Auditing Oversight: Where We’ve Been and Where We’re Going

Good afternoon. Thank you for the warm welcome and thank you to the Institute for inviting me. As some of you may know, I relocated from California 2-1/2 years ago to accept my position with the PCAOB. After having lived in Northern California for 30 years, I always welcome an opportunity to return to the greatest city in the world.

In the time I have with you, I would like to provide a brief update on the PCAOB, as well as discuss upcoming issues regarding auditor oversight that could impact your companies in the coming year. I will also talk about Section 404; your auditors’ responsibilities under that law; and recent activities by both my Board and the SEC that are designed to address concerns that we all have regarding first year implementation.

However, before I do this, I’d like to do two things: First, I must tell you that the views that I express today are my own and do not necessarily reflect those of the PCAOB, its members or staff.

Second, I’d like to tell you a short story.

In December of 1943, a handful of villages in South Hams, England were ordered to evacuate all civilians so that the US Army could conduct live ammunition exercises in preparation for the invasion of France[1]. Despite their protests, approximately 3,000 people – families that had owned and farmed the land for generations – were uprooted from their communities and transplanted to nearby villages so the Allied Forces could simulate the landing on Utah Beach in Normandy.

In a matter of months, the houses, farms, shops and pubs that had been near and dear to these people were literally under siege. Imagine what it would have been like for the residents of the area. However, the ability of the assault forces to conduct these exercises – known as the Assault Exercises at Slapton Sands – was invaluable.

In recognition of the importance of these exercises, on the 10th-anniversary of the D-Day invasion, the US Army dedicated a permanent memorial to those displaced persons. The inscription on the 20-foot granite monument reads:

This memorial was presented by the United States Army authorities to the people of South Hams who generously left their homes and their lands to provide a battle practice area for the successful assault in Normandy in June 1944. Their action resulted in the saving of many hundreds of lives and contributed in no small measure to the success of the operation.

In sum, the difficulties faced and sacrifices made by those 3,000 residents significantly aided the longer-term objective of invading France and winning World War II.

In mentioning this story, I do not mean to suggest that auditors, public companies, or any of the people and professions affected by the Sarbanes-Oxley Act should consider themselves to be displaced persons. But it is clear to me that, like the impact of the South Hams evacuation, the Sarbanes-Oxley Act and the reforms stemming from it have dramatically changed the lives of many. I also believe, however, that the reforms mandated by Sarbanes-Oxley were similarly necessary, and that the results will be the same – that a short-term sacrifice will lead to a long-term benefit – even though some rebuilding may be in order.

Rebuilding Confidence

One of the chief concerns expressed during the debate leading up to and through the enactment of Sarbanes-Oxley was that the investing public (which is more and more resembling the average American citizen[2]) had lost confidence in those who present financial numbers, and those who are charged with auditing them. Audit firms were perceived, rightly or wrongly, as being unable or unwilling to provide independent and objective scrutiny of their clients’ books. Moreover, these firms seemed unable to right their own ships through the then-existing self-regulatory system. This is the climate in which the PCAOB was born, and in which Congress gave us our mission: to oversee the auditing profession so as to help restore the confidence of investors and the public in the financial reporting process[3].

To do that, Congress provided the Board with the authority to:

  1. Register accounting firms that conduct audits of companies publicly traded in the US;
  2. Establish auditing and related professional practice standards that must be adhered to by these registered firms;
  3. Periodically inspect all registered firms to assess their compliance with auditing and accounting standards; and
  4. Investigate potential wrongdoing by the firms and their employees, imposing discipline as appropriate.

Let me give you a brief update as to our activities in each of these areas.

Sequentially, registration is the first function of the Board. It establishes the Board’s authority to supervise each firm and obligates a firm and those of its employees engaged in the audit practice (known as “associated persons” in our jargon) to cooperate with the Board and comply with its rules.

As of June 13, 2005, the PCAOB has approved the registration applications of 1,520 firms – considerably more than the four firms that everyone talks about. Of these registered firms, 935 are US-based, with the remaining 38% representing international firms from more than 75 different countries. Nine firms (eight in the US and one in Canada) have more than 100 US-traded clients; half of all registered firms have at least one, but less than 20 such clients, with over 70% of these having less than five. Notably, 46% of the Board’s registered firms have no clients of this type, but either “substantially participate”[4] in a public company audit or intend to do so in the future.

Once a firm is registered with the PCAOB, it is subject to periodic inspection. This is the key to our effectiveness as an oversight body. Inspections are mandatory quality control examinations designed to assess the auditing firm’s compliance with the rules of the Board and the SEC; GAAP; PCAOB auditing standards (formerly known as GAAS); and other PCAOB professional practice standards.

The Board’s inspections generally consist of two types of inquiry: (1) a review of the firm’s policies and procedures, and (2) a review of selected engagements. The first component looks at how a firm operates as a business: what behaviors by employees are rewarded? How are employees trained, and how is their performance monitored? What are the factors that go into determining whether to accept a new client, or continue a relationship with an existing one? During the engagement reviews, our inspectors are not only looking at how the auditors conducted the audit, but we are also looking at the underlying accounting treatment by the company. We do not re-audit the financial statements of selected clients, but instead are reviewing discrete accounting areas that, in our minds, represent the highest risk of error.

Upon completion of each inspection, the Board issues a report containing its findings. These reports, by law, are separated into two parts – a public section and a confidential section.[5] The public section includes general information about the inspection and may also include references to specific departures from GAAP or PCAOB auditing standards that were identified. We do not publicly reveal the name of any company whose engagement was reviewed.

The confidential portion of the report may contain criticism of or identify deficiencies within the audit firm’s system of quality control. According to the Sarbanes-Oxley Act, the Board must keep this information confidential for 12 months to allow the firm an opportunity to cure the defects. If the firm is able to do that, then the Board is prohibited from ever disclosing that information. That said, the entire report – both public and non-public components – is provided to the SEC and appropriate state licensing authorities.

Our third key responsibility is enforcement. Information about specific investigations prior to resolution is, of course, confidential. I can let you know that we have an active enforcement staff, and that the resolutions of those cases that have reached this phase to date are posted on our Web site. It’s most important to know, however, that we view our enforcement authority as but one tool within our toolbox. It is not necessarily the most important tool in every case, nor the first one that we reach for in all circumstances. Rather, we believe that the ability to effect change in auditor behavior that derives from our inspection authority is the tool that will be used most pervasively and most effectively. Formal disciplinary proceedings will no doubt play an important role in addressing the most serious violations, but we will not evaluate our own effectiveness based on the number of enforcement “notches” gathered on our collective belt.


I’d now like to turn to perhaps the most public – or at least the most talked about – aspect of the Board’s responsibilities: standards-setting. Not surprisingly, I’d like to focus on our most complex and controversial standard to date – that is Auditing Standard No. 2 (“AS2”) concerning the audit of internal control over financial reporting.

But first, let me provide a little historical context. Immediately after the SEC authorized the Board to conduct business, the Board made two key decisions in this area. The first decision was to establish auditing standards itself, rather than delegate this authority back to the profession (as was permitted under Sarbanes-Oxley). With that decision, the Board embarked upon a process that marked a dramatic change from the then-status quo.

The second decision was to use an open, participatory process. As provided in the Sarbanes-Oxley Act, the PCAOB is a private, not-for-profit corporation, and thus is not obligated to follow the federal “sunshine” statutes. Nevertheless, the Board decided that the best way to operate in this area was by being transparent and involving all key parties.

Each of the Board’s standards to date has been the subject of considerable public discourse. The Board has convened public roundtables made up of representatives from a myriad of business interests. These roundtables have included auditors, preparers of financial statements, investors, academics, lawyers and other interested groups.

The Board has also relied heavily on input from its Standing Advisory Group (“SAG”), which first convened exactly one year ago, yesterday. Like the participants of our roundtables, the membership of the SAG is quite diverse. We have approximately equal numbers of auditors (from firms of various size), preparers (representing companies across industries and market cap deciles) and investors.

The SAG meetings create an opportunity for the stakeholders in the financial reporting process to sit around a table and discuss those audit-related issues that are most important to them. Frequently, there is agreement among the participants. Often, there are differences of opinion. But, through this live give-and-take process, the Board gains a better understanding of competing priorities.

In addition to this public setting, all the Board’s rules, including auditing standards, are first exposed for comment following a proposal stage. A public comment period is open, after which the Board considers all comments and makes changes as it deems appropriate. Thus far, every proposed rule and standard has been improved in some fashion by this advice and comment process. After the Board adopts a final rule, it is then forwarded to the SEC for approval; this generally involves another open comment period. Once the SEC approves a PCAOB rule, it has the force and effect of law.

Internal Control

Let’s return to the subject that I am sure is on most of your minds: “Internal control over financial reporting”, a.k.a., “Section 404.” With apologies to Sir Winston Churchill, never in the field of human endeavor have so many been so stirred to emotion by so few words.

We all know what internal controls are. As applied to the financial reporting process, they are simply mechanisms designed to produce reliable financial statements, reducing the likelihood of material misstatement due either to error or fraud.[6] We also know that maintenance of an internal control system (or at least the concept of such a system) is neither a novel nor radical concept. Since 1941, the SEC’s regulations have required auditors to consider a company’s internal controls in planning the financial statement audit.[7] Auditors have repeatedly told me that 20 years ago, as part of their annual financial audits, they regularly “used to” do the same kind of work now mandated by AS2. Moreover, for almost 30 years the Securities Exchange Act has required that all public companies maintain an adequate system of internal accounting control.[8]

So, what’s the fuss? Why did a Wall Street Journal editorial recently call Section 404 the “most notorious part” of the Sarbanes-Oxley Act?[9] Well, we also know that, for many years, as companies have striven to identify and eliminate so-called non-productive costs, internal control systems may not have been well-maintained. Despite what I understand have been repeated calls from financial executives and internal auditors, some companies have chosen not to spend money to keep these controls current. We know too that, as price pressures continued to force accounting firms to reduce their audit fees during the ‘80s and ‘90s, the decision to streamline audit procedures was often at the cost of a more comprehensive review of internal control.

Then came Enron … WorldCom … Waste Management … Global Crossing … Tyco … Adelphia … [insert your favorite accounting scandal here]. Broadly speaking, through Section 404, Congress recognized that control effectiveness is closely linked to the reliability of financial reporting. To help restore credibility to the reporting process, Congress added two new legal responsibilities to the existing laws on this issue. First, companies must now annually test and certify to investors that their controls over financial reporting are effective.[10] Second, the independent auditor must also now publicly attest to the accuracy of the corporate certification.[11]

Much has occurred during the year since we adopted and the SEC approved AS2. All of the PCAOB Board Members have devoted considerable time to traveling the country (as well as outside the US) to hear from both auditors and companies about their experiences in implementing Section 404. We have heard from audit firms and companies of all sizes, across all industries, and within all regions. We have each heard many stories about both the level and quality of the audit work being performed. As we shared notes, our concerns coalesced around a few key points. It appeared that many auditors were simply spending too much time on low-level work, creating a risk that they might lose sight of those areas that pose the highest risk of potential fraud. It also appeared that many companies had identified “key controls” for testing that were not really “key,” thus causing both management and their external auditors to conduct unnecessary testing. It also appeared that some auditors were using similar approaches with all their clients, regardless of industry, business model, revenues, and other client-specific risk factors. These behaviors not only resulted in disproportionately high costs, but more importantly threatened to impair the quality of the Section 404 audit. Even more significantly, we heard that the quality and effectiveness of communication between auditors and companies was in serious jeopardy.

Let me pause for a moment. By expressing these concerns I do not intend to suggest a negative judgment about all auditor performance during 2004. I understand why auditing firms – under intense pressure to fundamentally change the way in which many of them operated as businesses while also trying to implement an entirely new and complex auditing standard – reacted as they did. In their place, I probably would have reacted much the same, and in fact believe that auditors deserve a lot of credit for the tremendous effort they put into first year implementation. Nonetheless, when we recognize that a practice can improve going forward, we have the responsibility to work toward that end.

As Will Rogers said, “Even if you are on the right track, you’ll get run over if you just sit there.”

In this vein, last month the PCAOB released additional guidance that responds to what we consider to be the unintended consequences of the implementation of AS2 during 2004. This guidance took the form of two documents: a Board Statement of Policy, and further Staff FAQs. These are available on our Web site. The SEC and its staff issued similar documents on this same day.[12] Before we look at the details of these documents and identify what behaviors we seek to discourage, I want to stress that none of the implementation guidance changes or in any way diminishes the auditor’s responsibilities under AS2. There is no “retrenchment,” and it would be a mistake to read this into what the Board or staff has said. Rather, I characterize our goals as “the 4 ‘Cs’”: we want to –

  • change overly mechanistic approaches;
  • correct misunderstandings;
  • confirm the need for balance, rationally applying AS2 to meet the unique circumstances at each company; and we will
  • continue to evaluate whether additional guidance or changes are necessary.

The Board’s Statement of Policy and Staff’s FAQs focus on six specific issues:

First, we need to ensure that – as intended and strongly encouraged in AS2 – the audits of financial statements and internal controls are integrated. With a fully integrated process, the independent auditor should be able to use the information obtained throughout the year as part of his or her internal control assessments to affect the nature and extent of testing required for the audit of the financials. Ideally, the same team of audit professionals would work on both audits, creating a single set of work papers. This type of integration should provide for greater efficiency in the planning and execution of both audits, saving time and resources for all. However, it is clear that, primarily because of time constraints and the heavy initial learning curve experienced by both auditors and their clients, this did not occur in 2004. We have every expectation that it will begin to occur in 2005 and thereafter.

Second, the SEC and PCAOB both stressed the need for the management assessment and the auditor attestation processes to be focused on higher risk areas, using a top-down approach. Both sets of Staff documents discuss the more technical aspects of how a “top-down” approach works, and how risk assessments affect the nature and extent of testing that must be performed. The use of untailored checklists is inimical to a risk-assessment model, and in the Board’s view is an early warning sign that the auditor is not exercising the type of professional judgment as would lead to a high quality audit (of either the financials or internal controls). I stress here that our goal in issuing this additional guidance was to promote high quality audits. We believe that a welcome side benefit of a risk-based model, using a top-down approach, will be to reduce unnecessary costs going forward. That was not, however, our primary objective in issuing this additional guidance.

Third, using a risk-based approach also leads to re-examining how auditors exercised the discretion that AS2 gave them to rely, under appropriate circumstances, on the work of others. As you recall, AS2 permits the auditor to rely on the work of others, so long as a few conditions are met[13]:

  • The auditor’s own work provides the principal evidence for the auditor’s opinion;[14]
  • The auditor personally evaluates controls in the control environment, including controls that are established to prevent and detect fraud that is at least reasonably possible to result in material misstatement of the financial statements;[15]
  • The auditor personally performs at least one walkthrough of each class of major transactions;[16] and lastly,
  • The auditor determines the extent of reliance based upon an evaluation of both the other party’s competence and objectivity, and the nature of the relevant control; this evaluation naturally leads to a greater ability to rely on others for work in the lower risk areas, and when competence and objectivity are high.[17]

In 2004, it is clear that many external auditors chose not to rely on the work of others, including well-structured and resourced internal auditors, to the degree to which they were permitted. I suspect that some of the reasons this did not occur are completely justifiable, and some perhaps are not. Nevertheless, going forward the Board hopes to encourage more reliance, while still staying within the parameters articulated in AS2. In the May 16 FAQs, our Staff clarified that the “principal evidence” provision does not require a mere quantitative test (e.g., the independent auditor must perform 51% of the work). Rather, it requires a primarily qualitative evaluation. Moreover, by giving more weight to the work the independent auditor conducts him or herself in the higher risk areas (including the control environment, and the walkthroughs), this will in most circumstances naturally result in the auditor having obtained the principal evidence to support his or her opinion.[18] Thus, the “principal evidence” provision should not ordinarily pose a barrier to the reliance on others.

Our fourth area of improvement concerns the quality of communication that occurred (or did not occur) during 2004 between the external auditor and management of the audit client. From what we understand, this communication was seriously stilted because both auditors and issuers were concerned about where the line would ultimately be drawn between constructive dialogue and the auditor becoming part of the company’s controls. The difference between these two ends of a spectrum potentially implicates the auditor’s independence, and may also suggest a material weakness in the company’s controls. To avoid getting anywhere close to a perceived “line” between the two, many auditors and financial executives simply stopped talking to each other during the financial statement preparation process. In our May 16 guidance, both the SEC and PCAOB were crystal clear: such a reaction is not called for by either AS2 or the SEC’s regulations implementing section 404(a) of the Act. There is no single “bright line” that can be applied in all circumstances to separate appropriate communication (on the one hand) from inappropriate behavior (on the other). Therefore, both auditors and management need to exercise sound judgment; just because a decision is tough, does not mean it shouldn’t be made. Moreover, to the extent this iron curtain on communication threatens to impair the overall quality of financial reporting, it is inconsistent with the Act and all regulations adopted under the Act.

Fifth, our Staff FAQs present a number of additional technical questions and answers about issues affecting the scope and extent of testing required under the auditing standard, hopefully re-focusing the independent auditor’s attention to those areas most likely to affect the effectiveness of internal controls over financial reporting.[19] Again, as a side benefit, we also believe these clarifications will do much to bring needed balance between the costs and benefits of AS2. I won’t go into detail about these technical issues now, but would be happy to answer questions at the conclusion of my comments.

Before I discuss the sixth and final issue addressed in our recent guidance, I believe that it is important to couple any discussion of Section 404 costs with a discussion of benefits, especially those that are already being realized. From a macro perspective, investors will have much more confidence in the reliability of a corporate financial statement – and thus on the integrity of the U.S. public equity market as a whole – if the company’s management demonstrates that it maintains adequate internal control over the preparation of its financial statements. Greater investor confidence ultimately reduces the premium demanded for incurring the risk of the equity market, thereby reducing the cost of capital. A soon-to-be published study concludes that the median increase in the cost of equity that occurs when a company is judged not to have had reliable audits is almost 50 basis points.[20] Although we have heard much about the Year 1 costs, investors continue to tell us – in very strong and unambiguous words – that they see themselves as the ultimate providers of the capital required to implement Section 404, and that they are willing to pay even the high costs experienced in 2004 to decrease the risk of more accounting scandals.[21] Investors understand that much of the Year 1 costs are one-time in nature, while the benefits are long-term.[22]

From a company perspective, a survey conducted in late 2004 by Oversight Systems, Inc. found that 79% of the financial executives surveyed reported that their companies have stronger internal controls after complying with Section 404. Seventy-four percent said that their companies benefited from compliance with the Act, and, of those, 33% said that compliance lessened the risk of financial fraud.[23] In a follow-up survey conducted three months later, this percentage increased significantly, to where almost 50% of the respondents said that compliance with the Act reduced the risk of fraud and errors. Forty-eight percent said that they now have more efficient financial operations.[24]

In another recent survey, over 60% of the responses from chief internal audit executives agreed that there have been improvements in their companies’ control environment, as well as anti-fraud awareness activities, that would not have occurred but for Section 404.[25]

I think that this type of impact, in just a little over a year since AS2’s adoption, is amazing.

This leads me to the sixth and final issue addressed in our May 16 guidance. We have heard, and I accept, that much of the hyper-conservatism by auditors in their implementation of AS2 comes from uncertainty as to how the PCAOB inspection process will hold them accountable for compliance. To address this issue squarely, the Board’s Policy Statement describes how we will conduct our 404 inspections. We will look for audits that suffer from poor planning and risk assessment; we will not use our own “compliance checklist”; and we will not second-guess good faith audit judgments. We are more interested in helping auditors to get this right than we are in chalking up a high volume of formal negative comments.

Our May 16 guidance does not represent the end of the PCAOB’s responsibility to ensure that Section 404 audits are conducted both effectively and efficiently. On June 8 and 9 we discussed with our SAG additional guidance that might be necessary. At this time, most companies, auditors and investors are advising us to wait until we learn more from our 404 inspections. We will, however, be keeping our eyes, ears and minds open.

Concluding Thoughts

I would like to conclude my remarks by again reflecting on the story of the South Hams evacuation. After the Army left the area, the returning residents remained quite bitter. A lot of damage had been inflicted and much rebuilding was necessary. Many questioned the costs and benefits. But, today the residents of those villages view the situation differently. They now see the importance of the evacuation in the larger scheme, and take pride in the role that they played in helping prepare the Allied Forces for D-Day.

I believe the same will be said of Sarbanes-Oxley and Section 404, in the larger context of restoring confidence in US financial markets. I also am confident it won’t take 60 years for us to get there! Thank you. I’d be pleased to answer any questions you might have.


[1] "Exercise Tiger," Operational Archives, Naval Historical Center (June 5, 2000)

[2] "Equity Ownership in America," Investment Company Institute and the Securities Industry Association, (October 2002).

[3] Sarbanes-Oxley Act of 2002, Public Law 107-204, Title I ("the Act")

[4] PCAOB Rule 1001(p)(ii)(2) states that "The phrase 'play a substantial role in the preparation or furnishing of an audit report' means to perform the majority of the audit procedures with respect to a subsidiary or component of any issuer the assets or revenues of which constitute 20% or more of the consolidated assets or revenues of such issuer necessary for the principal accountant to issue an audit report on the issuer."

[5] The Act, §104(g).

[6] AS2 7.

[7] Amendment of Rules 2-02 and 2-07 of Regulation S-X, Accounting Series Release No. 21, 11 Fed. Reg. 10921 (Feb. 5, 1941) (amending Regulation S-X to provide that "[i]n determining the scope of the audit necessary, appropriate consideration shall be given to the adequacy of the system of internal check and control. Due weight may be given to an internal system of audit regularly maintained by means of auditors employed on the registrant’s own staff.")

[8] Securities Exchange Act §13(b)(2) [15 U.S.C. §78m(b)(2)], enacted as part of the Foreign Corrupt Practices Act of 1977.

[9] "SOX and Stocks," Wall Street Journal at A20 (April 19, 2005).

[10] The Act, §404(a).

[11] The Act, §404(b).

[12] See

[13] See AS2 108-126.

[14] AS2 108-111.

[15] AS2 113-115.

[16] AS2 116.

[17] AS2 117-125.

[18] See Staff Questions and Answers, No. 54

[19] See Staff Questions and Answers, No. 54

[20] William Kinney, Christine Botosan, and Zoe-Vonna Palmrose, The Value of Financial Statement Audits: Do Benefits Exceed Costs? (synopsis of work in progress, May 19, 2005). (This conclusion was reached by looking at the cost of equity for Andersen clients at the time of that firm’s demise in early 2002; “this is assumed to conservatively measure the incremental cost of equity if financial statements were suddenly judged not to have had reliable audits”).

[21] See, e.g., Transcript of SEC Roundtable on Implementation of Internal Control Reporting Provisions (Apr. 13, 2005) ("Roundtable Tr."), Remarks of Mark Anson, Chief Investment Officer, California Public Employees' Retirement System; Remarks of Ann Yerger, Executive Director, Council of Institutional Investors, Roundtable Tr.; Remarks of Damon Silvers, Associate General Counsel, American Federation of Labor and Congress of Industrial Organizations, Roundtable Tr.; Letter from Laurie Fiori Hacking, Executive Director, Ohio Public Employees Retirement System, to William H. Donaldson, Chairman, SEC (Mar. 1, 2005); see also Remarks of Gregory Jonas, Managing Director of Accounting Specialists Group, Moody's Investors Service, Roundtable Tr.

[22] See Remarks of Ann Yerger, Executive Director, Council of Institutional Investors, Roundtable Tr.

[23] See Oversight Systems, Inc., 2004 Oversight Systems Financial Executive Report on Sarbanes-Oxley (December 2004).

[24] See Oversight Systems, Inc., 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley (April 2005).

[25] Larry E. Rittenberg and Patricia K. Miller, Sarbanes-Oxley Section 404 Work: Looking at the Benefits, (The Institute of Internal Auditors Research Foundation, January 2005).
