Before I talk about the state of audit quality, I want to provide a quick snapshot of the PCAOB. The Sarbanes-Oxley Act [of 2002] was, in my view, a very clean act as far as what our responsibilities are: We have a registration function, an inspection function, enforcement, and standards. Having been at GAO all those years, I saw a lot of authorizing legislation for different programs that were very messy and needed a lot of interpretation, but we got very clear instructions in the Sarbanes-Oxley Act as to what we needed to do.
Since 2003, we’ve grown from zero to 876 budgeted staff for this year. Several of the board members have been calling for a stop to this growth and to evaluate our programs, and how we can do things more efficiently, and that’s what we are doing now. We probably will come in under our budget as well.
In 2017, we plan to do 195 inspections of audit firms. Ten of those are firms that we inspect annually because they have 100 or more audits of issuers. Of the others, 130 are triennial U.S. firms and 55 are triennial foreign firms. We also have our interim broker-dealer program going on right now, which will go to 75 firms and look at 115 audits there.
2015 Inspection Results
The Exhibit shows the inspection results for the U.S. Big Four firms, and these lines represent the percentage of issuers inspected that ended up in Part 1 of our inspection reports, meaning that we found audit deficiencies, such that we thought that the auditor did not do enough work to issue the opinion. The good news here is, we’re finally starting to see a downward trend. I should say that for the smaller firms, the ones that we look at triennially, 49% had no Part 1 deficiencies—so there’s a lot of good news with the small firms as well.
Overall, we have seen significant improvements in audit quality. We’ve seen a reduction in the number and severity of Part 1 findings, and we’ve seen the large firms dedicate significant resources toward remediating deficiencies and improving quality control systems. We’ve also seen improvements in tone at the top, coaching and support to audit teams, and training and monitoring of audit quality. These are real improvements to those quality control systems that can then—if they’re operating effectively—help keep the deficiency rates down and prevent deficiencies going forward.
Currently, the challenge for the larger firms seems to be consistency of execution across teams, coming down to a people problem in a lot of cases. The firms have put in place training tools and technical guidance, and some teams do a very good job and others don’t. The firms are really taking a look at some of the inputs, people, staffing, and resources to try to get that consistency of execution.
Interestingly, another thing that they’ve discovered is that project management—not only managing the audit itself, but also managing the client—seems to be extremely important to audit quality. For instance, if the client is struggling with a difficult estimate or question, or a difficult accounting area, and therefore getting the whole package to the auditor later than the auditor wanted, the auditor takes on all kinds of risk by not having enough time to do a proper audit.
We’ve seen a lot of small firms doing high-quality work, taking their responsibility very seriously, and working closely with our remediation staff to get insights into whether various types of remedial efforts would help solve these issues. For the most part, we’ve really seen a good focus on audit quality backed by actions and resources.
Our inspections division is studying root causes of good audits and root causes of bad audits. We faced some criticism in the past that we always focus on the negative, but you can’t understand the root cause of a negative outcome unless you also can contrast that to a positive outcome. Firms are doing that as well. I’m hoping that at some point, some of this information can be made public, because I think there’s a lot of learning going on both at PCAOB and within firms.
Unfortunately, across the system, we still see firms that need significant improvements and others that are serious outliers. 2016 was a record year for our enforcement division in terms of numbers of cases, and this year there’s been a tremendous amount of activity as well.
One of the risk factors that we’ve found has been audit quality across the global networks—in other words, in the global affiliates of the large firms—we’ve had some spectacular enforcement cases there. We’ve also got a standards-setting project on the supervision of other auditors that should strengthen the standards in that area. Our transparency rule will also call for the disclosure of the use of other firms, and we’re hoping that all of these things together will produce results.
The way firms are set up, the global structure of the global entity might be in some cases limited in terms of what they can tell the firms to do. But that’s changed, I think, based on some of the cases we’ve seen and some of the risks that are out there. And we see the U.S. firms really taking the lead in trying to influence quality across the global networks.
The good news is the number and severity of frequent findings—auditing of ICFR [internal control over financial reporting], auditing of estimates, including fair value measurements, and assessing and responding to the risk of material misstatement—is going down. Our inspectors are currently focusing on risk assessments in the current round of inspections, because if a firm doesn’t get that process right, it does impact the rest of the audit.
Audit Quality Indicators
I’m happy to report that we’ve actually seen significant advances in the area of audit quality indicators [AQIs] since the board issued its concept release on AQIs on July 1, 2015. That release discussed possible uses of a group of 28 potential AQIs, related to audit inputs, audit processes, and audit results.
The real objective of our AQI project was to start a discussion about indicators or metrics that could be used on a regular basis to monitor and help ensure audit quality to get out of the mode of looking at everything after the fact. We received 50 comment letters on the concept release, with a wide variety of viewpoints. These were potential indicators to start a discussion.
At this point, we’re encouraging and monitoring the use of AQIs by firms, audit committees, other regulators, and academic researchers, as well as the firms’ root cause analyses. We hope to publish a report, maybe later this year, with observations that we’ve seen about AQIs in our remediation and root cause programs, including a discussion of the potential benefits.
Some firms are actively deriving and using these types of metrics based on their own analyses of their audit outcomes and determining what works and what drives quality. To me, that’s fantastic news, and we hope to continue the discussion and take it to the next level. We’ve also seen AQIs gain momentum among audit committees and firms. PwC put out an Annual Corporate Director Survey in 2016 where 58% of the respondents said that they use some type of AQIs or something similar when overseeing their auditor.
The Center for Audit Quality [CAQ] also released an updated version of its external auditor assessment tool in April 2017. It offers evaluation questions for audit committees to consider asking about certain thematic areas of audit quality, and this builds on a previous publication that they had put out on the use of AQIs. We’re also seeing a number of other audit regulators around the world using AQIs in their audit oversight programs, and there are many resources and reports out there now on the topic of audit quality indicators. This is all great news in my view, and I’m hoping that, as I said before, we can put something out to continue to advance the use and discussion on these issues.
Finally, PCAOB staff work in this area is helping to inform a current standards-setting project dealing with firms’ systems of quality controls.
Randomization of Audit Quality Inspections
Another development is a project that we’re calling “randomization.” When we say “randomization,” we’re really referring to several different efforts to get a better statistical feel for the state of audit quality in a big firm, or even across firms. As a former auditor, and somebody who had to do a lot of statistical sampling and projection, this is really exciting for me.
Our previous approach of risk-based selection was done so that we didn’t have to look at so many audits, but it also involved the riskiest audits and the riskiest audit areas. It was designed as a remedial approach, intended to encourage firms to address identified weaknesses and related quality control issues while keeping our inspection numbers manageable.
When I was here last year, I talked about the possibility that, as those deficiency rates come down, our inspection focus may need to change to look at the quality control system. But in order for us to do that, we need to have a better idea of the state of audit quality within a firm. So we are now selecting some non–risk-based audits for inspection and some random selections in addition to our risk-based selections. We are also estimating the probabilities for the risk-based selections, and we have actually gone back and done those estimations for some prior year data as well. When you put this all together, you can do a statistical projection; I’ve seen one round of results, and it’s really fascinating.
I think our statisticians would like another year’s worth of results before they decide whether we should publish anything or how we should use this, but it’s a very good advance in terms of our own analytical capabilities. The results will be useful for better understanding the state of audit quality within an individual firm, but we could also do it for different groups across the firms, such as the S&P 500. Wouldn’t that be great to have?
This also helps us assess the effectiveness and efficiency of a risk-based selection process, looking at the risk-based results compared to the ranges of the statistical projections and looking at whether that makes sense given what we think we’re accomplishing with risk-based selection. The Canadians did an interesting experiment a couple of years ago where they backed off from their risk-based approach with the larger audits and they looked at a different group of audits that was not risk-based. For two of the Big Four firms, the deficiency rate went up, and for two of the firms, the deficiency rate went down. I guess it was dependent on how the individual firms were managing to the inspection process or managing to the riskier audits.
Continuing Technological Developments
We’ve heard some about the impact of technology this morning. I think there is a potential for serious disruption to traditional approaches to auditing and to the staffing models in firms, based on some of the technologies and different techniques that are being experimented with. Some firms have told us that they’re very close to deploying data analytics, artificial intelligence, automated testing of entire populations of transactions and controls. At the same time, the financial reporting side may also be significantly disrupted, not only by those technologies, but also things like distributed ledgers and blockchain.
My colleague on the board, Lou Ferguson, likes to say that “the accounting profession might become Uberized.” I think what we need to do is be positioned to evolve, because even with all of these changes, the profession still has a very important role in our capital markets and our system of providing assurance. There is an awful lot that can’t be solved by technology. Professional judgment requires people—experienced people—making good judgments to help protect our capital markets.
I also think the role of management, internal audit, and external audit might be challenged through this process. Right now, you’ve got the audit firms developing all kinds of technologies to look at large groups of transactions and find anomalies. If you’re in management, why would you want to wait until your external audit to find this out? There might be some kind of shaking out between who’s going to use what types of technology to achieve high-quality financial reporting and assurance. The profession needs to be poised to embrace this change—and frankly, so do educators.
Current Standards Projects
I’ll briefly discuss our standards-setting projects. Of course, we’ve got the auditor’s reporting model out there. We’re pretty much ready to go on this. But because it’s the biggest change ever to auditors’ reporting, we believe it’s prudent to wait until the new chair of the SEC is in place so we can get him briefed before we send it over to the SEC.
We’ve also got a couple of other proposals that are getting close to ready to go. Auditing accounting estimates, including fair value measurements—we’re looking at finding a date to put that out. Along with the auditors’ use of the work of specialists, we’re hoping to put those two out very close to each other because they are related. And, of course, our transparency rule is final now, so engagement partner names and the other auditors participating in the audit are currently being put into Form AP on our website; that will become effective June 30.
We’ve also enhanced our standards-setting process. I shouldn’t say it’s new, but it seems new to me because we’ve improved governance over the process. The previous approach was, if a board member pounded his fist loud enough on the table, something would get on the agenda, and then the staff would figure out what to do about it.
Now we’ve got a very formal process of getting input from a wide range of stakeholders to decide whether there are issues out there that might require standards setting. We’ve currently got a list of about 15 issues, and we decide which ones we should dedicate resources to right now.
These are the four that are currently on our research agenda: a quality control standard; use of data analytics and technologies in audits; the auditor’s role regarding other information, including company performance measures and non-GAAP measures; and finally, the auditor’s consideration of noncompliance with laws and regulations. We are actively doing research and outreach on these issues, and the staff will ultimately come to the board with a recommendation on next steps.
The Continuing Challenge of Diversity
We’re facing a lot of challenges going forward, and a key driver of audit quality is the quality of talent in the auditing workforce. Unfortunately, diversity in the accounting profession continues to be dismal, especially at the top levels, despite many years of initiatives. We need some type of systemic approach that actually makes a difference.
And I want to commend the CAQ for having this be a topic of its symposium last August, where the leaders of the largest firms in the profession acknowledged the slow progress and the challenges and the need to do something different. The diversity discussion was part of a much larger discussion about talent in the profession. We’ve got empirical evidence that continues to come out to support diversity as a driver of effectiveness. Whether it’s audits or audit committees or boards of directors, the research just keeps coming out on this. I think, unfortunately, the profession has tried a lot of the same things over and over, and guess what? We’re not getting different results.
I do believe this is a crucial area for the sustainability of the profession as we go forward and as we try to tackle many of these challenges.
Questions and Answers
Norman Strauss, conference moderator: Why are firms doing so poorly on diversity?
If I had that answer, I could leave the board and charge them a high price to solve the problem.
Some of it starts in the colleges and universities. If you look at the AICPA’s statistics, already at that level certain groups are not well represented in the students who are studying accounting and then available to take the CPA exam.
I don’t know what’s going wrong in the upper levels of the firms. I think in terms of advancing diverse candidates, it is an historical problem and it takes a little while, but to me that’s an excuse. I know that all the firms are concerned about this, and frankly, similar problems exist in the financial services industry and at the top levels of corporations. But again, that’s no excuse to say, “We’re just as bad as everybody else, so therefore we can live with it.”
Audience member: How do you define diversity in accounting, and what does the PCAOB plan to do to promote it?
I tend to bring it up and use my bully pulpit a lot. We meet with firms on a wide range of topics, and we’ve now made that a semiregular topic on the agenda, asking what kind of progress are they making in terms of promoting women into partnership positions and promoting and nurturing diverse talent.
Diversity can have many different meanings, and I like to use all of them mushed together. I think, if you’re really going to be inclusive, you need to be inclusive. I go to a lot of universities and also speak with professors about how they’re handling things. The PCAOB doesn’t regulate diversity, but because I believe it is an element of quality, and it’s very important to the profession, we as a board have certainly taken that on.
Strauss: In past years, there was tension between auditors and the PCAOB regarding the scope of inspections. What do you think the current status of that is?
There was a lot of tension in the system, especially after we started drilling down harder on ICFR auditing and finding a lot of deficiencies. And there is a whole long sad story there about ICFR; AS [Auditing Standard] 2 came out and it was too detailed, and then PCAOB had to put out AS 5, which basically said, “pull back and do top-down, risk-based.”
Then several years into that, PCAOB started inspecting for, “Are you following the standards?” And with that new emphasis came a lot of audit deficiencies, and suddenly auditors were finding themselves in the uncomfortable position of having to tell their clients, “What we did last year was not sufficient, and we need to do things differently this year because of the PCAOB.”
That filtered up through audit committees, and we’ve been having a lot of dialogue with audit committees and preparers on these issues. And firms have said it’s an unacceptable answer to blame the PCAOB, because it basically shuts down and does not allow for productive conversation. There should be some tension in the system, but CFOs and audit committees and auditors should be having honest discussions about what work is necessary.
In some cases, when we find deficiencies in the auditing of ICFR, the reason the auditor was struggling is because the client actually had a material weakness. That’s a really difficult conversation for an auditor to have. We’ve seen a significant number of ICFR opinions get pulled when we come in and find a deficiency. I think that a lot of this is working out and rationalizing, and there is still some tension out there. But I think there will always be some tension between auditing and financial reporting; otherwise there is probably something wrong.
Audience member: How do you see automation and artificial intelligence impacting the size of audit teams?
If, in fact, artificial intelligence and other automated tools are being used to do some of the otherwise rote type of work that the staff auditors do, you now need more experienced people to be able to deal with the output from those processes. I think there is potential for these different processes to impact the audit team size and composition.
We are monitoring this very carefully because we’re not sure where some of this stuff fits into the standards. Some of these techniques could be considered risk assessment techniques; going through a big population of transactions and spitting out the risky ones, is that a risk assessment process? Do you use that to determine how much substantive testing to do? In some cases, it may actually be a test of automated controls; in other cases, it could be a substantive test. Depending on where it fits in our standards, do our standards give enough guidance?
In some cases, it comes down to the fundamental question of what is sufficient appropriate audit evidence when you’re getting your audit evidence through processes that have never been used before. That’s the real big impact. And that’s why we’ve got this on our research agenda, because standards setting is notoriously slow. What we don’t want is a gap with a lot of uncertainty or duplicative work. There is a fear out there that firms might do the standard compliance approach to meet the old standards, while also doing some of these automated techniques. That would be very inefficient and ineffective.
The above is an edited transcript of her remarks. The views expressed are her own and not necessarily those of the PCAOB, the board members, or the staff.