “heads you lose,” “tails you lose” approach where it is setting up smaller firms to fail because personnel in smaller firms can only work so many hours in a day without negatively impacting the quality of their audit work.

So, what’s the solution going forward? PCAOB should conduct an evaluation of the integrated impact, aggregated effects, and cumulative costs versus real benefits of all the new standards, with a primary focus on audit quality. If the PCAOB believes, like I do, that audit quality is job one, then we need to determine whether the effective dates of our new standards will increase or hurt audit quality in both the short and long term. Another potential solution I would explore is to recognize that there will be a learning curve during the inspection process, where inspectors will provide feedback, if necessary, to help the firms improve. However, there could be a grace period before reporting deficiencies in inspection reports. This provides a good segue to the PCAOB inspections program.

The Division of Registration and Inspections or “DRI” is the PCAOB’s largest division. I believe the inspections program should be revamped so that it is more useful both to the firms being inspected and to those investors who read inspection reports. Specifically, the PCAOB’s publicly available inspection reports identify firm audit deficiencies, but there are no severity ratings, meaning an investor cannot read inspection reports to discern whether a deficiency is material or not and whether a deficiency or deficiencies in the aggregate cast doubt on the reliability of a public company’s financial statements. Moreover, some deficiencies may reflect a disagreement between PCAOB and firms on the firm’s exercise of professional judgment, where in many cases reasonable minds can disagree. Because our statutory mission is to protect investors, our inspections program must first focus on identifying deficiencies that are material to the reliability of the financial statements, and second, clearly distinguish in the inspection reports material deficiencies from deficiencies that are not material. 

The concern I have about PCAOB inspection reports not distinguishing between material deficiencies and deficiencies that are not material, extends to the management of the PCAOB’s enforcement program. On May 1, 2025, the PCAOB Chair gave a speech in which she stated that “[t]he cases we investigate and ultimately decide to enforce involve complex and serious matters, including audit failures in cases involving financial statement fraud, taking on client work that firms can’t complete, altering work papers, and not performing sufficient work before signing audit opinions.”⁸ This sounds good, but unfortunately the numbers tell a different story.  Between January 1, 2022, and March 31, 2025, approximately 27% of the PCAOB’s enforcement orders consisted of “traffic violations;” for example, failures by firms to comply with PCAOB reporting requirements.⁹ Let me give you a recent example. In a November 19, 2024, news release, the PCAOB announced sanctions on five firms. One of the firms failed to file multiple forms timely but ultimately did so. Two firms failed to file multiple forms timely but ultimately did so after being notified of the delinquency by PCAOB staff. The sanctions for these three firms included civil money penalties of $25,000, $50,000, and $25,000 respectively. The news release stated that “[f]ailures to make required disclosures undercut the PCAOB’s ability to protect investors, and firms must not take these obligations lightly.”¹⁰ While I am not excusing these firm reporting failures, I believe the news release goes overboard when it describes these failures as undercutting the PCAOB’s ability to protect investors. If I were a Cleveland, Ohio resident and if the Cleveland police department spent 27% of its resources on traffic violations as opposed to fighting violent crimes, I would not feel very safe. The PCAOB should re-focus its enforcement program where less time is spent on traffic violations, and more time is spent investigating and taking enforcement action against firms for material violations that carry a real risk of harm to the investors the PCAOB is sworn to protect.

Increasing Cost Efficiency

Lastly and briefly, under this Board, the PCAOB budget has ballooned by 40% from the 2020 budget of $284.7M. Our annual budget of $400M now is larger than the Commodity Futures Trading Commission’s (CFTC) budget and the CFTC has a broader regulatory scope. For example, CFTC regulates the U.S. derivatives market which comprises trillions of dollars and has tens of thousands of market participants. Since joining the Board, I have consistently called for responsible stewardship and greater fiscal restraint each year but to no avail. I believe that there are significant cost savings that can be achieved while more effectively executing our mission by reorienting our programs in the ways I mentioned earlier. As someone who successfully led the governmentwide implementation of a major reform bill, the Digital Accountability and Transparency Act of 2014 (“DATA Act”) on time and under budget,¹¹ I know firsthand that innovation, talent, and focused leadership can generate extraordinary results. The Congressional Budget Office estimated that it would cost federal agencies $300 million over five years to implement the DATA Act,¹² but we achieved it at a fraction of that cost estimate. Doing more with less is not only possible, it is essential.

I studied accounting in college, and my first job out of college in 1993 was as an auditor. Twenty-eight years later, I became a regulator of the public company auditing profession. Most people would consider that the ultimate achievement. While I am proud of all my accomplishments, my deepest conviction in life is to speak truth to power and to give a voice to the voiceless. It has been an honor for me to be able to do that in the past few years. A lot is happening in Washington and specifically the PCAOB. Uncertainty during periods of transition always brings opportunities. I believe that this is a pivotal moment for the profession, investors, and the capital markets. Earlier this week, I was talking to someone about why auditing was a noble profession. I realized that auditing is a profession of courage because it calls upon auditors to speak the truth against our self-preservation instinct when it is necessary to protect the public interest. Doing so may require sacrifices in the forms of financial loss, career reputation, political setback, retaliation etc. I believe that most people in this profession will answer this noble calling, and I am committed to using my expertise and influence to help the PCAOB: (1) be more technology driven in its standard setting approach; (2) ensure that its regulations and programs are well-designed and do not overreach; and (3) be more efficient, in order to restore trust in public company audits and capital markets.    

If time permits, I would be delighted to answer any questions. Thank you.