Furthering Our Special Relationship
Good morning. I would like to thank Patricia Wellmeyer for the kind introduction.
I am pleased to join you for the 10th annual Audit Committee Summit. This summit is a wonderful opportunity for audit committee members to discuss complex issues and exchange innovative ideas.
Before I proceed further, I need to remind you that the views I express this morning are solely my own and may not necessarily reflect the views of my fellow Board members, or the staff of the PCAOB.
Audit committees are vitally important to our capital markets--both to the public companies seeking capital and to the investors who provide that capital. And, for a number of reasons, the Public Company Accounting Oversight Board (PCAOB) and audit committees have a special relationship that contributes to the integrity of the capital markets. This morning, I want to provide some perspectives on our shared purpose: protecting investors and maintaining the integrity of our capital markets.
The U.S. capital markets continue to be the largest, deepest, and most liquid in the world. They fuel innovation and help propel our economy. Over half of US households’ own equities (52.6%), and our debt markets supply a stable source of non-bank financing that simply cannot be found in many other countries.
The continued success of our capital markets is largely due to investors and companies believing these markets are fair and efficient. The confidence of both investors and the management of public companies, as well as vigorous competition, cutting-edge innovation, and sometimes lessons learned from market failures, are all contributing factors to this success.
The Origins of Our Special Relationship
This morning, I want to talk about the principles of our special relationship. As many of you know, the audit committee’s necessity for “the proper functioning of a corporation” has long-been recognized. And since that time in the 1940s, the role and responsibilities of the audit committee have continued to evolve and grow in importance.1
Revelations from the U.S. Securities and Exchange Commission’s (SEC or Commission) investigation of the McKesson & Robbins, Inc. scandal in 1939 led to several corporate governance reforms, including the formation of audit committees. The SEC’s investigation found that McKesson’s independent auditor did not discover the fraud and “failed to employ that degree of vigilance, inquisitiveness, and analysis of the evidence… necessary in a professional undertaking.” The SEC concluded that the auditor would have discovered that the company’s president was perpetuating a substantial and long running fraud “through [audit] procedures involving regular inspection of inventories and confirmation of accounts receivable…”
The auditors, however, denied responsibility explaining that the person committing the fraud also decided “the scope of the audit.” The SEC recognized the lack of independence, noting: “[W]e do not feel that [the practice of management appointing the external auditor] insures to the auditor, in all cases, that degree of independence which we deem necessary for the protection of investors.”2
Both the NYSE and the SEC recommended that public companies establish a committee made up of non-executive directors to nominate the external auditing firm and set the parameters of its engagement.
While the early audit committee’s initial scope was indeed narrow, it would evolve and change over time through recommendations and the adoption of best practices. For example, in the 1970s, again in response to corporate malfeasance, the SEC turned to the audit committee.
In public statements and through the issuance of enforcement proceedings, the Commission signaled the audit committee’s role in detecting and deterring questionable or illegal corporate payments. It also wanted audit committees “to conduct investigations related to carrying out its duties and to approve settlements of certain litigation involving the company’s officers.” The SEC outlined expectations of audit committees, such as,
- Protecting shareholders and the public from “haphazard or fraudulent disclosure;”3
- Arranging the audit and the scope of the audit (including determining fees and services);4
- Strengthening of internal accounting controls; and
- Resolving disagreements between the auditors and management.”
In 2002, the Sarbanes-Oxley Act-- or as originally titled the “Public Company Accounting Reform and Investor Protection Act”5 built on this history
on the advice of legal, market, and investment professionals, adopting a responsibility framework for corporate reporting that recognized that a dependable corporate reporting system required "strong, competent audit committees with real authority,”
independence, and expertise standing between the independent auditor and management.
As required by the Act, audit committees became a necessary component of public company oversight and “directly responsible for the appointment, compensation, and oversight” of their company’s independent auditor. They also were made responsible for the resolution of disagreements involving financial reporting, and the oversight and monitoring of employee complaints about financial reporting matters.
Congress passed this legislation in response to a series of historically unprecedented corporate frauds and a seemingly never-ending parade of announcements by hundreds of public companies that their financial statements should not be relied upon because they were riddled with material errors.6 There were no early warnings. There were no alarm bells.
The assurance of financial statements by independent public accountants that were supposed to detect false or misleading financial reports failed. Audit report after audit report did not do so. They did not provide investors and others with red, or even yellow, warning lights of impending failures or provide any context other than a passing report card.7 Consequently, confidence in financial reports plummeted and markets fell precipitously.
One of the other most essential elements of Sarbanes-Oxley was the creation of a new organization – the Public Company Accounting Oversight Board - to oversee the work of the auditors of public companies.
In taking these steps, the Sarbanes-Oxley Act fundamentally changed the oversight of the independent external audit and created a new financial reporting ecosystem with two essential elements: reliance on strengthened public company audit committees and a new, independent organization called the Public Company Accounting Oversight Board (Board or PCAOB).
Congress told the PCAOB that its mission was “to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.” The PCAOB was tasked with regulatory oversight of public company auditors. This included:
- Registering audit firms-- only registered firms may play a substantial role in the audit of public companies;
- Setting forth the auditor’s responsibilities through rules and standards (e.g., standard setting);
- Evaluating and reporting on whether auditors are meeting their professional responsibilities (e.g., inspections); and
- Disciplining auditors for evasion or breaches of the rules or the parts of the federal securities laws relating to audit reports (e.g., enforcement).
Despite our separate and distinct origins, both the audit committee and the PCAOB arose as innovations in response to threats to the credibility of financial reporting.
Our financial reporting ecosystem has many participants-- preparers, audit committees, auditors, standard setters, and regulators. Investors and the public rely on the rigor of each of these participants’ responsibilities. However, we cannot ignore our interconnectedness, and, in some cases, our symbiosis.
The Sarbanes-Oxley Act gave the PCAOB and audit committees complementary responsibilities in overseeing the public company auditor. In many ways, this is the basis of our special relationship. Moreover, audit committees and the PCAOB are united in our interest to improve the quality of those audits.
All of us continue to change and evolve in response to an ever-changing business environment – the pace of which is unprecedented. In fact, audit committees have demonstrated incredible agility in their oversight of the financial reporting and disclosure process. The audit committee’s oversight of the effectiveness of internal controls, the accuracy and completeness of corporate reporting, and the independent audit, have become instrumental in setting a tone at the top for the quality of an issuer’s reporting to investors and other users of the company’s reports.
Our Relentless and Shared Focus on Driving Improvements in Audit Quality
Like the work of audit committees, the PCAOB’s work is continuing to evolve. A little over a year ago, the Board issued a new Strategic Plan, which calls for us to “Modernize our Standards,” “Enhance our Inspections,” and “Strengthen our Enforcement.”
Modernizing Our Standards
The PCAOB is updating the auditor’s responsibilities through modernizing the legacy auditing standards, many of which were authored by the AICPA (American Institute of Certified Public Accountants) over 40 years ago – a different corporate era dominated by filing cabinets and fax machines.
In this corporate era, the accounting profession defined the auditor’s responsibilities for itself,8 before widespread use of the internet, before the dot-com bubble, before the accounting failures at Enron and World Comm, before the 2008 Financial Crisis—and, importantly, before Congress ushered in a new era in corporate reporting responsibility and investor protection.
In setting forth a new era of corporate reporting responsibility, Congress instructed the PCAOB to revise the auditor’s responsibilities with an independent assessment of investors’ needs. And it is for this reason that the Board is determined to revamp many of the outdated legacy auditing standards written in the days of mainframe computers, not personal computers, or mobile devices.
Our standard-setting agenda includes, among other things, modernizing our quality control standards (authored by the accounting profession in the 1970s and 1980s), outlining the basic principles for the audit (originating in the 1940s through the 1970s), clarifying the auditor’s responsibilities for identifying a company’s material misstatements resulting from violations of the law (authored in 1977), and addressing weaknesses in auditing procedures, such as those focused on obtaining audit evidence through the confirmations process (written over 30 years ago).
Enhancing Our Inspections
Evaluating and reporting on whether auditors are living up to their responsibilities is foundational to the current and future state of audit quality. Our PCAOB inspectors review select portions of the audits of approximately 700 public companies a year. This involves looking at the work of about 100 registered audit firms in more than 30 jurisdictions every year. Our inspectors assess the audit firm’s compliance with PCAOB standards and rules and the relevant parts of the securities laws. 9
The largest audit firms - those that regularly provide audit reports for more than 100 public companies -- are inspected each year. All other audit firms are inspected every three years. These inspections are largely risk-based and focus on a discreet set of issues within those audits. Last year, the PCAOB obtained access to fully inspect audit firms in China for the first time.
Our inspection reports are the inspectors' observations – or report card so to speak – on how well auditors are fulfilling their responsibilities. I believe each of you has an interest in that question. The report summarizes deficiencies found in the selected audit engagement and other violations of PCAOB rules.
Our inspection reports provide a wealth of information that can aid an audit committee’s role in supporting audit quality and financial reporting. These inspection reports can provide important insights and opportunities for discussions with your auditor. These include:
- Looking at the nature of the audit deficiencies and how an audit firm responds to the report;
- Comparing results of different audit firm reports to gain an understanding of how one firm is performing relative to others; and
- Going through the inspection report with the audit partner to dig deeper into the findings and get a sense of what the firm is doing to remediate any deficiencies.
Earlier this year, we also announced improvements to the format of our inspection reports. The redesign is aimed at making it easier to read and providing more information about our inspection results. In particular, we have added a new section on instances of noncompliance with PCAOB rules regarding Independence.
The importance of auditor judgment and objectivity cannot be overstated. Accordingly, auditor independence is a shared responsibility of the management of a public company, its audit committee, and the auditor. All three should proactively monitor for any potential impacts to auditor independence, both in fact and in appearance, throughout the engagement period, and as companies negotiate potential transactions with third parties. And of course, even permitted non-audit services can require audit committee preapproval.
Inspection findings are a key factor in the larger landscape that contributes to an audit firm’s overall state of audit quality, and disappointingly, our 2022 inspection results show us that deficiencies have increased in nearly every category of audit firm that the PCAOB inspected.
The findings also indicate a continuing trend of audit firms’ failures to obtain sufficient appropriate evidence to support their audit reports. This means a growing number of inspections show that firms are signing off on their audit reports without completing the required amount of work.
As I mentioned earlier, last year, the PCAOB performed initial inspections of some of the audits performed by Chinese affiliates of the Big Four audit firms. The findings, which include insufficient basis to support an auditor’s assessment of the financial statements or internal controls over financial reporting, are concerning.
More broadly and related to the information that the audit committee receives, PCAOB standards set forth certain minimum requirements for an auditor’s discussion with audit committees. This is an area of focus, and our inspections continue to identify recurring deficiencies in the auditor’s communication with the audit committee. We observed deficiencies in over 130 inspection reviews in 2021 for those reviews where we looked at audit committee communications.10
I encourage each of you to engage in effective two-way communication and ask questions throughout the audit engagement. For example, “What business risks that could lead to a material misstatement did the auditor identify?”
Those Inspection reports are available on demand on our website, which identifies resources for “Audit Committees.”
Strengthening Enforcement
Our oversight program seeks to encourage auditors to perform audits in accordance with our auditing, quality control, ethics, and independence standards. Our inspections program identifies deficiencies that should be quickly and effectively remediated.
In an ideal world, the PCAOB would not need to maintain an enforcement component of its oversight program. However, a capable enforcement and disciplinary program is necessary to address egregious or persistent violations of standards or rules and to support the standard-setting and related compliance.
I agree with Chair Erica Williams’s statement that “We intend to use every tool in our enforcement toolbox and impose significant sanctions, where appropriate, to ensure there are consequences for putting investors at risk and that bad actors are removed.”
You might be particularly interested in knowing that the Board recently brought disciplinary proceedings against five audit firms that failed to provide required information to audit committees.11 Depriving audit committees of essential information will not be tolerated.
Outreach and Interaction
We, like you, are navigating the rapidly evolving business world, and are focused on understanding more about the environment in which we operate. Our Investor Advisory Group, and our Standards and Emerging Issues Advisory Group (SEIAG), meet several times a year to contribute perspectives from investors and other stakeholders regarding our work. Two of the members of the SEIAG are members of public company audit committees, and we would love to have more.
Like you, we must understand the rapid changes in technology. Accordingly, my fellow Board member, Christina Ho, is currently chairing a Technology Innovation Alliance Working Group to advise the Board on the use of emerging technologies by auditors and preparers and their potential impact on audit quality.
Furthering Our Special Relationship
The Summit’s theme, “the audit committee’s role during times of uncertainty,” is certainly appropriate. Your work involves understanding the new complexities of your company’s business, responding to economic disruptions around the world, overseeing risk assessment processes, and anticipating these with unprecedented agility. The pace and the magnitude of structural shifts require you not just to adapt, but to embrace change.
How and where business is done has radically changed over the last several decades. Cloud servers have replaced paper filing cabinets. Today’s business happens instantaneously, unimpeded by geographic borders, in an unseen digital dimension – a digital dimension where both capital and data flow at the speed of light.
Not surprisingly, as business has changed, so have the responsibilities of Boards and of their audit committees. Public company operations span the globe with increasing complexity of both subsidiaries and supply chains. The risks companies face range from sudden shifts in demand, to cybersecurity, and now include the use of generative algorithms or artificial intelligence (AI).
A recent survey on AI use by the Society for Corporate Governance noted that most members responding have not expressly permitted or prohibited the use of AI tools by employees. About one in three are allowing the use of AI tools, and for those that delegate oversight of AI to the full Board or audit committee, most are delegating responsibility to the audit committee.12
I suggest that audit committee members and the PCAOB face the same challenges in dealing with those technological advances--how to understand them, how to trace their impact, and how to adapt accordingly. Your presence at this summit today shows your commitment and care toward the important work that you do. You are staying aware of the changes that are happening, and gaining knowledge and tools that will help you address the challenges of today’s business environment. You also will be better prepared to take advantage of the opportunities that change can bring.
Business risks also are changing dramatically. Audit committees face greater challenges in ensuring appropriate risk management across the organization. Auditors must conduct an independent, comprehensive, and complete risk assessment and design and execute audit responses for business risks that could result in a material misstatement of the financial statements.
Importantly the SEC’s Chief Accountant, Paul Munter, recently issued a statement that cautions on conducting risk assessments “too narrowly” on “risks that directly impact financial reporting” rather than company or entity-level issues.
Risk can arise from external or internal sources, emerge from events or changes in circumstances, and evolve in response to risk mitigation techniques and protocols, such as cyber risks. As gatekeepers, auditors are responsible for objectively ensuring that management meets its burden in addressing risks that could impact the company’s financial reporting.13 Auditors should discuss these matters with the audit committee and in the audit report if they are critical audit matters. In fact, I encourage audit committee members to have robust conversations with your auditor about their exercise of auditor judgment and to understand what your auditor is identifying and deciding are critical audit matters.
I would like to end with the same thought with which I began: Audit committees of public companies and the PCAOB share fundamental goals: Protecting Investors, Improving Audit Quality, and Contributing to the Overall Integrity of the US Capital Markets.
While the audit must be effective, it must also be perceived as effective in identifying material misstatements. As the Supreme Court noted, "It is [] not enough that financial statements be accurate; the public must also perceive them as being accurate.”
The public’s faith in high quality and reliable financial reporting is highly dependent on views of the auditor’s ability to be objective (independence) and audits performed in accordance with auditing standards.
In your oversight of the external audit, you appoint the auditor, approve audit and non-audit services performed by the auditing firm, and oversee the audit and the resolution of any disputes. To do all of this you must engage in effective two-way communication with the auditors throughout the audit engagement.
The current trend of increasing deficiencies that I discussed should be troubling to audit committees. How do the latest PCAOB inspection observations for the audit firm affect actual or perceived audit quality? Does the firm effectively remediate deficiencies? For deficiencies that relate to an audit firm’s independence, how does the audit committee determine that such deficiencies do not impair the audit?
We all benefit by furthering our special relationship. The PCAOB can provide you with helpful and relevant information to help you further deeper conversations with auditors contributing to an overall improvement in audit quality through your individual engagement oversight.
In that regard, the Board has also appointed a Director of Stakeholder Relations, Todd Cranford, to be a contact and resource for stakeholders, including audit committee members. Please feel free to contact him if you have questions about the work of the PCAOB.
Thank you for all that you do to continue to make our capital markets the envy of the world, and I hope you enjoy the rest of the Audit Summit.
1 Loomis, Philip A. 1978. "Audit Committees - The American Experience." London: US Securities and Exchange Commission, Nov 3. https://www.sec.gov/news/speech/1978/110378loomis.pdf.
2 In the matter of McKesson & Robbins, Inc., File No. 1-1435: Securities Exchange Act of 1934, Section 21 (a); Summary of findings and
conclusions, “The fraud was engineered by Frank Donald Coster, president of McKesson & Robbins…in 1926. In reality, Coster was Philip M. Musica who, under the latter name,
had been convicted of commercial frauds.;” “All appointments of Price, Waterhouse & Co. as auditors … were made [Coster…] by letter… near the close of the year to be audited. The testimony of the directors
is that with rare exceptions members of the board had no part in arranging for the audit and did not know the content either of the letters of engagement or of the [audit] report addressed to Coster...”
3 In the matter of National Telephone Company, [SEC, January 1978], “Finally, the facts developed during this investigation demonstrate
the need for adequate, regularized procedures under the overall supervision of the Board to ensure that proper disclosures are being made. Such procedures could include, among other things, a functioning audit committee with authority over
disclosure matters, or any other procedure which involves the Board of Directors in a meaningful way in the disclosure process. With such procedures, the corporation’s shareholders and the public should be more adequately protected from
haphazard or fraudulent disclosure.”
4 Ibid. “lt is desirable for all public companies to have audit committees composed of independent directors and ways are
being considered by which such committees might be encouraged or required. The Commission believes that objectivity and independence are enhanced if the auditor deals with an audit committee of independent directors or the board of directors
in determining services and fees. In order to provide investors with knowledge of whether the board of directors or audit committee has approved all services provided by the auditors, the
Commission proposes to require disclosure of whether such approval has taken place.”
5 The Sarbanes-Oxley Act was an overwhelmingly bipartisan effort (99-0 in the Senate; 334-90 in the House) to strengthen our capital markets.
President George W. Bush signed the bill into law, which was characterized as “the most far-reaching reforms of American business practices since the time of [the Securities Act].”
6 See Accounting Reform and Investor Protection, Hearings Before the S. Comm. on Banking, Hous., and Urban Aff., 107th Cong. (Feb. 12, 2002) (Statement by Senator Shelby) (“Regrettably, Mr. Chairman, growing doubt is replacing investor confidence regarding the accuracy of financial information. The trend of restatements and audit failures has put the independence and objectivity of outside auditors in question. In far too many cases, the numbers have just not added up.”); see also GAO-03-138 Financial Restatements, October 2002
7 See U.S. v. Arthur Young & Co, 104 S. Ct 1495, 1503 (1984). In 1995, Congress (in overriding a presidential veto) again called on the independent public accountant to assume the “role analogous to that of a detective, charged with the responsibility to ‘ferret out fraud’ and other illegal acts. See Andrew W. Reiss, Powered by More Than GAAS: Section 10A of the Private Securities Litigation Reform Act Takes the Accounting Profession for a New Ride, 25 Hofstra L. Rev. 1261 (1997), available at http://scholarlycommons.law.hofstra.edu/hlr/vol25/iss4/5.
8 148 Cong. Rec. S6332 (2002) (Statement by Senator Sarbanes) (quoting David Walker, Comptroller General of the US) (available at https://www.govinfo.gov/content/pkg/CREC-2002-07-08/html/CREC-2002-07-08-pt1-PgS6327-7.htm) (“History has shown that the AICPA and the SEC have failed to update their independence standards in a timely fashion and that past updates have not adequately protected the public’s interests.”).
9 SPOTLIGHT Staff Update and Preview of 2022 Inspection Observations, PCAOB, July 2023, staff-preview-2022-inspection-observations-spotlight.pdf (pcaobus.org)
10 Deficiencies are broadly ranged across all firms and include instances where the auditor did not communicate to the public company’s
audit committee. They include certain or (in limited cases) any of the required communications; Significant risks identified during the auditor’s risk assessment procedures, including fraud risks; Overall audit strategy and timing of
the audit. The auditor’s evaluation of, and conclusions about, the qualitative aspects of significant accounting policies and practices of the public company’s financial reporting; A complete list of material weaknesses identified
during the audit prior to the issuance of the auditor’s report; The auditor’s evaluation of the public company’s ability to continue as a going concern; The uncorrected and corrected misstatements identified by the auditor;
Continuing issues with the critical audit matter rules; The engagement team’s evaluation of the public company’s identification of accounting for, and disclosure of its relationships and transactions with related parties.
11 PCAOB Sanctions Five Firms for Violating PCAOB Rules and Standards Related to Audit Committee Communications
13 The Importance of a Comprehensive Risk Assessment by Auditors and Management, Paul Munter, Chief Accountant, U.S Securities and Exchange Commission, Aug 25, 2023, “Auditors are responsible for ensuring that management: “(1) take[s] a holistic approach when assessing information about the business and avoid[s] the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks; (2) design[s] processes and controls that are responsive to identified risks; and (3) effectively identif[ies] information that issuers are required to communicate to investors.”