Reliable financial reporting and high quality auditing is very important; it’s critical to investor protection, critical to trust in our system, and critical to the effective functioning of our capital markets and our economy.
I’m very happy to be here to give you some updates on what’s going on at PCAOB and some of the challenges that we have as a regulator and that firms still face.
Audit Quality
One of the big questions is, “Where are we in terms of audit quality all these years after the establishment of PCAOB? Are we there yet?”
The quick answer is no. But we’re seeing some glimmers of hope and I think we need to think about where we go next. Firms have to think about it, and we, as a regulator, need to think about it. We were in a serious crisis back in 2002 when the Sarbanes-Oxley Act was passed. The board’s immediate goal when it began operations in 2003 was to restore confidence, because the system, the economy, and the markets were in crisis. Some of the staff who were onboard refer to this period as a time where they were just trying to stop the bleeding. PCAOB programs had to be established very quickly.
As PCAOB started to gain experience, it started to refine and evolve some of its approaches. It is very clear that audit quality has significantly improved since the passage of the Sarbanes-Oxley Act and the implementation of audit regulatory oversight. But it’s hard to prove that. There are some indicators out there and we can point to those.
Anybody who has done a lot of auditing knows that it’s hard to measure and monitor all the professional judgment and the qualitative factors that come into play while it’s happening. But the firms are experimenting.
There’s still need for improvement, obviously. I recently read a blog which said that reading these inspection reports is like Groundhog Day. But I think we’re starting to see some progress. Each of the larger firms are at slightly different points on this journey. Unfortunately, in the small firm space we still find a few firms each year that do not get it. They usually go into our enforcement function, and we’ve removed a fair amount of firms from the system of public company auditing as a result.
Last year at the AICPA conference, Helen Munter, our Director of Registrations and Inspections, reported that overall audit quality is better. She identified five key areas where we’ve seen improvements, including tone at the top, targeted and focused training being provided to staff, new audit practice aids and checklists, coaching and support to audit teams, and monitoring the quality of the work performed. Monitoring allows adjustments to be made early rather than waiting and finding deficiencies later.
She also reported five areas that continue to be challenging for firms and where she’s looking for further improvements. The first is the recurring audit deficiencies that we find year after year. The second is remediating quality control problems that we find and that are reported in Part Two of the inspection reports. We also want to implement and maintain a root cause analysis of the causes of audit deficiencies.
I think a lot of firms are finding that after they take care of the training, the methodology, and some of the technical issues, they’re still running into problems. And they’re finding that it’s coming down to project management. For example, when the client gets the information to the auditors late, then the auditors aren’t able to keep their schedule, and things tend to fall apart.
And finally, monitoring auditor independence issues, we heard about some of those this morning from the SEC. Unfortunately these independence issues are still fairly prevalent in broker-dealer audits. We’ve seen some improvement in the broker-dealer audit space but there is still room for improvement. We and the SEC have also been taking enforcement actions in these cases.
The Inspection Approach
There’s no doubt in my mind that the inspection program has been a strong driver of some of these improvements that we’re seeing in audit quality. The changes that firms are making to their quality control systems are starting to yield fewer audit deficiencies and less severe audit deficiencies. If you read PCAOB inspection reports over time, you’ll see that in some cases they appear to be longer. This is because instead of finding that a firm did virtually no audit work on the area of revenue, the firm did these five things but missed three other things, and therefore the revenue audit work was not sufficient. We’re seeing findings become a bit more granular.
For three of the Big Four, the most recent reports show that the percentage of inspected audits with deficiencies declined from 2013 to 2014. We expect to see similar progress in the 2015 inspection reports for the other large firms that we inspect annually.
Our approach to date has been designed based on a risk-based selection of audits. Basically we select the highest risk audits, and then we look at the highest risk areas of that audit based on financial statement area and audit work that is the most difficult or involves the most difficult or inherently uncertain areas of the financial statement. When our inspectors are thinking about whether there is a systemic quality control problem in the firm, they look at how many deficiencies they found in various areas and then combine it with some testing of the firm’s quality control system.
But any group of auditors and accountants would know that this risk-based selection approach that we’ve been using is not representative. We’ve been criticized by academics for that, and sometimes people question our high deficiency rates. They say, “Well, of course you’re finding lots of deficiencies, you’re looking at the most difficult things.” But this is an expedient way of allocating our inspection resources when it is these high-risk areas that will have high levels of deficiencies. But when those deficiencies start coming down, is it still efficient to put so much effort into looking at individual audits, or should we shift our effort? That’s some of the thinking that we’re doing at PCAOB.
One potential change that we’re exploring and beginning to implement is selecting audits for inspection on a broader basis than the current risk-based approach. Not necessarily purely random, but more random than what we’re doing. This would help us know what the rest of the audits look like in a firm. Some predict that the results from inspecting those audits would be a lower deficiency rate, because maybe they’re not as risky. Others say, we’ll find a higher deficiency rate because the firms are really putting all their time and effort and resources into the risky things. We don’t know, and I guess we’ll find out.
Another potential future change could be changing the focus of inspection procedures, to look at fewer audits but really look harder at that quality control system. If a firm is having very few deficiencies because the quality control system is functioning, it makes sense to put effort into looking at that quality control system, because if everybody is looking at that system, then presumably deficiencies or weakness could be detected earlier and fixed earlier, and that would protect investors.
I don’t think we’ll ever get away from looking at individual audits. The real question is, “Where do we put our efforts in these various areas?” And frankly, it could be different at each firm.
This follows the same theory that auditors use when considering the effectiveness of internal controls in determining the level of substantive testing needed. This kind of approach also follows the approach that many other professions use.
Enforcement
Let me switch gears to talk about our enforcement program. We do a lot of coordination with the SEC on cases. It’s very important for us to have a strong enforcement program to back up the rest of our oversight programs. Our enforcement program has also evolved over the years as we’ve learned more and found new and emerging risks.
In 2015, the board issued its first order in which the respondent admitted to the violations. Also for the first time in 2015, the board applied its relatively new policy, and we did not pursue disciplinary action against a firm because of their extraordinary cooperation.
The Division of Enforcement and Investigations is also enhancing its use of data analytics in its processes for identifying enforcement matters and prioritizing cases. It is getting very sophisticated and it’s very exciting to be able to use this in various programs. Over the years, the enforcement division has successfully removed many firms and individuals with serious misconduct from the issuer audit space. Through March of this year, the board has publicly announced 125 sanctions against firms, with 64 revocations of firms’ registration, so they can no longer perform audits of issuers. It has also made 112 sanctions against individuals, resulting in 86 bars and 11 suspensions.
The division has a number of priorities. One of the priorities is cross-border audits. One is lack of independence and integrity in the audit, and another is a lack of professional skepticism associated with serious audit deficiencies.
In addition, noncooperation with the board’s inspection processes or enforcement proceedings—which includes altering audit documentation prior to an inspection or an enforcement proceeding—is also a priority. We’re starting to focus more on these cross-border audits, and I think you’ll see some more action.
The PCAOB’s Future Agenda
We’re working on trying to improve our process, so part of that is finishing the projects we’ve been working on for a very long time.
In December we approved rules dealing with transparency of the audit partner’s name and the other firms involved in the audit. We’ve also since put out a proposal on improving the supervision of audits involving other auditors. This will be very important in the international space, where the firm affiliates are doing work for a U.S.-based firm and going in the other direction as well.
In the very near future we’re going to put out a re-proposal on the auditors’ reporting model. [Editor’s Note: On May 10, 2016, the PCAOB announced that its rules were approved by the SEC and that implementation guidance would be forthcoming.]
There’s no doubt in my mind that the inspection program has been a strong driver of some of these improvements that we’re seeing in audit quality.
We do have a number of other projects on the list that we’re moving on as well. By the end of the year, you should expect to see something on auditing/accounting estimates and the auditor’s use of the work of specialists. We’re coordinating very closely with the IAASB [International Auditing and Assurance Standards Board] on those. I think that the quality control standards are going to be a critically important project. I don’t know if we’re going to do a project on going concern; the staff is still studying that. One other thing we’ve done to try to improve our standards setting process is hiring a consultant to review the process from top to bottom. That consultant is also very involved with looking at the SEC’s oversight of our process. We’re looking at everything from environmental scans to emerging issues; improving our interaction with the standing advisory group and the investor advisory group, with preparers, audit committees, and others to get feedback into our standards setting process.
We’ve also been doing economic and risk analysis and research. These functions have developed over the years at the PCAOB, and they’re becoming quite sophisticated. Our Office of Research and Analysis has been exploring innovative technical approaches to data analytics. They’ve been building databases, building different types of analyses to guide inspection, enforcement, and standards setting. They also look at risks and emerging trends that could lead to increased audit work or audit risk, and they’ve also conducted a series of studies looking at the risks posed by the business models of the firms, and that’s really been fascinating. And the board is now contemplating that in terms of our oversight.
We’ve got high concentration in the audit market and we’ve got these business models that could also add risk. The board is analyzing that research currently. We hope to actually publish something sometime in the future. I think it’s good for the market to understand these risks and how we view them.
The Office of Research and Analysis also had a big project on audit quality indicators, which will continue into the future. It had 28 potential audit quality indicators that might be useful. The plan now is to whittle that down to a smaller number that might be useful and maybe put some definitions and criteria around them, so that if firms and audit committees choose to use these audit quality indicators, they’re using them on a somewhat consistent basis. At this point, I don’t see us mandating their use. I think it would be better to let audit committees and audit firms use these and add context. But that could change in the future.
Questions from the Audience
An audience member asked if there were different profit models for each of the three large units—audit, tax, and advisory—within the Big Four, and if there is a significant risk difference between the “tiers” of audit firms.
When I look at the landscape of public company auditing, the Big Four and their global affiliates audit about 98% of the market cap for the companies listed in the United States—and then what you’re calling the next tier probably does about another 1.7%. I’m not going to comment on the differences in their business models.
I think the real trick is getting the right auditor with the right client to reduce audit risk. We see a lot of good things happening in the large non–Big Four firms. They’re in different situations. You know, some of the advantages that some of these non–Big Four firms could use to reduce risk is that they’re smaller, and therefore can more easily monitor what their people are doing, and can change culture faster.
We’re working to improve quality and reduce risk across the system even though some of these firms are very different.
Another audience member asked about the inspection of broker-dealer auditors.
We’ve had an interim inspection program for brokers and dealers for a number of years. The Dodd-Frank Act gave us the authority to oversee the audits of brokers and dealers after the Bernie Madoff scandal. And the SEC has also recently changed its reporting rules and, in my view, greatly improved them.
We’re looking at everything from environmental scans to emerging issues; improving our interaction with the standing advisory group and the investor advisory group, with preparers, audit committees, and others to get feedback into our standards setting process.
We’ve been doing an interim inspection program through all this. We wanted the SEC to get its rules changed and then we changed our rules for audits of brokers and dealers. We wanted to let all of this flush through the system before we designed a permanent program, and we wanted to learn about the current state of auditing in that broker-dealer space.
We do not put out individual inspection reports, but each year in August we put out a summary report. The vast majority of the audits had some kind of problem. The independence problems were very high.
It’s interesting because the auditors in that space thought that they were required to follow AICPA rules, not SEC rules. That was a common misconception.
We are starting to design different alternatives for a permanent program, and we’re hoping to get a proposal from the staff by the end of this year.
The final question from the audience concerned whether there are plans for the PCAOB to issue their reports on a more current basis.
It’s been one of my biggest frustrations since coming to the board. I never knew really what year I was looking at when I was reviewing an inspection report. We are working with the firms and we’re trying to get these reports out on a more expedited basis.
Unfortunately, there are some things that are just beyond our control. For example, firms just don’t get back to us. Of course, we’ve got kind of a cumbersome internal process as well, which we’re trying to improve. But I agree with you, the quicker we can get this stuff out, the better, especially when we’re dealing with the detection of deficiencies.
