This speech reviews some of the things the Public Company Accounting Oversight Board has done since it was created in 2002 and some elements of its agenda for 2005. The speech also highlights aspects of the Board’s work that may be of interest to lawyers who counsel public companies.
Currently there are 1,395 accounting firms registered with the Board. Eventually, registration applications and periodic reports will be available on the Board’s Web site, subject to firm requests for confidential treatment. An audit committee may, as part of its “due diligence,” wish to review some of the registration information the Board requires of the auditor. This might include the firm’s description of its quality controls; the list of other public companies for which the firm acts as auditor; litigation and disciplinary actions involving the firm; and accounting disagreements with public company
A company and its counsel should be aware that a Board inspection of the auditor may trigger questions about a public company’s financial reporting. Also, audit committee chairs are interviewed during inspections concerning the relationship between the auditor and the committee. At the end of an inspection, the audit committee will want to ask the auditor what the PCAOB concluded about the firm’s quality controls, how any quality control defects the Board identified might affect the company’s audit, and what the firm is doing to remedy those problems.
Contrary to what is sometimes suggested, Auditing Standard No. 2 (which governs internal control audits) does not erect “a wall of silence” between auditors and clients. Open auditor-management communications concerning financial reporting and internal control issues are still permissible. AS No. 2 does, however, impose some important new obligations on audit committees. Audit committees will need to have a working understanding of what constitutes a material weakness and a significant deficiency in controls. Committees should understand why the auditor characterized each deficiency as it did, compare management’s evaluation of deficiencies with the auditor’s, and understand management’s remedial plan.
At a public meeting tomorrow, the Board will propose rules concerning auditor tax services for public company clients and independence. Regarding this issue, the speech states: “I hope that the Board can put some of the controversy and uncertainty in this area to rest by drawing clear lines as to what tax services are permissible and which are not. I also believe that we should give some guidance to audit committees concerning the kinds of things they should consider when determining whether to retain the auditor to perform tax services that are not prohibited.”
The PCAOB has now been a feature of the regulatory landscape for about two years. We opened the doors for business at our headquarters in Washington on January 6, 2003. Since then, we have grown from a start-up to an organization of over 250 people with seven offices around the country. Along the way --
- The Board’s electronic registration system for accounting firms went live in July, 2003. We received the first application a few weeks later. We now have almost 1,400 registered firms from roughly 75 countries.
- In 2003, we conducted limited inspections of the Big Four firms. This year, we conducted about 100 more inspections. Next year, that number will probably climb by another 200.
- We have adopted interim auditing standards and three new permanent auditing standards. We have an ambitious standard-setting agenda for 2005.
I want to briefly review some of the specific things the Board has done so far and some of the things on the agenda for 2005. The Board’s basic job is, of course, to oversee the auditing profession. However, many of the things we do also affect SEC-reporting companies, and I will highlight some aspects of our work that should be of special interest to lawyers who counsel public companies.
Before I begin, I should remind you that the views I express are my own and not necessarily those of the Board’s other members or staff.
I. Board Basics.
The Board is a rather unique creation, so let me start with some of the basics.
The Sarbanes-Oxley Act says that the Board’s mission is to oversee the audits of public companies, protect the interests of investors, and further the public interest in the preparation of informative, accurate, and independent audit reports. That same task -- maintaining confidence in public company financial reporting -- has long been one of the SEC’s jobs, and the Board operates under SEC oversight. But, while the Board was established by a federal law and is overseen by a federal agency, the members and staff of the Board are not government employees. Instead, the Board is a Congressionally-chartered, private, not-for-profit corporation -- like the Boy Scouts.
As a private body with regulatory powers, the Board is, in some ways, similar to the New York Stock Exchange and the NASD. However, unlike the exchanges, we are not a self-regulatory organization, since the accountants we regulate are not our members.
Although the Board performs a public function and regulates a profession, it is not funded by either the taxpayers or (except to a minor extent) by the firms it oversees. Instead, the Board is supported by assessments levied against the public companies that issue audited financial statements, based on their market capitalization. Our annual budget, like other Board determinations, must be approved by the SEC.
Congress gave the Board four primary responsibilities -- registration, inspection, investigation, and standard-setting. I want to touch briefly on each area.
II. Registration of Public Accounting Firms.
Registration is the event that brings an accounting firm under the Board’s authority. Since October 22, 2003, it has been illegal for any U.S.-based accounting firm to issue an audit report with respect to an SEC-reporting company, or to participate in such an audit, unless the firm is registered with the Board. Foreign firms that participate in audits of companies that trade in the U.S. markets were required to register by July 19, 2004.
Registration with the Board has proven remarkably popular. As of yesterday, 1,395 firms had registered with the Board. Roughly 880 are U.S. firms and the remaining 500 or so are foreign. However, not all of these firms were actually engaged in public company auditing at the time that they registered. Indeed, about 400 did not have SEC clients.
Our next task in the area of registration is to develop reporting requirements so that the Board is kept up-to-date regarding developments at registered firms. Eventually, registration applications and periodic reports will be available on the Board’s Web site, subject to firm requests for confidential treatment of proprietary information. An accounting firm’s registration application, and its annual reports, will provide information that has not previously been easily accessible to the public.
That fact suggests one of the ways in which the Board’s registration and reporting responsibilities may affect the work of audit committees and should therefore be of interest to companies and their counsel. When making a decision to engage an auditor, or a decision concerning whether to retain the existing auditor, an audit committee may wish to review some of the information the Board requires, such as --
- the description of the firm’s quality controls;
- the list of other public companies for which the firm acts as auditor;
- criminal, administrative, and disciplinary actions involving the firm and its associated accountants and audit-related civil litigation against the firm; and
- accounting disagreements with public company audit clients.
Reviewing the firm’s public filings at the Board’s Web site may suggest areas in which the audit committee will wish to ask questions as part of its “due diligence” of the auditor.
Once a firm is registered, the Sarbanes-Oxley Act requires the Board to inspect it periodically. For firms that audit more than 100 public companies, inspections must occur annually. For the other firms that have at least one SEC client, inspections must take place at least once every three years.
The focus of Board inspections is on two things -- how the firm seeks to maintain audit quality and instill professionalism in its practice, and how it conducted specific public company audit engagements. For corporate counsel, four aspects of our reviews of specific audits may be of particular interest.
First, engagements are selected in part based on our assessment of audit risk and difficulty and in part at random. In 2004, we reviewed about 500 audits. In the case of the four largest firms, we looked at around five percent of their public company engagements.
Second, in addition to focusing on audit procedures, the review of an audit is also inevitably a review of the audited company’s financial statements. One of the key things that an auditor does is to review the accounting judgments that underlie the financials. And, because of their access to audit work papers, our reviewers are able to focus on GAAP issues in greater depth than can the SEC in routine filing reviews.
As a result, a Board inspection may have the effect of triggering questions about a public company’s financial reporting. We understand that at least 20 companies filed restatements with the SEC as a result of GAAP issues identified by the Board’s staff in the 2003 inspections. When our inspectors conclude that the financial statements of an inspected firm’s client may not conform to GAAP, they first inform the audit firm. This affords the auditor an opportunity to review the issue and to discuss it with our inspection team. If there is still a disagreement regarding the accuracy of the financials, the firm has, of course, a professional obligation to inform the public company. The Board does not have authority over public companies, and the auditor and its client must determine whether the issues the Board has raised require a restatement or other action. In appropriate cases, the Board will, however, inform the SEC of its views. The Commission, not the Board, is the final arbiter of a company’s compliance with GAAP.
Third, as part of reviewing an audit engagement, the Board also looks at the auditor/audit committee relationship. That includes interviewing audit committee chairs. These interviews, which are voluntary, are usually conducted by telephone. We are not trying to assess the audit committee. The interviews aim to learn what the committee expects of the auditor and how it evaluates the auditor’s performance. The inspectors are interested in hearing about auditor communications with the committee and the committee’s philosophy with respect to non-audit services.
Fourth, at the end of an inspection, the Board issues an inspection report describing the results. These reports have both a public and a non-public portion. The Sarbanes-Oxley Act prohibits the Board from making public disclosure of criticisms of a firm’s quality controls, unless the firm fails to correct those deficiencies within 12 months. Therefore, we are forced to confine those types of observations to the non-public part of the report.
However, while the Board is precluded from disclosing criticism and deficiencies, there is nothing to prevent the firm from discussing them with its clients. The Board’s evaluation of the accounting firm and of the strengths and weaknesses in its audit practice should be of considerable interest to the inspected firm’s clients. These reports are not intended as “report cards” by which firms can be compared to one another. However, audit committees will want to ask their auditor what the PCAOB concluded about the firm’s quality controls, how any quality control defects the Board identified might affect the audit, and what the firm is doing to remedy those problems.
The Board’s third area of responsibility is enforcement.
Many of the specific auditing problems the Board identifies will be dealt with through comments in inspection reports. However, inevitably, situations will arise from inspections or otherwise in which merely requiring better performance in the future is inadequate. Therefore, the Board is also building an investigation and enforcement program.
While the Board’s authority to discipline extends only to accountants, our enforcement activities, like our inspections, may also affect public companies. Obviously, in order to determine whether the auditor did his or her job properly, it will often be necessary to review the audit client’s records and possibly to talk to its personnel -- possibly including in some cases directors. We will be working closely with the SEC, and when we believe that we have uncovered a securities law violation by a public company or its employees, we will refer the matter to the Commission.
The Board’s enforcement staff has several investigations on its agenda already. While there is nothing in this field that I can talk publicly about today, I suspect that, at future conferences like this one, Board enforcement cases will be a major topic of discussion.
V. Auditing Standards.
Let me turn to the Board’s fourth responsibility. Congress charged the PCAOB with establishing auditing and other professional standards (such as quality control and ethics) to govern public company audits. The Board can also issue independence rules to implement the Act’s prohibition against certain non-audit services.
A. Interim Standards
During the past year, we have taken some important steps in the area of standard setting.
We adopted interim auditing standards. In effect, the Board adopted generally accepted auditing standards as they existed in April, 2003 as standards of the Board. At the same time, the Board announced that it would review all of the interim standards and would determine, standard by standard, whether they should be modified, repealed, or made permanent. This will, of course, be a long-term project.
B. Permanent Standards
The Board has also adopted three new auditing standards.
PCAOB Auditing Standard No. 1 changes the wording of the auditor’s opinion. Instead of the familiar statement in the opinion that the audit was conducted in accordance with generally accepted auditing standards, future audit opinions filed with the SEC now must say that the review was conducted in accordance with the standards of the PCAOB.
PCAOB Auditing Standard No. 3 deals with audit documentation. It requires the audit work papers to contain enough information so that an experienced auditor, having no previous connection with the engagement, can understand the work performed, who performed it and when, and the basis for the conclusions reached. Adequate audit documentation is an important support for our inspection program.
C. Auditing Standard No. 2
I saved Auditing Standard No. 2 for last because it is undoubtedly the most famous of the Board’s new standards. It addresses the auditor’s review of internal control over financial reporting. Section 404 of the Sarbanes-Oxley Act requires management reporting on the effectiveness of internal controls and requires auditor reporting on management’s conclusions. Auditing Standard No. 2 fulfills the Board’s obligation to develop a standard to govern how auditors perform that task.
A couple of basic things about Auditing Standard No. 2 --
- It refers to the auditor’s review as an “audit” of internal control. In effect, the auditor will be conducting two audits at once -- one of the financial statements and the other of the controls over financial reporting.
- These two audits are “integrated” -- that is, it is not possible to perform an internal control review under the new standard separate from an audit of the financial statements.
- The auditor will be rendering three opinions -- one on the financials, one on management’s assessment and one on the controls.
- The standard is not prescriptive -- although it is long. There is a lot of room for judgment.
A complete discussion of Auditing Standard No. 2 would take most of the morning and would probably be of interest primarily to auditors. Let me just mention three additional things that companies and their counsel should keep in mind.
First, contrary to what is sometimes suggested, Auditing Standard No. 2 is not intended to erect a wall of silence between auditors and clients. Auditors have long advised public companies on accounting issues and on internal control matters; Auditing Standard No. 2 does not preclude that kind of advice and discussion. Of course, management needs to perform its own control evaluation; it can’t delegate that responsibility to the auditor or treat the auditor as part of the controls by relying on it to catch errors. Conversely, the auditor needs to reach his or her own independent judgments, and not negotiate its views with management. But, within these limits, free and open auditor-management communications concerning financial reporting and internal control issues are still permissible.
Second, AS No. 2 has the effect of imposing some important new obligations on audit committees.
It requires detailed audit committee involvement in the retention of the auditor to provide any internal control-related services, such as assisting in documenting controls. Stated differently, it prohibits category-based audit committee approval of non-audit services related to internal control; any engagement to provide internal control-related services for an audit client must be specifically pre-approved by the audit committee.
- It requires the auditor to evaluate audit committee effectiveness. The standard lists some facts that the auditor should consider in determining whether the audit committee is effectively overseeing the company’s external financial reporting and its internal control over financial reporting. However, at bottom, this is a judgmental exercise. I believe, however, that it will not be burdensome one -- in most cases, auditors already have a good sense of which clients have dysfunctional audit committees. Communicating that judgment may often be more difficult than making it.
- The auditor is required to inform the audit committee in writing of all significant deficiencies and material weaknesses in internal control. Obviously, the committee will then have an obligation to consider that information and act on it as necessary. This means that audit committees will need to have some working understanding of what constitutes a material weakness and a significant deficiency. Under Standard No. 2, there is a three-tiered hierarchy of internal control deficiencies -- deficiencies, significant deficiencies, and material weaknesses. There are elements of judgment in drawing the lines between each type.
Committees should probe the auditor to understand why it characterized each deficiency as it did and compare management’s evaluation of deficiencies with the auditor’s. Committees also need to understand management’s remedial plan. Auditing Standard No. 2 provides that a significant deficiency that remains uncorrected after “a reasonable period of time” is a strong indicator of a material weakness. That is, left unaddressed, significant deficiencies become material weaknesses.
Finally, just as it has been under the securities laws for 70 years, clear and informative public disclosure is still the over-riding goal of auditing. Opinions vary widely concerning how many material weaknesses will be uncovered in the first year of public reporting. The market impact of adverse reports is also difficult to predict. In order to avoid unwarranted stock price gyrations, it will be important to clearly explain the significance of any material weakness and the company’s plan to correct the problem. It is critical to make sure that disclosures concerning material weaknesses are understandable and complete so that the markets will not over- or under- react.
D. What’s Next with Respect to Standard-Setting?
Board standard-setting is just getting started. While we have a long agenda, three areas are at the top of the list.
1. Independence and tax services.
At a public meeting tomorrow, the Board will propose new rules concerning auditor tax services for public company clients. We held a public roundtable on this issue last summer. Some issues that were discussed include the marketing of tax-driven strategies to audit clients, tax work for company executives, and auditor involvement in transactions the IRS has listed or of which it requires reporting. We also heard that, when an auditor cooks up a novel, too-good-to-be true, tax strategy and recommends it to an audit client, there is a high potential to undermine independence. Reviewing the resulting tax accrual puts the auditor in the position of auditing its own work, and the possibility of an IRS challenge means that the auditor may become an advocate for the client. On the other hand, plain vanilla return preparation and tax compliance assistance are traditional services that have never been viewed as inconsistent with independence.
I hope that the Board can put some of the controversy and uncertainty in this area to rest by drawing clear lines as to what tax services are permissible and which are not. I also believe that we should give some guidance to audit committees concerning the kinds of things they should consider when considering whether to retain the auditor to perform tax services that are not prohibited.
2. Audit Committee Communications.
The Board may codify in a new professional standard all of the auditor’s obligations to communicate information to the audit committee. SOX expanded these responsibilities, and it seems useful to have a single standard that deals with auditor/audit committee communications. In addition to merely collecting and updating the existing requirements, a new standard might require an auditor to discuss with the committee the overall quality of the financial statements. That type of presentation would provide a more in-depth understanding of the choices and judgments that went into the company’s reporting.
3. Fraud detection.
The Board is also considering clarifying the auditor’s obligation to look for fraud. Existing standards in this area have been strengthened during the past several years. However, they can still be read to limit the auditor’s duty to address the possibility of management fraud. In contrast, investors have told us that, from the perspective of financial statement users, assurance that management has not intentionally manipulated the financial statements should be a primary purpose of the audit. This is an example of an area where we may be able to draw on the findings of our inspectors to guide Board standard-setting.
I believe that the Board has made tremendous progress during the last two years in turning the blueprint that Congress gave us for a new model of auditor oversight into a reality. We still have a long way to go.
Thanks for your attention and I would be happy to answer any questions.