Sarbanes-Oxley and the Post-Enron Environment: Auditor Oversight

I am very pleased to be here in Tokyo and to be part of examining the evolving responsibilities of “gatekeepers” in the United States and Japan. It is particularly an honor to appear before such a distinguished group of Columbia alumni. It is a little daunting to be one of the few lawyers admitted to the room today without having first passed through the Columbia Law School.[*]

Although many other important topics were added, the Sarbanes-Oxley Act started out as a bill to create a new oversight framework for auditors. In many ways, the most concrete differences between the pre- and post-Sarbanes-Oxley environments in the United States stem from the changes in the relationship between companies, their auditors, and their audit committees that have resulted from the Act. I want to make some comments about those changes and about the role of the Public Company Accounting Oversight Board.

Before I begin, I must give you a warning: The views I express are solely my own, and not necessarily those of the Board, its other members, or the staff of the Public Company Accounting Oversight Board.

I. Accountants As Gatekeepers

First, I think it is worth observing that auditors are the original gatekeepers. In the U.S., an auditor’s opinion is a necessary condition to selling securities to the public and to having those securities trade in the public markets. There are ways to get along without an underwriter or a lawyer or an analyst following. But not without an auditor’s opinion.

Unlike other gatekeepers, it has always been recognized, at least in theory if not always in practice, that the auditor has important obligations to the investing public that may require him or her to act contrary to the interests of the client. Many of the audit failures that lead to the enactment of the Sarbanes-Oxley Act can be viewed as the result of auditors losing sight of those obligations to the public and defining their role as selling services, rather than controlling the gate through which companies can access the securities markets. Fundamentally, the Sarbanes-Oxley Act seeks to refocus auditor on their obligations to public shareholders.

II. What Went Wrong?

Much has been written and spoken about the loss of public confidence in financial reporting during the late 1990s and early 2000s in the auditor’s performance of this gatekeeper role. Let me list three factors that, in my view, contributed significantly to the erosion of trust in auditing:

  • First, the rise of non-audit, consulting, services.

    Revenues from activities, such as systems design, tax planning, assistance with data processing procedures, and a host of other high-margin advisory services, became increasingly important. In many cases, clients were paying their auditors more for consulting than for the financial statement audit. As a corollary, firms began to see the lower-margin audit as a foot-in-the-door to more lucrative consulting engagements.
     
  • Second, downward pressure on auditing fees.

    Firms faced considerable pressure to keep the audit fee low, or risk losing both their audit and (more profitable) non-audit relationships with clients. In a rising market, clients viewed the audit opinion as merely another standardized commodity to be purchased as cheaply as possible.
     
  • Third, increased reliance on more cost efficient means of auditing.

    The tactic of using the audit to gain entrée to other work, coupled with the difficulty in raising audit fees, meant that the costs of auditing had to be controlled. That, in turn, led to more emphasis on risk-based auditing -- the theory under which the auditor plans his or her work based on judgments about which aspects of the client’s business are the most likely sources of error or fraud. In the areas of perceived low risk, the auditor relies more heavily on internal controls and management representations. While sound in theory, this process, if not judiciously applied, can have disastrous consequences -- particularly if the underlying judgment about risk turns out to be incorrect. WorldCom is a good example.

III. The Sarbanes-Oxley Act

In the Sarbanes-Oxley Act Congress, sought to restore confidence in the auditor’s opinion and to reinvigorate the auditor’s gatekeeper role. I would point to four key aspects of the law.

  • First, largely building on actions the SEC had already taken, it sharply restricted the auditor’s ability to render non-audit services to audit clients.
  • Second, it made the audit committee, composed of independent members, rather than management, the focal point of auditor-client relationship. This was an attempt to deal with the ultimate conflict -- while the auditor owes duties to the public, management retains and pays the auditor.
  • Third, and much less noticed at the time and much more noticed now, it required the auditor to render a second public opinion, in addition to the traditional opinion on the financial statements. Section 404 of the Act requires the auditor to opine on the effectiveness of the company’s internal control over financial reporting.
  • Finally, in the area of public company auditing, it ended the profession’s long tradition of self-regulation and peer review. In its place, the Sarbanes-Oxley Act created the Public Company Accounting Oversight Board to oversee auditors of public companies, including periodic inspections, and to set auditing standards.

IV. The PCAOB

I want to say a few words about the responsibilities of the Public Company Accounting Oversight Board and about the Board’s progress.

The Sarbanes-Oxley Act says that the Board’s mission is to oversee the auditors of public companies, protect the interests of investors, and further the public interest in the preparation of informative, accurate, and independent audit reports. While the Board was established by a federal law and is overseen by the Securities and Exchange Commission, a federal agency, the members and staff of the Board are not government employees. Instead, the Board is a Congressionally chartered, private, not-for-profit corporation.

Congress gave the Board four primary responsibilities -- registration, inspection, investigation, and standard-setting.

Registration

Every accounting firm, U.S.-based or foreign, that issues an audit report with respect to an SEC-reporting company, or that substantially participates in such an audit, must be registered with the Board. About 1,500 firms have registered with the Board. Roughly 900 are U.S. firms and the remaining 600 or so are foreign--including nine Japanese firms.

Inspections

Once a firm is registered, the Sarbanes-Oxley Act requires the Board to inspect it periodically. For firms that audit more than 100 public companies, inspections must occur annually. For the other firms that have at least one SEC client, inspections must take place at least once every three years.

  • The focus of Board inspections is on two things: How the firm seeks to maintain audit quality and professionalism in its practice, and on how it conducted specific public company audit engagements. As part of reviewing an audit engagement, the Board also looks at the auditor/audit committee relationship.
  • At the end of an inspection, the Board issues an inspection report describing the results. These reports have both a public and a non-public portion. The Sarbanes-Oxley Act prohibits the Board from making public disclosure of criticisms of a firm’s quality controls, unless the firm fails to correct those deficiencies within 12 months. Therefore, we are forced to confine those types of observations to the non-public part of the report.

Enforcement

Many of the specific auditing problems the Board identifies will be dealt with through comments in inspection reports. However, inevitably, situations will arise from inspections or otherwise in which merely requiring better performance in the future is inadequate. Therefore, the Board also has an investigation and enforcement program.

The Board has the authority to impose fines and to order changes in how a firm practices. In more serious cases, we can suspend or bar firms or individual accountants from being involved in public company auditing. As long as we believe that an auditing firm is acting in good faith and is capable of and willing to conduct audits in accordance with the PCAOB’s standards, we will generally use our authority to make non-public inspection recommendations, rather than our authority to bring disciplinary actions. For firms that seem unwilling or unable to follow the rules, we will take the harsher enforcement approach. We recently brought our first enforcement case, and several other matters are under investigation.

Auditing Standards. Finally, Congress charged the Public Company Accounting Oversight Board with establishing auditing and other professional standards (such as quality control and ethics) to govern public company audits. We have the unique advantage of being able both to set the standards by which audits are conducted and to conduct inspections to see how those standards are being applied in practice. So far, we have issued new standards in important areas such as audit documentation and internal control auditing and have adopted new rules governing independence and tax services.

V. What is the Auditing Environment Today?

Finally, I want to briefly consider how the auditing environment in the U.S. today has changed, post-Sarbanes-Oxley. Four things stand out.

Refocus on auditing

The profession is beginning to again view auditing as its core business -- not merely an adjunct to consulting. Many non-audit services have been prohibited. For those that remain legal, audit committee pre-approval is required, and audit committees are more reluctant to let their auditors perform significant non-audit services.

The impact of inspections

The inspection process is the key to the Board’s impact on auditing. The knowledge that, in the case of any particular audit, PCAOB inspectors who are themselves experienced auditors but who are not “peers” may review the work-papers and form their own judgment on how well the audit was conducted has had a significant effect on how auditors do their work. While there is a place for enforcement proceedings and a place for liability to private parties who are injured by bad auditing, in my view, a well-thought-out inspection is more likely to improve the day-to-day quality of auditing than are those other, blunter tools.

Auditor risk aversion and client selectivity

Our inspections and published figures show that the major firms have “fired” some clients, particular those that are riskier. Firms also have developed more sophisticated tools for assessing client risk and using those assessments to tailor how they audit.

Greater auditor sensitivity to risk is a good thing. However, it does have some perverse consequences. Some public companies -- particularly smaller ones -- are finding it harder to engage or retain a Big 4 audit firm. Also, in some cases, clients accuse their auditors of “over-auditing” as a result of the new environment and the knowledge that the Board may be looking over the auditor’s shoulder.

Section 404 internal control audits

The audits of internal control have added an important new dimension to the auditor’s work. The auditor is required to have a more complete understanding of the strengths and weaknesses of the client’s financial reporting systems. Audit committees are also being forced to learn more about those systems in order to assess significant deficiencies that the auditor reports to them.

However, nothing good is free, and internal control auditing has come at a price. There is a lot of dispute about the costs of these reviews and how much of those costs were first-year costs and how much will be continuing. However, this added expense of being a public company also raises issues regarding the impact on small companies and on capital formation. The Board is committed to making sure that Section 404 is implemented in a way that balances costs and benefits, but it may take some time to fully achieve that goal.

VI. Conclusion

What will the ultimate impact on auditors of Sarbanes-Oxley be? It is certainly too early to tell. The profession is in many ways stronger today than it was three years ago. However, in order to fully understand and evaluate the impact of Sarbanes-Oxley on auditors, we need to wait until Section 404 audits are fully integrated with financial statement audits; until PCAOB inspections are so routine that the fact of oversight is second-nature to auditors; until the Act is no longer new, but part of the day-to-day fabric of corporate life. And, we have to see how the system performs in the next bubble.

One thing is clear however: Our markets are critically dependent on reliable financial information. Therefore, the auditor’s gatekeeper role is too important for us not to get right.

Thank you. I would be happy to answer questions. 

Endnotes

[*] The views expressed herein are solely those of the author and are not necessarily those of the Public Company Accounting Oversight Board or any of its other members or staff.

Related Information