EDITOR’S NOTE: This article is an edited and condensed transcript of Mr. Panucci’s remarks at the conference.
Three new commissioners were appointed in 2018, the last one being Commissioner [Elad] Roisman. That put the Commission at a full five members, though Commissioner [Kara] Stein’s term is up, so she may be leaving shortly.
Chairman [Jay] Clayton has been on board for roughly six months. He’s been engaged with his agenda. I think first and foremost is what he calls the Main Street investors or Mr. and Mrs. 401(k). He thinks about it whether you’re talking about policymaking or enforcement activity. He also talks a lot about having the right balance of our three-part mission, which is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.
One of the projects that was finalized recently was the disclosure simplification program, meant to reduce or remove redundant and outdated disclosures, simplifying things for preparers without taking anything away from investors.
The Office of the Chief Accountant, or OCA, provides the accounting and auditing advice to the Commission and the other divisions and offices. If there are accounting or auditing matters as they relate to rule making that other divisions and offices may be working on, if there are complicated corporation finance matters that come up through the comment letter process, or difficult enforcement consultations, the OCA is involved.
The accounting group also has a big role in oversight of FASB; they’ve obviously been busy, especially with new GAAP. When you think about the revenue, leases, and the CECL [Current Expected Credit Losses] standard, they’re taking a lot of pre-filing consultations directly with registrants.
And then there’s the Professional Practice Group, or PPG. We focus more on the auditing side, but we also have responsibilities for internal controls over financial reporting. And if there’s any rulemaking or guidance, we have the lead as it relates to auditor independence. We also spend a lot of time assisting the Commission in its oversight of the PCAOB. Some of those responsibilities include approving the annual PCAOB budget; approving any PCAOB rulemaking, including standards setting; and appointing and replacing board members.
The Commission appointed a new PCAOB board in December 2017, including the new chairman, Chairman [William] Duhnke. The new board’s been in place since about April, and we think they’re off to a great start.
We want to make sure we coordinate where appropriate. We’re trying to speak with one voice. We’re trying to do more external things together so people see how we work behind the scenes. It’s easy to do that because we have the same goal: improving audit quality. And this is about building upon the success of the previous boards. I think everybody acknowledges the PCAOB has done a lot to improve audit quality, and this is about continuing that process.
The new board is reassessing its programs and operations. I think Chairman Duhnke outlined it well in one of his speeches where he noted that audit quality has improved, but there’s also been some plateaus, especially around certain firms. How do they help those firms continuously think about improving audit quality? We’ve talked a lot about how the PCAOB has reached maturity. It’s a good opportunity to ask whether the programs and operations have kept pace. I think that’s another reason why the board is going through the reassessment.
The reassessment doesn’t mean everything changes. If things work well, we expect them to continue to do it. If things need to be tweaked or changes need to be made, we expect the board to take those on. The new board could easily have come in and said, “We’re the new board,” done an internal assessment, made changes, and reported out publicly where appropriate. That’s not what they’ve done. They’ve done it through extensive outreach, internal and external. It really came together with the strategic plan that was finalized in November. We’re very supportive of those goals and objectives.
One question Chairman Duhnke highlighted in his recent speech is, how do we help companies and auditors get it right the first time? That’s the best protection for investors. That doesn’t mean the detective methods are less important or they take a back-seat. When you think about enforcement and inspection, you want to make sure that bad behavior is held accountable. But how do we improve those preventive methods?
Current Priorities
Getting into some of the PPG’s activities, I wanted to touch on three things: internal control over financial reporting, implementation around the new auditor’s report, and auditor independence.
On internal control over financial reporting, I wanted to touch on two things. First is the importance of the evaluation of control deficiencies. Over the last couple of years, I’ve done a lot of presentations with management, and I’ve seen management focusing on what it means to have good controls. When management sees benefits of good internal controls and sees them as more than just compliance, that’s when controls have the best chance to succeed.
Recently FEI [Financial Executives International], through its CCR [Committee on Corporate Reporting], issued two documents around leases and CECL, thinking about good controls. Obviously, those documents are nonauthoritative. And they are asking for feedback, because this is a new process for them. I think it will be important for them to get that feedback, but certainly we support management promoting good controls and consistent reporting.
When we think about internal controls over financial reporting, one thing we try to talk a lot about is, the more management can define their policy processes and controls upfront, the better the chance of them having consistency in financial reporting. It can really help mitigate against unintentional errors, and intentional errors as well. Thinking in terms of fraud, inappropriate management bias, or just management override, the more people are part of developing a process, understand it, and see that it’s consistent, the better the chance of accepting the results, whether positive or negative. It’s certainly harder to override them.
Evaluation of control deficiencies is an area we have not spoken about a lot recently. We’ve seen improvements in this area, and we continue to see improvements. A few years ago, it seemed like the only time there was a material weakness was when there was a material misstatement; that’s not the case anymore. But we did have an enforcement matter over the past year, and other things that made us think it would be a good idea to give some reminders around the evaluation of control deficiencies.
We’ve seen some situations where management and auditors have identified a deficiency, and there was actually a material misstatement, but they have tried to say the severity of that deficiency was something less than a material weakness. That gets difficult when you think about the definition of material weakness: that is, is it reasonably possible there’s a material misstatement? When one has actually already occurred, we’re going to have a lot of questions and most likely object if the evaluation of that deficiency is something less than a material weakness.
Then we get into the evaluation around potential magnitude. Obviously, the most important part of this is defining the control deficiency, because if you don’t define it appropriately, it’s hard to do a good magnitude analysis. You’ve got to understand what the root cause is so you can understand what accounts, disclosures, or classes of transactions are impacted. Every once in a while, we’ll go back and forth with the registrant, and how they’ve defined the deficiency may change.
But then also once it’s defined, there can be information that is part of the evaluation process that management may not be including. For example, there might be multiple errors and they net to something immaterial, but if you look at absolute value, they all went the same way. The question becomes, would management detect it then? And it very well could be material. Those are some things that we ask questions about.
The New Auditor’s Report
Obviously, we’re interested in monitoring implementation around the auditor’s report as well. Round one is done, but the harder part is yet to come. Right now, it’s the reporting of the critical audit matters (CAM). Our understanding is there’s a lot of effort on the dry runs, and firms are trying to touch many large accelerated filers instead of just the ones they have to do in 2019. The audit committees of those companies, if they’re not seeing it, they’re asking for it because they see the benefits of the dry run.
We’re starting to get some feedback, but certainly continue giving it, especially if there are questions around how to execute the standard or the guidance around it—because that can help inform our communications, whether from an SEC perspective or a PCAOB perspective.
We want to be coordinated with the PCAOB. We want to make sure that we speak with one voice. If appropriate, we’ll work on things together. We certainly don’t want to create mixed messages and confusion in the marketplace; that reduces the chance of a successful implementation. We’ll certainly keep up-to-date with other divisions and offices within the SEC.
Independence
The last area I’ll touch on is auditor’s independence. We continue to get a number of independence consultations, both formal and informal. Most of them come from audit firms, but not always. Sometimes we get them directly from companies, whether for the audit committee, management, or outside counsel. We welcome any participation by the company.
We always talk about this being a shared responsibility. Certainly, firms are going to make sure they stay independent. But management is going to want to make sure they get involved as well, because we’ve all seen situations where there had to be a change in auditors or a re-audit. That can have a big impact. In our formal consultations, we’re not only going to look for the auditor’s conclusion; we want to know what the audit committee’s conclusion is for that shared responsibility.
We also talk about it in a preventive mindset. A lot of our consultations are transaction-driven, and there are IPOs [initial public offerings] or other reasons for which SEC and PCAOB independence is needed. We want to make sure management, audit committees, and auditors are coordinated. If those transactions are being contemplated, the best practice is to start the SEC and PCAOB independence roles early, because then you could avoid the violation altogether.