It has been nearly two decades since the creation of the PCAOB in response to a series of major financial reporting failures. But today, some have questioned the agency’s raison d’etre. The author reviews the history of the PCAOB inspections and audit quality initiatives. He argues that although progress has been made over time, much more needs to be done. The board is integral to the future of audit oversight and the continuing improvement of audit quality.
Almost 20 years ago, a crisis in confidence in financial reporting led Congress to pass the Sarbanes-Oxley Act of 2002 (SOX). SOX marked the beginning of a new era for the auditing profession in the United States. The act ended self-regulation and ushered in independent oversight under a new organization, the Public Company Accounting Oversight Board (PCAOB). The law also expanded the scope of auditors’ responsibilities by requiring auditors to opine on the effectiveness of internal control over financial reporting.
The PCAOB has made considerable progress in fulfilling its mission of furthering the public interest in the preparation of informative, accurate, and independent audit reports. However, in its 2021 budget, the Trump administration proposed abolishing the PCAOB and transferring its responsibilities to the SEC. To evaluate this idea, it is useful to review why the PCAOB was created, what it has accomplished, and how it should evolve. Rather than jettisoning the PCAOB, there are several practical steps that would strengthen the board and enhance its effectiveness.
The Birth of the PCAOB and its Inspections Program
SOX created the PCAOB in the wake of a series of financial reporting failures. Beginning in the late 1990s, revelations of accounting frauds and accompanying investor losses frequently dominated the headlines. In 2001, Enron announced that its financial statements could no longer be relied on; in mid-2002, WorldCom filed what was then the largest-ever U.S. bankruptcy, following disclosure of its history of financial reporting fraud. These events severely shook confidence in the audited financial information upon which capital markets depend. SOX sought to rebuild that confidence. The cornerstone of the SOX oversight regime is the PCAOB, and the cornerstone of PCAOB oversight is its inspections program.
SOX directs the PCAOB to annually inspect audit firms with more than 100 public company clients and to inspect other firms that regularly audit public companies at least once every three years. It requires a public report on the results of each inspection, but says little about how inspections should be performed or about the content of inspection reports. The law does, however, put some limits on inspection reporting. It provides that information received by the PCAOB in connection with an inspection is confidential and that criticisms of, or potential defects in, firm quality control systems are not to be made public unless the firm fails to address those deficiencies to the board’s satisfaction within one year.
In late 2002, the initial PCAOB board members—including this author—began to discuss how to turn the statutory blueprint into a working inspection program. One of the early decisions was that the board should conduct inspections in its first year of operations. This was an ambitious goal because, at the time, the board had no staff, no offices, no protocols for inspections, and no idea how the profession would react. We also decided that inspections should focus on the most challenging aspects of the most challenging engagements, not on reviewing all facets of an audit or on random sampling as an engagement selection method. This approach seemed more likely to uncover problems and drive improvements in audit quality.
In its early days, the PCAOB also devised a reporting framework to inform the public about inspection results within the limits SOX places on disclosure. Under that framework, deficiencies in individual audits are described in the public portion (Part I) of a firm’s inspection report in enough detail to give the reader an understanding of the problem, but without violating the SOX confidentiality provisions. Quality control criticisms and defects are laid out in Part II, which is not initially made public, per the SOX requirements.
Based on these foundational decisions, in 2003 the board conducted limited inspections of the four largest U.S. accounting firms. Reports on these first inspections were issued in mid-2004; since then, the board has inspected thousands of audits and issued more than 3,200 reports.
Inspections and Their Impact
Many accounting firms were initially somewhat dismissive of the PCAOB’s inspection findings. Typically, the inspected firm would submit a brief letter for inclusion in its report; this essentially stated that auditing requires the exercise of judgment and that the engagement deficiencies cited in the report merely reflected differences in professional judgment between the board’s staff and the firm. Gradually, however, this began to change. At least five factors caused the PCAOB’s inspection program to significantly impact public company auditing.
First, the board adopted a new standard on audit documentation. Auditing Standard (AS) 3, now codified in AS 1215, requires workpapers to document the procedures performed, evidence obtained, and conclusions reached with respect to all relevant financial statement assertions. The workpapers must provide this documentation in a manner that would “enable an experienced auditor, having no previous connection with the engagement” (such as a PCAOB inspector), to understand the nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached.
The need to memoralize the audit in workpapers that tell the full story of how it was conducted, in a manner that another auditor could understand, has resulted in more thoughtful auditing.
AS 3 creates a presumption that undocumented work was not performed. That presumption can only be overcome by “with persuasive other evidence,” subject to the limitation that “oral assertions and explanations alone do not constitute persuasive other evidence.” In the inspection context, this means that it is difficult, if not impossible, for firms to convince inspectors that, despite inadequate workpapers, the audit was properly performed. The need to memorialize the audit in workpapers that tell the full story of how it was conducted, in a manner that another auditor could understand, has resulted in more thoughtful auditing.
Second, the board decided that inspection reports should call out audit deficiencies, regardless of whether a deficiency could necessarily be tied to a material error in the financial statements. PCAOB inspectors do occasionally uncover auditing defects that, in turn, expose financial statement errors that lead to restatements. Fundamentally, however, a deficiency in Part I of a PCAOB inspection report indicates that, at the time the firm issued its audit report, it had not obtained sufficient appropriate audit evidence to support the opinion. Delinking the deficiencies cited in inspection reports from financial reporting failures puts the focus on the auditor’s responsibilities, not management’s.
Third, the board demonstrated that it took firm quality controls seriously and that, if firms did not do so as well, the public would know. In 2006, the PCAOB began to disclose inspection report Part II quality control criticisms of firms that failed to remediate satisfactorily. In 2011, portions of a Part II from a Big Four firm were made public for the first time, and other large-firm Part II disclosures followed shortly. Although the PCAOB has generally accepted firm remediation steps that reflect at least substantial progress, it has disclosed all or a portion of Part II in more than 300 cases—approximately 10% of inspection reports. The result has been that firms devote substantial time and resources to addressing the deficiencies in their systems of quality control cited in their inspection reports, and those systems are stronger today.
Fourth, the board used its inspection program to put teeth in the SOX requirement that auditors assess and report on the effectiveness of the audited company’s internal control over financial reporting (ICFR). The ICFR audit requirement became effective for accelerated filers in 2004. Initially, the PCAOB took a light touch to this new aspect of public company auditing; in 2010, however, the inspection program began to focus on the ICFR component of the audit and to identify deficiencies in inspection reports. Since 2010, the great majority of the engagements cited in Part I of the large firms’ inspection reports have involved an ICFR audit deficiency. (In the 2017 inspection cycle, 26% of the engagements that the PCAOB inspected for the six largest U.S. audit firms were found to have a deficiency in the ICFR audit, and 84% of all engagements included in Part I for these firms had at least one ICFR audit deficiency.) In response, auditors have increased the time and effort devoted to ICFR, which in turn has put pressure on companies to deepen their control assessments and to improve the documentation of their control processes.
Although this emphasis on ICFR has imposed costs on reporting companies, controls over financial reporting are stronger and more effective today than in 2002. At the same time, ICFR auditing has become more risk-based, and more focused on meaningful testing of key controls and clear documentation of the results. Stronger ICFR auditing has led to better auditor understanding of controls that in turn, provides a better foundation for the financial statement audit.
Fifth, the PCAOB built a worldwide inspection program. SEC reporting companies often have significant offshore operations, and a significant number represent foreign private issuers. Accordingly, accounting firms based outside the United States, including affiliates of major U.S. firms, perform, or play an important role in, many audits over which the PCAOB has jurisdiction. From the beginning of its inspection program, the board recognized that these firms should be held to the same standards as domestic auditors. To do that, PCAOB concluded that it needed to inspect them with the same rigor as domestic firms—not defer to home country regulators that were not necessarily versed in U.S. auditing and reporting requirements.
Obtaining the ability to conduct on-the-ground inspections in other countries has required years of negotiation; in fact, China continues to refuse to admit PCAOB inspectors. Nonetheless, the investment in international inspections has paid dividends. A review of the early foreign firm inspection reports shows that, in many cases, their SEC registrant audits did not conform to U.S. standards. PCAOB inspections put a spotlight on these problems and forced improvements.
Has the PCAOB Improved Audit Quality?
These PCAOB initiatives have worked together to strengthen auditing. Most CPA firms soon concluded that, instead of arguing about inspection deficiencies, the better course was to accept the board’s findings and take steps to correct things. Particularly at the large firms that audit the vast majority of public company market capitalization, PCAOB inspection remediation has evolved into a sophisticated effort to identify the root causes of audit deficiencies and to design system changes to address them.
Although this emphasis on ICFR has imposed costs on reporting companies, controls over financial reporting are stronger and more effective today than in 2002.
Audit quality is hard to define and hard to measure, but most observers—including the major accounting firms—would likely agree that quality is higher today than it was in 2002. While not a perfect surrogate for quality, the frequency with which audited financial statements are subsequently restated has fallen sharply over time. Research firm Audit Analytics has reported that the number of restatements reached an 18-year low in 2018. Overall, only 6% of public companies restated their financial statements in 2018—the lowest percentage since Audit Analytics began tracking restatements. Similarly, in fiscal year 2019, the SEC brought 108 enforcement actions that were classified as “Issuer Reporting/Audit & Accounting” cases; by contrast, in 2002, it brought 199 such cases. Moreover, investor confidence in audited financial reporting appears to be at high levels. According to the Center for Audit Quality’s most recent annual survey, in 2019, 78% of retail investors expressed confidence in audited financial information, and 83% had confidence in public company auditors.
The bottom line is that, although more progress is unquestionably necessary, the quality of public company auditing is better today than it was when the PCAOB was created in 2002. Auditors know that, for any public company engagement, there is a real possibility a PCAOB inspector will review their work with an expert eye. This may have increased the level of stress associated with being a public company auditor, but it has also increased the incentives to perform the audit in a way that will withstand scrutiny. Audited financial reporting is more reliable as a result.
Should the PCAOB Continue to Exist?
Despite all it has accomplished, the PCAOB has been subject to criticism, and there is debate about whether it should continue to exist in its current form. Certainly, audit failures still occur too frequently, and the number of deficiencies uncovered in inspections is disturbing. Some argue that the board has done too little to improve audit quality and not been tough enough on accounting firms when auditing breakdowns are uncovered. In contrast, others argue that the PCAOB has been too aggressive, that auditors are now motivated largely by fear of PCAOB inspectors, and that a keep-the-regulator-happy mentality drives up audit (and internal control) costs out of proportion to any benefits. Furthermore, the PCAOB’s reputation was seriously marred in 2018 when three former staff members were indicted for providing a Big Four firm with confidential information concerning the audit engagements the PCAOB was planning to inspect.
Eliminating the PCAOB would be a mistake. There is considerable risk that the progress of the last 18 years would be lost in the process.
Against this background, the 2021 Trump administration budget proposed eliminating the PCAOB and folding its functions into the SEC. The supporting documentation does not argue that abolishing the PCAOB and asking the SEC to do its work would make auditing oversight more effective. Instead, the justification is regulatory streamlining. The budget notes that the SEC already “has the authority to impose disciplinary action, including for public accounting firms that are also overseen by PCAOB” and accordingly, that consolidating the PCAOB’s functions in the SEC “will reduce regulatory ambiguity and duplicative statutory authorities.” In 2020, Congress did not pursue the President’s suggestion that it abolish the PCAOB as a cost-savings measure. However, the board’s critics have not gone away, and the idea may well re-emerge in the future.
Eliminating the PCAOB would be a mistake. There is considerable risk that the progress of the last 18 years would be lost in the process. The SEC has a long list of responsibilities, and audit oversight would inevitably receive less attention and resources if it became just another item on that list. The idea that there is duplication and overlap between the SEC and the PCAOB is overstated. Although there is some potential overlap in their enforcement powers, the SEC oversees the PCAOB, and in practice, the two agencies have not duplicated effort. More importantly, the SEC does not inspect audit firms or promulgate auditing standards. While the SEC could be given the necessary authority and could begin this job, it would take years to rebuild what the PCAOB has created; even then, these tasks would not be the SEC’s primary focus. The likely results would be that confidence in audited financial reporting would fall back to its pre-PCAOB levels, the cost of capital would rise, and the efficiency of the capital markets would suffer.
The Future of Audit Oversight
This is not to say that the PCAOB should continue to do business as usual. For the PCAOB to achieve its mission in a rapidly changing world, some shifts in its authority and approach are necessary. Some of these would require congressional action, while others can be implemented by the PCAOB on its own. I would start with five priority items:
- Shine sunlight on enforcement. The PCAOB is often faulted for the level of its enforcement activity. Whatever one’s view of how and when the board should use its enforcement authority, there is a serious structural flaw that limits the utility of PCAOB enforcement. Today, SOX requires that PCAOB enforcement actions be nonpublic until the conclusion of the case—and, if the PCAOB loses, that the case remain nonpublic forever. Nonpublic proceedings encourage delay, discourage settlements, and deprive the public of a real-time understanding of the kinds of auditing lapses that the board believes require sanctions. Congress should amend the law to end enforcement secrecy and make PCAOB enforcement actions—including SEC enforcement actions—open to the public, beginning with the decision to bring a case.
- Make inspection reporting more informative. PCAOB inspection reporting should provide a better understanding of the overall quality of the inspected firm’s audit practice. Today, while the PCAOB tries to discourage it, there is a tendency to evaluate firms by counting the number of Part I findings in inspection reports. This occurs because the board provides few other metrics to judge quality. The PCAOB has stated that one of its strategic goals is to develop audit quality indicators—objective factors that correlate with the quality of audit services. These should be integrated into inspection reporting as a way of putting engagement deficiencies in context and providing the public with a better sense of the quality of a firm’s audit practice. A public quality grade would also create new incentives for firms to improve.
- Adopt new quality control standards. In the long run, improving audit quality requires firms to improve their quality control mechanisms. The foundation for stronger quality control is stronger quality control standards, particularly standards that incentivize firms to think proactively about emerging risks to audit quality. The PCAOB has proposed strengthening its quality control standards and bringing them into better alignment with the international standards. That project should be finalized as soon as possible and the new standards integrated into the board’s inspections program.
- Modernize the auditing standards to recognize the role of technology. It is widely recognized that technology is changing auditing. The auditing standards, however, were largely written during the pencil-and-paper era. For example, the standards governing receivables confirmation are predicated on the assumption that the process will be conducted through the mail. Today confirmation is largely electronic. Sampling is another area where the auditing standards lag behind technology. The current standards, which allow for judgmental sampling, are antiquated in the age of Big Data and the ability to perform instantaneous, automated reviews of entire populations of contracts or transactions. The PCAOB should undertake a comprehensive review of its auditing standards to bring them into the 21st century.
- Expand the PCAOB’s mission beyond financial statement auditing. The PCAOB’s authority is over public company “audits,” defined in SOX as examinations of financial statements. Traditional financial reporting, however, is becoming a smaller part of the information that companies disclose and that investors utilize. For example, investors increasingly use non-GAAP measures and key performance indicators, along with traditional financial reporting, in investment decision making. Moreover, investors have become more focused on the risks and opportunities presented by external, nonfinancial factors that can affect a company’s long-term success or failure. This type of information is often referred to as ESG—environmental, social, and governance information. Virtually all large companies make ESG disclosures, and most do so in a sustainability report.
The PCAOB has stated that one of its strategic goals is to develop audit quality indicators—objective factors that correlate with the quality of audit services.
As investors increasingly demand non-GAAP measures and ESG reporting, auditors are being called upon to provide assurance over these types of information. Congress should expand the PCAOB’s authority to ensure that, as auditors’ assurance over nontraditional information becomes more common and more critical to capital allocation, the board will have the ability to set standards and inspect this aspect of auditors’ work.
Keeping the Doors Open
The PCAOB was born during a crisis in confidence in auditing and charged with restoring trust. It has made significant progress. The trajectory of audit quality has improved since SOX was enacted in 2002. Investors and other users of audited financial information can have more confidence in the work of the auditing profession today than in the pre-PCAOB days of self-regulation.
Despite that progress, it is fair to ask how audit oversight should evolve to ensure that the profession meets the expectations of financial statement users and the challenges of a rapidly changing business environment. The solution is not to close the doors at the PCAOB—doing so would put the accomplishments of the past 18 years at risk. The debate should instead be about how to make the board stronger and more effective.