The Role of Audit in Preventing Financial Reporting Failures
Thank you for this opportunity to speak to you today. I want to congratulate the University of Houston Law Center for convening this third annual symposium on ethics and compliance.
This is a banner period for compliance officers. The Wall Street Journal says compliance officer is one of the hottest jobs in America right now.[1] It may also be the hardest. The range of issues compliance officers follow is broad: the symposium's topics alone include facilitation payments and other corrupt practices, data privacy, social media and political contributions.
Compliance officers are also responsible for monitoring safety, health and environment, anticompetitive conduct, and trade sanctions. Depending on the industry, there are a myriad of other risk areas that a compliance officer must cover.
I'm here to tell you that your help is also needed in another area — supporting the external audit. The auditor should be a partner to you in your mutual mission — the avoidance of damage to the company from a financial reporting failure.
As I begin, let me say that the views I express are my own and should not be attributed to the PCAOB as a whole or any other members or staff.
Today I'd like to cover three topics that speak to the opportunities and need for your help in supporting the audit. First, earlier this week the PCAOB adopted a new auditing standard and related amendments on related party and significant unusual transactions, which I know are an important concern of yours as well.
Second, I will move into a broader discussion of how the vigilance of audit committees and compliance officials helps to promote high quality audits.
Third, I will discuss the PCAOB's initiatives to bolster the audit to continue to stay abreast of financial reporting and auditing risks, including both updates and improvements in auditing standards as well as broader policy initiatives to provide audit committees and markets better information to make the audit more useful and reliable. More useful and reliable audits should have many benefits, including a better controlled financial reporting culture, which should help compliance officers identify and reduce risk too.
I. The PCAOB's New Related Party Standard is Intended to Improve the Quality and Consistency of Auditors' Work.
The PCAOB's new related party standard and related amendments are intended to improve the quality and consistency of auditors' work, in order to protect investors from the risk of being misled by poorly explained, or undisclosed, related party transactions and significant unusual transactions outside the normal course of business.
Auditors ought to be highly focused on risks related to such transactions, and many are. But PCAOB inspections have found that others miss opportunities to do so, by approaching existing requirements in a mechanistic way and failing to probe confusing or incomplete disclosures.
The new auditing standard and related amendments update and strengthen audit procedures in these critical areas to improve the quality and reliability of disclosures to investors.
The new standard and amendments are subject to SEC approval. If approved, they will go into effect for audits of financial statements for fiscal years beginning on or after December 15, 2014.
The new standard and amendments are based on the PCAOB's evaluation of ways to integrate the auditor's procedures related to related party and significant unusual transactions with the overall audit approach, thus making the auditor's procedures both more effective and more efficient.
In 2010, the PCAOB had replaced the foundation of its auditing standards with a new suite of auditing standards that required auditors to incorporate and act on a risk assessment at every stage of the audit.
The new standard and amendments now more explicitly articulate the PCAOB's requirements for auditing related party and significant unusual transactions in terms of risk, and more explicitly require the auditor to identify and act on risks.
Risk isn't just about doing more procedures in areas that matter, and less in areas that matter less. A risk-based approach mandates not wasting the audit or nullifying the usefulness of its procedures by performing them in a mechanistic, unthinking way.
The new standard and amendments require auditors, among other things, to obtain an understanding of the company's relationships and transactions with related parties as part of the auditor's procedures to identify and assess the risks of material misstatement.
They also require auditors to evaluate whether the company has properly identified related parties, including by testing the accuracy and completeness of management's identification and by taking into account other information gathered during the audit.
In other words, the auditor may not treat related party procedures as an isolated component of the audit. If other information from the audit suggests an undisclosed related party might exist, the standard requires the auditor to follow up.
In the same vein, when there are significant unusual transactions, amendments to the PCAOB's standard on consideration of fraud now explicitly require the auditor to understand and evaluate the asserted business purpose.
The Board also recognized, in amendments to the risk assessment standards, that a company's financial relationships and transactions with its executive officers, including executive compensation, may create incentives for the company to achieve a certain financial position or operating result.
The amendments do not require the auditor to judge the reasonableness of the amount or structure of executive compensation. But they do require the auditor to understand those relationships and transactions, to assess the risk that the financial statements are incomplete or misleading.
Finally, in addition to bringing all this information to bear in the auditor's overall opinion on the company's financial statements, the auditor must communicate to the audit committee the auditor's evaluation of the company's identification, accounting for and disclosure of relationships and transactions with related parties, and other related significant matters arising from the audit.
II. How Audit Committees and Compliance Officers Can Improve Audit Quality
These disclosures complement other existing required disclosures by the auditor to the audit committee, all reflecting the significant expansion of the audit committee's role in promoting high quality audits since the Sarbanes-Oxley Act of 2002.
From time to time, it has been suggested that the PCAOB's required communications to audit committees have, implicitly and without authority, contributed to an uncontemplated expansion of responsibility. As this line of argument goes, the PCAOB's focus on the auditor's relationship with the audit committee is misplaced. Rather, the audit committee should be seen as merely an interested bystander with a mutual interest in high-quality audits.
I don't think that's a fair reading of history, or the law. It is the Sarbanes-Oxley Act itself that effected this expansion, among other ways by requiring that the Securities and Exchange Commission direct the exchanges to amend their listing standards to require companies' audit committees to, among other things, (1) be comprised of independent directors, and (2) be "directly responsible for the appointment, compensation, and oversight" of the companies' auditors.[2]
The Act also provides for these audit committees to establish a mechanism for receiving and addressing complaints or anonymous information about the company's accounting — a whistleblower hotline. Audit committees must also approve any non-audit services that may be performed by the company's audit firm.
According to the legislative history of the Act, its approach to strengthening audit committees was intended to "help avoid future auditing breakdowns."[3] The Act does not envision a passive role. This is no bit part.
Moreover, the point of making the audit committee responsible for oversight of the auditor and the auditor's compensation was to give the audit the support of a well-informed and well-equipped audit committee that will champion audit quality.
To this end, the PCAOB has looked for opportunities to help raise audit committees' awareness of information that is uniquely within the PCAOB's purview. Two years ago, the PCAOB updated the long-standing audit standard on required auditor communications to audit committees, to reflect communications expressly required by the Sarbanes-Oxley Act and to address auditor lapses and missed opportunities identified in PCAOB inspections and otherwise, especially in light of lessons learned in the recent financial crisis.[4]
The PCAOB has also from time to time issued general reports on inspections, to highlight audit risks and trends in inspection findings, which may be of interest to compliance officers.[5]
In addition, in August 2011, the PCAOB issued a paper entitled Information for Audit Committees about PCAOB Inspections.[6] The purpose was to give audit committees techniques to make effective use of inspection results to improve the quality of the audits of their companies' financial statements.
It starts by explaining what PCAOB findings mean. Specifically, inclusion in the public portion of the inspection report means that the inspection staff has determined that the firm failed to fulfill its fundamental responsibility in the audit: the firm failed to obtain reasonable assurance about whether the financial statements are free of material misstatement.[7]
It is a failure to accomplish the essential purpose of the audit. Said another way, it means that, based on the audit work performed, the audit opinion should not have been issued, and more work consistent with applicable audit standards was necessary for the opinion to stand.
Such a finding is indeed a serious matter, including for audit committees and the compliance officials who assist them. The role of the audit committee and its advisors makes a difference to audit quality: how an audit committee addresses inspection results can affect the tone of the audit.
An audit committee that is impatient with the technicalities of an audit, or accepts weak arguments to dismiss the findings in an inspection report, may inadvertently signal to the audit firm and audit team that the audit committee is not concerned with quality.
An audit committee that, on the other hand, expresses explicit concern for how the auditor has resolved noted deficiencies tells the auditor that quality matters.
My colleagues and I are sometimes asked why we don't issue reports on successful, or exemplary, audits.
The PCAOB's main work is to inspect, and when necessary discipline, auditors of public companies and broker-dealers, against standards established to protect the public interest.
This work necessarily, and quite intentionally, focuses on identifying both individual audit failures and weaknesses in quality controls, and whether firms correct them. We do not set out to write a balanced scorecard of strengths and weaknesses.
But we have seen strengths develop, and I believe they are attributable to the collective vigilance of auditors, audit committees, compliance officials, audit and securities regulators, and others.
Measures of restatements by U.S. public companies provide an indication of the on-going need to address weaknesses, and at the same time highlight the benefits from past efforts. The number of restatements is considerably lower than the 2006 peak.[8] It has increased in recent years and remains above pre-2006 levels, which suggests a need for continued vigilance.
While the overall number of restatements is an important metric to gauge financial reporting quality, what I think is particularly interesting is the trend in size of the largest restatements — that is, the ones that have the most negative effect on net income and present the greatest risk to investors — which has declined steadily since 2004.[9]
The number and seriousness of PCAOB findings also remain unacceptably high. The number of findings described in reports on the four largest firms issued in 2013 (on 2012 audits) ranged from 13 to 25.
In total, inspectors examined portions of 208 audits across all four firms, admittedly a risk-based fraction selected from the firms' total client bases. We cannot say whether the unselected audits were exemplary. I have no reason to doubt that many were. But 76 of the 208 audits reviewed were sufficiently flawed that the PCAOB's inspectors determined that the audit opinion was not supported when issued. The trend at smaller firms and non-U.S. firms is also concerning.
On top of this, we still read in the papers and in announcements of SEC enforcement cases stories of companies, and auditors and audit committees, that have ignored red flags and let financial reporting problems fester and grow.
But taken all together, these figures tell me that inspections vigilance, and the vigilance of audit committees and other monitors such as yourselves, is paying off for those companies that promote a strong tone at the top and culture of good financial controls and compliance.
It is a sign of validation that we are on the right path. But there is more work to be done.
III. The PCAOB's Initiatives to Enhance the Reliability of the Audit
The PCAOB will continue to update audit standards as we identify opportunities to better articulate the steps necessary to obtain reasonable assurance that a set of financial statements is fairly presented in accordance with the applicable reporting framework and free of material misstatement.
We should continue to look for ways to modernize the standards, in light of both new risks and new technological tools. As we do, I believe it is appropriate that we also look for ways to simplify the standards, to articulate them in the clearest terms possible. Robust economic analysis is also important.
To this end, the PCAOB has an active standard setting agenda, including projects on auditing fair value measurements, use of other auditors and specialists, quality control, and other topics.
But a quality audit depends on more than just good standards on the books. Auditors' ability to execute a high quality audit depends as well on the environment, and balance of countervailing influences, around them.
The pressure to make budget, the pressure to keep a client, the pressure to expand one's client portfolio: these are all powerful influences that can counterbalance or even outweigh the pressure to maintain the firm's or one's own reputation, especially when there are few benchmarks against which to judge reputation.
Each of the four large firms is capable of the highest quality auditing. Each has an unacceptable number of serious inspection findings too. How to discern, how to predict quality?
Financial markets and investors can learn a lot about a company's management team from the company's annual report and regulatory filings. These materials allow the market over time to form opinions about the strength of the team and its members.
In contrast, in the U.S., financial markets and investors have no way of knowing whether the engagement team on an audit is led by a proven star or a less competent partner. They have no way of knowing whether a partner was prematurely switched out, which we know from the experience of fraud cases is a disturbing but stealth way of delaying a day of reckoning.
In firms that number hundreds or a few thousand partners, it's inconceivable there isn't variation in strength.
Nor can the markets or investors tell whether the firm that signed the audit report used the work of other audit firms, in minor or substantial part. Yet there can be dramatic variation in quality between firms, even within a network of firms.
Audit committees do know their engagement partners. But they are asked to select them based largely on inquiry, anecdote and the proposing firm's presentation. I don't mean to make light of this task, because I know from experience it can be time-consuming and intensive.
But it is not efficient. Today, if an audit committee wants to know how an incumbent or a potential engagement partner stacks up against other partners, it would have to rely on the audit firm itself to compile the statistics. And there are no objective benchmarks or standardized criteria on which to develop track records.
The PCAOB is exploring ways to change this state of affairs, and to harness the disciplining power of markets to promote audit quality, through three complementary initiatives.
A. Audit Transparency
First, the PCAOB has proposed that the name of the engagement partner and other firms involved in an audit be disclosed.
Sixteen of the 20 countries with the largest market capitalizations already require disclosure of the name of the engagement partner. Through the International Auditing and Assurance Standards Board, the auditing profession has indicated it will soon begin requiring that all audits conducted under its standards disclose the name of the engagement partner, at which time all 20 except the U.S. will require it.
Disclosure of the engagement partner allows the market to reward with a lower cost of capital those companies whose audit committees choose audit partners with a reliable record. The same effect can be expected to attend disclosure of the other audit firms used in the audit.
With such disclosures in place, analysts and data services will be in a position to develop useful benchmarks to compare partners both inside and across firms. This would mean that, in the near future, audit committees will have access to objective data on prospective engagement partners and audit firms.
B. Audit Quality Indicators
Second, the PCAOB is also working on developing other indicators of audit quality, both at the engagement and firm level. At its root, the project seeks to answer two questions: Can we develop a portfolio of quantitative measures that provide new insight into audit quality? If so, how can we deploy those measures in a manner that best promotes quality?
The PCAOB staff have been engaged in broad outreach to develop a portfolio of about 15 indicators that might be sufficient to present a useful basis for comparison of audits. Examples of ideas discussed in our outreach are:
- Partner to staff leverage, staff utilization and industry expertise;
- Relative time commitment by the partner, manager and engagement quality reviewer;
- Trends in inspection findings;
- Percentage and nature of work outsourced to service centers; or
- Absence of a going concern paragraph before a bankruptcy or similar financial distress.
I would not want to suggest that any single indicator would be determinative of a good or bad audit. They are not algorithms, or safe harbors or even benchmarks to target. AQIs are more likely to cause the user to ask the right questions; they are unlikely to definitively answer those questions.
We are in the process of identifying the indicators that appear to be the most promising. We will seek public comment to help us decide which measures to pursue in more depth. Expect to see a concept release describing them later this year.
C. The Auditor's Reporting Model
Finally, last year, the Board also proposed the first significant changes to the auditor's reporting model in more than seventy years, based on investors' calls for more informative, insightful and relevant audit reports.
The proposal is based on several years of outreach to investors, auditors, preparers, academics and others, on what kind of changes would be most useful and achievable.
The PCAOB first issued a concept release in 2011, outlining certain approaches we could take, ranging from a new, stand-alone auditor's discussion and analysis of the financial statements all the way to some relatively small, but helpful clarifications to the standard auditor's report.
After considering comment, the PCAOB proposed a middle ground approach. It builds on the pass-fail report but would provide more insight about the audit, to help the public understand where the audit was most challenging and thus provided the most value.
The proposal provides a framework to report critical audit matters, which keeps the auditors in their area of expertise — the audit. The intent is to provide markets and investors more value from the audit, but information on critical audit matters could well be useful for compliance officials as well.
The proposal would also require auditors to report on their evaluation of certain other information, besides the financial statements, such as the company's annual report and management's discussion and analysis.
As we consider this new reporting model, we are fortunate to be able to look to examples of considerable experimentation abroad.
The U.K. began using expanded audit reports earlier this year. The U.K.'s move has been well received by investors, auditors and issuers.
The European Parliament has also voted to adopt a broad package of audit reforms for EU companies, including expanded audit reports.
These examples should help the PCAOB and market participants consider the merits of potential changes here.[10]
* * *
Underlying all these initiatives is the goal to make audits more reliable and more relevant to today's markets. Neither the profession nor the PCAOB can do this alone, though.
The audit function needs to be championed and encouraged by the corporate community for it to work. You have an important role to play in this regard. An effective and robust compliance program can help considerably in setting the right tone.
Maintaining a strong culture of compliance is important both to the success of the audit and, ultimately, to establishing the investor trust and confidence that the audit can bring.
I want to thank the University of Houston Law Center for making this event possible.
[1] Gregory J. Millman and Samuel Rubenfeld, "Compliance Officer: Dream Career?", The Wall Street Journal, January 15, 2014.
[2] Sarbanes-Oxley Act of 2002 § 301, 15 U.S.C. § 78j-1 (2002).
[3] S. Rep. No. 107-205, at 23 (2002).
[4] PCAOB Auditing Standard No. 16, Communications with Audit Committees.
[5] For example, in 2013, the PCAOB issued a report on observations in firms' implementation of the PCAOB's standard on engagement quality reviews, including compliance failures. The PCAOB has also issued reports on overall inspection trends among smaller firms and trends in compliance with the PCAOB's standard on auditing internal control over financial reporting.
[6] See PCAOB Release No. 104-2004-001, Statement Concerning the Issuance of Inspection Reports, (Aug. 26, 2004), http://pcaobus.org/Inspections/Pages/PublicReports.aspx.
[7] When PCAOB inspectors identify significant audit deficiencies, they describe their concerns in detail to the auditor. If the auditor disagrees, the auditor has ample opportunity to demonstrate to the inspection team any oversight or error in the inspection team's analysis or its understanding of the facts. The inspection team's conclusions are reviewed by PCAOB staff at multiple levels, in light of input the auditor provides, including any response to a draft of the inspection report.
Firms' approaches to characterizing these inspection results can sometimes distort them, intentionally or unintentionally. For example, one common claim is that a cited audit deficiency is based on nothing more than the auditor's failure to adequately document work that the auditor in fact performed. A firm may also argue that the cited audit deficiency reflects merely a difference of professional judgment, between the inspection staff and the auditor, within a range of reasonable professional judgments.
Audit committees should probe such assertions. In the case of every failure cited in the public portion of an inspection report, the inspection staff have considered and rejected any contention that the procedures were performed but just not documented. Similarly, in the case of every failure cited in the public portion of a report, the inspection staff has considered and rejected any suggestion that a reasonable judgment could be made that the omitted procedures were not necessary.
[8] Audit Analytics, 2013 Financial Restatements: A Thirteen Year Comparison (April 2014), at 11.
[9] Id. at 13.
[10] Transcripts, witness statements and public comments relating to the PCAOB public meetings on Docket 034: Proposed Auditing Standards on the Auditor's Report and the Auditor's Responsibilities Regarding Other Information and Related Amendments are available at http://pcaobus.org/Rules/Rulemaking/Pages/Docket034.aspx. Podcasts are available at http://pcaobus.org/News/Webcasts/Pages/04022014_PublicMeeting.aspx.