Guided by a Mission: Protecting Investors and Improving Audit Quality

Good afternoon. I would like to thank Liz Gantnier for hosting our session at the conference. Claudius and I are pleased to be back this year, but first we must say that the views we express are our own and should not be attributed to the PCAOB as a whole or any Board members or staff.

This is my favorite time of the year. It is a perfect time to stop, reflect and take stock. Take stock of the past, reflect on what it tells us and prepare for the future.

This couldn't be more true this year. We are in the midst of a swirl of changes. Political changes, technological changes, accounting standard changes, economic changes and the list goes on. Change, as they say, can bring a lot of promise, but it can also bring uncertainty.

We at the PCAOB Division of Registration and Inspections perform an important and statutory function in registering and inspecting accounting firms that do audits of issuers and brokers and dealers. Our mission is to protect investors and improve audit quality. That mission remains certain and does not change even when the government changes hands.

That statutory mandate is my guide — my North Star.

As I prepare the Division of Registration and Inspections for the coming year, my goal is steadfast: to improve audit quality, improve the audit profession and always keep investor protection at the forefront of our work. These are the very things that draw inspectors to the PCAOB, and drive us every day in what we do.

Whether you in the audience are a preparer of financial statements, an auditor of financial statements or an audit committee member – I know that we all share a common North Star – that of investor protection through quality audits.

I. A Fresh Look

With the looming start of a new year, we are taking a fresh look at what we are doing. Taking a fresh look demands diversity. I personally think diverse views matter and can infuse some element of new thought and different ways to think about things. We are fortunate at the PCAOB to have diverse views internally and from our external outreach. We have received valuable input and welcome ideas to further protect the quality of the audit and capital markets.

Audit Firms

Last year I reported about the significant changes firms have made over the last 13 years. While it has been significant, there is more room for improvement. Firms continue to take incremental actions in an effort to improve quality and to ensure their quality control systems work.

Yet there are examples of poor quality that exist and escape the system. We ask firms – how is it that these failures continue to happen? How does an individual auditor choose to not follow critical aspects of a firm's methodology or specific auditing standard requirements? Do some auditors not understand their firm's methodology or auditing standards? Why does a firm's message on audit quality not reach all individuals?

Firms need to continue to explore their practices to determine why recurring audit deficiencies continue and to challenge their current quality controls to determine whether further changes in these systems will drive improved audit quality.

I know that recurring audit deficiencies are not going to disappear overnight, but I do think we are approaching a critical point where without elimination or significant reduction of the most troubling recurring findings, firms should not expect that they will be able to satisfy remediation requirements easily.

Audit Firm Inspections

From the outset of our inspections program, we have strived to have a fair, flexible and adaptable inspection approach that allows for transparency to firms and others interested in the outcome.

We have focused on risk from the start by allocating our limited inspection resources to the areas of most concern. Identifying and addressing audit risk has been central to our approach.

This has allowed us to react to what we see in the environment and to focus our attention where we get the most bang for our buck.

This approach has evolved over time, for example:

  • We have refined our risk-based approach to further identify emerging audit risks and firm-specific risks. Today our approach is more targeted. This involves smaller and more specialized teams of inspectors focused on specific areas – be they smaller offices or financial reporting or industry areas.
  • We have refined our review of remediation. We dedicated staff to the remediation process and made them available to work with firms throughout the 12 month remediation period. We provided staff guidance to help firms through the process. We encouraged – and continue to encourage – firms to engage with us early and often. Today we continue to challenge firms to take prompt active steps to address deficiencies.
  • We have refined our review of the root causes of recurring audit deficiencies. We started by encouraging firms to explore this in-depth. Today this is a routine element of our inspections – our staff looks at what might be the cause of audit deficiencies. For the largest firms, our program looks at both positive (for example, audits with no inspection findings and those perceived as being higher quality) quality events and negative (for example, audits with significant inspection findings) quality events.
  • We have refined our inspection reports. Today our reports provide a wealth of information – from references to the auditing standards related to the audit deficiencies to a summary of the more significant findings for that firm to additional information about the issuers inspected.

This evolution does not stop. We continue to explore ways to further improve the inspections process. A few things we are considering:

Selections of Audits – Implementing Randomization

While I continue to believe that a risk-based approach to inspection is highly efficient, I am very interested in selecting a number of audits for inspection using a random approach which will allow us to draw an overall conclusion about audit quality and trends, incorporating inferences from what we have previously done on the risk-based side of things.

A number of years ago, we began selecting some audits for inspection that were not subject to our risk-based criteria. Results from those selections varied and varied by firm and by year. In some cases, the audit deficiencies were similar to those identified in engagements selected using the risk criteria and in others they differed in a meaningful way.

This foundation has been very helpful to us, as it has given us an indication of how a firm performs on those engagements that are not exhibiting the highest levels of risk, but it also helps inform our risk-based criteria and certainly whether there were other risks that we had not considered.

Right now we inspect about 50 audits at each of the largest firms each year. In 2017, we plan to allocate a portion of those selections to be determined on a random basis. In preparing for this, we have teamed with economists in the PCAOB's Center for Economic Analysis to assist us in designing a random approach. We are hopeful that the evolution in this approach will further inform us about the state of audit quality.

Even with this evolution though, our focus on risk will not go away – over 14 years, we have found that to be an efficient and effective way to target where audit risk may exist and to identify problems in audit areas.

The number of audits we select will remain consistent overall, but the number selected between those that are random and those that are risk-based may vary and may vary by firm.

Use of Data Analytics and Technology

Data analytics and technology are exciting developments for auditors and are also exciting developments for inspectors.

We have invested time during the last few years to assemble and organize our data for purposes of deeper analysis. This has been helpful for inspections, but also for other divisions of the PCAOB.

We will continue to consider how we too can use data analytics to design our inspections. Just as we are seeing with the audit itself, the ability to extract and analyze information will be something that will be the future of inspections. We will continue to explore how to use these new tools when we design our future programs. It may be a ways off, but it is something we have our eye on.

So let's take a look back at this past inspection cycle.

II. Preview of 2016 Inspection Results

Preliminary 2016 results of the annually inspected firms indicate the overall number of deficiencies has decreased compared to the results from the 2015 inspection cycle. We hope that this downward trend will continue.

Examples of areas where we continue to see improvement include:

  • Understanding of an issuer – Auditors have focused on developing a better understanding of issuers' processes, transactions, and controls;
  • Coaching – Firms continue to coach and provide support to teams – helping less experienced team members develop the knowledge and skills to be successful; and
  • Monitoring – We see this at both the individual engagement and firm level. Firms are encouraging engagement teams to perform certain procedures such as planning earlier in the audit process; and firms are evaluating the effectiveness of quality controls to ensure that they operate effectively.

The most frequent audit deficiencies continue to be in the key areas related to auditing internal control over financial reporting ("ICFR"), assessing and responding to risks of material misstatement and auditing accounting estimates, including fair value measurements.

ICFR

We continue to see significant deficiencies in the audit work for ICFR. Inspections staff observed some improvement in certain areas, such as the evaluation of control deficiencies and testing controls over the accuracy and completeness of system-generated data and reports used in the performance of important controls.

Despite improved audit quality in these areas, Inspections staff continued to identify deficiencies related to testing the effectiveness of controls that include a review element.

Specifically, some auditors did not sufficiently evaluate the procedures performed by management, including the criteria management used to identify matters for investigation and the steps involved in investigating and resolving such matters.

Many of these deficiencies related to testing controls over management's cash-flow forecasts or other assumptions that the issuer used in determining estimates related to business combinations, asset impairments, and other reserves.

Certain firms have indicated that a root cause of these deficiencies may be due to auditors not understanding the extent of procedures and evidence that needs to be obtained when they test controls with a review element.

The audit of internal controls is an area that has been subject to much outreach and discussion over the last year or so. While progress has been made, ongoing dialogue is necessary to continue making progress.

Assessing and Responding to Risks of Material Misstatement

In the area of assessing and responding to risks of material misstatement, preliminary 2016 inspection results indicate some improvement over 2015 and most notably in the auditors' procedures to test controls over system-generated data and reports that were used to support other important controls or substantive procedures in the audit.

Inspections staff continued to observe deficiencies in the area of responding to the risks of material misstatement. Auditors should continue to focus on whether the procedures that have been designed and performed are specifically responsive to significant risks, including fraud risks.

We also continue to see deficiencies related to auditors' evaluation of audit evidence. It is important for an auditor to take into account all relevant audit evidence, regardless of whether it corroborates or contradicts management assertions.

We have seen, for example, an auditor engage an external pricing specialist to test the valuation and classification of investments. When the specialist, however, indicated that certain of the investments' classification should have been hard-to-value or "Level 3," which contradicted the classification provided by management, the auditor supported the issuer's investment classification without performing sufficient procedures to evaluate this other evidence.

Auditing Accounting Estimates, including Fair Value Measurements

Complex estimates continued to be a focus of our Inspections staff due to the increased risk of material misstatement these may pose to the financial statements. Unfortunately, Inspections staff continued to identify significant deficiencies in these areas. Auditing deficiencies in this area commonly related to evaluating impairment analyses for goodwill and other long-lived assets, and the valuations of assets and liabilities acquired in business combinations.

While I mentioned earlier that we have seen improvements in auditors' understanding of business processes, Inspections staff continued to identify instances in which auditors did not fully understand how estimates were developed or did not sufficiently test the significant inputs and evaluate the significant assumptions used by management.

Certainly some firms have taken incremental remedial actions to enhance their methodologies in this area – often supplementing them with training, tools and coaching. Yet it is disappointing to continue to see this area remain near the top of the list of deficiencies and to have seen this be somewhat consistent with what we saw in 2015.

As you are aware, accounting estimates[1] are subjective and require management judgment, making them susceptible to management bias. Changes in financial reporting – especially the new standard for revenue recognition and the current expected credit loss model – will continue to give rise to complex accounting estimates.

Auditors need to continue to be vigilant in this area. Auditors should keep these deficiencies in mind when planning and performing procedures for their upcoming audits.

Audit firms should continue to challenge whether their remedial actions in this area produce significant or lasting change.

Related Parties

The PCAOB adopted AS 2410, Related Parties, in an effort to strengthen auditor performance requirements related to related parties, significant unusual transactions, and a company's financial relationships and transactions with its executive officers. These transactions could pose an increased risk of material misstatement in a company's financial statements.

During the 2016 inspections cycle, Inspections staff evaluated firms' implementation and compliance with this new standard. Inspections staff procedures included an evaluation of changes to firm methodologies, training, and implementation guidance provided to audit professionals, among other things.

In addition, our inspections of a number of audits of issuers and brokers and dealers included an evaluation of the audit procedures performed and whether they complied with the new standard. Inspections staff are encouraged to say that the preliminary 2016 inspection observations indicate that most firms inspected that audit issuers had incorporated the requirements of AS 2410 into their audit methodologies.

Unfortunately, Inspections staff still identified instances in which auditors did not comply with the requirements of the standard, and the deficiencies were more commonly identified in the audits of brokers and dealers.

Frequently identified deficiencies related to instances in which auditors did not test, or sufficiently test, that related party transactions were properly identified, accounted for and disclosed.

Examples of findings included instances in which auditors did not: (1) obtain an understanding of the business purpose of the relationship with the related party, (2) perform sufficient procedures to identify previously undisclosed relationships or transactions with a related party, as the audit procedures performed were limited to management inquiry, and (3) sufficiently test related party expenses allocated among affiliated entities.

Auditor Independence

An independent auditor plays a critical role when it comes to the reliability of an issuer's financial statements. Inspections staff continue to assess firms' monitoring systems to provide reasonable assurance that firms maintain independence from their audit clients, including whether and how those systems address the growth in consulting and other non-audit services, such as through acquisition of consulting firms.

Deficiencies observed related to non-compliance with PCAOB rules or SEC rules and regulations related to independence on issuer audits included: (1) insufficient communications to the audit committee regarding the scope of tax consulting services performed and the potential effects of all tax services on the independence of the firm, (2) services provided to the issuer as the lead engagement partner for more than five consecutive years, and (3) failure to make the required communications to the audit committee concerning independence.

Auditors should continue to assess their personal and professional activities to ensure compliance with applicable independence standards.

It is important to remember that lack of knowledge of the independence requirements does not excuse a breach. I encourage auditors to be well aware of the requirements and to consult when in doubt.

III. Looking Ahead to 2017

Our 2017 inspections will continue to have a focus on the troubling areas of recurring audit deficiencies - specifically, the areas discussed earlier: ICFR, assessing and responding to risks of material misstatement, and evaluating accounting estimates including fair value measurements.

Other areas of focus will include audit areas affected by economic trends and higher financial reporting risk, as well as a firm's overall system of quality control.

Risk Assessment

One area of specific focus for our Inspections staff will be auditors' processes for identifying and assessing risks of material misstatement at the financial statement assertion level. Proper identification of the risks of material misstatement, including the types of potential misstatements that can occur and the likely sources of those potential misstatements, is necessary when selecting appropriate controls to test, evaluating whether those controls adequately address the risks, and designing and executing substantive procedures.

Economic Risks

Our inspectors consider the current economic environment and related developments when planning their inspections. We expect that many of the economic risks that were present in the prior year will continue to exist in 2017, including continued fluctuations in oil and gas prices, the search for higher-yielding investment returns in a low interest rate environment and the high pace of mergers and acquisitions.

As I mentioned earlier, with the continued significant deficiencies related to complex estimates, Inspections staff will continue to take a close look at these areas.

Fair value measurements and other accounting estimates involve the potential for management bias, and the frequency of inspection findings in these areas suggests that, in many cases, auditors do not appropriately apply professional skepticism when testing estimates.

Financial Reporting Areas

Inspections staff also consider risks related to financial accounting areas when planning for inspections.

New Accounting Standards

The Financial Accounting Standards Board adopted new standards in recent years related to revenue and leases. Issuer clients may early adopt these standards. While the audit requirements have not changed as a result of the issuance of these new standards, Inspections staff expects to gain an understanding of changes firms have made in their audit methodologies and approach related to these standards.

Although I don't think we will see many examples of early adoption in our selected issuer inspections during 2017, at the individual audit file review level we will be discussing with the audit team how they are addressing the pending change with their clients.

We will want to understand whether the auditors have had discussions with their clients related to changes issuers may implement in their processes or controls, whether the auditor has remained independent in the process of client implementation of the standards, and whether the auditor is appropriately reporting any concerns about readiness or technical ability to the audit committee on a timely basis.

Going Concern

The auditor's evaluation of a company's ability to continue as a going concern will also be a focus of Inspections staff this coming year. While our prior experience has not indicated a significant number of audit deficiencies in this area, Inspections staff will evaluate whether changes have occurred with respect to audit procedures performed in light of the new accounting standards that have taken effect to further inform the PCAOB standard-setting process.

To me, going concern stands out as an area that has benefitted from the real time interaction of our standard-setting team with auditors and inspectors in the field.

Company Performance Measures

Many public companies supplement their communication of financial information prepared under GAAP with company performance measures that they believe are informative to investors and other users in assessing the company's performance and future prospects.

These company performance measures may be included in a company's annual reports, registration statements, earnings releases, or other communications, such as calls with analysts and information on the company's website.

It seems that more and more public companies are using non-GAAP measures to supplement their financial reporting. Inspections staff will gather information related to actions firms may be taking related to the review of these non-GAAP measures, including any changes that may occur in an auditor's assessment of the risk of material misstatement or audit approach for issuers that appear to use non-GAAP measures aggressively.

This information gathering will be very important to help inform standard setting certainly, but it is also important to our inspectors in preparing for an inspection.

New Auditing Standards - Transparency

The Board adopted new rules and related amendments to its auditing standards in 2015 that will provide investors and other financial statement users with information about engagement partners and accounting firms that participate in audits of issuers. These rules include having firms file a new Form AP to disclose this information publicly and will be effective for the 2017 inspections cycle. In 2017, Inspections staff will perform procedures to evaluate the firms' implementation of these new rules.

As an organization, we have held a number of teleconferences this year to answer questions from firms about the technology implementation of Form AP. We have also published staff guidance[2] to provide information on completing the form. The guidance also covers other provisions of the recently enacted rules.

I encourage firms to reach out to our staff if you have any questions about actually completing the forms – we are set up to help. Our contact information is the registration help desk ([email protected]) or our Office of the Chief Auditor staff.

Multinational Audits

With the European Union regulation on mandatory auditor rotation having taken effect, our Inspections staff is evaluating the potential risks and impacts to multi-location audits. It seems that many affiliate firms will experience significant changes in their client portfolios, and firms performing audits for multinational companies may work with other auditors that they have not worked with in the past.

Auditors will need to critically evaluate the objectivity and expertise of these other auditors, as well as perform a risk assessment to determine whether their prior extent of supervision and review of this work would need to change.

Firms will also need to closely scrutinize non-audit services that have been provided to issuers prior to accepting new audit engagements.

Root Cause Analysis

During the 2017 inspection cycle, there will be a continued focus by the Inspections staff to identify the potential root causes of audit deficiencies and positive quality events. Additionally, Inspections staff will evaluate the results from those firms that also perform their own internal root cause analyses.

Root cause analysis is an integral part of improving audit quality. I believe that the successes we are seeing in certain areas are driven by individual firms' performance of root cause analysis, which drives more successful remedial actions.

When firms can properly understand why a deficiency is occurring, they can better design remedial actions which address the root of the problem. As firms continue to enhance their own root cause analysis and as a result obtain a better understanding of what drives audit quality, we expect that firms will be able to more effectively drive their remedial efforts, and ultimately improve and sustain audit quality.

As I mentioned earlier, our approach here has evolved over the recent years. There have been some interesting developments both at the PCAOB and at firms. We now have a great deal more information and can see more clearly the effects of basic building blocks of the audit – when not done well they can cascade through an entire audit and firm. We hope to produce some more detailed reports on what we have seen so far, but this work continues.

Technology Risks

Risks also remain that cyber-attacks may affect issuer financial statement reporting, and as a result, Inspections staff view this as an evolving risk area that requires ongoing focus in 2017 and beyond.

Inspections staff continue to perform information gathering procedures that seek to understand the procedures performed and documentation prepared by auditors to determine whether certain cybersecurity risks pose risks of material misstatement to the company's financial statements, and whether modifications to the auditor's risk assessments and planned audit approach occurred or were necessary in response to these risks.

We are also reviewing firm audit software, recognizing that the integrity of the technology tools used by the firms themselves is critical to audit quality as well.

PCAOB Broker-Dealer Auditor Oversight

Our fifth annual report discussing audit deficiencies identified during the 2015 inspection cycle was released in August 2016. Inspections staff continued to observe a number of independence findings and audit deficiencies. These results were similar to what has been reported in prior years. Broker-Dealer auditors should read this report and take action to avoid these audit issues when planning and performing procedures for their upcoming audits and attestation engagements.

The 2016 inspection fieldwork is coming to a close this week and with that, we will have inspected 75 firms and portions of 115 audits and the related attestation engagements. This brings our totals, since we began our inspections of these firms late in 2011, to 334 inspections conducted and 514 audits covered during those inspections.

Preliminary results of the 2016 inspections of audits of brokers and dealers indicate that many of the audit deficiencies observed in the 2015 inspection cycle have also been identified during the 2016 inspection cycle. With these results, you can expect that our inspections during 2017 will continue to focus on these areas. We intend to again inspect 75 firms and portions of 115 audits and the related attestation engagements. We will also further prepare for a move to a permanent inspection program, while the interim program continues until the rules for a permanent inspection program take effect.

A rule proposal to replace the Board's interim inspection program of Broker-Dealer auditors with a permanent program is expected to be considered by the Board soon.

I also encourage auditors of brokers and dealers to join our webinar on December 13th. That webinar will focus on recent inspection findings in applying AS 2601 (currently AU Sec. 324), Consideration of an Entity's Use of a Service Organization.

International Audit Regulators

Our non-U.S. inspections program has also developed over the years. We could not do this without the incredible collaboration with our fellow audit regulators around the world. We have inspected in 48 jurisdictions since our start and performed many inspections jointly with other regulators.

We secured the renewal of the European Commission's adequacy determination, which allows us to continue to conduct joint inspections of PCAOB-registered firms with European audit oversight bodies. We also now have a protocol for joint inspections with Italian authorities. Only a handful of jurisdictions remain where we can't inspect.

This is great news for audit quality. Multinational audits rest on the quality of work in multiple jurisdictions. The ability to inspect and collaborate with other audit regulators is key to assessing and improving audit quality and ultimately to protecting investors.

IV. Navigating Change – Keeping an Eye on the North Star

What will be important to navigate change – what skills are necessary? What are the important elements?

First, judgment – it is important in the work of auditors and inspectors. Technology can assist – help make things more effective and efficient – but people will still need to know whether something makes sense in the circumstances. Technology cannot replace a proper risk assessment or evaluation of complex matters that require critical thinking. This is also an area where an auditor can bring true value.

Second, adaptability – just as the market ebbs and flows, auditors should continually monitor emerging risks, react timely, and consider adjusting their audit approach as appropriate. Responding to emerging risks with targeted actions is also key to investor protection and audit quality.

Third, challenge the status quo – how can we do what we do better. It is something we also think about in our inspections process and won't change here. We are focused on continuous improvement now and going forward.

So as we navigate change, here are my three takeaways:

  1. Embrace change – be it the environment, accounting or auditing standards, or technology, change brings opportunities and promise and new ways of looking at things.
  2. Make a difference – what can you do to make things better – think about your audit, the example you set, how you mentor your staff, colleagues and students? Each person is critical to protecting the quality of the audit – each person is critical to a system of quality control.
  3. Keep your eye on the investor – this is always our North Star, the guide that should help when making decisions. Core and central to everything we do. Make it your North Star.

[1] See AU Section 342, Auditing Accounting Estimates.

[2] Staff Guidance – Form AP, Auditor Reporting of Certain Audit Participants and Related Voluntary Audit Report Disclosure Under AS 3101, Reports on Audited Financial Statements (June 28, 2016).