Remarks on the Global Audit 

DATE Feb. 8, 2013 
SPEAKER(S): James R. Doty, Chairman 
EVENT: 35th Annual Conference on Securities Regulation and Business Law  
LOCATION: Austin, TX 

Let me begin by saying that the views I express are my own and should not be attributed to the Public Company Accounting Oversight Board as a whole or any other members or staff.

I want to thank the Law School at the University of Texas at Austin, as well as the Texas State Securities Board, the Fort Worth District Office of the Securities and Exchange Commission, and the Business Law Section of the State Bar of Texas.

This is a prestigious conference. You have much to be proud of in this 35th year. I am delighted to be here today.

There is a lot going on at the PCAOB. We have an active standards-setting agenda, including projects related to reexamining the standard-form audit report to better serve users, and projects to improve audit performance, such as in the areas of auditing related parties and using the work of other auditors and specialists.

We recently adopted a new audit standard on auditors' communications with audit committees. A novel aspect of this project is that it is the first standard promulgated after the Jumpstart Our Business Start-ups Act of 2012. Thus, when the PCAOB submitted the final standard for approval by the SEC, we included a discussion of efficiency, competition and capital formation.

We are also involved in implementing those provisions in the Dodd-Frank Wall Street Reform Act that task the PCAOB to set standards for and inspect auditors of brokers and dealers.

For those of you who practice in the broker-dealer space, I encourage you to read the PCAOB's August 2012 report on the PCAOB's findings from its first year of running a temporary, exploratory inspection program for audits of brokers and dealers. The program is intended to help us gain experience and insights that will help us scope a more permanent program.

I will be happy to talk about these projects, including the materials we provided for your syllabus, and others you have questions about. But as billed on the program, I would like to use my planned remarks to brief you on another area of our activities that I believe should be of interest to you — what I call the global audit.

I know many of the practitioners among you counsel in the energy sector, which has long been an international endeavor here in Texas. Moreover, today, investment opportunities right here in Texas are attracting foreign investment. You heard yesterday about some burgeoning cross-border sources of capital for energy and mining companies from Canadian practitioners.

With all this growth, so grows the need for reliable audits to back the numbers. The headlines today are frequently graced with stories of businesses being swindled into bad deals with bad numbers. There also remains the risk that your clients' control over growing foreign operations may not be as secure as they would like.

You may prepare SEC filings or engage in counseling on the securities acts. You may advise clients in designing compliance programs. Or you may be involved in conducting an internal investigation of foreign payments or defending a client against alleged FCPA violations.

In any of these circumstances, the global audit is a feature of our financial reporting system that every securities lawyer should understand.

I will start with an overview of how global audits are performed, who the various players are, and what challenges may exist for you, your clients and investors.

Then, I will discuss work regulators around the world are doing together to improve the quality of global audits, to promote the investing public's — and companies' — interest in accurate reporting.

As a former securities law practitioner and counsel to boards and executives, I believe the audit is the most cost-effective way to avoid being surprised by errors or malfeasance that have quietly grown to a material level, by which time it's too late to avoid the concomitant penalties and collateral damage to executives that can ensue.

Finally, I will leave you with some questions that regulators worldwide are wrestling with to ensure we get the most value out of audits.

I. Auditors Around the World Participate in Audits of U.S. Issuers, But There is Little Transparency About Their Involvement.

This session is well-timed for me, because I am just back from a short trip to Europe to sign protocols on cooperation and information-sharing with the audit regulators in France and Finland last week.

In both those countries, there are audit firms — quite substantial firms — that have registered with the PCAOB because they audit or play a substantial role in the audit of a U.S. issuer. Most of them are members of one of the large accounting firm networks that bear a variation of the name of a U.S. firm.

These agreements will allow the PCAOB to begin conducting joint inspections of these firms with the local regulators in France and Finland.

Overall, there are around 240 non-U.S. audit firms in over 50 foreign jurisdictions that have issued audit opinions on U.S. issuers and are required to be inspected at least every three years.

To date, the PCAOB has conducted inspections in 40 foreign jurisdictions. Last year, one-fourth of our inspections took place outside the United States.

Our non-U.S. inspections are important, not only because of the foreign private issuers that sell securities in U.S. markets. Many of the non-U.S. audit firms that have registered with the PCAOB also perform significant audit work for U.S. companies that have operations abroad.

This is the nature of the global audit. The principal auditor — that is, the auditor that signs the audit report — refers a portion of the audit to local auditors in a country or countries where the company has subsidiaries or significant operations.

The local auditor may perform specified procedures that the principal auditor asked it to perform. Or it may perform for the principal auditor a complete audit, with audit report, on the local operation.

In either case, generally speaking, the principal auditor uses the work of other audit firms to form an opinion on the financial statements as a whole. Only the principal auditor's name goes on the audit report that the public sees.

The engagement partner is at the center of the effort. He or she "is responsible for the engagement and its performance," and must, therefore, make sure that the work and those who perform it are appropriately supervised and coordinated.[1]

Generally, however, little if any of this is transparent to the public. We are reminded, from time to time, that even the most sophisticated business people and government officials who use audit reports do not realize that audits for large companies are often performed by consortiums of separate audit firms.

For companies, and their counsel, concerned about the risk of override of controls and material misstatements in far-flung locations, it is the work of these undisclosed subsidiary auditors, and the rigor of the principal auditor's oversight of their work, that provides the company (and investors) assurance that the necessary controls are in place and working effectively.

Depending on where a company's operations and accounting are, the underlying source of half or more of this assurance work may be performed by a firm or firms other than the firm whose name is on the audit report. But even those who are aware that multiple firms may be involved in an audit generally don't know the extent of work performed by other audit firms.

When we do inspect, we sometimes find that the work of the other auditor was not reliable. Sometimes the work requested by principal auditors was not even performed.

The PCAOB has proposed to require that auditors disclose in an audit report the names of firms that participated in the audit, and the extent of work they performed.[2] This proposal has gained considerable support. I hope it will be issued in final form later this year.

A. PCAOB Inspections Have Identified Numerous Hand-Off Failures in Global Audits.

To be sure, the problems go both ways. That is, in an audit of a foreign private issuer, the principal auditor is usually based in the country of the issuer's headquarters. In some cases, inspectors have found that audit work performed by the principal auditor's U.S. affiliate does not satisfy the objectives of its role in the audit.

Since the PCAOB began inspecting, the PCAOB has focused firms on the need to assess the quality of and oversee the work of their affiliates. They also need to be aware of local customs, ways of communicating, and risks that may affect subsidiary audits.

This is not simply to say that audits in countries with weak enforcement regimes are likely to be worse than audits in countries such as Finland, which tops Transparency International's Corruption Index as the least corrupt country.

For example, in some countries, confirmation of cash cannot be taken for granted. Take the audit of the India-based issuer, Satyam, where the CEO confessed to committing fraud to bridge a gap between actual and reported operating profits.

The fraud has been called "absurdly simple": The company said it had about $1.1 billion in cash and bank balances. But, in fact, it had less than $100 million.[3]

A consortium of Indian firms, all related to one of the large firm networks, conducted the audit of Satyam for approximately $980,000 a year. The auditors failed to perform basic audit procedures to verify that the reported cash existed.

For that, the firms faced charges by both the Securities and Exchange Commission and the PCAOB and fines that far exceeded their audit fees.[4] The capital markets and investors obviously lost out as well.

The SEC and the Board also found that all five firms were responsible for a quality control failure among them because they "routinely relinquished control of the delivery and receipt of cash confirmations entirely to their audit clients and rarely, if ever, questioned the integrity of the confirmation responses they received from the client by following up with the banks . . . ."[5]

Unfortunately, this is not necessarily an isolated example. There have been numerous other reports of poorly executed bank confirmations in emerging markets, including collusion of bank officials. When a spate of such cases was revealed in 2011, the PCAOB issued a staff audit practice alert on Audit Risks in Certain Emerging Markets to help auditors here and elsewhere design audit procedures to address these risks.[6]

The alert is based on observations from PCAOB inspections and other oversight activities, as well as other situations that have come to light in recent corporate filings with the SEC and SEC orders suspending trading in certain emerging market companies.

The alert highlights conditions that indicate heightened fraud risk, such as fraud in bank confirmations, including through forgery or collusion. It also discusses risks involved in auditing variable interest entities.

While the alert is intended for auditors, it is a general guide to the fraud risks that anyone in international business might face, including audit committees and corporate counsel.

As we gain more experience inspecting audit work in different environments, both we and the firms involved become smarter about local audit risks. Based on our experience, in 2011, we reorganized our inspection program to execute group inspections by network on a global basis.

Now, we dedicate a senior inspection leader to each of the large networks. That leader oversees all inspections of firms in the assigned network, including both the U.S. firm, which we inspect annually, and all affiliated non-U.S. firms, which we generally inspect every three years.

The reorganization has served us well. It greatly facilitates risk assessment, by allowing us to build on what we know from previous inspections within the network. It also gives us a view on how global policies of the network are implemented by member firms in different jurisdictions.

II. Audit Regulators Are Developing a New Paradigm for Working Together.

Our risk assessment is also facilitated by coordination with our non-U.S. counterparts. For example, the local regulator in Germany — the AOC — can give us insights from its working relationship with the local Financial Reporting Enforcement Panel and the BaFin. Thus we gain a breadth of understanding of audit risks in Germany that we simply could not come to on our own.

While some of us were attending the signing of the cooperation agreements with France and Finland last week, others from the PCAOB met with representatives of the Dutch securities and markets regulator, the AFM, to discuss how we could enhance our risk assessment and analysis of European-based issuers listed in the U.S. through better appreciation for public sources of European market data.

The UK's Financial Reporting Council has recently devoted a new staff resource to research and analysis. This will provide our own Office of Research and Analysis a new foreign counterpart.

Budgets are tight in Europe, as here. But I believe there is renewed enthusiasm for risk assessment among regulators there. And I am hopeful we will see additional resources devoted to risk assessment in other countries.

We also benefit from our foreign counterparts' nuanced, on-the-ground knowledge of the audit firms in their jurisdictions.

Through their regular oversight activities, for instance, they get a more precise picture of whether and how audit quality as compared to business retention affects promotion and remuneration decisions.

We, in turn, provide our counterparts with other insights, for example, about quality control problems we have identified and tracked across multiple affiliated firms in a global network.

If PCAOB inspectors find a problem in a centrally operated control, such as a firm's internal consultation system, they will consider whether and how firms in the network are affected by it. By tracking such themes, we and our counterparts will have an idea of where risks may lie in firms throughout the network.

For our counterparts, who may not have the resources to inspect outside their jurisdiction, information about weaknesses in a network could provide critical insights necessary to spot and address a threat that is in their jurisdiction.

Gradually, together with our counterparts, we are creating a network of regulators to match the networks of firms. Like the firms, we need to work seamlessly together, not merely to send results back and forth.

As we deepen our relationships with fellow independent regulators, the value of collaborating on global audits increases. We see the whole better when we are able to view each part and examine them with the assistance of local regulators steeped in their home country market.

We have, in fact, identified significant audit failures after issues identified jointly with another regulator in an inspection of the principal auditor led us to review a subsidiary audit in a third country. And this benefit flows both ways.

We have had a foreign regulator join our inspection of the audit of a U.S.-based subsidiary, while we jointly examine the principal auditor's work in the other regulator's jurisdiction. We expect another regulator to do the same later this year.

We are also doing the reverse: sharing information about the investigation of a U.S.-based principal audit engagement with a foreign regulator that is investigating concerns about related audit work performed in its jurisdiction.

While progress developing relationships with European counterparts was slower than, for example, developing them with Canada and Latin America, we are experiencing real momentum for cooperation now. We now jointly inspect with local regulators in the U.K., the Netherlands, Germany, Spain, Norway, Switzerland, Japan and Korea.

We are close to concluding joint inspection arrangements with Sweden, Luxembourg, Belgium, Denmark, and Poland, all of which we hope to finish in the next few months.

We continue negotiations with the remaining EU jurisdictions, including Italy, Ireland and Greece. But progress has been slower in those jurisdictions for a variety of reasons.

Progress with China also continues to be challenging, although there have been some positive developments. In October 2012, we were able to send a team of inspectors to China to observe inspections conducted by local authorities. While these activities did not substitute for conducting an inspection, they were useful relationship-building exercises that I hope will bear fruit in the very near term.

Recently, there has been some suggestion in the Chinese press that the Chinese authorities are working on a solution or mechanism to help facilitate cross-border audit cooperation. The PCAOB stands ready to work with them, but we need to move quickly for the benefit of the investing public.

My preference is to work out cooperative arrangements to facilitate inspections and, when necessary, investigations. But if authorities in China and other countries continue to put up obstacles to legally required inspections of firms that have chosen to register in the United States, the PCAOB will have to re-evaluate the status of those firms in our system.

Any action we take will be a result of thorough and thoughtful deliberation. But ultimately our charge is to implement and enforce policy decisions embedded in U.S. law to protect the interests of investors in quality audits.

III. Audit Regulators Around the World Are Concerned About Auditor Independence, Objectivity and Professional Skepticism.

I've told you what the PCAOB has been doing to promote high quality audits of multi-national companies. It is critical work, and I believe it pays for itself by protecting the mutual interest of companies and their investors in strong audits that will detect and address latent accounting and financial reporting problems.

Let me now turn to inspection results. Again, when it comes to the global audit, we are advantaged by the new wealth of information and analysis emanating from our counterparts.

It should not be surprising that auditor skepticism is both one of the most challenging issues in auditing as well as one of the most important for audit regulators to protect.

Regulators around the world are expressing concerns about disappointing inspection results. For example, those of you involved in Australian deals may have read the recent opinion piece by the Australian Securities and Investment Commission's Chairman, Greg Medcraft, in the Australian Financial Review.[7]

It is auditor skepticism that moves the auditor to dig for signs of error and malfeasance. If an auditor finds such signs and addresses them with management, potential damages far in excess of the audit fee can be avoided. Careers too can be saved.

But skepticism must be championed. According to a compilation of inspection results from Canada, the U.S., the U.K. and Australia, prepared by the Canadian Public Accountability Board, "Insufficient Professional Skepticism . . . is undoubtedly the most common finding — that auditors are too often accepting or attempting to validate management evidence and representations without sufficient challenge and independent corroboration."[8]

A number of other regulators have also recently issued insightful reports on auditor independence and professional skepticism, including the Netherlands, France, Germany and Switzerland.[9]

In December 2012, the PCAOB issued a staff audit practice alert on Maintaining and Applying Professional Skepticism in Audits to remind auditors of the critical importance of professional skepticism to effective audits.

The Alert also describes a number of impediments to professional skepticism — including, for example, unconscious human biases and other circumstances that can cause auditors to gather, evaluate, rationalize, and recall information in a way that is consistent with client preferences rather than the interests of external users. Finally, the Alert describes steps that firms and auditors can take to enhance professional skepticism in audits.[10]

In addition, more broadly, in August 2011, the Board issued a Concept Release on Auditor Independence and Audit Firm Rotation. The concept release notes the importance of auditor independence to the viability of auditing as a profession. It asks for comment on ways to enhance auditor independence, objectivity and professional skepticism, including through auditor term limits, which are being debated around the world today.

Independence and skepticism are complex issues that warrant deep study. The PCAOB has embarked on a series of public meetings to engage prominent and thoughtful commenters with various, often conflicting, viewpoints.

They have included some of the most authoritative and experienced voices to address the subject of audit quality, auditor independence and the challenges to both. They offered varied perspectives as investors, senior executives and audit committee chairs of major corporations, chief executive officers of audit firms, academicians, and former regulators.

The most recent public meeting was in Houston, where the PCAOB heard from twenty panelists interested in the topic. UT Professors Henry Hu and Robert Prentice were among them and presented their ideas.

In these public meetings and other comments, we have been encouraged by some to consider whether audit committees can be enlisted to monitor and enforce auditor skepticism, in lieu of structural changes such as term limits and mandatory tenders.

Of course, equipping audit committees to perform the rigorous monitoring that would be needed to test and enforce skepticism would also require a significant change in the way audit committees operate. According to a January 2013 Global Audit Committee Survey, released by KPMG's Audit Committee Institute, only 38% of audit committees claimed to have a formal and comprehensive annual external auditor evaluation process in place.[11]

We must also watch and evaluate the implications of international developments. The Dutch Parliament recently adopted audit firm rotation. It appears likely that some companies plan to implement auditor switches ahead of the 2016 deadline.

The European Commission, Parliament and Member States are engaged in their own inquiry. Their legislative deliberations indicate a real likelihood that some form of term limits could be adopted this year. Firms in Europe have had to factor the possibility into their strategic business planning.

Given the breadth of the international debate, it is not surprising that people disagree on what the best reforms will be, or how to implement them, or indeed whether reform is necessary. Costs and any potential unintended consequences will have to be considered.

This is not to say that independence and skepticism will only be achieved through term limits. We should not rush to decision. I want to influence the debate worldwide, by broadening its scope and getting beneath the surface of generalities, coming to grips with the practical. It is not our way of doing things in this country, especially Texas, to shy away from large issues and avoid discussion of bold ideas.

* * *

You have been a gracious audience and I thank you very much for your attention. I would be happy to take any questions now.

[1] See paragraph 3 of Auditing Standard No. 9, Audit Planning, and paragraph 3 of Auditing Standard No. 10, Supervision of the Audit Engagement.

[2] See PCAOB Rel. No. 2011-007, Improving the Transparency of Audits: Proposed Amendments to PCAOB Auditing Standards and Form 2 (Oct. 11, 2011). This release, and comments received on it, are available at http://pcaobus.org/Rules/Rulemaking/Pages/Docket029.aspx.

[3] Heather Timmons and Jeremy Kahn, Auditor in Cross Hairs over Fraud at Satyam, N.Y. Times, Jan. 9, 2009.

[4] Five firms paid the SEC a $6 million money penalty, and the two firms that performed the audit for Satyam paid another $1.5 million to the PCAOB.

[5] Lovelock & Lewes, Price Waterhouse, Bangalore, Price Waterhouse & Co., Bangalore, Price Waterhouse, Calcutta, and Price Waterhouse & Co., Calcutta, SEC Rel. No. 34-64184, 2011 WL 1295803, at *9 (SEC Apr. 5, 2011).

[6] See PCAOB Staff Audit Practice Alert No. 8, Audit Risks in Certain Emerging Markets (Oct. 3, 2011). This release is available at http://pcaobus.org/Standards/QandA/2011‑10‑03_APA_8.pdf

[7] See Greg Medcraft, Op-Ed., Auditors Need to Lift Game, Australian Fin. Review, Dec. 18, 2012.

[8] See Canadian Public Accountability Board, Auditing in the Decade Ahead: Challenge and Change, Audit Quality Symposium Pre-Reading Materials, at 36 (2011).

[9] See U.K. Audit Inspection Unit, 2009/10 Annual Report 4 (July 21, 2010) (stating that "[f]irms sometimes approach the audit of highly judgmental balances by seeking to obtain evidence that corroborates rather than challenges the judgments made by their clients" and that "[a]uditors should exercise greater professional scepticism particularly when reviewing management's judgments relating to fair values and the impairment of goodwill and other intangibles and future cash flows relevant to the consideration of going concern"); AFM, Report on General Findings Regarding Audit Quality and Quality Control Monitoring 13-14 (Sept. 1, 2010); Australian Securities & Investment Commission, Audit Inspection Program Public Report for 2009-2010 (June 29, 2011); CPAB, Enhancing Audit Quality: Report on the 2010 Inspections of the Quality of Audits Conducted by Public Accounting Firms 3 (April 2011); Auditor Oversight Commission (German), Report on the Results of the Inspections According to § 62b WPO for the Years 2007-2010 (April 6, 2011); Federal Oversight Authority (Switzerland), Activity Report 2010.

[10] See PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits (Dec. 4, 2012). This release is available at http://pcaobus.org/Standards/QandA/12-04-2012_SAPA_10.pdf

[11] See KPMG's Audit Committee Institute, Global Audit Committee Survey, at 6 (Jan. 2013).