Testimony Concerning the PCAOB

Chairman Baker, Ranking Member Kanjorski, and Members of the Subcommittee:

I am pleased to appear today before the House Financial Services Committee's Subcommittee on Capital Markets, Insurance and Government Sponsored Enterprises on behalf of the Public Company Accounting Oversight Board ("PCAOB" or the "Board").

I want to begin by taking a moment to thank the Subcommittee for its strong bipartisan support of our organization. We benefit greatly from your wisdom and encouragement, and from our strong and positive working relationship. We work hard to earn your confidence, and to push toward full realization of the objectives the Congress set for us, less than two years ago, with passage of the landmark Sarbanes-Oxley Act of 2002 (the "Act").

With that Act, Congress took a giant step toward restoring shaken investor confidence in financial reporting and auditing of public companies. The Act did not merely create a regulatory environment conducive to investor protection; it also reflected the powerful demand of the American people for fairness and honesty from those participants in the U.S. markets who benefit from the people's investments. Close to half of all households in America have invested in our securities markets,[1] and the volume of resources those investments provide to business is a driving force behind the U.S. economy. The more confidence that investors have in the financial information available to them about the issuers of securities, the more resources they will pour into our businesses, both large and small.

No one should doubt that it is the faith of those investors – not the freedom of corporate managers from public regulation and oversight – that fuels the growth and competitiveness of our economy.

Introduction

Over the last 18 months, we have turned the Sarbanes-Oxley blueprint into an operating organization. Today, the PCAOB is well on its way to maintaining, as required in the Act, a continuous program of auditor oversight "in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports for companies the securities of which are sold to, and held by and for, public investors."[2]

Specifically, the Board's powers include authority to –

  • register public accounting firms that prepare, or substantially contribute to the preparation of, audit reports for public companies;
  • conduct inspections of registered public accounting firms in connection with their public company auditing practices;
  • conduct investigations and disciplinary proceedings concerning, and to impose appropriate sanctions where justified upon, registered public accounting firms and associated persons of such firms; and
  • establish auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports on the financial statements of public companies.[3]

The Board executes this authority through, and with the assistance of, three major operating units – Registration and Inspections, Enforcement and Investigations, and Professional Standards. We have also hired staff for key support functions, including human resources, information technology, finance, public affairs, government relations, legal advice, and international policy. In addition, we have established an office of Internal Oversight and Performance Assurance, which conducts internal examinations of the Board's programs and operations – using the same U.S. General Accounting Office ("GAO") Yellow Book standards that are used in performance reviews of government agencies –to help ensure efficiency, integrity and effectiveness in those programs and operations.

The Board has hired a staff of 200 auditors, analysts, attorneys, and others, including staff to fill all the top positions, and we plan to continue to grow and expect to be close to 300 employees by the end of this year. Most of our staff is based in our headquarters in Washington, D.C., and we have offices in New York City and the Atlanta, Dallas, and San Francisco areas to support our ongoing inspections of registered accounting firms. We also have an office near Dulles, Virginia, to support our significant investments in technology, and we expect to open offices in the Chicago area and Southern California in the near future.

With that brief background, let me now turn to a more detailed description of the ways in which our new organization has been energetically implementing the confidence-restoring regime established in the Act.

Registration of Public Accounting Firms

Registration of public accounting firms that audit public companies is the foundation of the Board's authority. Since October 22, 2003, it has been illegal for any U.S. public accounting firm to prepare, issue, or play a substantial role in the preparation or issuance of, an audit report on the financial statements of a U.S. public company unless it is registered with the Board. As of July 19, 2004, the same restriction will apply to non-U.S. firms that prepare, issue, or play a substantial role in the preparation or issuance of, audit reports on the financial statements of U.S. public companies. As of June 22, we have registered 976 U.S. and non-U.S. public accounting firms that audit or may wish to audit U.S. public companies, and we continue to receive applications from both U.S. and non-U.S. firms.

Although a registration requirement has the potential to result in the most bureaucratic of processes, the Board instead chose to fashion a dynamic, relational registration database under an aggressive development schedule. Given the limited time to register firms by last October 22, the conservative approach would have been to require each firm to submit a paper form containing the required registration information. Using a paper system, we certainly would have been able to complete the registration process by our deadline, but we would have lost a significant opportunity to capture the data that applicants submitted in a form that could be used long after registration for complex, relational risk analysis in all our programs.

Instead, the Board developed a system that would allow us to use the data we receive in the registration process to support our other programs. In approximately six months, our Office of Information Technology built a completely new Web-based registration system from the ground up. At the same time, we developed rules relating to the registration process; thus the system development and our rulemaking progressed on parallel tracks. I am pleased to report that our system has worked well throughout the eleven months during which we have processed and considered almost 1,000 applications, many of which include large amounts of information.

Registration is not automatic. The Board considers each application and gives special attention to those firms that have received negative peer reviews, been subject to disciplinary proceedings (against the firm or its principals), or reported unusually high ratios of public company audit clients to accountants employed at the firm. To grant approval, the Board must determine that registering the applicant is consistent with the Board's responsibilities to protect investors and to further the public interest in the preparation of informative, accurate, and independent audit reports. Once we have registered a firm pursuant to this standard, we continue to use our analysis of its strengths and weaknesses in our inspection risk assessment process.

I would like to tell you a little about what we have learned about the landscape of the public company auditing field. Four of the 976 registered firms are the so-called Big Four, and they audit more than 78 percent of all U.S. public companies, and their clients produce almost 99 percent of public company sales revenue.[4] Only eight U.S. firms have more than 100 public company audit clients:[5]

Firm Number of U.S. Public Company Clients [6]
PricewaterhouseCoopers LLP 3,234
Deloitte & Touche LLP 3,092
Ernst & Young LLP 2,856
KMPG LLP 1,893
Grant Thornton LLP 420
BDO Seidman, LLP 234
Crowe, Chizek and Company LLC 135
McGladrey & Pullen, LLP 114

These firms audit the vast majority of the financial statements that investors read and rely on. In addition to these firms, we also have 804 U.S. firms and 164 non-U.S. firms within our registry, many of which are far smaller in size than the top eight firms. Of these other firms, 863 have fewer than 10 public company audit clients, and about 268 registered firms have none at all. This distinction poses challenges to us to develop appropriate inspection programs that take into account the differences in size, complexity, and nature of risk of registered firms.

Inspections of Registered Firms

Once a firm is registered, it is subject to Board inspections. The Act and the Board's rules require annual inspections of the firms that audit more than 100 public companies and triennial inspections of the remaining registered firms that have at least one U.S. public company client.[7] The Board also has the authority to conduct special inspections, as necessary, to address issues that come to the Board's attention.[8] Inspections will use the greatest portion of the Board's resources, largely because of the need for a sizable, well-trained staff. Today, our inspections staff includes more than 80 auditors, and we expect to have 130 to 160 later this year.

Our inspections take up the basic task that had been the province of the profession's peer review system, but our inspections go much further than peer review ever did. Under the peer review system, reviewers focused on technical compliance with professional accounting and auditing standards and, on the basis of that review, opined on overall quality control. We begin by looking at the business context in which audits are performed. We focus on the influences – both good and bad – on firm practices. These include firm culture and the relationships between a firm's audit practice and its other practices and between engagement personnel in field and affiliate offices and a firm's national office. By doing so, we believe that we will gain a much better appreciation for the practices and problems that led to the most serious financial reporting and auditing failures of the last few years.

2003 Limited Procedures

Although the regular inspection cycle began this year, in order to earn the confidence of the investing public, we launched our inspection program in our start-up year of 2003 with "limited procedures" inspections of the Big Four firms. The Board's inspections teams for these inspections included seasoned auditors, who have an average of 12 years of auditing experience. Our inspection team leaders each have an average of 22 years of auditing experience.

The focus of those first-year inspections was to conduct a baseline assessment of the firms' internal systems of quality control over auditing. A firm's quality control system provides assurance to investors and others that rely on auditors' opinions that a firm's auditors comply with professional auditing and accounting standards. Firm culture – including, for example, the "tone at the top" that management infuses into the organization, and the system by which partners and employees are compensated and promoted – is one of the most important elements of a quality-control system. The quality-control system also includes internal controls over decisionmaking relating to auditing issues and internal reviews of audit engagements. In addition, we examine individual engagements to test whether the quality-control system is working.

Under the Act and our rules, we will make a draft of our report on an inspection available to the firm under review and the firm has 30 days to respond to the draft.[9] The Board will then finalize the report and deliver it to the Securities and Exchange Commission ("SEC") and, in appropriate detail, to appropriate state regulatory authorities.[10] We will also make certain portions of each report public, although the Act requires us to keep any criticisms of, or potential defects in, a specific firm's quality-control system confidential, so long as the firm corrects the problems identified within 12 months after the date of the report.

We have made our draft 2003 limited procedures inspection reports available to the four firms, and we are now awaiting their responses. As noted above, these inspections were more limited than our full inspections will be in this and future years. Nevertheless, we learned a great deal about quality control in the largest firms. In numerous interviews, we heard audit partners and staff express their perceptions of a renewed focus on audit quality. We have seen some evidence of this renewed focus in firm policies generally, and in internal firm communications about those policies. Even so, we alerted the firms to quality control concerns that we have formed, on the basis of our limited inspections, and we will continue to look hard at whether the firms' conduct mirrors their words.

In that regard, we have also learned that there is tremendous value in reviewing audit engagements, particularly with respect to inspections of larger firms. As one would expect of sophisticated organizations, each of the firms has developed multiple volumes of quality-control policies, but individual engagements are the litmus test for whether the firms are in fact conducting high quality audits. Although we only reviewed a small number of engagements in 2003, we identified significant audit and accounting issues. As we examine even more engagements in the future, we expect the prospect of scrutiny in our inspections to alter the relative risks and rewards to individual engagement partners who might otherwise consider shortcutting audit steps or bending to pressures to please clients.

Our inspections also provide valuable information about the need for enhanced standards. For example, although the limited number of engagements reviewed in 2003 prevented the Board from drawing conclusions about systemic deficiencies in audits, we formed a concern that auditors may place insufficient emphasis on the importance of thorough documentation of audit work. The Act expressly required us to adopt an auditing standard on documentation, and we began work on such a standard while we were conducting our limited procedures. We were able to use knowledge about existing documentation practices that we gained in our limited inspections to develop the new standard. We expect this new standard to drive significant improvements in audit quality, and we intend to monitor these improvements in future inspections.

2004 Inspections

We have now embarked on our 2004 full inspections of the largest U.S. firms.[11] In addition, we will inspect a great number of small U.S. firms. We began the fieldwork for these 2004 inspections in the first week of May, and we will continue these inspections through November. We will focus on, among other things, efforts to detect fraud; control over compliance with independence requirements; the adequacy of documentation; efforts to identify, evaluate, and manage risk; and compliance with professional auditing and accounting standards. In order to capture a significant sample of engagements at each firm, we plan to review approximately five percent of the Big Four firms' public company audits – that is, more than 500 audits – and 15 percent of the next four largest firms' public company audits – or, about 150 audits. That adds up to more than 650 audits, in addition to the small-firm audits that we will select on a case-by-case basis. Auditing and Related Professional Practice Standards

By virtue of the Act, for the first time, those developing auditing standards – our Board Members and staff – will have access to robust empirical and anecdotal evidence from inspections and enforcement activities to set priorities and to identify needs to develop or amend standards. We have already embarked on an aggressive agenda that is aimed at strengthening auditing standards in areas that were of particular concern to the Congress, as expressed in the Act, and in areas that we identify through our inspections or externally through outreach to investors, auditors, regulators, managers, academics and others.

First, as required by the Act, we adopted interim auditing standards that auditors have had to follow since we received our authority. The Board adopted as interim standards of the Board the body of auditing standards that had been developed by the profession, through the American Institute of Certified Public Accountants, as those standards existed on April 16, 2003. At the same time, we announced that we would review all of the interim standards and would determine, standard by standard, whether they should be modified, repealed, or made permanent. This will, of course, be a long-term project.

Second, the Board has developed and adopted three new standards – on references to PCAOB standards in audit reports, on auditing internal control over financial reporting, and on audit documentation. Our auditing standard on internal control implemented a significant requirement of the Act. Section 404 of the Sarbanes-Oxley Act, and the SEC rules implementing it, require corporate managements to issue annually a report on the effectiveness of the company's internal control over financial reporting. The Act requires the auditor, in turn, to report on management's conclusions.[12]

Our internal control standard is one of the most important and far-reaching auditing standards the Board will ever adopt. Whereas in the past auditors were required merely to consider internal control, not test it, now auditors must examine in detail and report on whether internal control over financial reporting is designed and operating effectively. Good internal control is also one of the most effective deterrents to fraud, and therefore we expect our standard to help protect investors from the kinds of financial reporting scandals that the Act seeks to prevent.

As we developed our standard on internal control, we paid careful attention to avoiding a one-size-fits-all approach to internal control. Rather, our standard provides for flexibility in considering internal control at companies of different size and complexity. A small company with a simple financial reporting structure will not need the complex procedures governing financial recording and reporting that a large, multinational conglomerate will need to have strong internal control over financial reporting. Section 404 and the Board's requirements will entail extra work and, for companies, extra expense, however, particularly in the first year of implementation. Companies that had good internal control to start with will experience less of an implementation burden than those that did not, and companies that have materially weak internal control at the time of the internal control audit will, under Section 404 and the Board's standard, receive an adverse auditor's report on internal control.

This is an important point. Once the SEC's rule and the Board's standard go into effect, investors will receive information that they have never seen before. Some of those reports will describe material problems with a company's internal controls over financial reporting. In such cases, both management's report on internal control and the auditor's report on internal control should contain important disclosures explaining the PCAOB Testimony Page 14 June 24, 2004 nature of the weakness, which investors should consider in evaluating those financial statements.[13]

In addition to developing these standards, the Board has established a Standing Advisory Group to provide advice on future standards-setting projects. The Board announced this 30-person advisory group in April, and we held the first meeting of the group earlier this week. We see this group as an important tool to obtain insight about ways to improve audits by developing clear and effective auditing standards, and so we have included in the group individuals with deep experience as auditors, financial statement preparers, investors, and academic researchers, among others.

We also seek information from practitioners and others on issues that arise in practice in the context of implementing our new standards, to better understand and resolve questions that may arise. For example, we convened informal working groups of auditors and corporate personnel involved in implementing our standard on internal control. We use information we gather in these sessions to identify points on which it may be useful for us provide guidance to auditors and others on how to implement our new standards, as needed.

Looking forward, we face a challenging near-term agenda, notwithstanding the achievements we have already made. Two important standards-setting projects expressly required by the Act are yet to be done. Those relate to second partner review of specific engagements and to overall quality control over compliance with professional accounting and auditing standards. We also plan to develop a comprehensive standard to address auditors' responsibilities for communications and relations with audit committees. Such a standard would incorporate requirements mandated under the Act into the audit and related professional practice standards. In addition, we will consider auditor independence and particular non-audit services, such as tax services, in the post-Sarbanes-Oxley environment. In this regard we will be holding a public roundtable meeting on tax services and auditor independence on July 14.

While the Act requires auditors to follow our standards only when they are performing public company audits, we hope that our Standards will come to be followed in other contexts. While some public companies do go private, in many more cases private companies go public. In addition, stakeholders other than public investors – such as lenders – have already begun to require auditors to provide audit reports according to our standards. For these reasons, we hope our standards can be applied uniformly in a variety of contexts. With this objective in mind, the PCAOB will monitor closely the standards-setting of the GAO and the International Auditing and Assurance Standards Board ("IAASB").[14]

I cannot conclude my discussion of our standards-setting activities without acknowledging the international aspects of our work. International convergence on high-quality standards is an important objective. As a first step in this direction, we have reached out to the IAASB – by, for example, seeking and receiving an observer seat at IAASB meetings – to increase the likelihood that international standards will develop in a direction we see as positive. Our observer seat will also increase the likelihood that international views find a place in the PCAOB's standards, and in that regard we have also invited the IAASB to participate as an observer with speaking rights on our Standing Advisory Group. In addition, we plan to consider relevant international standards on auditing in our standards-setting development projects. For example, we are studying closely the IAASB's new quality control standards in connection with our development of new standards on concurring, or second partner, review and on overall quality control.

Enforcement

The Board will address many of the auditing problems we identify through a combination of standards-setting and supervision through the inspection process. Situations will inevitably arise in which those tools are inadequate, however. When we find serious violations of PCAOB standards or the securities laws by auditors under our jurisdiction, we will use the authority the Act gives us to investigate and, as appropriate, to seek disciplinary sanctions. Those sanctions can include significant monetary penalties, and also may include revoking a firm's registration (and thus preventing it from auditing public companies) or suspending or barring individuals from working on the audits of public companies. Our authority to investigate includes authority to seek relevant documents and testimony from auditors and others, including client personnel. Because audit failures typically have an impact on the reliability of the financial statements the auditor was responsible for examining, we expect our investigations will often be a component of a larger investigation of the financial reporting itself and management's role in that reporting. We therefore expect to work very closely with the SEC in such cases.

Oversight of Non-U.S. Accounting Firms

Under Section 106(a) of the Act, non-U.S. firms are subject to the Act and to the rules of the Board "to the same extent as a public accounting firm that is organized and operates under the laws of the United States." As I mentioned earlier, we have registered 164 non-U.S. firms.[15] At this point, we expect that as many as 400 non-U.S. firms may register with the Board.

The Board has given considerable thought to how our oversight programs should operate in relation to non-U.S. firms that audit or play a substantial role in auditing U.S. public companies. Last October, we issued a briefing paper that describes a framework for oversight that depends, to the greatest extent possible, on cooperation among regulators. That paper fostered an international dialogue that contributed to the development of a landmark European proposal for an independent auditor oversight regime in Europe and to an unprecedented confluence in Brussels this past March of auditor oversight bodies from every European member state to discuss with us how we can mutually improve the quality of auditing on both sides of the Atlantic.

We have also had fruitful discussions with auditor oversight authorities in Canada, and in a number of other countries, including France, Switzerland, Germany, Australia, and Japan. We hope to be able to rely to a great extent on the inspection work of other regulators, and it is in that regard that we especially welcome the establishment of new, independent oversight systems outside the United States.

Our ability to work with and rely on our counterparts will necessarily depend upon whether we are able to develop arrangements among regulators concerning inspection programs for non-U.S. firms. Earlier this month, we adopted final rules to implement the concepts we put forward in October, which will give us the flexibility to fashion arrangements for joint work programs and other procedures that are appropriate to the circumstances, given the differences in regulatory structures throughout the world.

Conclusion

During the last 18 months, we have established a strong operational foundation for our statutory programs, but we still have many challenges ahead. Some of our most significant challenges in the next year will be to complete our first full inspections of the largest public accounting firms; to review our interim auditing and related professional practice standards and, where needed, to develop new standards; and to establish cooperative oversight programs with our counterparts in other countries.

We will continue to push forward, step by step, toward the world envisioned in the Act. It is a world in which public accounting firms are strong, reliable businesses that compete based on virtue. It is a world in which the investing public has enough confidence in the fairness of our capital markets – and in the auditors who stand in their place – to invest their and their children's futures in those markets. And it is a world in which U.S. companies have access to rich capital markets funded by those investors, to grow new businesses, to develop new products, and to hire new employees.

Thank you for the opportunity to describe our progress toward this goal.


[1] Arthur B. Kennickell, Martha Starr-McCluer, and Brian J. Surette, "Recent Changes in U.S. Family Finances: Results from the 1998 Survey of Consumer Finances," Federal Reserve Bulletin January 2000.

[2] Sarbanes-Oxley Act, Section 101(a).

[3] Sarbanes-Oxley Act, Section 101(c).

[4] See United States General Accounting Office, Report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services, Public Accounting Firms, Mandated Study on Consolidation and Competition, July 2003, GAO-03-864.

[5] Only one non-U.S. registered firm audits the financial statements of more than 100 U.S. public companies. Firms that have more than 100 public company audit clients are subject to annual inspections. See Rule 4003(a). Firms that have between one and 100 such audit clients are subject to regular inspections every three years. Ibid.

[6] 2002 data.

[7] See PCAOB Rule 4003(b).

[8] See PCAOB Rule 4002.

[9] See PCAOB Rule 4007(a).

[10] See PCAOB Rule 4008.

[11] The only non-U.S. registered firm that audits the financial statements of more than 100 U.S. public companies did not register until 2004. Therefore, under the Board's rules, full inspections of that firm will begin in 2005. See PCAOB Rule 4003(a).

[12] See Section 103(a)(2) and 404(b) of the Act.

[13] An auditor may be able to issue an unqualified audit report on a company’s financial statements, notwithstanding an adverse opinion on the company’s internal control over financial reporting. Today, auditors that determine that a company’s internal control over financial reporting is inadequate may nevertheless be able to reach an unqualified opinion on the fairness of the company’s financial statements by performing more substantive procedures. Similarly, once the Board’s standard is in effect, an auditor of a company that has materially weak internal control may, based on additional audit procedures, determine that the company’s financial statements are fairly presented in accordance with generally accepted accounting principles. The difference is that under the SEC's new rule and the Board's new standard the additional disclosures on the weakness of internal control will provide investors with new and useful information on which to base their judgments about the financial statements.

[14] The IAASB is a profession-organized group whose auditing standards serve as the basis for the standards auditors use in many countries.

[15] Title I of the Act is directed toward the auditors of public companies that seek to raise capital in U.S. markets. In the United States, the Act directly affects as many as 15,000 U.S. public companies. Those companies are headquartered in the United States, but they often have significant operations in other countries as well. The securities of about 1,400 non-U.S. public companies trade in U.S. securities markets, and so those companies must also follow many of the requirements of the Act, including the requirement to file with the SEC financial statements audited by a registered public accounting firm.