PCAOB Update: A Year-Three Progress Report and 2006 Challenges
Thanks. It’s great to be here in Denver.
Three years ago today, Bill Gradison and I were tramping through the remains of an unusual -- for Washington -- early December snow storm looking for office space for the newly created Public Company Accounting Oversight Board. In one of the great ironies, we did find office space that was perfect for us and had recently been unexpectedly vacated by its prior tenant -- Arthur Andersen.
Now, three years later, the PCAOB has grown from nothing to over 400 employees and eight regional offices. We have conducted several hundred inspections of auditing firms, and issued four new auditing standards. The Board is well on its way. I want to briefly touch this morning on what the Board is, what it has done, and what its challenges and priorities are for the coming year.
Before I begin, I think it is worth remembering why the Board was created. A series of financial reporting scandals rocked the securities markets in the early years of this decade. Companies like Enron and WorldCom and their CEOs became household names. After the stock market euphoria of the 1990s, stock prices plunged and with it investor confidence in the inherent transparency and fairness of the markets.
In this superheated environment, Congress enacted the Sarbanes-Oxley Act. SOX does many things, including requiring CEO/CFO certifications of SEC filings, protecting whistle-blowers, forbidding loans to top corporate officers, and a host of others, some of which are more controversial today than when the legislation was passed in 2002. It is worth remembering, however, that the Sarbanes-Oxley Act began as a bill to create federal oversight of auditors -- everything else was an add-on. Congress, sought to restore confidence in the auditor’s opinion on the financial statements in four ways.
First, largely building on actions the SEC had already taken, it sharply restricted the auditor’s ability to render non-audit services to audit clients. Second, it made the audit committee, composed of independent members, rather than management, the focal point of the auditor-client relationship. This was an attempt to deal with the ultimate conflict -- while the auditor owes duties to the public, management retains and pays the auditor. Third, and much less noticed at the time and much more noticed now, it required the auditor to render a second public opinion, in addition to the traditional opinion on the financial statements. The Act requires the auditor to opine on the effectiveness of the company’s internal control over financial reporting. Finally, it ended the profession’s long tradition of self-regulation and peer review and replaced it with federally created oversight. The Act established the Public Company Accounting Oversight Board to oversee auditors of public companies, including periodic inspections, and to set auditing standards.
This regulatory climate change raises a host of challenges. For the PCAOB, the challenges boil down to using the tools Congress has given us to restore and sustain public confidence in audited financial reporting without either squelching auditor judgment and turning auditing into a defensive, check-the-box exercise or adding so many requirements that the cost of auditing becomes prohibitive. I think we have made a lot of progress toward those goals. I want to review with you what we have done and what we hope to do next.
Before I go further, I should warn you that I come with the usual inside-the-beltway disclaimer: The views I will be expressing are my own, and not necessarily those of the PCAOB’s other members or staff.
I. Three Year Progress Report
Let me start with just a quick reminder of what the Board is: The Board is a congressionally chartered, private, not-for-profit corporation. Our mission, like that of the SEC, is to protect the interests of investors, and to further the public interest in the preparation of informative, accurate, and independent audit reports.
While the Board was established by a federal law, the members and staff of the Board are not government employees. While this may sound like a rather technical point, being a private organization has a profound impact on the Board’s culture and flexibility. At the same time, we are under the oversight of a federal agency, the SEC, and of course work closely with the Commission.
What are we doing to accomplish our mission?
II. Inspections
Inspections is the Board’s core function. It is the fundamental tool Congress gave the Board to restore public confidence in audited financial reporting. It’s also a mammoth job that drives both our budget and staffing.
SOX requires the Board to periodically inspect all registered firms that actually engage in public company auditing. In the case of the nine firms that audit more than 100 public companies, these inspections must be annual. For the other registered firms that have at least one SEC client, inspections must occur at least every three years.
A. The Inspections Universe: Registered Public Accounting Firms
All accounting firms, foreign and domestic, that issue audit reports on public companies that file with the SEC, or that substantially participate in public company audits, must register with the Board. 1,587 auditing firms have done so. 945 of those are U.S. firms, and the remaining 642 are foreign. Nine registered firms (8 U.S. firms and one Canadian) have at least 100 SEC registrant audit clients. The great majority of the remaining registered firms (1,356) have five or fewer public company clients. A list of registered firms, Board registration denial orders, and the registration application forms of most firms are available on the Board’s Web site at www.pcaobus.org.
The inspections program is gathering momentum. In 2003, the Board conducted “limited procedure” inspections of the largest four U.S. public accounting firms. In 2004, we launched our regular inspection program of all registered public accounting firms and conducted inspections of the eight largest firms and 91 smaller accounting firms. In 2005, the Board again inspected the eight largest U.S. firms, in addition to one Canadian firm mentioned earlier, and 270 smaller firms.
As of today, we have issued 68 2004 inspection reports, including at least one report on six of the eight largest firms. More are appearing on almost a weekly basis.
B. The Inspection Process
Broadly speaking, Board inspections focus on two things – firm quality controls and how the firm conducts selected audit engagements.
The object of an audit is to express an opinion on whether the client’s financial statements are fairly presented, in accordance with GAAP. Therefore, inevitably, the inspection staff looks, not just at how the audit was conducted, but also at the GAAP compliance of the financials. This brings the issuer into the picture. In some cases, the Board’s inspection starts a process that results in the filing of restated financials with the Commission. However, the Commission, not the Board, has the authority over a company’s financial statements. If a company and its auditor disagree with the Board’s view of an accounting treatment, they can take the issue to the SEC. The SEC is the final arbiter of GAAP compliance in SEC filings.
The engagement inspections are the key to the Board’s impact on auditing. The knowledge that, in the case of any particular audit, PCAOB inspectors who are themselves experienced auditors but who are not “peers” may review the work-papers and form their own judgment on how well the audit was conducted has had a very significant effect on how auditors do their work. While there is a place for enforcement proceedings and a place for liability to private parties who are injured by bad auditing, in my view a well-thought-out inspection is more likely to improve the day-to-day quality of auditing than are those other, blunter tools.
C. The Inspection Reports
The Board has now issued over 150 inspection reports. The reports have both a public and a non-public portion. The Sarbanes-Oxley Act prohibits the Board from disclosing criticisms of a firm’s quality controls, unless the firm fails to correct those deficiencies within 12 months. Therefore, such criticisms appear only in the non-public portion of the report. Nonetheless, public portions of the 2004 and 2005 inspection reports reveal some interesting information, including areas in which firms missed GAAP issues in financial statements, failed to obtain sufficient evidence to support the audit opinion, or otherwise did not follow the auditing standards in a way that cast doubt on their opinion.
In the case of the smaller firms, some of the most common problems include --
- Independence. (Particularly in smaller firms, auditing and assisting the issuer in preparing its financial statements are too often mixed.)
- Auditing of fair values, including the valuation of intangibles.
- Related party transactions. (This is often combined with valuation problems, as in cases where the company issues stock to an insider in return for some difficult-to-value asset.)
- Prohibited loans to executive officers.
- Revenue recognition. (This is of course a perennial favorite area for SEC financial reporting enforcement.)
- Inadequate second partner review. (Frequently, it will appear to our inspectors that major issues were missed by both the audit team and the review partner.)
- Going concern evaluations.
- Control of issuer use of reports. (With surprising frequency, smaller issuers take it upon themselves to file audit opinions with the SEC on which the auditor has not signed off. This is so common that we are thinking of making it a reporting item.)
I certainly don’t mean to paint a bleak picture. The bottom line is that the caliber of auditing in the U.S. is high. Certainly, the major firms, which audit the vast majority of the revenues, assets, and market capitalization of SEC registrants, are fully capable of performing the highest quality audits. The largest firms have sophisticated quality control, training, and professional development systems. While they do make mistakes, they have considerable infrastructure devoted to assuring the quality of their practices.
In the case of smaller firms, some are excellent -- and have clean PCAOB inspection reports to prove it. Some, however, are not. We need to make sure that our inspection program recognizes the differences between firms and fosters the widest possible range of auditor choice for public companies without compromising the protection of the public.
III. Enforcement
The Board also has the power to conduct investigations and to seek disciplinary sanctions, which can include fines, and suspensions and bars from auditing public companies, against registered public accounting firms and associated persons. In 2005, the Board announced four settled disciplinary proceedings.
Two of those cases, which were related, involved efforts to mislead our inspection staff by creating false work papers and billing records. Those cases illustrate that protecting the integrity of our own processes is a top priority. They also illustrate that we reward whistle-blowing and cooperation. The firm’s partners who had a change of heart and brought the misconduct to the Board’s attention were dealt with much more leniently than the partner who did not.
One of the other two cases also arose from an inspection. The auditor involved had conducted audits that deviated sharply from the professional standards. I don’t think anyone would view this case as involving innocent errors or second-guessing of professional judgment.
That brings me to the fundamental point I would like to make regarding our enforcement program. The Board’s enforcement philosophy is modeled on what we have called the “supervisory approach” to regulatory oversight. As long as we believe that an auditing firm is acting in good faith and is capable of and willing to conduct audits in accordance with the PCAOB’s standards, we will generally use our authority to make non-public inspection recommendations, rather than our authority to bring disciplinary actions. For firms that seem unwilling or unable to follow the rules, we will take the harsher enforcement approach.
IV. Auditing Standards
The other area of Board responsibility that I want to mention is the setting of auditing standards. The Board sets the standards by which public company audits are conducted -- we assumed that responsibility in 2003 from the Auditing Standards Board.
The Board has tried to make sure that we have access to the kind of experience and expertise necessary to do this complex job. The Board appointed an advisory group to ensure that we have access to all of the perspectives that are affected by new auditing standards. This body, which we call the Standing Advisory Group or SAG, is currently comprised of 32 members, including practicing auditors, financial statement preparers, and investors. It meets publicly with the Board several times a year.
A. New Auditing Standards
The Board has adopted generally accepted auditing standards as they existed in April 2003 as interim standards of the Board. The Board has also adopted four new standards and new rules governing auditor independence and tax services.
1. PCAOB Auditing Standard No. 1.
PCAOB Auditing Standard No. 1 changes the wording of the auditor’s opinion. Instead of the familiar statement that the audit was conducted in accordance with generally accepted auditing standards, audit opinions filed with the SEC must say that the audit was conducted in accordance with PCAOB standards.
2. PCAOB Auditing Standard No. 2.
Auditing Standard No. 2 deals with the audit of internal control required by Section 404 of SOX. It addresses the auditor’s review of internal control over financial reporting. Section 404 of the Sarbanes-Oxley Act requires management reporting on the effectiveness of internal controls and requires auditor reporting on management’s conclusions. Auditing Standard No. 2 fulfills the Board’s obligation to develop a standard to govern how auditors perform that task.
This is the most controversial standard the Board has adopted, and I will say more about it in a moment.
3. PCAOB Auditing Standard No. 3.
PCAOB Auditing Standard No. 3 deals with audit documentation. It requires the audit work papers to contain enough information so that an experienced auditor, having no previous connection with the engagement, can understand the work performed, who performed it and when, and the basis for the conclusions reached. Adequate audit documentation is an important support for our inspection program.
4. PCAOB Auditing Standard No. 4.
Finally, in response to requests from public companies, last July the Board adopted a standard under which the auditor could issue a report on the remediation of a previously disclosed material weakness in internal control. Currently, the auditor can only report on the effectiveness of the entire system of controls. This standard -- if it is approved by the SEC -- would permit auditors to give public comfort that a specific weakness has been cured without performing an entire internal control audit.
B. Independence/Tax Services Rules
In addition to setting auditing standards, the Board has authority over ethics and non-audit services. The most significant thing the Board has done in this area is to adopt rules on independence and tax services rules.
These rules deem an accounting firm as not independent if the firm provides assistance in marketing, planning, or opining in favor of certain aggressive tax transactions, in two categories — transactions with tax-advisor imposed conditions of confidentiality and transactions that were initially recommended by the firm; a significant purpose is tax avoidance; and does not have at least a 51 percent chance of being allowable. The rules also treat a public accounting firm as not independent if the firm, or any affiliate of the firm, during the audit and professional engagement period provides any tax services to a person in a financial reporting oversight role at the audit client, or an immediate family member of such person.
We felt that these rules were a balanced narrow response to a difficult and controversial problem. In general, they would not interfere with traditional auditor tax services, but would put an end to the auditor’s role in helping audit clients skirt the lines. The SEC has not yet published these rules.
V. Challenges for 2006
I would like to close with some comments on two priorities for 2006. These challenges are to make sure that internal control auditing is implemented in an effective and efficient way, and to integrate our standard-setting and inspections programs. Let me explain what I mean by each of these.
A. Making AS No. 2 Work Effectively.
First, internal control. Sarbanes-Oxley’s required audits of internal control have added an important and complex new dimension to the auditor’s work. The auditor is required to develop a more complete understanding of the strengths and weaknesses of the client’s financial reporting systems than would necessarily be required in a financial statement audit. In the long run, I believe this focus on controls will profoundly strengthen the reliability of financial reporting and of public confidence.
However, nothing good is free, and internal control auditing has come at a steep price. One of the Board’s top priorities is to ensure that AS No. 2 audits focus on real risks, not merely on endless testing of process-level controls so that the promise of this new requirement can be achieved on a cost-effective basis.
1. AS No. 2 Disclosures
Before I turn to how we are trying to do that, let me make a couple of comments about what was learned during the first year of internal control reporting. Section 404 of SOX and Auditing Standard No. 2 have resulted in, not just a sea-change in the way managements and auditors view internal controls, but also in a flood of new disclosures regarding control weaknesses.
The Board’s Office of Research and Analysis, using information from Audit Analytics, has reviewed 404 disclosures.[1] So far, 3,386 ICFR opinions have been filed. [2] Of these, 502 (14.8 percent) reported material weaknesses. Our review shows that as of November 15, 2005, the top four industry sectors reporting material weaknesses were information technology (117 weaknesses or 23 percent of the total); consumer (102 weaknesses or 20 percent), financial (81 weaknesses or 16 percent), and industrials (73 weaknesses or 16 percent).
The material weaknesses disclosed run the gamut. The four most prevalent reporting areas to which weaknesses related were [3] taxes (31.7 percent), revenue recognition (30.5 percent), inventory (26.3 percent) and lease accounting (17.1 percent). By control issues, the top five areas were year-end adjustments (54.4 percent), inadequate personnel (46.4 percent), restatements (44.4 percent), poor or nonexistent segregation of duties (21.1 percent), and IT control issues (18.9 percent).
2. AS No. 2 Report
I said earlier, that internal control reporting has come at a price. A recent survey commissioned by the Big Four accounting firms [4] finds that, for large companies, the total cost of Section 404 compliance last year was $7.3 million; for smaller companies, it was $4.3 million. (The dividing line is above and below $700 million in market cap.) What caused these costs?
In its 2005 annual inspections of the largest firms, the Board included an evaluation of the effectiveness and efficiency of a limited selection of audits of internal control. On November 30, the Board issued a report based on its monitoring of the first year of AS No. 2 implementation.[5] Here is some of what that report concluded.
Year one was difficult for both managements and auditors. On the whole, the Board’s monitoring revealed that auditors performed competently, under difficult circumstances, including a compressed timeframe for implementation; shortage of staff with prior appropriate training, and related strains on available resources; as well as deferred maintenance and documentation issues at many companies.
Looking at the audit process itself, in the recent monitoring, the inspectors found that the five key reasons for lack of efficiency in AS No. 2 audits were that some auditors –
- did not integrate their audits of ICFR with their financial statement audits, (The amount of reliance placed on controls in establishing the nature, timing and extent of the financial statement audit work was limited.)
- did not use a top-down approach, (In a top-down approach, you begin by evaluating company-level controls and significant accounts at the financial statement level and then work down to the relevant controls at the process level.)
- did not alter the nature, timing and extent of their testing to reflect the level of risk, (Instead, they took a uniform approach to testing and spent too much time looking at the lower-risk areas.)
- performed inefficient walkthroughs of major classes of transactions, and
- did not use the work of others to the extent permitted by AS No. 2.
3. The Future of Internal Control Reporting
The Board intends to continue to monitor closely the implementation of AS No. 2 and will use its inspections program to focus on obstacles to performing internal control audits efficiently and effectively. Additionally, the Board will also continue to issue interpretive guidance concerning the implementation of AS No. 2.
The second year of implementation should be better. Some factors that will lead to cost reductions include the fact that it will not be necessary to repeat the documentation exercise that consumed so much time last year, except where there have been changes. Further, for managements, much of the focus should shift to monitoring. Moreover, audit committees are going to expect that their auditors apply the May 16 (and November 30) guidance and are likely to be asking questions aimed at finding out whether that is the case. Finally, the financial statement and internal control audits should come closer to being a single integrated process. As a corollary, there will be more time spent on risk analysis and less on process-level testing. Consequently, there should be more willingness, consistent with AS No. 2, to rely on internal audit testing at the process level.
The study I mentioned earlier projects that costs for large companies will fall 42 percent (to an average of $4.4 million). For small companies, it will decrease 39 percent (to $900,000). These are still large numbers for smaller issuers. The SEC’s Advisory Committee on Smaller Public Companies is considering a recommendation to the Commission that would permit smaller companies, including many accelerated filers, to opt out of 404 or into a slimmed-down design-and-implementation review. The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) has also issued an exposure draft on its recently developed guidance on its internal control framework to aid smaller companies in implementing effective controls.
B. Auditing Standards
The other 2006 priority is integrating our standards setting and inspections programs. The Board has the unique advantage of being able both to set the standards by which audits are conducted and to conduct inspections to see how those standards are being applied in practice. Our inspections authority also gives us the ability to spot trends and emerging issues in auditing before they turn into problems. We intend to use the knowledge we gain in inspections to help set our priorities for developing new auditing standards.
What does that mean in practice? Many of the most frequent problems identified in the Board’s 2005 inspections suggest the need for changes in auditing standards. For example --
- Engagement Quality (i.e., second partner) Review
This is actually a statutorily required standard. But, the inspections program also suggests that that it is a problem area.
- Fraud -- should SAS No. 99 be modified? Auditing of revenue recognition, related party transactions, and confirmation requirements are particular problem areas in this field.
- Audit committee communications
Existing auditing standards require auditors to communicate certain things, in specific ways, to audit committees. It is likely that we will try to combine all of these existing requirements into one professional standard. A new auditing standard might also require an auditor to engage in discussions with an audit committee about risk assessment.
New standards may be proposed in these areas during the coming year.
VI. Conclusion
The past nearly three years have been very busy for the PCAOB. However, much remains to be done, and the coming years hold some formidable challenges. I think we have made a lot of progress.
Thank you. I would be happy to answer any questions.
Endnotes
[1] Audit Analytics is an on-line market intelligence service that conducts research on the accounting, insurance, regulatory, legal and investment communities.
[2] This does not include opinions filed by non-tickered funds and trusts, non-accelerated filers, and the duplicate material weakness filings by subsidiaries.
[3] These percentages are of the 502 issuers reporting material weaknesses. Many issuers reported more than one weakness.
[4] Sarbanes-Oxley Section 404 Costs and Implementation Issues: Survey Update, CRA International ( December 8, 2005 ).
[5] Report on the Initial Implementation of Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements , PCAOB Release No. 2005-023 (November 30, 2005).