Quality Control: The Next Frontier

I. Introduction

Good afternoon, everyone. Thank you, Dr. Cunningham, for that kind introduction and thank you to the University of Tennessee's Neel Corporate Governance Center for inviting me to speak here today in Knoxville.[1] I am honored to be part of the Center's Distinguished Speaker Series on corporate governance.

The Neel Center and the Public Company Accounting Oversight Board have several things in common. We are both celebrating our 15-year crystal anniversary. More importantly, we both have a deep interest in corporate governance, albeit from different vantage points.

The Center focuses on researching where public policy and corporate governance intersect, contributing to academic study, informing practitioners, and benefitting regulators as well. In our work as an audit regulator, the PCAOB recognizes good corporate governance as a lynchpin for informative and accurate financial reporting, and the delivery of high quality assurance activities.

Good governance is also key to the effective functioning of corporations and other institutions, including public accounting firms. It is also integral to our public policy work.

Today, I would like to talk about one aspect of effective corporate governance: quality control. I want to share some thoughts on the vital role that quality control plays in ensuring better audits and what the PCAOB is doing to sharpen our focus on it. Simply stated: Concepts of quality should be embedded into everything audit firms do: their methodologies, audit processes, governance, and even their culture.

First, I'd like to briefly tell you about the PCAOB, our mission and new strategic direction, and how quality control fits into our plans to drive improvements in audit quality.

II. The Capital Markets and the PCAOB

The U.S. financial reporting system is one major pillar of our capital markets. Corporate financial statements provide essential information to investors, market participants, and other stakeholders. By certifying the fairness and material accuracy of those financial statements, independent auditors provide assurance that those reports reveal the true state of a company's finances and continuing viability.

By lessening fear of loss from reliance on inaccurate information, auditors play a vital role in fostering public investment in our nation's industries. This investment, in turn, powers growth of the U.S. economy.

While essential to the effective operation of our capital markets and economic growth, we have seen that investor confidence and trust can be fleeting. In the wake of the Great Depression, the federal securities laws were born to restore faith in public companies and markets. Over the ensuing 85 years, both corporations and our markets have evolved, becoming more complex.

Since the initial adoption of the federal securities laws, we have experienced episodic disruptions that have undermined investor and public confidence. When significant, these disruptions also have led to further refinement of the federal statutory and regulatory regime.

One such disruption triggered the creation of the PCAOB. Just after the turn of this century, the United States had a series of high profile accounting scandals and record bankruptcies of large public companies. Corporate stalwarts — such as Enron, Tyco, and WorldCom — filled the daily headlines with reports of fraud and abuse.

Investors lost hundreds of billions of dollars, and trillions of dollars in market capital disappeared. Public confidence was shaken in the financial reporting and disclosures of public companies. Trust in the opinions of auditors on the accuracy of those financial reports was undermined. Questions arose regarding the objectivity and impartiality of auditors. Faith was weakened in the integrity of the U.S. securities markets.

To restore public confidence, in the summer of 2002, Congress passed the Sarbanes-Oxley Act. The Act mandated enhanced financial disclosures, corporate responsibility, and auditor independence from conflicts of interest. It also created the PCAOB, with a mission to protect investors and the public interest through the preparation of informative, accurate, and independent audit reports.

III. Our Reevaluation

That was 15 years ago. Now, for the first time since our inception, the PCAOB has five new board members. Our collective experience is diverse and spans the financial reporting process: preparer, auditor, board member, and investor adviser and advocate.

Over the past year, the board has been reevaluating the PCAOB's activities and operations from bottom to top. Throughout this process, each board member has brought his or her unique perspective to bear.

But we did not go it alone. We solicited input through a public survey and dozens of in-depth one-on-one meetings with our stakeholders. We heard from investors, audit committee and board members, chief financial officers, and others who play significant roles in the preparation and evaluation of financial statements. We spoke with auditors from an array of firms. The SEC chairman, commissioners, and staff shared their perspectives. Academics and foreign regulators weighed in as well.

Through this extensive outreach, we gained insight into what works well at the PCAOB and what needs improvement. The general consensus in the marketplace affirms that, since the establishment of the PCAOB, audit quality has substantially improved and restatements of financial statements are dramatically down.[2] But we also know that more needs to be done.

For example, over the last several years, we have seen roughly the same percentage of audit deficiencies year over year during our inspections of the largest audit firms.[3] And that percentage is not small. While the picture is not yet complete, for five of the six largest global network firms with publicly reported inspection results, the deficiency rates over the past three years have ranged from 20 percent to 74 percent.[4]

To be sure, our inspections of individual audits are largely risk-based. Our inspectors typically focus on high risk audits — those with a higher likelihood that the financial statements will have a material misstatement; they also focus on the audit work around the most challenging or inherently uncertain parts of those financial statements, such as estimates, like the valuation of intangible assets. But, even for a risk-based program, the plateauing of deficiencies at an unacceptably high rate causes us and others to pause.

IV. Our Response

What is our response?

Earlier this month, the board adopted a new five-year strategic plan for the PCAOB. That plan establishes our collective view on how to drive audit quality forward. It also establishes our vision of how to transform the PCAOB into a more agile, innovative regulator in pursuit of our mission.

Our strategic goals are clear. We are committed to overseeing audit firms more effectively, anticipating and responding to innovation, improving our external engagement, and optimizing our processes and culture.[5] More specifically, when it comes to audit quality, we are committed to raising the bar through a combination of prevention, detection, deterrence, and enforcement. We are also positioning the PCAOB to better anticipate and adapt to a changing environment, particularly as it relates to emerging and potentially disruptive technologies.

V. Why and How Quality Control Fits into Our Strategy

As part of our commitment to improving audit quality generally, and targeting prevention specifically, we are laser focused on firms' quality control systems. These systems encompass the processes and protocols that firms put in place to provide them with reasonable assurance that their personnel are complying with applicable professional standards and related regulatory requirements, as well as firm norms around audit quality.[6]

Why is quality control so important? Let me give you an example. When shopping for a car, we as consumers typically have a primary objective: replacing an aging vehicle; upgrading after diligently saving for a down payment; or coveting the latest technology and safety features, such as a remote starter or automatic emergency braking. Regardless of the specific objective, most consumers look for the highest quality automobile within their price range. One potential measure of quality is the number of manufacturer recalls.[7]

A higher number of recalls reflects more problems with a car model, which ultimately lowers customers' views of its quality. Or does it? Recalls may not necessarily translate into a perception of low quality if a manufacturer acts preemptively. Case in point: In 2005, recalls from three large automobile manufacturers – DaimlerChrysler, General Motors, and Toyota – ranged from 2.5 percent to 10.1 percent.

At just over 10 percent, Toyota recalled four times as many vehicles as Chrysler's 2.5 percent. Yet, the following year, Toyota ranked number one in customer satisfaction in a survey conducted by J.D. Power & Associates.[8] Why? Arguably, Toyota self-identified and corrected issues before customers had problems. Fewer breakdowns on the road; less ill will toward the manufacturer. Managing quality includes finding and fixing problems before they have negative effects.

Bottom line for us and the firms we regulate: Inadequate quality control systems present missed opportunities to prevent, detect, and remediate deficiencies before audit reports are issued and relied upon. Going forward, the PCAOB is committed to lessening the chance that these opportunities are missed in the future.

VI. What We Are Doing

At the PCAOB, we are looking at quality control through the lens of each of our core duties: (1) registering public accounting firms, (2) conducting inspections, (3) setting standards, and (4) pursuing disciplinary actions when warranted.

A. Registration

In connection with reassessing our approach to registering audit firms, we are considering whether we should do more upfront to assess an applicant's system of quality control. Currently, applicants need only summarize their policies related to the five elements referenced in our standards on quality control. Independence, integrity, and objectivity is the first element; the remaining four elements are engagement performance, personnel management, client acceptance and continuation, and monitoring.[9]

If we get more information on the design and implementation of an applicant's quality control protocols upfront, we are better able to spot patent defects and weaknesses. Armed with that information, we could require the applicant to fix those shortcomings before ever auditing the financial statements of a public company or broker-dealer. In other words, putting prevention into action.

B. Inspections

Beginning with the 2019 inspection cycle, we will increase our focus on firms' quality control systems. Let me use an analogy to explain why.

One hundred and fifty years ago, a company in Hartford, Connecticut – Hartford Steam Boiler – launched a business specializing in insuring against breakdowns of commercial boilers and other large machinery. At the time, boilers exploded frequently, causing devastating results to people and property. Based on experience, Hartford Steam eventually refused to write any coverage unless the insured allowed it to regularly inspect covered equipment to verify its proper maintenance. Lesson learned: Appropriately maintained and inspected boilers rarely exploded.[10]

Taking a page out of Hartford Boiler's playbook, we view inspections as a critical tool to monitor audit quality. While we expect our approach to evolve over time, directionally here is where we intend to head.

First, as I mentioned, we have generally taken a risk-based approach when selecting individual audits and focus areas for inspection. Moving forward, our staff will also apply a risk-based approach when inspecting firms' quality control systems. This approach will allow our staff to tailor our inspection procedures based on the size, complexity, and risk profile of firms, including their past inspection results, identified weaknesses, and known changes in controls.

Second, during these quality control inspections, our staff will assess the processes that firms have in place to self-identify and assess the particular risks they face to delivering audits consistent with PCAOB standards and rules. In addition to assessing the overall control environment, including firm culture and tone at the top, our inspectors will assess the specific controls that firms use to mitigate their self-identified risks.

While still noting instances where firms do not meet PCAOB standards, these initial assessments will also help us identify how quality control systems timely detect negative audit quality. We will also learn how such systems prevent risky audit behavior and activities. The results of these assessments will also inform other aspects of our inspection programs, such as the selection of individual audit files for review, the focus areas reviewed within those files, and remediation determinations.

Third, we will begin to gather data on what, if any, audit quality indicators (AQIs) firms use when planning, managing, and monitoring their audit work, and deploying their professionals. We will also begin collecting information on the AQIs that firms share with audit committees. The goal of this data collection is to start to pinpoint metrics that correlate with, or at least provide indicia of, audit quality. We are committed to sharing factors identified that correlate with audit quality.

Fourth, we are revisiting our approach to assessing remediation around quality control deficiencies. Yes, we want to make our remediation determinations timelier, and that effort is already underway. But we also want to push for more impactful improvements in firm quality control systems using the information we gather through these inspections.

Finally, we have created a new senior position – Quality Control Leader – to coordinate our initiatives around quality control across all our inspection programs.[11] This leader's job will be to scan horizontally across firms and programs to identify behaviors and practices that promote and enhance, or alternatively degrade, audit quality. Once identified, we are committed to sharing these insights with the marketplace.

C. Standard Setting

Registration and inspections are only part of the equation. After finalizing three long awaited standard-setting projects on estimates and fair values, use of specialists, and supervision of other auditors, we expect to turn next to our quality control standards.

The current standards were adopted by the PCAOB over 15 years ago. They are largely based on standards developed six years earlier, in 1996, before Congress created the PCAOB, at a time when auditors regulated themselves.

We are taking a multidisciplinary approach to assessing our quality control standards. A PCAOB interdivisional team has been studying those standards. This team has been researching whether changes to our standards could help enhance audit quality. This month we also convened our two advisory groups – the Investor Advisory Group and, just yesterday, the Standing Advisory Group – to discuss quality control as a way to more effectively drive audit improvements.

Rather than taking a risk-informed and integrated approach, the current standards identify five discrete elements of quality control ranging from engagement performance and personnel and client management to monitoring. And, other than using the word "integrity," the standards do not describe how concepts of professional ethics and values are reinforced through quality control.

The standards also do not reflect changes in audit practices, such as the use of shared service centers in countries with lower labor rates, the evolution of approaches to internal controls, or the emergence of enterprise risk management methodologies.[12]

Modernizing and enhancing these standards is a strategic imperative. Why? Because systematic improvement in quality control environments across firms may serve as the force multiplier needed to remove the audit deficiency plateau that we are currently experiencing.

So how could we update our quality control standards? Without prejudging where we may end up, I'd like to see our quality control standards build in concepts of prevention. This means reinforcing notions of self-policing, whereby firms self-identify, self-correct, and self-report deficiencies before audit reports are issued and relied upon.

In my mind, our quality control standards should be broad, thematic, and organized around universally applicable principles that are scalable so that small and large firms alike can tailor and apply them to their specific operations, business models, and risks. Key features will likely include governance and oversight, and being risk informed, integrated, process oriented, and dynamic. We look forward to hearing our stakeholders' views on this subject. Stay tuned.

D. Enforcement

Finally, in connection with our broader strategy not only to detect audit deficiencies but also to prevent them from occurring, our enforcement team will continue to investigate allegations of quality control failures. Our enforcement staff typically review all referrals for potential quality control failures and, when found, recommend charges.

If a deficiency does not trigger revocation of a firm's registration, the resolution of these matters almost uniformly results in detailed undertakings designed to address the quality control failures and prevent their recurrence. These undertakings not only address the failures in the specific enforcement action, but they also serve as notice to the profession of what we expect. We anticipate continuing this approach, with our eyes on reinforcing prevention through deterrence.

VII. What a Firm Can Do to Enhance Its Quality Control

That's where we are heading strategically related to quality control. How can a firm better prepare for these changes? Here are some thoughts.

One: Regardless of size and business model, a firm should have a strategy for how to systemically deliver quality audits. At a minimum, that strategy should be informed by the firm's particular risks to audit quality and its operating environment. To be most effective, concepts of quality must be embedded in everything the audit firm does. It must be part of the firm's culture; it must be enterprise-wide.

Of course, the strategy should recognize the firm's obligations to comply with PCAOB standards and rules and relevant SEC regulatory requirements. It should also specifically incorporate ethical and other legal obligations.

Two: Key to any effective quality control system is strong governance. An appropriate governance structure should exist to oversee the quality control program. Specific roles and responsibilities should be assigned to personnel related to the program, thereby building in accountability from the start.

Given what auditors do, audit quality is the responsibility of everyone at the firm. Regardless of its organizational structure, a firm's governing body – typically a board or executive leadership – should have ultimate responsibility for overseeing the quality control program. Senior leaders and partners should have responsibility for managing the program. And every audit professional should understand his or her specific responsibility for implementing the program.

Supervisory and reporting lines need to be clear. And no ambiguity should exist on how perceived threats to quality are quickly communicated, elevated, and resolved within the organization.

The firm's governing body should also set the tone on quality. That tone should reinforce the primacy of audit quality over other commercial and firm objectives. It should also emphasize that the ultimate goal of the organization is to perform audits competently, with integrity, objectivity, due care, and appropriate professional skepticism.

Three: A firm should perform a risk and control assessment. Specifically, the firm should scan the horizon, identifying the particular risks it faces to delivering high quality audits. These threats to quality can arise from a variety of sources. For example, staffing shortages can create workload issues; mergers and acquisitions can pose integration threats. Quality risks can also arise in particular offices or regions, or in an industry segment.

Based on identified risks, the firm should put in place tailored measures – people, processes, and technology controls – to mitigate, manage, monitor, and report on those risks to quality.

Four: A firm should have processes in place to systematically monitor the quality of its audits from start to finish, looking for indicia of potential problems, as well as periodically evaluating the effectiveness of relevant people, processes, and technology controls. These processes should include conducting internal inspections and learning from their results.

Why is this so important? As the legendary baseball player Yogi Berra astutely noted: "You can observe a lot by just watching."

Ideally, comprehensive monitoring systems arm a firm's leadership with actionable information to help them oversee audit activities and quickly respond to and remediate deficiencies, weaknesses, and other potential threats to the delivery of quality audits. Effective remediation is also key, and it should include robust root-cause analyses to enable the firm to correct not only the deficiency at hand, but also to go deeper to understand the underlying source of the problem and to prevent its spread to other audits.

Five: Because business models, clientele, and operations evolve, including in response to emerging and disruptive technologies, a firm should establish processes to systematically re-evaluate its quality control strategy and program based on lessons learned from past issues and near misses. By periodically – and also when events warrant – re-assessing its quality control strategy and measures, the firm creates a dynamic process that allows for continuous learning. That feedback loop provides upward pressure to evolve and become better over time.

One final note: Emerging technologies also provide the promise to build quality control requirements into solutions from the start, rather than bolting them on after the fact. This is why technology can be so potentially powerful and transformational for audit quality.

VIII. Conclusion

To be most effective, firms should embed concepts of quality into everything they do: their methodologies, audit processes, governance, and culture. Not just the tone at the top, but the tone at all levels of the organization. Instead of grafting quality measures onto existing infrastructures and legacy processes and hoping they take, quality must become part of the DNA of audit firms and their professionals.

Such an approach promises to transform firms from firefighting against audit deficiencies to fire prevention. Modernized standards and approaches to quality control will lay the foundation for this next frontier.

Thank you for your attention.

[1] The views I express here are mine alone, and do not necessarily reflect the views of my board colleagues or the PCAOB staff.

[2] Audit Analytics, 2017 Financial Statements Review (June 2018). https://www.auditanalytics.com/blog/2017-financial-restatements-review/.

[3] An audit deficiency exists when our inspectors have determined that the auditor's statement that the financial statements were presented fairly, in all material respects, in accordance with the applicable financial reporting framework, cannot be verified based on what they saw in the work papers and learned from the engagement team. In other words, the audit firm could not support its opinion that the financial statements were not materially misstated.

[4] Specifically, for these five firms, in 2014, the deficiency rates ranged from 21 percent to 74 percent. In 2015, those rates were between 22 percent and 52 percent, and for 2016, the rates ranged from 20 percent to 67 percent. Internationally, the latest report from the International Forum of Independent Audit Regulators (IFIAR) indicated that overall deficiency rates for the largest firms ranged from 47 percent in 2014, to 40 percent in 2017. https://www.ifiar.org/?wpdmdl=7970. Annex B, p. B-3.

[6] See paragraph .03 of QC 20, System of Quality Control for a CPA Firm's Accounting and Auditing Practice.

[7] John J. Hampton, Fundamentals of Enterprise Risk Management, at pgs. 225-226 (2009).

[9] See QC 20.07–.20.

[10] John J. Hampton, Fundamentals of Enterprise Risk Management, supra at p. 234.

[11] The PCAOB has three inspection programs: one for the largest six auditing firms (referred to as the Global Network firms); another for all other registered firms that audit public companies (referred to as the Non-Affiliated firms); and the third for auditors of broker-dealers.

[12] See, e.g., COSO, Enterprise Risk Management – Integrated Framework https://www.coso.org/Pages/erm-integratedframework.aspx.