What to Expect from the PCAOB and the Impact on Preparers
Good Afternoon,
First, thank you for inviting me back again this year to talk about the activities of the Public Company Accounting Oversight Board and how our work might affect your companies and your work in financial reporting.
Before I go further, I should tell you that the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.
Background
As you probably know, the PCAOB was created by Congress through the passage of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley Act") to oversee the audits of public companies in order to protect investors and the public interest by promoting informative, accurate, and independent audit reports The PCAOB began operations in April 2003 and has four main responsibilities:
1. Registration of public accounting firms that audit public companies or broker-dealers;
2. Inspections of registered public accounting firms;
3. Setting of auditing standards for the audits of public companies and broker-dealers; and
4. Investigations and disciplinary proceedings in cases where auditors may have violated certain provisions of the securities laws or applicable standards or rules.
In order to achieve our mission, we have a staff of over 800 employees, which work in in sixteen offices around the country. The majority of our employees work in our core program areas in the Division of Inspections and Registration, the Division of Enforcement and Investigations or the Office of the Chief Auditor. In addition to our administrative offices, we also have an Office of International Affairs and an Office of Research and Analysis, both of which provide important information and assistance to the Board and staff.
The PCAOB is led by a five full-time Board members, each of whom is appointed by the U.S. Securities and Exchange Commission ("SEC") to a five year term (with a maximum of two terms permitted). As mandated by the Sarbanes-Oxley Act, two of the five Board members must be Certified Public Accountants, and I was appointed in 2011 to fill one of these CPA positions. We operate under the oversight of the SEC, which, in addition to appointing Board members, must approve our budget and any rules and standards issued by the Board.
Currently, almost 2200 firms are registered with the Board, including over 900 foreign firms from 85 jurisdictions. Of these firms, over 650 firms regularly conduct audits of issuers and approximately 750 firms audit brokers-and dealers (with many firms doing both).
Since commencing operations in 2003, the PCAOB has, among other activities:
- Conducted over 2500 inspections of firms that conduct audits of issuers, including inspections in 44 jurisdictions outside the United States;
- Conducted over 175 inspections of auditors of broker-dealers under an interim inspection program that began in 2010;
- Issued 18 auditing standards and substantially amended a number of others;
- Sanctioned dozens of firms and individual auditors for violations of applicable federal laws, auditing standards, and SEC or PCAOB rules, including barring or suspending firms or individuals from practicing before the Board, imposing censures, monetary penalties, and other sanctions; and
- Issued public reports summarizing inspection findings, staff audit practice alerts to provide insight into common audit deficiencies or difficult audit issues, and other publications intended to provide information to the public and transparency about our work.
With that brief background in mind, I would like to provide a little more detail about some of our current work that may be of interest to you.
Inspection Reports
First, let me say a few words about inspection reports. As you may know, we issue two types of reports. The first type is the firm-specific inspection report issued after every inspection of a firm that audits issuers. Part of this report — which discusses certain findings related to issuer audits — is made publicly available on our website (though it does not identify the issuers inspected). The other part of the report — often referred to as Part II — discusses weaknesses and deficiencies in the audit firm's system of quality control. This part of the report remains non-public, except to the extent the firm does not sufficiently remediate the deficiencies within 12 months after issuance of the report. After considering their remediation efforts, we have, in the last few years, made public some portion of the Part II for five of the six largest audit firms (as well as dozens of smaller firms).
The second type of inspection report we issue, under PCAOB Rule 4010, are public reports that summarize our inspection findings over time or in a particular audit area, such as internal controls over financial reporting or engagement quality review.
When I first joined the Board four years ago, our focus in the inspection reporting area was to try to issue our inspection reports more quickly and on a predictable schedule. As I mentioned last year at this conference, we have made significant progress in that regard, though we continue to strive to improve. More recently, we have focused on evaluating and improving the content of our reports.
One improvement to our firm-specific inspection reports over the last year has been to include references to auditing standards related to each of the deficiencies cited in the public portion of the report. We have also heard, especially from audit committee members, that it would be useful for the PCAOB to provide more context around our inspections data overall, particularly with respect to our large firm inspection reports. We have been asked to provide summaries of frequent findings or high risk areas, financial statement areas associated with findings, and more information about the universe of audits inspected, such as the industries or the size of companies we inspected or where we have the most findings. We are currently working on the format for our large firm inspection reports for the 2014 inspection year, and I am hoping that we can include more information along these lines in our reports. I also continue to hope that we can devise a way to differentiate the findings by severity in the reports.
Last year at this conference, I discussed the Board's practice of using the phrase "audit failure" in our inspection reports to describe findings where the staff believed that auditors, in one or more areas of the audit, did not gather sufficient audit evidence to justify their opinion on the financial statements or the effectiveness of internal control over financial reporting. I found it troubling that we referred to audits with such deficiencies as "audit failures," because — given the use of the term "audit failure" in other contexts — our reports appeared to be causing confusion about whether our findings meant that a company's financial statements were misstated, or that the audit opinion had been or should be withdrawn, or that we had found a problem in the company's internal controls.
I am pleased to report that the Board decided to discontinue — starting with the 2013 inspection reports issued during 2014 — the use of the phrase "audit failure" in our public inspection reports. Instead, we now try to use language that explains more clearly what our findings mean: that the auditor did not gather sufficient audit evidence before the opinion was issued and therefore issued the opinion without satisfying the fundamental obligation to obtain reasonable assurance about whether the financial statements were free of material misstatement and/or the issuer maintained effective internal controls.
Looking forward, we continue to consider other improvements, including to our summary inspection reports under PCAOB Rule 4010. We have already started down this road by providing executive summaries of these reports, including information about potential root causes of audit deficiencies, and suggesting possible questions audit committee members may want to raise in response to our findings. I would like to see us continue to improve these reports, including, for example, by maximizing the analysis of what the findings mean and why they should matter to auditors, investors and audit committees. I am also hopeful that we can move toward providing information about what auditors are doing right, rather than focusing our reporting primarily on observed deficiencies, especially in the areas where firms successfully remediate quality control deficiencies.
Audit Committee Outreach
I also mentioned last year that the Board began a few years ago to increase its outreach to audit committees in order to better understand how we can be helpful to them, as they go about fulfilling their obligations to oversee the audit on behalf of investors. Over the last few years, Board members and senior staff from the PCAOB have attended and made presentations at many audit committee gatherings — large and small — where we have provided information and listened to feedback.
So what have we learned from these meetings? First, it is clear that many audit committee members take very seriously their duties to oversee the audit and to help ensure integrity and accuracy in the financial reporting process. The audit committee members who have engaged with us are well-informed, experienced and interested in what we do. They are also very busy, as the scope of work assigned to audit committees continues to increase. Therefore, one of the key messages from audit committees to us has been that any information we can provide should be provided on a very timely basis (i.e. when we become aware of an issue, rather than a year later after all of our formal reporting has been completed) and in a format that is brief, clear and tailored toward audit committee members. This has been the impetus for some of the changes you may have seen in our public documents, such as executive summaries and information to help audit committees respond to our findings. In addition, we are working on ways to provide audit committee members with more timely and targeted information about relevant risks and concerns.
Audit committee members also have expressed concerns about the scope and impact of our work. Some worry that we are needlessly driving a "compliance mentality" among auditors, especially those who are younger and less experienced. This, they believe, drives up audit costs without providing additional value or enhancing audit quality. Some audit committee members also are concerned that our inspectors may be engaged in standard-setting through inspections, imposing requirements beyond what is required in the standards issued by the Board and approved the SEC.
On the latter point, let me assure you that we have a rigorous quality control process. Comment forms reviewed carefully before they are issued to an audit firm after an inspection, and firm responses to comment forms sometimes satisfy the staff's concerns about a particular audit issue. Inspection reports subsequently go through multiple layers of review within our Inspections Division, General Counsel's Office, and Office of the Chief Auditor and are carefully reviewed by Board members before they are issued. We make a strong effort — and I believe we generally succeed — in backing up our reported findings with specific auditing standard requirements. It is my hope that the newly added citations to specific sections of those standards will help convey more clearly what our concerns are with respect to each inspection finding.
With regard to the concern that our actions are driving a compliance mentality, we and firms have to be diligent to avoid this as much as possible. As firms are trying to drive audit quality, often through remedial measures implemented in response to our inspection reports, firms have provided more training, imposed more firm specific requirements, and demanded more documentation from their audit teams. In general, these are positive steps that have positive results. I would caution auditors at all levels, however, about the danger of trading in their judgment and experience for compliance with documentation and check-list requirements. Check-lists, practice aids, audit guidance and similar documents can be helpful tools for auditors to work through complex issues and to avoid missing important steps, but they should not replace the judgment that is crucial to the performance of an effective and efficient audit. This is an issue that we at the PCAOB will be mindful of, as we move forward with our 2015 inspections and remediation discussions with firms, as well as in the context of our standard setting activities.
Outreach to Preparers
As we have increased our outreach to audit committee, we likewise are trying to make sure that we hear from preparers of financial statements, people like you, who are often on the receiving end of the actions auditors take in response to our regulatory activities. My fellow Board members and I have been able to meet with groups of preparers through organizations like Financial Executives International, the Institute of Management Accountants, networks of controllers organized by audit firms or corporate governance organizations, meetings organized through the U.S. Chamber Commerce, and a variety of other meetings and conferences.
What we hear from the preparer community often echoes what we hear from audit committees. Some believe that our actions are causing their auditors to spend more time than necessary on "busy work" or "check-the-box" compliance activities without adding much value to the audit process. Others believe that we are bringing back the more burdensome "Auditing Standard No. 2" in audits of internal controls, which was superseded in 2007 by Auditing Standard No. 5. We also hear that some auditors may not be performing effective risk assessments, but rather are treating all areas as a risk in order to avoid a PCAOB finding.
Recently, the U.S. Chamber of Commerce issued a publication called "FAR — Fix Add Replace — Agenda 2015."[1] In this document, the Chamber urged the PCAOB, among other things, to "avoid rote check the box policies," "end regulation through enforcement," and to conduct an effective cost-benefit analysis in the context of standard setting.
While it can be painful, I appreciate hearing critical comments and believe it is important that we continue our dialog. We take seriously concerns about inefficiencies and adverse consequences on companies, and we will continue to work toward the right balance between regulations intended to enhance investor protection and unnecessary burdens on auditors and issuers. I personally would welcome a "deeper dive" dialogue with preparers and their auditors to better understand what activities are not adding value to the audit.
Standard-Setting
Finally, let me say a few words about some of our current standard-setting projects that may be of interest to you.
Auditor's Reporting Model
One of our highest profile projects relates to the auditor's reporting model. After conducting extensive outreach and concluding that investors and the public would like auditors to provide more information about the audit, we issued a proposal in August 2013 to require auditors to discuss in their reports so-called "critical audit matters." These were defined in the proposed standard as those matters addressed during the audit that (1) involved the most difficult, subjective or complex auditor judgments; (2) posed the most difficulty to the auditor in obtaining sufficient appropriate evidence; or (3) posed the most difficulty to the auditor in forming the opinion on the financial statements.[2]
We received hundreds of comment letters on this topic and held a public round table discussion in April 2014 to facilitate further discussion about a possible way forward. In commenting on the proposal, some suggested the requirements do not go far enough to require the auditor to report the information that investors want. Others suggested that most of the matters to be discussed in the audit report would largely duplicate disclosures already included in the financial statements or management's discussion and analysis; while yet others expressed concern that the auditor might disclose original information about the company that applicable SEC rules and regulations do not require or explicitly allow the preparer not to disclose. Finally, some skeptics wondered if the end result of the changes to the auditor's report will be limited to the addition of new "boilerplate" language to the report that ultimately will not be helpful to investors. And many ask whether this requirement would simply add to what some already consider information overload in public company disclosures.
Auditor reporting is also an issue that has received attention internationally. As you may know, the International Auditing and Assurance Standards Board ("IAASB") — which issues International Standards on Auditing that are used in many countries around the world (but not in the U.S.) had a similar project on the auditor's reporting model. After several rounds of outreach and public comment, the IAASB recently adopted a standard requiring auditors to discuss so-called "key audit matters" in the auditing report, along with certain other information about the auditor's independence and responsibilities, as well as enhanced reporting by auditor's on going concern.[3] Key audit matters are those matters that required significant auditor attention during the audit and may include areas of higher assessed risk of material misstatement, areas in the financial statement that involved significant management judgment, and significant events or transactions, among others.
Likewise, the United Kingdom's Financial Reporting Council adopted requirements for enhanced auditor reporting in 2012, including that auditors:
- Describe those assessed risks of material misstatement that were identified by the auditor and which had the greatest effect on the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team;
- Provide an explanation of how the auditor applied the concept of materiality in planning and performing the audit; and
- Provide a summary of the audit scope, including an explanation of how the scope was responsive to the assessed risks of material misstatement and the auditor's application of the concept of materiality, as disclosed in the auditor's report.[4]
Currently, the PCAOB is considering the comments received on our auditor's reporting model proposal, as well as monitoring auditor reporting in other countries under the new requirements. I expect that we will issue a re-proposal of a standard governing the auditor's report later in 2015. It is likely that our revisions will result in a narrower, more focused requirement that would facilitate the disclosure of only the most relevant information about the audit, while not crossing the line into areas that are within management's responsibility. I encourage all preparers to take a fresh look at the reproposal and offer suggestions to improve the workability and usability of the approach.
Supervision of other auditors
Two other projects that may be of interest to many of you are the project on the supervision of other auditors and a separate project on the supervision of specialists.
With regard to other auditors, the Board currently is considering possible standards relating to the enhanced supervision of other audit firms or individual accountants by the audit firm issuing the audit report. This is an important area in light of the increase in companies with global operations, requiring the use of auditors around the world. Under current standards, there are multiple approaches for the oversight of such other firms or auditors, and the Board has observed varying levels of audit quality in the work performed by other auditors and varying degrees of supervision by the firm issuing the audit report. Therefore, the Board is considering whether to revise standards governing the use of other auditors to create a single, comprehensive framework, and we anticipate issuing a proposed standard, and related amendments, sometime in 2015.
Supervision of specialists
Similarly, the Board is reviewing the auditing standards governing the supervision of specialists — including valuation specialists, lawyers, geologists and other non-auditors that provide information relevant to the audit. Because we believe that we need first to understand better the way in which auditors and companies currently interact with specialists, I expect that the PCAOB's Office of the Chief Auditor will issue a staff consultation paper on this issue in the near future. Our hope is to elicit information that will help us determine whether and how to go about drafting potential new standards in this area.
Fair Value
A project that is closely related to our work on the supervision of specialists is our work on PCAOB standards related to auditing accounting estimates and fair value measurements. Last year, the PCAOB staff issued a staff consultation paper to assess the potential need for changes to the PCAOB standards in this important area and to develop a possible approach for the Board's consideration. We also held a special meeting of our Standing Advisory Group last October to seek further input, and we have received forty comment letters in response to the consultation paper. We currently are evaluating the comments received and expect that the staff will recommend a possible standard setting approach to the Board sometime in 2015. Because many specialists used by auditors are valuation specialists, it is important that our work on the supervision of specialists be closely coordinated with our work on standards governing the auditing of management estimates, to ensure maximum effectiveness and efficiency in affected audits.
Because these standard setting projects are likely to impact your audits and your auditors, I encourage you to ask your auditor what the potential changes could mean for your engagement. To keep an eye on or work — you can sign up on our website for email alerts that will keep you informed of our standard setting progress. And I urge you to send us comments on our proposals to explain how they may impact your company.
With that, let me thank you again for asking me to be here today, and I would be happy to take questions now or informally during the break.
[1] See U.S. Chamber of Commerce, Fix, Add, Replace (FAR) Agenda 2015 (March 3, 2015).
[2] The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses and Unqualified Opinion; The Auditor's Responsibilities Regarding Other Information in Certain Documents Containing Audited Financial Statements and the Related Auditor's Report; and Related Amendments to PCAOB Standards, PCAOB Release No. 2013-005 (Aug. 13, 2013).
[3] See IFAC, IAASB Issues Final Standards to Improve Auditor's Report (Jan. 15, 2015).
[4] See Financial Reporting Council, ISA 700 (UK and Ireland) (Revised) The independent auditor's report on financial statements (June 4, 2013).