Independent audits of public company financial statements are a cornerstone of the global financial system. Recent events, however, demonstrate that these audits are not up to the task of providing investors with assurance about the health and performance of the companies they invest in. What can be done to reform the audit system? The author examines the various root causes of poor audit quality and proposes several possible solutions.
Beginning with the passage of the 1933 Securities Act, Congress has required an independent audit for every publicly listed company in the United States. When Congress debated the 1933 Act, it discussed whether to have audits performed by employees of the government. Banks regulated by the Federal Reserve, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) are all examined by government-employed banking examiners. In the end, however, the 1933 Act required public company audits to be performed by a licensed CPA who is “independent.” Today, CPAs who audit publicly listed companies are regulated by both the SEC and its Office of the Chief Accountant as well as the PCAOB.
The independence of auditors and the effectiveness of regulators have been called into question. This article describes the impediments to audit quality and proposes solutions to them based on the author’s decades of experience as an auditor and regulator.
Continuing Issues with Poor Audit Quality
There continue to be issues with the quality of audits performed by CPAs. In October 2008, the U.S. Treasury Department’s Advisory Committee on the Auditing Profession (ACAP) issued a report with many recommendations for the SEC, PCAOB, and auditing profession. This committee of business leaders, investors, former SEC regulators, and CPAs studied the profession for one year before issuing its report, but today, more than 10 years later, few of the recommendations have been acted upon by the large audit firms or their regulators. As a result, it appears the Big Four have become “too big to fail.” In addition, many of those who are regulating these firms have come from them and, eventually, returned to them, as highlighted in the recent $50 million settlement reached by the SEC and KPMG.
The following are some of the continuing issues affecting the credibility and trust in the auditing profession.
Lack of independence.
Auditors view management of the companies they audit as their clients, not the public. It is important to audit partners that they maintain the “annuity” income received from the audit fees, as losing the revenue stream from a large company can affect a partner’s career. As a result, the need to maintain professional skepticism and a lack of bias conflicts with the need to maintain the annuity for the firm.
Management provides the audit firm with business opportunities to grow its revenues and profits, and most importantly, writes the check. Furthermore, audit committees too often delegate hiring and oversight of the auditor to management. Management and audit committees have often retained the same auditor for decades, even centuries, continuing to pay the annuity and receiving “clean” audit reports. Most disturbingly, auditors have testified in court that they do not have an obligation to detect material financial statement fraud and serve the public interest.
Management provides the independent auditor with the accounting records and financial statements (i.e., the numbers) to be audited. Then, upon request from the independent auditor, management also provides the auditor with the evidence to support the numbers. When auditors talk of using “Big Data” in an audit, too often they are testing data in a database created and maintained by management. As such, the numbers, evidence, and support come from the party that is the subject of the audit. It is doubtful that management is going to provide evidence that does not support the numbers it has created.
Unfortunately, GAAS does not specifically address the need for auditors to consider publicly available information that contradicts the information management has provided. Time and time again, it is this information that has resulted in analysts and other outside researchers bringing to light errors in financial statements and disclosures. And it is this information that auditors have failed to address in their audits.
The government mandates that management and the company must buy the audit, rather than the shareholders who actually own the company. In this respect, auditing of publicly listed companies is like a publicly mandated utility.
Lack of transparency.
Investors are not provided with the information necessary to determine the quality of the audits of the financial statements and disclosures of the companies they invest in and own. In that regard, investors are being asked to vote and ratify the selection of the auditor without the information necessary to make an informed decision. Investors are consistently told that audits have been done in compliance with GAAS set by the PCAOB, a misleading statement in light of the very high deficiencies in compliance with GAAS reporting found by the PCAOB and other audit regulators around the globe.
Lack of independent governance.
The large audit firms, which audit the vast majority of publicly listed companies in the United States as well as around the globe, all lack meaningful independent governance. This lack of governance, which is required for publicly listed companies, has resulted in low audit quality and poor performance.
Lack of quality.
Based on inspection reports from around the globe, audit quality is so poor that the International Forum of Independent Audit Regulators (IFIAR) called in the senior leadership from each of the six largest firms to discuss the issue. The IFIAR’s Global Audit Quality (GAQ) Working Group and the Global Public Policy Committee (GPPC) networks undertook an initiative aimed at reducing the frequency of inspection findings. In accordance with a target established by the GAQ Working Group, the GPPC networks seek to improve audit performance, as reflected in a decrease of at least 25%, over four years on an aggregate basis, in the percentage of inspected listed public interest entity (PIE) audits across the GPPC networks that have at least one finding. Nevertheless, the IFIAR’s 2016 inspection findings report stated, “Inspected audits of listed PIEs with at least one finding remained unacceptably high at 42%” (http://bit.ly/3aUM2sN).
Audit firms often say that deficiency rates are high because the regulators are cherry picking “high-risk” audits. In some, but not all, instances, this is true; however, one would also expect audit firms to assign these audits to their very best auditors, and as a result, there should be fewer deficiencies.
Finally, audit reports have failed to convey to investors—as well as audit committees—the auditors’ concerns, even when those same auditors know management and companies are violating laws and regulations. Such reports are required for auditors of government entities that receive federal funds, but are not required for audits of public companies.
Below are several ideas the author believes could address the current issues with poor audit quality. Some of these recommendations were put forward 10 years ago in the ACAP report.
Change the auditing regime.
Remove the current requirement in the Securities Acts that a public company must have an audit by an independent auditor, thereby eliminating the federal government mandate. Replace it with a market-based requirement that every five years, a shareholder proposal be included in the annual proxy that asks if investors want an independent audit of the financial statements. Accordingly, it would be made clear that independent auditors work for, and serve the public interest of, the owners of the company—investors. This author expects that investors would almost always vote for an independent audit, unless they saw little value in having one.
If the stockholders did approve the independent audit requirement, the audit committee—not management—would select and nominate the auditor. This responsibility could not be delegated to management. The stockholders would then be asked to vote on and approve the auditor. The audit committee—again, not management—would then be responsible for negotiating the fee to be paid to the auditor. The audit committee would submit a bill for the audit fee to the PCAOB as necessary during the course of the audit.
The PCAOB would collect a fee from each public company to cover the auditor’s bill. The board already has a mechanism in place for collecting the fees required from public companies.
The PCAOB could also require companies to tender their audits for proposal if it found the auditors had engaged in improper professional conduct, as defined in SEC Rule 102(e); had a material weakness in their own internal audit quality controls; or had significant deficiencies on an audit in which they had failed to comply with GAAS as set by the PCAOB. In no event would an audit firm serve as auditor for a publicly listed company for a period longer than 20 years (the duration currently permitted by the European Union).
Make the new audit report universal.
The new audit report adopted by the PCAOB should be required on all audits of public companies. This report requires the auditor to state and discuss critical audit matters (CAM). It also requires the auditor to include “a statement that PCAOB standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud.”
Unfortunately, the PCAOB exempted a wide swath of public entities and did not require communication of CAMs for audits of emerging growth companies; broker-dealers reporting under the Securities Exchange Act of 1934 Rule 17a-5; investment companies (e.g., mutual funds), other than business development companies; and employee stock purchase, savings, and similar benefit plans.
If auditors, through their audit work, become aware of a violation of some law or regulation that could have a material impact on the financial statements or operations of a company, they should be required to disclose it in their report, just as an auditor of a governmental agency subject to the GAO’s “Yellow Book,” Generally Accepted Government Auditing Standards, is required to do.
Include forensic segments in all audits.
In August 2000, the SEC’s panel on audit effectiveness, chaired by former Price Waterhouse chairman Shaun O’Malley, recommended that each audit include a forensic segment. Consideration should once again be given to this recommendation, including establishing within GAAS the need for auditors to consider publicly available information that contradicts the evidence management has provided them.
Include audit quality indicators.
The disclosure of audit quality indicators should be required for each report on which an auditor’s opinion is provided to investors in the company. These indicators should be disclosed in the company’s proxy as part of its audit committee report to investors. Audit committees should also be required to disclose, either in the proxy or in the charter of the committee, their procedure for periodically tendering the audit. Audit firms should already be measuring audit quality on individual audits if they are in fact managing audit quality; audit inspection results from around the globe, however, suggest this is not occurring.
Improve the transparency of the PCAOB.
The PCAOB inspects a very small percentage of the audits of publicly listed companies each year and provides a public inspection report to each firm with its findings. For the audits inspected, the PCAOB inspection reports are perhaps the best indicator of audit quality today, yet the PCAOB has refused to provide the name of companies being audited, claiming that the Sarbanes-Oxley Act of 2002 (SOX) prohibits this. That assertion is false, however, as there is no language in SOX that prohibits the disclosure of the names of companies whose audits are inspected. What SOX does prohibit is disclosure of investigations and enforcement actions taken by the PCAOB with respect to a poor audit. In May 2002, Senator Paul Sarbanes (D-MD) agreed to an amendment prohibiting public disclosure until the PCAOB enforcement action is final, at the request of the audit firms and Senator Mike Enzi (R-WY), who was negotiating on their behalf. Harvey Goldschmid, who would shortly thereafter become an SEC commissioner, and this author pleaded with Sen. Enzi not to make this change, as enforcement actions taken by the SEC are not private, but are in fact public. Senators Jack Reed (D-RI) and Chuck Grassley (R-IA) have subsequently introduced legislation, supported by the PCAOB in the past, to reverse this change and make the actions public. Unfortunately, in the meantime, audit firms have used this provision to appeal and delay actions against them; when the action is finally completed, they often make a public statement that says the final PCAOB action is years old and should be ignored.
End auditor rotation.
Currently, the law requires that an audit partner be rotated off as the lead audit partner for a company after no more than five years. This is to provide a “fresh set” of eyes to the audit, according to the congressional record. There can, however, be many partners on an audit, and it is not uncommon to find the lead partner rotated off and one who has been on the audit in the past rotated into the lead partner position. As a result, there are still incentives for partners not to bring up new problems from the past. Given the reforms cited above, this requirement, which has significant costs associated with it, could be eliminated.
Make auditors reporters.
Require each auditor of public companies to issue an annual report containing the following:
- Financial statements prepared in accordance with Generally Accepted Accounting Principles (GAAP). This is important to assessing the financial health of audit firms, which have become “too big to fail” as demonstrated by actions of law enforcement agencies and regulators.
- A discussion of the firm’s quality controls regarding all aspects of the audit, including independence; hiring, training, and supervision; performance of audits; selection and retention of clients; and testing and enforcement of quality controls.
- A discussion of firmwide—as opposed to individual audit engagement—audit quality indicators.
- A description of the firm’s governance structure, process, and procedures.
The European Commission already requires large audit firms to provide a report with some of this information. U.S. audit firms do publish annual reports on their own, but these disclose very limited financial information, as well as little information on governance, accountability, and performance measurement.
Audit firms that audit more than 100 public companies should be required to have independent directors or members on their governing boards.
Audit firms also need to abandon the “pyramid” scheme they use for staffing and adopt a paraprofessional model like that used in law firms. The pyramid structure has resulted in talented, but young and inexperienced, staff being assigned to perform audit procedures with respect to business transactions that they are ill prepared to examine and challenge.
All CPAs should be required to have a master’s degree in accountancy. Large audit firms currently encourage students to leave school and begin their careers before receiving a master’s; this is disappointing in that it highlights a lack of commitment to education. Actions speak louder than words.
Finally, the SEC should revise its definition of an audit committee financial expert. The SEC should clarify that audit committees may not delegate this responsibility to management, which is often done today.
A New Beginning
The indications that the current audit regime is not working are overwhelming. Neither the public interest nor the needs of investors are being served by the auditor-client relationship as it exists. This author believes that the reforms suggested above represent advances that would help the auditing profession become a trusted, independent watchdog of public companies’ financial information.