Good afternoon. Thank you for inviting me to reflect on the PCAOB’s activities to drive consistently high-quality financial statement audits for the benefit of investors.
Walking around this beautiful campus today has brought back great memories from when I was a student way back in the early 1980s. While there have been, of course, some notable changes over the decades, like the much expanded business campus here on the south quad, one thing has remained steady: U of I has consistently ranked at or near the top of the nation’s accounting and auditing schools. I commend Dean Brown and all of the current and former administration, faculty, and students for this distinctive track record.
I am pleased to be here addressing you, the next generation of Fighting Illini auditors, accountants, and business leaders. The education you receive here will prepare you well for entry into a profession that has long been and remains of critical importance to our capital markets.
Today I want to provide you some of my perspectives on the importance of high quality auditing, the progression of audit oversight and audit quality over time, and how I believe a renewed focus on audit firms’ systems of quality control will further drive audit quality improvement in the future. I will also have time after my prepared remarks to address any of your questions or comments.
Before I go further, though, please let me note that the views I express here today are my own and do not necessarily represent the views of the PCAOB Board, any individual PCAOB Board Member, or the PCAOB Staff.
The Importance of Audits to our Capital Markets
Like oil for a car engine, capital is the life-blood of our economy. Likewise, relevant and reliable financial information is core to the functioning and integrity of our capital markets. High quality financial reporting supports well-informed investment decisions, thereby facilitating the efficient formation and deployment of capital.
Independent and consistently high quality audits are an essential tool in helping ensure trustworthy financial reporting, giving investors from Wall Street to Main Street added confidence when pursuing market opportunities.
As you know, management is primarily responsible for the integrity of a company’s financial reporting. Management is responsible for adopting sound accounting policies and for establishing and maintaining effective internal control over financial reporting (ICFR). While management certifies to the accuracy of the financial statements and the effectiveness of ICFR, investors value added assurance from the auditor through its independent audit opinions.
Investors value this added assurance from the auditor, in part because it helps to mitigate certain problems that may arise given the economic principal-agent relationship between investors and management—problems driven by the separation between investor ownership and management control.
For example, investors usually have limited visibility into a company’s ongoing activities and results; whereas management has direct knowledge of and control over a company’s transactions and financial condition. Economists refer to this relationship as information asymmetry. Similarly, management’s interests may not always align with investors’ interests, which economists refer to as moral hazard. For instance, management may inappropriately seek to increase their compensation and job security through earnings management by applying accounting practices that do not most fairly reflect the company’s underlying economics.
The auditor is in a position to help mitigate the potentially negative implications of these relationships. With direct access to the company, and as an objective and independent party, the auditor is able to provide the investor with better insight and more confidence as to the reliability of management’s reported financial statements. In this way, independent and high quality audits serve to foster public trust in our capital markets.
Assessing the Quality of an Audit
Despite the audit’s foundational importance to the capital markets, it can be challenging to discern and assess the quality of audits.
For one thing, there is no single blueprint or recipe for conducting an audit. Investors and other stakeholders generally understand that auditors perform their audits of US public companies in accordance with PCAOB auditing standards and other applicable rules and regulations. PCAOB auditing standards, though, are in many areas “principles-based,” whereby the audit procedures performed are not prescribed, but instead are appropriately subject to the professional judgment of the auditor. As such, investors and other users of audit reports have little transparency into the nature and extent of procedures performed by the independent auditor.
Investors and other users of the audit report cannot evaluate the quality of the completed audit in the same way consumers of other products and services often can. A driver can ascertain the quality of her car by its driving performance. An Uber or Lyft ride share customer can readily assess the quality of the service by whether he gets to his destination safely and timely. In contrast, an investor may not have any indication as to whether an audit was performed well or poorly unless there is a restatement of the audited financial statements. And restatements by themselves are not a complete indicator of audit quality, given an auditor can poorly execute an audit on high quality financial statements where restatement is not warranted.
Going forward, investors will have some increased transparency into audit quality pursuant to a new PCAOB auditing standard provision. Starting in 2019 and extending through year-end 2020, auditors will begin including in their public company audit reports new information—critical audit matters, commonly referred to as CAMs. The objective is to make the auditor’s report more informative and relevant to investors. The auditor will explain how material financial statement account or disclosure matters that were communicated to the audit committee and involved especially challenging, subjective, or complex auditor judgment were addressed by the auditor. The reporting of CAMs is intended to provide investors with new insights on audit quality through transparency as to the nature and extent of the auditor’s procedures in especially judgmental areas of the audit.
Oversight to Drive Audit Quality
While audit quality is often not readily apparent to audit report users, there are oversight mechanisms in place to help better promote audit quality.
Oversight and regulation of the profession has expanded over time, often in response to high profile financial crises or corporate failures involving low quality or sometimes fraudulent financial reporting not uncovered by the auditor.
Initially, the profession was self-regulated and the profession established its own accounting and auditing standards through the American Institute of Certified Public Accountants (AICPA).
Over time, often in response to the threat of congressional action to regulate, the profession enhanced its self-oversight approaches. For example, in the 1970s, the AICPA established a voluntary firm peer review program. The AICPA made this program mandatory for firms auditing public companies when the profession came under renewed scrutiny by Congress in the 1980s during the savings and loan financial crisis.
A watershed moment came in the early 2000s when the profession was rocked by dramatic corporate and accounting scandals, such as Enron and WorldCom, which resulted in significant financial losses for investors. In a 2004 interview, US Senator Paul S. Sarbanes estimated that, because of these and other scandals, the market lost “hundreds and hundreds of billions, indeed trillions of dollars in market value.” As a result, investor confidence in our capital markets and public trust in the accounting profession substantially deteriorated. Indeed, the loss of public trust significantly contributed to the demise of Arthur Andersen, which audited Enron and WorldCom and previously had been one of the world’s most respected public accounting firms.
The loss of public trust drove Congress to implement various capital market reforms through passage of the Sarbanes-Oxley Act (the “Act”), which was signed into law by President George W. Bush on July 30, 2002. President Bush called the Act “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt,” and the Act effectively ended self-regulation of the accounting profession.
The Act strengthens the integrity of our capital markets through newly mandated financial reporting, disclosure, corporate governance, auditor independence, and regulatory oversight requirements. Violations of these requirements are subject to sanctions ranging from censure to time in prison.
In addition to requiring the CEO and CFO to certify their financial disclosures and for management to establish, maintain, assess, and report on ICFR, the Act makes it unlawful for any company officer or director to improperly influence the conduct of an audit for the purpose of rendering financial statements that are materially misleading.
The Act also requires the audit committee of the board of directors to be independent from management and responsible for the appointment, compensation, and oversight of the independent auditor.
In addition, the Act restricts the non-audit services an auditor may provide to its public company audit clients, and requires all audit and non-audit services to be pre-approved by the audit committee.
And of particular relevance for today’s discussion, the Act established the PCAOB to oversee and regulate public company audit firms.
The mission of the PCAOB is to oversee the audits of public companies and SEC-registered brokers and dealers in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.
We accomplish this mission through three primary responsibilities:
First, we establish and maintain the auditing and related attestation, quality control, ethics, and independence standards to be followed by public company auditors;
Second, we assess the degree of auditor compliance with these standards by inspecting individual audit engagements and the quality control systems of registered firms; and
Third, we investigate and discipline firms and individual auditors for violations of our standards and other related rules and regulations.
Through these activities, we advance our mission of protecting investors through a combination of prevention, detection, deterrence, and remediation.
With our mission serving as a guiding beacon, the Board is laser focused on how we can further drive the profession to produce higher levels of audit quality. The results of our inspections and other oversight activities have indicated that audit quality indeed has improved over the past 16 years. The overall numbers and rates of deficiencies identified in our issuer inspection program generally have decreased and the nature and extent of the identified deficiencies have narrowed in certain areas. As another potential indication of improved audit quality, the number of public company restatements in 2018 fell to an 18-year low, according to a recent report by Audit Analytics. I believe that the reforms under the Act, including creation of the PCAOB, have played an important role in such improvement.
Nevertheless, in our inspections we continue to identify various deficiencies in firms’ individual audit engagements and within firms’ quality control systems. For the U.S. global network firms for whom we have issued our 2017 reports, we identified firm Part I deficiency rates ranging from approximately 20% to 50% in the audit engagements we inspected. Further, certain types of deficiencies have been recurring at some firms over multiple years, such as in the auditing of significant accounting estimates or of management review controls.
So more needs to be done to drive audit quality to the next level, and I believe both the firms and the PCAOB should increase their focus on the firms’ quality control systems as an important driver in achieving sustainable, higher quality auditing.
Quality Control Standards
Audit standards have long included requirements for firms to maintain appropriate quality control systems. Under the PCAOB standards, an audit firm is required to design and implement a quality control, or QC system that provides reasonable assurance that the firm’s personnel comply with applicable professional standards.
Under our current standards, firms’ quality control systems should address five important and interrelated elements: auditor independence, integrity, and objectivity; professional talent management; client acceptance and continuance; audit engagement performance; and quality control system monitoring.
As part of our inspections program, the PCAOB evaluates a firm’s quality control system. As mandated in the Act, the PCAOB initially does not publicly report identified QC system deficiencies. Instead, a firm has one year to effectively remediate such deficiencies. To the extent the firm’s remediation efforts are insufficient, the PCAOB then reports the QC deficiencies publicly.
I believe this framework has over time incentivized firms to remediate deficiencies and further improve their QC systems. Of course, there are important business reasons for firms to design and maintain effective controls to ensure high quality audits, helping them manage their reputation, litigation, and regulatory risks, remain competitive and fulfill their public interest accountabilities.
I have been somewhat surprised, then, since joining the PCAOB to observe that the maturity of firm QC systems is not as far along the curve as I would have expected. That said, over the past several years, firms (especially the larger firms) have devoted increased attention to their quality control systems. Firms are reassessing their governance models; their audit policies, methodologies, and tools; their engagement performance and monitoring; and their talent management practices. The firms’ increased focus on quality control is certainly positive, but the focus is inconsistent across firms, and firms are not always considering quality from a risk-based, integrated systemic perspective.
Upon its formation in 2003, the PCAOB adopted on an interim basis the AICPA’s then existing quality control standards, and since then the PCAOB has made little changes to these standards. The profession has learned much over these past 16 years about how to better ensure and control audit quality, and it is time for our standards to catch up and require firms to consistently incorporate such learnings into their practices.
I am pleased, then, that the PCAOB staff recently announced it is developing a concept release for the Board's consideration later this year to seek public comment on possible amendments to the PCAOB QC standards, which I hope will ultimately result in more robust quality control at the firms.
I am passionate about this potential standard-setting project because I have seen first-hand how a well-designed and effectively operating control framework can drive higher quality, in my case related to the quality of financial reporting.
As the corporate controller for 10 years of a Fortune 100 company, I had responsibility for ICFR and the control evaluation and testing program in support of management’s required annual control certification.
Consistent with my own experience, I believe there is wide-spread consensus across key financial reporting eco-system stakeholders that the increased focus on ICFR under the Act has significantly contributed to improvements in financial reporting quality over time.
Similarly, I believe an increased focus by audit firms on their quality control systems will drive sustainable, improved audit quality.
Opportunities to Strengthen Our QC Standards
In assessing potential updates to our QC standards, we will be considering an array of audit quality control approaches and practices, some of which firms have already implemented to varying degrees, especially the larger firms. In our deliberations, I believe it will be important that we keep two overarching factors in mind.
First, while we certainly should hold firms accountable to establish effective quality control practices, our standards should not be unnecessarily prescriptive. Although there are key quality objectives we will expect all firms to achieve, our standards should allow firms to adapt in how they achieve such objectives based on the specific risks to audit quality for their specific audit practices. A risk-based, objectives-focused approach is similar to the approach under the COSO Integrated Framework, which many companies use as a basis for their systems of internal control over financial reporting. This approach supports scalability, so that firms of different sizes and with different client bases can tailor their quality control practices commensurate with applicable quality risks.
Second, the International Auditing and Assurance Standards Board (IAASB) is also engaged in reassessing its quality control standards, with three exposure drafts currently subject to public comment. Many firms either perform, or belong to networks with affiliate firms that perform audits under both PCAOB and IAASB standards. Further, we increasingly see regional and global firm networks centrally establishing uniform, standardized quality control practices across all the firms in their networks. Ideally, then, we would not require firms performing audits under both PCAOB and IAASB standards to comply with fundamentally different quality control frameworks. It is important the PCAOB and IAASB be cognizant of the approach each is taking, and I believe as we progress our project at the PCAOB, we should perhaps use the IAASB proposal as a starting point, and we should thoughtfully assess the need for and nature of any significant differences.
With those overarching considerations in mind, I would like to highlight for you certain quality control system elements and practices that I believe warrant our consideration, including in areas of firm governance and structure, QC system risk assessment and monitoring, continuous improvement, and transparency.
To begin with, we should assess whether our QC standards should more directly address firms’ cultures, governance models, organizational structures, decision-making processes, and/or leadership roles and accountabilities. Appropriate governance models, structures, and practices can help firms set the right tone at the top, emphasizing to the organization the importance of auditing to our capital markets. They can also help, for example, ensure adequate resources are devoted to a firm’s audit practice or promote consistency of quality across regional or global firm networks.
In addition, we should consider mandating a risk-based QC system assessment framework. For instance, we could require the firms to perform an annual risk assessment to identify conditions, events, or circumstances that may increase the likelihood that audits are not performed in accordance with specified quality objectives. The firms could then take actions or put in place controls to mitigate such risks, and could regularly monitor and evaluate the effectiveness of such risk mitigation responses. Firm leadership could also annually evaluate the effectiveness of its overall QC system, and report its conclusions to the firm’s Board, the PCAOB, its clients’ audit committees, and/or the public.
One specific risk firms should consider is associated with emerging technologies. Many firms are leveraging transformational technologies and advanced data analysis capabilities to establish more standardized and robust audit methodologies, tools, work flows, and testing procedures. These capabilities should promote more consistent audit execution, and have the potential to provide more relevant and reliable evidence to better inform auditor judgments. At the same time, such advances may necessitate development of new professional staff competencies, such as advanced analytics or project management skills, or of implementation of strengthened internal controls over firm systems, programs and data, including cyber security controls.
Monitoring is another important element of an effective QC system. Our standards should continue to reinforce the importance of firms monitoring the quality of their overall audit practices as well as of individual audit engagements. At the engagement level, for example, today many firms have internal inspections programs whereby professionals independent of the engagement team review the quality of the audit work to self-identify audit deficiencies.
Furthermore, we should also focus on practices that drive continuous improvement in audit quality. For instance, firms can implement formal “root cause” analysis frameworks to assess the underlying causes of deficiencies and to identify and implement corrective actions to help prevent similar deficiencies in the future. Firms can also identify key drivers of audit quality, and develop related performance measures or metrics for use in setting targets, tracking actual results, and responding to performance shortfalls. As one example, as firms have found that quality tends to suffer if too much audit work is compressed in the period after the balance sheet date, many firms are now formally tracking as a performance metric the proportion of audit procedures performed before year-end.
Finally, increasing the transparency of a firm’s audit quality should also be a priority. While some firms today publicly issue audit quality reports, they are not required by the PCAOB, and there is no standard approach to facilitate comparisons across firms. Should there be certain standard metrics, or audit quality indicators, that all firms should be required to measure and report publicly so audit committees, investors and others can better differentiate between firms based on quality?
Each of the elements and practices I have just described could play a meaningful role in driving higher quality auditing, and I believe they all warrant our attention as we consider revisions to our QC standards. I look forward to hearing and considering other perspectives the PCAOB Staff and Board will contribute in our deliberations.
In wrapping up, it is important that the PCAOB bring its QC standards up to date. As I have highlighted today, effective QC systems play a key role in helping ensure firms deliver consistently high quality audits. Of course, the most important contributor to a high quality audit is the individual auditor—which is where you come in. The critical thinking, the analytical and communication skills, the business acumen, and the ethical values you cultivate here while at U of I will prepare you well for making the high quality professional auditing judgments on which investors are relying and our capital markets depend.
With that, thank you, and I am happy to address any questions or comments you may have on quality control or other topics.
 Audit Analytics, 2018 Financial Restatements an Eighteen Year Comparison, August 2019