Do PCAOB Audit Inspections and ICFR Assessments Protect the Public Interest?

The PCAOB inspects audits of registered public accounting firms and identifies deficiencies in gathering audit evidence and internal controls over financial reporting and the failure to comply with its standards. An analysis of inspection reports shows a declining rate of deficiencies for Big Four firms between 2018 and 2020—followed by an increase in 2021. The findings indicate that auditors need to better communicate about deficiencies in internal controls over financial reporting (ICFR), whether the financial statements are free of material mis-statements, and critical audit matters. The PCAOB should timely disclose the rate of deficiencies in audit firm quality controls, engagement quality controls, and the names of company clients on whose inspections were deficient, as well as accelerate its review of audit quality indicators.

***

The Sarbanes-Oxley Act (SOX) created the Public Company Accounting Oversight Board (PCAOB) in 2002 “to protect investors and to further the public interest by overseeing the work of accounting firms that audit publicly traded companies” (Public Law 107-204). The PCAOB assesses audits of publicly owned companies through an inspection process described below. In short, the Board’s mission is to “audit the auditors.”

The PCAOB annually inspects registered public accounting firms that issue audit opinions on more than 100 issuers, and triennially inspects firms with 100 or fewer audit reports. The board selects audits for inspection using both risk-based and random methods.

According to the PCAOB, inspections involve assessing the “auditor’s risk assessment processes, financial reporting, audit areas of concern, and a review of the firm’s system of quality control.” Should a potential deficiency be identified, inspectors discuss the matter with the firm and may review additional audit documentation. If the inspection team still believes that a potential deficiency exists after this step, it will provide the firm with a written comment form on the matter. The firm is allowed the opportunity to provide a written response to the comment form (PCAOB, “Basics of Inspections. Inspections: An Overview,” https://bit.ly/3mX9QXN).

Given that the audit inspections carried out by the PCAOB are designed to protect the public interest, the authors believe it is important to evaluate whether the board is meeting its mandate through the inspection process. CPAs need to understand that process, the nature and causes of audit deficiencies, how they are reported by the PCAOB, and whether the PCAOB’s inspection process enhances audit quality.

CPAs also need to understand the primary causes of deficiencies in inspected reports. At the top of the list is deficiencies in internal controls over financial reporting (ICFR). After all, if deficiencies in ICFR persist, then how can the PCAOB protect the public interest? The board should also strengthen the engagement-level audit quality indicators (AQI) to provide useful information to investors.

Section 404 of SOX requires companies to review their ICFR and disclose whether they are “effective” or “ineffective.” Effective internal controls are essential in ensuring that financial statements are accurate and complete. Ineffective internal controls pose a risk for stakeholders, as vital information disseminated by the company may be incorrect.

An analysis of SOX 404 disclosures over an 18-year period shows that ICFR deficiencies, which had been declining through 2020, have started to reverse course and are now increasing. According to research by Audit Analytics, the number of adverse ICFR auditor attestations for accelerated filers increased to 197 in 2021, up from 153 filed in 2020, or a 28.8% increase (Audit Analytics, “SOX 404 Disclosures: An Eighteen Year Review,” July 2022, https://bit.ly/3Jnt1Bt).

Adverse auditor attestations indicate ineffective ICFR. The number of adverse attestations represents 5.8% of all auditor attestations for 2021, an increase from 4.8% in 2020. The number of companies filing first-time auditor attestations that disclosed ineffective controls increased from 20.9% in 2020 to 28.4% in 2021, or a 35.9% increase, further indicating problems with ICFR.

A PCAOB staff report shows a year-over-year increase in the number of audits with deficiencies at audit firms that the PCAOB inspected in 2021. The aggregate data show that approximately 33% of the audits reviewed will have one or more deficiencies discussed in Part I.A of the individual audit firm’s inspection reports, up from 29% in 2020. According to PCAOB Chair Erica Y. Williams, “Higher deficiency rates in 2021, coupled with the fact that the PCAOB is also seeing an increase in comment forms for 2022, are a warning signal that the audit profession needs to sharpen its focus on improving audit quality by modernizing our standards, enhancing our inspections, and strengthening our enforcement” (PCAOB, “Audits With Deficiencies Increased in 2021, According to New PCAOB Staff Report,” https://bit.ly/3mWOOIO).

Big Four Audit Inspection Results

The audit inspection results in Exhibit 1 show a declining rate of audit deficiencies in the audits reviewed between 2018 and 2020 for each of the Big Four. The reduction in the rate for Deloitte continues a trend of low deficiency rates, and the rates have declined at Ernst & Young and KPMG. The decline for PricewaterhouseCoopers deviates from the expected because the deficiency rate was higher than the other Big Four in 2019 and substantially lower in 2020.

The audit inspection results for the 2018–2021 period indicate that, following a decline in the three-year comparison from 2018 through 2020, audit deficiency rates were on the rise in 2021. This is a troubling result because it implies that the firms have not been able to solidify the positive steps taken in 2020 regarding improvements in the quality of audits inspected by the PCAOB.

The following is a description of the deficiencies identified in inspection reports (PCAOB, “Guide to Reading the PCAOB’s New Inspection Report,” https://bit.ly/3JMWV3s).

Audit Inspection Results Part I.A

Exhibit 2 shows the results of the authors’ review of PCAOB inspection reports for the period 2018–2021. For the most part, all Big Four show a declining rate in Part I.A deficiencies for 2018–2020, but an increase in these amounts for 2020–2021. This is consistent with the results shown in Exhibit 1 for 2021 and raises questions about the firms’ ability to sustain the decreases in 2020.

Three factors may have been responsible for the decline in Part I.A deficiencies from 2018 through 2020.

• Firms may have learned over the years to pay more attention to audit quality, reducing the instances of audit deficiencies as indicated in Exhibit 2. Both audit professionals and investors “associate fewer identified audit deficiencies with higher audit quality” (Brant E. Christensen, Steven M. Glover, Thomas C. Omer, and Marjorie K. Shelley, “Understanding Audit Quality: Insights from Audit Professionals and Investors,” Contemporary Accounting Research, vol. 33, no. 4, 2015, pp. 1648–1684).
• Firms may have paid more attention to their audit of ICFR (AS 2201) and their assessment of the risks of material misstatement (AS 2301), the main sources of deficiencies as discussed below.
• Firms may have improved their quality controls in response to the high-level of deficiencies cited in PCAOB inspection reports. The PCAOB’s Quality Control Standard (QC) 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice (https://bit.ly/3KEHI4S), discussed below, provides guidance for a firm’s quality control policies and procedures.

Daniel Aobdia suggests that there may be a direct correlation between effective audit quality controls and reduced Part I audit deficiencies. He used a unique dataset of firm-wide QC deficiencies identified by the PCAOB during its inspections of audit firms and found a negative association between QC deficiencies, mainly performance-related, and audit quality (Daniel Aobdia, “The Economic Consequences of Audit Firms’ Quality Control System Deficiencies,” Management Science, vol. 66, no. 7, 2019, pp. 212–222).

Auditing Standards Associated with Part I.A Deficiencies

Understanding which audit standards have been identified as deficiencies in Part I.A is important because it bears on the quality of the audit. Exhibit 3 shows the deficiencies under the two auditing standards most frequently cited by far in the inspection reports, namely AS 2201, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements (https://bit.ly/3FxKwxU) and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement (https://bit.ly/3lnw9p2).

Internal Controls over Financial Reporting

The relatively high rates of deficiency under AS 2201 suggest that the Big Four are not adequately meeting the SOX section 404(b) mandate for auditors to attest to, and report on, management’s assessment of ICFR. One possible explanation is the high cost to management of establishing ICFR, thereby making accurate auditor assessments more difficult.

To better understand the causes of the high rates of deficiency, it is important to consider the difficulty of assessing ICFR deficiencies that exist when the design or operation of a control does not prevent or detect a material misstatement of an account balance or disclosure. Auditors should test the design and effectiveness of controls and whether they are operating as intended by management so that they “can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.” (PCAOB, AS 2201).

In one research study, the authors interviewed experienced audit partners who reviewed case studies to assess how they consider the difficult ICFR judgments and decisions they confront on audit engagements. The authors found that “the decision to identify a detected control problem is complex, in part due to the need to ‘balance the demands of maintaining positive client relations while remaining firm against managements’ resistance to ICFR findings and the tendency to discount the auditors’ findings.’” This is because “managers often argue that their management review and other compensating controls could mitigate the control problems identified by auditors” (Jeffrey R. Cohen, Jennifer R. Joe, Jay C. Thibodeau, and Gregory M. Trompeter, “Audit Partners’ Judgments and Challenges in the Audits of Internal Control over Financial Reporting,” Auditing: A Journal of Practice & Theory, vol. 39, no. 4, November 2020, pp. 57–85).

Another reason for the high rates of deficiency is the need to assess management’s tone at the top. This may be easier said than done, given the sensitive nature of any such discussions between auditors and management.

Risk of Material Misstatements

The second most frequently cited deficiencies are found under AS 2301. This is important because it is a critical component of the auditor’s assessment about whether the financial statements are free of material misstatements. Moreover, the risk of material misstatement can arise from a variety of sources, including deficiencies in ICFR.

In addressing the auditor’s responses to the risk of material misstatements, AS 2301 emphasizes the need to gather sufficient competent evidential matter to support the auditors’ opinion. This requires exercising due professional care and professional skepticism, including evidence to corroborate management’s explanations or representations concerning important matters, such as through third-party confirmation, use of a specialist engaged or employed by the auditor, or examination of documentation from independent sources (PCAOB, AS 2301). When audits are deficient due to any such factors, it means the financial statements may not be reliable.

Audit Inspection Results Part I.B

Part I.B of the PCAOB inspection reports include “deficiencies that do not relate directly to the sufficiency or appropriateness of evidence each firm obtained to support its opinion(s) [which are identified as Part I.A. deficiencies], but nevertheless relate to instances of non-compliance with PCAOB standards or rules” (PCAOB, “Guide to Reading the PCAOB’s New Inspection Report”).

Exhibit 4 shows the deficiencies under the two auditing standards most frequently cited in 2021 inspection reports, namely AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion (https://bit.ly/3soS4eY), and AS 1301, Communications with Audit Committees (https://bit.ly/3moeAp8).

AS 3101 addresses critical audit matters (CAM) that should be communicated to the audit committee, including those that relate to the materiality of accounts and disclosures, and those that relate to complex auditor judgments. One reason to communicate CAMs to the audit committee is to make them aware of especially challenging, subjective, or complex auditor judgments.

The deficiencies associated with AS 1301 are also due to the failure to make required communications to the issuer’s audit committee, meaning that the auditors failed to have quality controls in place to inform audit committees of problems with the audit including items that were material to the financial statements, such as critical accounting policies and practices or estimates. The result is that the auditors were not sufficiently sharing their evaluation of the company’s financial reporting with the audit committee.

Adverse SOX 404 Assessments

Adverse internal control assessments include the disclosure of issues that led to, at least in part, the conclusion that a company’s ICFR was ineffective. The 2022 Audit Analytics study referred to above classifies “internal control issues” as internal control weaknesses arising from deficiencies in the company’s control structure. The four internal control issues cited in both 2020 and 2021 appear in Exhibit 5. Once again, the trend shows an increase in deficiencies.

The increased deficiencies in accounting personnel resources emanate from the need for more highly trained accounting personnel—a troubling finding, because well-trained personnel are essential to properly evaluate the ICFR and the risks of material misstatements in the financial statements. These may also impact the segregation of duties. The increased deficiencies in information technology is of concern because it suggests that ICFR was ineffective in that regard, and it may negatively influence disclosure controls.

Audit Quality

An important aspect of audit quality is the exercise of professional skepticism in making decisions about gathering and evaluating audit evidence. Professional skepticism is part of an auditor’s skill set and is closely interrelated to the fundamental concepts of auditor independence and professional judgment, which contribute to audit quality (Kathy Hurtt, “Development of a Scale to Measure Professional Skepticism,” Auditing: A Journal of Theory & Practice, vol. 29, no. 1, May 2012, pp. 149–171). To promote the application of professional skepticism, CPA firm management should set an appropriate tone at the top that emphasizes a questioning mind throughout the audit. This can be accomplished through better training of staff, managers, and partners; more internal oversight; and increased understanding of complex GAAP rules.

Several researchers have looked at whether PCAOB inspection reports have the potential to be used as a measure of audit quality. In one study, “Both audit professionals and investors associate a smaller number of audit deficiencies with higher audit quality” (Brant E. Christensen, Steven M. Glover, Thomas C. Omer, and Marjorie K. Shelley, “Understanding Audit Quality: Insights from Audit Professionals and Investors,” Contemporary Accounting Research, vol. 33, no. 4, pp. 1648–1672, 2015).

Not all evidence supports the conclusion that PCAOB inspection reports are a useful measure of audit quality for investors and other parties. Another research study determined that the market share of audit firms is insensitive to the issuance of a negative PCAOB inspection report. The authors proposed a couple of reasons why the reports may lack informational value: 1) they do not provide an overall “opinion” on the quality of the firm, and 2) they do not disclose information related to the firm’s quality control system (Clive Lennox and Claire Pittman, “Auditing the Auditors: Evidence on the Recent Reforms to the External Monitoring of Audit Firms,” Journal of Accounting and Economics, vol. 49, pp. 84–103, 2010).

Jeanette Franzel, a former PCAOB board member, looked at the audit quality issue by examining Part I findings in inspection reports between 2010 and 2015. She identified a downward trend in audit deficiencies that mirrors that of 2018–2020. Franzel observed that the PCAOB has seen “significant improvements in audit quality.” The reasons given are that the large firms are dedicating “significant resources toward remediating deficiencies and improving quality control systems.” Other factors include “improvements in the tone at the top, coaching and support to audit teams, and training and monitoring of audit quality” (Jeanette Franzel, “The PCAOB’s Role in Improving Audit Quality,” The CPA Journal, August 2017, https://bit.ly/3Jn1P5X).

Some critics suggest that the PCAOB is not paying enough attention to audit quality indicators (AQI). Lynn Turner, a former chief accountant of the SEC, pointed out that accounting firms are more focused on providing firm-wide reports, which do not provide useful information about whether a particular audit was high quality or not. He believes that investors want engagement-level AQIs. Turner relates investors’ view that AQIs are important because if audit firms “are not measuring it [quality] they can’t be managing it” (Soyoung Ho, “PCAOB May Face Long Odds Completing Audit Quality Indicators Project,” November 2, 2022, https://tmsnrt.rs/3zAwPe3).

One positive development is that the PCAOB has proposed a new quality control standard that would lead firms to improve their quality control (QC) systems through the following measures:

• Requiring a risk-based approach to QC, including well-defined quality objectives and a systematic effort to identify and proactively manage risks to the firm’s achieving those objectives
• Emphasizing firm governance, the “tone at the top,” and individual accountability
• Providing more direction regarding monitoring activities and remediation of identified deficiencies to encourage an ongoing feedback loop that drives continuous improvement
• Providing for a rigorous annual evaluation of a firm’s QC system
• Introducing annual QC reporting to the PCAOB to underscore its importance as well as oversight
• Requiring enhanced communication to the audit committee. (PCAOB, “A Firm’s System of Quality Control,” PCAOB Release 2022-006, November 18, 2022, https://bit.ly/3llNZsm)

Is the PCAOB Protecting the Public Interest?

A confounding factor in assessing whether the work of the PCAOB is protecting the public is the turmoil at the PCAOB from 2018 to 2020, when it experienced serious leadership, governance, and tone-at-the-top issues. This led to the SEC removing chairman William Duhnke following complaints about the deregulatory environment and drop in enforcement actions at the board; the SEC went further, replacing all five members of the board. Also, it could be that disruptions due to COVID-19 hampered the PCAOB’s ability to do thorough inspections of 2020 reports. The question now is whether the deficiency rates during that time can be relied upon. This bears watching, given that deficiency rates reversed course in 2021 and are now on the rise.

The Project on Government Oversight (POGO) studied the work of the PCAOB over a 16-year period from 2003 to 2018 and in 2019 released a critical report on the board’s accomplishments. According to the report, the “Big Four performed audits that were so defective that the audit firms should not have vouched for a company’s financial statements, internal controls, or both.” POGO cites 808 such instances, but the PCAOB “brought only 18 enforcement cases against [those firms] or employees of the firms.” The 18 cases involved just 21 audits.

The POGO investigation concludes that, assuming “the 808 audits cited as fatally flawed in the PCAOB inspection reports were as bad as the reports said,” the PCAOB “could have fined the audit firms more than $1.6 billion.” The fines, however, were just $6.5 million, less than 0.5% of the potential fines (David S. Hilzenrath and Nicholas Trevino, “How an Agency You’ve Never Heard Of is Leaving the Economy at Risk,” POGO.org, September 5, 2019, https://bit.ly/3FD4O9n).

One way of looking at the level of the fines is to consider how POGO developed its numbers. To determine the penalties the PCAOB had the potential to impose based on inspection findings, the POGO multiplied the number of defective audits identified in inspection reports on the Big Four—808—by $2 million, which yields just over $1.6 billion. Under SOX, the PCAOB is empowered to fine audit firms up to $2 million per violation for ordinary violations and bigger fines for more serious violations, up to $15 million (David S. Hilzenrath and Nicholas Trevino, “The Methodology Behind POGO’s Investigation of the PCAOB,” POGO.org, September 2019, https://bit.ly/3JTwTf5).

In assessing the validity of fines, one factor to consider is whether POGO considered each, or some part of each, of the 808 defective audits as a material weakness or the less severe offense of a significant deficiency, which should be communicated to the audit committee but would not necessarily result in an enforcement action or fine.

Are POGO’s criticisms too harsh? One prominent professional who believes so is Daniel L. Goelzer, who was a founding member of the PCAOB and acting chair from August 2009 through January 2011. Goelzer believes that accounting firms have paid more attention to their system of quality controls in identifying audit deficiencies and in assessing management’s report on ICFR. Moreover, quality control criticisms of firms that failed to remediate satisfactorily are made public, albeit not on a timely basis (as discussed above). The PCAOB has disclosed all or a portion of Part II deficiencies “in more than 300 cases—approximately 10% of inspection reports. The result has been that firms devote substantial time and resources to addressing the deficiencies in their systems of quality control cited in their inspection reports, and those systems are stronger today” (Daniel Goelzer, “Audit Oversight and Effectiveness: Understanding the Past and Looking Forward to the Future,” December 2020/January 2021, https://bit.ly/3Ly7Krz).

Goelzer concedes that some think that the PCAOB has not done enough to improve audit quality, given the all-too frequent audit failures and relatively high deficiency rates, and that it has “not been tough enough on firms when auditing breakdowns [occur].” Alternatively, “others argue that the PCAOB has been too aggressive, that auditors are now motivated largely by fear of PCAOB inspectors, and that a keep-the-regulator-happy mentality drives up audit (and internal control) costs out of proportion to any benefits.” Even if the latter were true, it does not lessen the importance of the work of the PCAOB.

Looking Forward, not Backward

The jury is still out whether the PCAOB is serving the public interest. If one believes that audit quality has improved and deficiencies in firm quality controls have lessened, as appears to be the case during the 2018–2020 period, then the question is whether additional changes should be made to strengthen inspections. The reversal in 2021 shows that more time may be needed to assess the efficacy of the inspection process. In that regard, the authors believe that the proposed new QC standard might be a step in the right direction.

Goelzer’s observation that 10% of inspection reports were made public because quality control deficiencies were not remediated raises the question: Why not disclose 100% of these Part II deficiencies by including them in the year they occur, not three years later? These deficiencies relate to specific audits inspected in a specific time period. Determining whether to disclose in a retrospective manner does not serve the public interest, because investors have a right to know about these deficiencies right away, not after they may (or may not) have been corrected. Timeliness enables investors to make better decisions. Another question is: Why not disclose engagement-level AQIs, as suggested by Lynn Turner?

Lastly, perhaps it is time for the PCAOB to disclose the names of client companies audited by public accounting firms whose audit inspections were deficient or ICFR assessments did meet SOX 404 requirements. The authors believe that the public has a right to know the names of these companies alongside their auditors, because it bears on whether firms are conducting appropriate audits and assessments of ICFR on companies that may have experienced financial fraud. Imagine if we knew the names of companies, along with audit deficiencies, that experienced fraud—Theranos, Luckin Coffee, Wirecard, Wells Fargo, and GE, to name a few. This kind of information would enhance transparency and shed light on why certain firms have high rates of audit deficiencies or adverse ICFR assessments. It could also explain why there have been several audit failures in recent years.

Need for Improvement

It has been more than 20 years since SOX was enacted into law, yet audit deficiency rates still seem too high to many observers. The fact that deficiencies in applying PCAOB standards for the assessment of ICFR and audit risk assessments are high in comparison with other standards means that the quality of audits needs improvement.

In the authors’ view, the high rates of deficiencies in standards related to communications with the audit committee and identifying CAMs need to be addressed. Auditors should design their audits to identify CAMs and how they might affect the determination whether the financial statements are free of material misstatements, and then discuss these matters with management. Deficiencies in ICFR and the risks of material misstatements in the financial statements need to be addressed to improve the quality of audits. The proposed new standard on quality control can help in this regard.

In conclusion, the PCAOB should do more to ensure that audits reflect the interests of investors, the public, and other stakeholders by addressing their potential concerns about financial reporting, disclosures, and ICFR. The best way to do this is through the PCAOB’s inspection process. Although differences of opinion exist regarding whether investors are influenced by the results of inspection reports, going through the process of being inspected provides an opportunity for registered accounting firms of all sizes to strengthen their audit quality controls.