What Corporate Directors Should Know about the PCAOB
Good evening. It’s great to be here in Minneapolis, especially to have the chance to meet with the NACD chapter. Having grown up next door in Wisconsin, this is a bit like a homecoming for me.
While it’s a treat for me, some of you may be wondering why you are indoors on such a beautiful Spring evening to listen to a regulator of auditors. The NACD is of course the country’s leading organization of public company directors, and I imagine that only a few of you are practicing auditors. And, the Public Company Accounting Oversight Board has no jurisdiction over directors.
But, I think that there are still reasons why you should take an interest in the Board’s work. I want to give you a bit of an overview of what is going on at the Board and explain why you, as corporate directors, should care.
Before I go further, however, I have to note that the views I express today are my own, and not necessarily those of the Board or of its other members or staff.
I. The Work of the PCAOB
I want to begin with a brief primer on the PCAOB. While the Board is roughly three and a half years old, it is still a bit of a mystery to many people.
The Board was created by the Sarbanes-Oxley Act of 2002. Today, many people seem to equate SOX and internal control reporting. However, the objective of the bill that eventually became Sarbanes-Oxley was to create a system of oversight for the auditors of public companies. Congress sought to strengthen public confidence in audited financial reporting -- confidence that had been badly shaken by a series of scandals and audit failures. Everything else was an add-on.
The Act says that the Board’s mission is to oversee the auditors of public companies, protect the interests of investors, and further the public interest in the preparation of informative, accurate, and independent audit reports. We do that through inspections, standard setting, and enforcement.
While those things may sound like governmental functions, the Board is not a government agency. The Board is a congressionally chartered, private, not-for-profit corporation -- like the Boy Scouts. We are, however, under the oversight of a federal agency, the Securities and Exchange Commission. The SEC appoints the Board members; approves the Board’s annual budget; and must approve all of the Board’s auditing standards and other rules before they take effect.
Overseeing U.S. auditors requires coming to grips with the fact that there are really two auditing professions in the country -- a small group of mega-firms and a large group of smaller firms. In total, there are over 1,600 firms registered with the Board, and about 1,000 of those are U.S.-based. That is a far greater number of firms than we originally anticipated, and it reflects the breadth of the public company auditing practice in this country.
However, in terms of concentration, a very high percentage of the total public company market capitalization is audited by only a handful of firms. In fact, a 2004 GAO report found that just four firms -- the so-called Big Four -- audit nearly 99 percent of the revenues of all SEC registered companies.
While it surprises many, something similar is true of reporting companies. The SEC Advisory Committee on Smaller Public Companies found that the smallest 50 percent of public companies together account for only 1 percent of total U.S. securities market capitalization. The next largest 30 percent of all public companies account for only an additional 5 percent of total market capitalization. At the other end of the spectrum, the largest 20 percent of public companies comprise 94 percent of total market capitalization.
This profile of the auditing profession and the public company community poses some significant issues for the Board. We need to make sure that our regulatory activities take into account the differences between large and small auditing firms and their clients and that we do not use a one-size-fits all approach where it is not appropriate. These are not easy goals to achieve, but they are goals that guide the Board as we approach our responsibilities.
II. Inspections
Let me turn then to the specifics of our work. The Board is fundamentally an inspection body. SOX requires us to annually inspect accounting firms that audit more than 100 public companies. The registered firms that have at least one SEC client must be inspected once every three years. The Board must issue a report at the end of each inspection. We have issued nearly 300 inspection reports, including 2003 and 2004 reports on the largest firms. The 2005 large firm reports are in the works and should be released soon.
Naturally, the inspection process and the reports are of intense interest to accountants. But why should PCAOB inspections of auditors matter to directors? I think there are at least three reasons.
First, you may find yourself part of an inspection. Board inspections look at two things -- how the inspected firm performed particular audit engagements and what the firm’s quality control procedures are. As part of reviewing audit engagements, the Board examines auditor/audit committee relationships and may ask to interview the audit committee chair. Inspectors are not trying to assess the audit committee but instead the auditor/audit committee relationship. Inadequate audit committee communications are frequent deficiencies.
Second, Board inspections may affect your financial reporting. The review of how an auditor performed an audit is necessarily in part a review of the client’s financial statements. Audit committees may find that they are faced with accounting issues as a result of questions raised by the Board’s staff with their auditor during an inspection. For example, at least 20 issuers filed restatements because of GAAP issues identified in the 2003 inspections. If the Board concludes that financial statements are inaccurate or were prepared by an auditor that was not independent, we describe that in the inspection report and inform the SEC.
I think the lesson for audit committees is to make sure that you are informed if the Board selects your audit for review. If that occurs, your auditor should be asked to keep you up-to-date regarding the issues that the Board’s staff raises during its review. It’s a way to gain insight into what an external, disinterested expert thinks are the tough issues in your audit. In fact, on the no surprises theory, I understand that it is becoming common for audit committees to require in engagement letters that the auditor will inform the company if its engagement is selected for review in the PCAOB inspection.
The third reason directors should care about PCAOB inspections stems from the Board’s obligation to make findings concerning auditor quality controls. The NYSE’s listing standards require an audit committee to annually obtain and review a report on the firm's internal quality control procedures, including any material issues raised by professional authorities. Even if your company is not NYSE-listed, reviewing the Board’s findings with the auditor is a logical component of doing your due diligence over the relationship with the auditor.
Audit committees may want to ask the auditor, among other things --
- What did the PCAOB conclude about the auditing firm’s quality controls?
- Have any quality control defects the Board identified affected our audit?
- What is the auditing firm doing to remedy those problems?
Board quality control criticisms are, by statute, included in the non-public part of the inspection report, and auditors may be unwilling to provide the full text to clients. In my view, the important thing is to find out the substance of the quality control findings.
III. Standard-Setting
I want next to touch briefly on the PCAOB’s standard-setting activities. The Sarbanes-Oxley Act assigns to the Board the responsibility to establish the auditing and other professional standards that govern the work of auditors who report on public company financial statements. While most of our activities in this area are probably of more interest to auditors than to directors and audit committees, you may find two things on our agenda worth watching --
- Engagement Quality Review
SOX requires the Board to adopt an auditing standard on second partner review of audit opinions. These concurring partner reviews are a potentially powerful tool for improving audit quality. While most firms that audit public companies already have such a review, the Board’s small firm inspections suggest that they are not always as effective as they could be at spotting issues the engagement team has missed. As the requirements in this area develop, audit committees may want to start thinking in terms, not of “our engagement partner” but of our engagement partner and our review partner.
- Audit Committee Communications
Existing auditing standards require auditors to communicate certain things, in specific ways, to audit committees. It is likely that we will try to combine all of these existing requirements into one professional standard. A new auditing standard might also require an auditor to engage in discussions with an audit committee about risk assessment.
As we have certainly learned in the area of internal control auditing, auditing standards affect not just auditors, but also their clients. New standards have to be introduced carefully to avoid unintended consequences. I encourage you to participate in the PCAOB’s standard-setting public comment process to make sure we get it right.
IV. Internal Controls
Let me turn next to a topic that I probably don’t have to convince you is of interest to directors. In fact, it is currently perhaps the most controversial area of public company financial disclosure and the most important public policy issue facing the Board. That area is internal control auditing.
First, a bit of background. In Section 404 of SOX, Congress required public company managements to report annually on the effectiveness of their internal controls. SOX also required auditors to audit the effectiveness of the company’s controls and report on management’s findings. The PCAOB’s role was to adopt the standard under which auditors do this new work. That standard is known as Auditing Standard No. 2.
The SEC has put Section 404 into effect for roughly 50 percent of public companies, the so-called accelerated filers -- companies that have over $75 million in market float. 2005 was the first year of Section 404 reporting for those companies, and those with calendar fiscal years have now been through the process twice.
A fair amount of data is becoming available on the results internal control reporting.[1] As of March 31, 2006, 3,743 ICFR opinions for 2005 had been filed; there were 2,894 2006 reports. In 2005, 15.4 percent of these companies -- 576 filers -- reported material weaknesses. So far this year, that percentage has fallen by nearly two-thirds, to only 5.6 percent.
The material weaknesses disclosed run the gamut. Last year, nearly one-third of the weaknesses related to documentation, policies, and procedures, while nearly one-quarter stemmed from numerous or material audit adjustments. Inadequate accounting personnel resources were the next most common problem, at 14.9 percent.
In 2005, the most prevalent reporting areas to which weaknesses related were --
Taxes expense/deferrals 31.8 percent Revenue recognition 31.8 percent Inventory and cost of sales 27.4 percent Liabilities, payables and reserves (including lease accounting) 25.6 percent
A case can be made that this new focus on controls has resulted in more reliable financial reporting. Probably as a result of internal control reporting, the number of restatements rose to record levels last year. According to a Glass-Lewis study, about one in 12 public companies restated -- twice the rate of 2004. How internal control reporting affects investor confidence is, of course, open to debate. One very recent study supports the idea that the markets place a premium on effective controls. It finds increases in capital costs of about one percent for companies that report material weaknesses and comparable decreases in those costs when weaknesses are corrected.
To me, however, the issue is not so much whether there are benefits, but rather the cost of those benefits. Nothing good is free, and internal control auditing has come at a steep price. A recent survey conducted by CRA International finds that, for large companies, the total cost of Section 404 compliance in 2005 was $8.5 million; for smaller companies, it was $1.2 million. (The dividing line is above and below $700 million in market cap.)
These costs must decline if 404 reporting is to be a sustainable process. In its 2005 annual inspections of the largest firms, the Board included an evaluation of the effectiveness and efficiency of a limited selection of audits of internal control. In a report we issued on November 30, the Board found that both firms and issuers faced enormous challenges in the first year of implementation. There was a sort of perfect storm, arising from --
- the limited timeframe that issuers and auditors had to implement a wholly new kind of testing and reporting;
- a shortage of staff with prior training and experience in designing, evaluating, and testing controls; and
- the need for many companies to make significant improvements in their internal control systems to make up for deferred maintenance (while effective internal control has been a statutory requirement since 1977, the prospect of public reporting served to concentrate the mind on controls in a way that had never before occurred).
Audits performed under these circumstances were not as cost-efficient as they could have been. For example, the Board’s report on Year 1 finds that some auditors did not aim their testing at the areas of greatest risk. Instead, they spent too much time looking at the lower-risk areas. Similarly, some auditors did not use the work of others -- that is, management’s own testing through the internal audit function, to the extent permitted by AS No. 2.
These findings suggest there is a lot of room for improvement in the efficiency of internal control reporting and indeed 2006 seems to have been better from a cost stand-point. The CRA survey I mentioned earlier finds that, in 2006, total Section 404 costs fell 43.7 percent for large companies and 30.7 percent for small. While the absolute costs are still high, we are going in the right direction.
What does all of this have to do with directors? Internal control auditing affects audit committees in some direct ways. For example, an ineffective audit committee can itself be a material weakness. Interestingly, however, only three of the 3,000-plus reports filed last year cited such a deficiency.
More importantly, audit committees can take an active role in making the process more efficient. In this regard, the audit committee might consider using the Board’s November 30 Report as a road-map for discussion with the auditor. Some areas of discussion that flow from the statement include --
- How will the internal control audit affect the financial statement audit? In what way will the auditor integrate the two audits?
- In the auditor’s view, what are the “top-level” risks facing our company and how will those risks affect the audit plan?
- To what extent does the auditor plan to rely on the work of the company’s internal audit staff? How and why was this determination made?
- How will the auditor assure that its audit of internal controls focuses on areas most likely to result in a material misstatement of the financial statements and does not devote extensive time to low-risk areas?
For directors of companies that are not accelerated filers, this discussion may seem rather theoretical. The SEC has deferred internal control reporting for these smaller companies until mid-2007. And, you may have heard that the SEC Smaller Company Advisory Committee has recommended a longer deferral. The Committee’s Section 404 Subcommittee was chaired by a very thoughtful Minneapolis executive, Janet Dolan, the recently-retired CEO of the Tennant Company. I want to briefly outline some of the Committee’s recommendations to the SEC regarding 404 reporting.
The Committee’s report, which was delivered to the SEC at the beginning of this week, proposes that, “unless and until” a framework for assessing internal control over financial reporting for small and microcap companies is developed that recognizes the characteristics and needs of those companies --
- The SEC should exempt completely from Section 404 micro cap companies with less than $125 million in annual revenue and small cap companies with less than $10 million in annual product revenue.
- The SEC should exempt from the external auditor reporting requirements of Section 404 small companies with less than $250 million in annual revenues but greater than $10 million in annual product revenue, and microcap companies with between $125 million and $250 million in annual revenue. Company management would still have to assess and report, but there would be no auditor involvement.
Under the Advisory Committee’s definitions, microcap companies are those public companies with market capitalizations below $128 million. Small public companies are those with market capitalizations below $787 million. Together, these companies comprise the bottom 6 percent of total U.S. market capitalization. Factoring in the revenue tests, the Committee’s Section 404 exemption recommendations would affect over 70 percent of all public companies.
It is not clear whether the SEC will adopt the Committee’s recommendations, and in my view smaller companies should not necessarily assume that internal control reporting is going away. However, the Committee’s report does highlight some important issues, including the lack of internal control guidance for smaller companies, the fact that controls play a different role in smaller companies than they do in large multinationals, and that, with or without exemptions, the SEC and the PCAOB could do more to make the 404 process workable and cost-efficient for smaller filers.
Along these lines, the PCAOB and SEC will be holding a roundtable on May 10 to discuss second-year experiences with the reporting requirements of SOX Section 404 and the need for changes in the rules and auditing standard. It is hard to predict exactly what will come out of the May 10 Roundtable. But, I think you can count on several things:
- The Board will continue to do everything it can to focus internal control auditing on uncovering control weaknesses that have a reasonable possibility of leading to material misstatements in financial reporting. That may well require amending AS No. 2. We want to make sure that the framework in which internal control auditing occurs steers the auditor to high risk areas that have a real-world impact on reliable financial reporting and away from matters that are trivial or unlikely to have a material effect.
- The Board is going to be more aggressive in using its inspections program to make sure that internal control audits are performed efficiently. Beginning this year, our inspection staff will be concentrating on the efficiency of internal control auditing.
- There is a strong recognition that companies, especially smaller companies, need more guidance on structuring controls and on how to perform a control assessment. And, similarly, small company auditors need more guidance on how to tailor their AS No. 2 work to the unique circumstances of their clients.
V. Conclusion
In conclusion, while the Board doesn’t have authority over public company directors, our work has an important impact on the work you do. The Board has sought to shape its programs in a way that takes into account the diverse business community that is affected by our oversight of auditors. We have also sought to make sure that our decision-making is informed by the perspective of both large and small firms and companies.
We also recognize that we live in an increasing competitive global market, one in which decisions we make about regulation in the U.S. have ramifications across the world. We want to make sure that our decisions help the U.S. capital markets maintain their position as the strongest and most attractive in the world. Your input helps us better accomplish that goal.
Thanks. I would be happy to answer any questions.
[1] Source: Audit Analytics