Remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments — Audit Policy and Current Auditing and Internal Control Matters

Brian T. Croteau

Deputy Chief Accountant, Office of the Chief Accountant

Dec. 9, 2013

As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC Staff.

Introduction

Good morning. Thank you Melanie [Dolan] for the introduction and thank you to the AICPA for inviting me to be here again this year. For those unfamiliar with OCA´s Professional Practice Group (PPG), I am fortunate to have a talented and dedicated team of ten professionals who focus on audit quality and investor protection each and every day. We work closely with, and provide advice and support to, other offices and divisions within the SEC on auditing, internal control, and auditor independence matters. OCA´s PPG also has a significant role in leading and coordinating the Commission´s oversight of the Public Company Accounting Oversight Board´s (PCAOB) activities and so we work very closely with the PCAOB throughout the year to achieve our shared investor protection objectives.

As you know, continuing resolutions, sequestration, and a government shutdown have attracted some of the attention here in Washington lately. As a result, OCA´s PPG operated this year with a reduced headcount while our workload grew. Nonetheless, OCA´s PPG continues to work tirelessly and stay focused on audit quality and investor protection. I observe this same enthusiasm and focus on investor protection in my interactions with my colleagues throughout the SEC every day. I have few opportunities to express my gratitude to my team before such large audiences, so this morning I´d like to say thank you to them. I am very proud of what we are accomplishing on behalf of investors as a result of their efforts.

Before discussing some of our work with the PCAOB and a couple of SEC rulemakings this year I want to begin with some observations on auditor independence, certain SEC enforcement actions, and internal controls. I chose these topics based upon my reflections on recent activity and a degree of concern I have about the future. Now before I lose anyone, my remarks are intended to be directed equally to management, audit committee members, and auditors.

Continued Focus on the Importance of Auditor Independence to Auditor Objectivity

Reliable financial reporting is a cornerstone of our capital markets, and investors are entitled to it. Investor confidence in financial reporting is supported by high-quality audits that are performed objectively by independent auditors. Being independent in both fact and appearance is foundational to an audit and necessary to reduce threats to auditor objectivity and to enhance credibility. I believe the SEC´s independence rules have served us well over the last decade. Indeed, we continue to see efforts to emulate aspects of our rules around the world.

Auditor independence is an area that requires attention in connection with selecting an auditor, throughout the entire audit relationship, and potentially even beyond. With increasing frequency, I hear comments that incorrectly suggest that the responsibility for compliance with auditor independence rules rests primarily with auditors. To be sure, auditors are of course responsible and are held accountable for being independent from their audit clients. However, management and audit committees have as much — if not more — at stake. Ensuring auditor independence is as important as ensuring that revenues and expenses are properly reported and classified. If the auditor´s independence is impaired, the company will not have satisfied its requirement to file financial statements audited by an independent accountant. Depending on the facts and circumstances of a violation, it can call into question the reliability of the company´s financial reports and the effectiveness of the audit committee´s oversight of the auditor. Violations can also lead to unplanned but necessary auditor changes, not to mention potentially costly re-audits of one or more periods.

With this in mind, let me reinforce why maintaining independence is a shared responsibility. In a recent example, an auditor provided services to the audit client we believe are inconsistent with the Commission´s independence rules. For whatever reason, the audit committee failed to prevent the service from being performed. In the end, when the issue was eventually identified, the audit committee found itself needing to engage a new auditor and obtain re-audits of prior year financial statements, which had potentially significant effects on the issuer´s ability to raise capital.

If you have not done so recently, I´d suggest reflecting on whether improvements to policies and procedures are appropriate to help ensure that services to be provided by the company´s auditor are appropriately evaluated by management and audit committees, in addition to auditors, prior to commencement. This consideration is particularly timely in light of the expansion of non-audit service offerings by accounting firms that Paul Beswick discussed earlier this morning.

Another area that can easily result in similar consequences relates to the SEC´s requirement, as set forth in Rule 2-01 of Regulation S-X, which requires auditors to be independent of not just the audit client but also its affiliates. It is important that all of a company´s affiliates and subsequent changes to the company´s affiliates are identified and evaluated timely. This is another area where it may be helpful to reflect on current policies and procedures to be sure that management, audit committees, and auditors are aware of the complete population of affiliates when addressing independence, and that each of those parties are aware when changes to the population of affiliates occurs. Omitting consideration of an affiliate makes it more likely that independence violations are not identified, the implications of which can become more severe and difficult to resolve with the passage of time. Leaving the affiliate identification and analysis to the auditor without evaluation by management and the audit committee of how the auditor´s assessment compares to the company´s own assessment increases the risk of violations.

On another front, recently the staff has been receiving more questions from companies that operate in certain non-U.S. jurisdictions that have been considering or advancing legislation requiring mandatory tendering or mandatory rotation of audit firms. These rules may have consequences for foreign companies that list securities in the U.S. or for subsidiaries of U.S. companies. Regardless of the reason, any time there is a change in auditors, proper planning is necessary to ensure that independence conflicts, if they exist, are resolved. This could mean that the issuer may need to identify a new auditor well before the commencement of the audit and professional engagement period. For instance, to contend with this practicality, the board of a large financial institution in the UK recently announced its intention to appoint a new auditor for the year ending December 31, 2015 while retaining its current auditor for both 2013 and 2014 in order to provide time to prepare for the change. The Commission´s rules do not provide transition relief for auditor changes and there is little the staff can, or in my view should, try to do to accommodate a change from an auditor who is currently independent in accordance with SEC rules to an auditor who is not. Moreover, it is my view that compliance with existing independence rules is an important factor that should be carefully taken into account in establishing any new regulatory requirements or company policies and processes in anticipation of, or in response to, such decisions.

A consideration to keep in mind when changing auditors is the potential desire for a predecessor auditor´s involvement in the event management determines it is necessary to restate previously issued financial statements. When there is a restatement of previously issued financial statements, a predecessor auditor can only audit the restatement if he or she is independent during the time the procedures are performed. Accordingly, it may be in the best interest of the company and its investors to consider preserving, to the extent possible, the predecessor auditor´s independence for some period of time, in consideration of the potential that the company´s financial statements need to be restated, to help reduce the risks of delays or otherwise unnecessary costs. In 2006, after close coordination between SEC and PCAOB staff, the PCAOB issued staff FAQs addressing how auditing standards should be applied in these circumstances.[1] The PCAOB´s FAQs describe alternatives available that provide a degree of flexibility on whether the predecessor or successor auditor reports on restatements, provided the auditor performing the work is independent during both the audit and professional engagement period. The bottom line is that, when the predecessor auditor is unable or unwilling to issue a report on the prior period financial statements that are being restated, an entire re-audit, rather than procedures to just audit the adjustments, may become necessary.

I´ll wrap up independence by mentioning that OCA´s PPG has several staff members devoted to addressing questions regarding auditor independence and I encourage you to consult with us as you find appropriate. Information about OCA´s consultation process is available on the SEC website under Information for Accountants.[2]

PCAOB Matters

You´ll be hearing from PCAOB Chairman Doty and Board Member Hanson later today as well as PCAOB senior staff tomorrow. I´d like to just share three observations given that the oversight of and collaboration with the PCAOB is a significant part of OCA´s PPG´s work.

First, the PCAOB´s project to consider changes to the auditor´s reporting model is a project to which SEC staff has devoted significant time. Now we are very interested to hear what you think about the proposal, including any ideas you have to improve it. I encourage you to provide your input to the PCAOB. Their comment period closes on December 11th.[3] The PCAOB is also planning additional outreach in 2014, and we will continue to pay close attention to this project. I am hopeful the public feedback can help the PCAOB to advance their work on this project.

Second, for the past few years I´ve been encouraging quicker progress on amendments to audit performance standards. Standards such as auditing estimates, including fair value and use of other auditors and specialists, have been on the PCAOB´s agenda and talked about at various meetings for years now but have still not even advanced to a public proposal. My view is there has been enough talk about the need to update these standards. It´s time to make progress by advancing these projects to proposal for public input. SEC staff continues to stand ready to work with the PCAOB to get these projects, which may have the most potential to improve audits, advanced.

Third, last year I highlighted my enthusiasm for the PCAOB´s near term priority projects.[4] I still believe they are ambitious, significant, and meaningful. Some progress has been made in 2013. Inspection reports have been issued more timely, remediation determinations are more current, and a concept release on audit quality indicators is anticipated in the first half of 2014. Still, relative to priorities such as improving the content of inspection reports, audit committee outreach, and standard setting, there is much to be done. Here too, we continue to stand ready to work with the PCAOB as they advance these priority projects. Meanwhile, congratulations to the PCAOB for their work so far to improve the timeliness of inspection reporting and quality control remediation determinations. If this momentum is sustained as it should, future reports and determinations will be more timely and therefore, in my view, more relevant and useful to auditors and audit committees. I also understand that more timely generalized or so-called "Rule 4010" inspection reports are being considered in 2014, which I have long supported and encouraged.

I´m going to move on to some enforcement comments but I don´t mean to give PCAOB matters short shrift. Please take a moment to send up your questions, observations, or topics that you´d like me to address on the end of day Q&A panel.

Enforcement Matters

Enforcement support is another area where OCA´s PPG devotes considerable attention. You´ll be hearing tomorrow from Andrew Ceresney, Co-Director of the Division of Enforcement and David Woodcock, a regional director and the Chairman of the SEC´s Financial Reporting and Audit Task Force. The Task Force was established earlier this year and is dedicated to detecting fraudulent or improper financial reporting. OCA has worked, and will continue to work, closely with the task force in 2014.

Meanwhile, let me point out some recent actions I think should be of particular interest to this audience. The first is the SEC´s recent action against JPMorgan related to disclosure controls and procedures, arising out of actions related to the so-called "London Whale".[5] Public companies are obligated to maintain disclosure controls and procedures that are designed to ensure that important information flows to the appropriate persons so that timely decisions can be made regarding disclosure in public filings. Commission regulations implementing the Sarbanes-Oxley Act require management to evaluate on a quarterly basis the effectiveness of the company´s disclosure controls and procedures, and the company to disclose management´s conclusion regarding their effectiveness in its quarterly filings.

In a quarterly report, JPMorgan stated that, based upon management´s evaluation, its disclosure controls and procedures were effective, a conclusion that was later determined to be incorrect. Among other things, failures to timely escalate information to senior management and inadequate communications between senior management, internal audit, and the audit committee contributed to reaching this incorrect conclusion. And, as to the information that was escalated, senior management did not make a considered assessment as to whether critical facts existed—including any significant deficiency or material weakness in internal controls—that had to be disclosed to the audit committee.[6]

As a result of its failure to maintain effective disclosure controls and procedures, internal accounting controls, and as a result of its filing of inaccurate reports with the Commission, JPMorgan violated Sections 13(a), 13(b)(2)(A), and 13(b)(2)(B) of the Exchange Act and Rules 13a-11, 13a-13, and 13a-15 and was required to pay significant monetary fines.

If you play any role in maintaining, evaluating, reporting on, or relying on disclosure controls and procedures (which I assume covers many of you), I recommend that you read the September 19th JPMorgan enforcement order. You might do so without necessarily focusing on the particular area of disclosure or the nature of the transactions involved, unless of course it is relevant to you. Instead, I suggest thinking about your own organization´s reporting and disclosure risks and contemplate, "Could any element of what is described in the order happen at my organization and, if so, what should be improved?"

We continue to spend time with staff in our Enforcement Division on investigations that involve internal control considerations, and I think you should expect that financial reporting and disclosure investigations going forward are likely to continue to include taking a close look at the adequacy of internal accounting controls as well as evaluations and conclusions about both internal control over financial reporting and disclosure controls and procedures. We´re also beginning to see some of our first auditor cases related to audits of internal control over financial reporting. So in addition to reading the JPMorgan order, it may also be a good time to for evaluation of your DC&P and ICFR evaluation processes to be sure they are being maintained and executed well to support the maintenance of controls and the necessary disclosures about effectiveness.

Some other actions have included barring accounting firms and individual CPAs from appearing and practicing before the Commission. You´ll hear a bit more about these from our enforcement staff tomorrow. I don´t have time to discuss them in detail now, but I have included references to a number of them in my written remarks that will be posted to our website later today. Many of those cases have involved improper professional conduct as a result of planning and performing audits that do not comply with PCAOB auditing standards. For example, violations noted in multiple recent actions include failures to consider fraud risks, obtain written management representations, prepare and retain certain required documentation, and obtain the required engagement quality reviews.[7]

Internal Control Over Financial Reporting — Where are the Material Weaknesses?

Before wrapping up with a couple of SEC rulemakings, let me address internal control over financial reporting more broadly. Consistent with Paul and Dan´s remarks, we are working together throughout OCA as well as with other offices and divisions on ICFR matters. You´ll hear from staff in our Divisions of Corporation Finance and Enforcement tomorrow. Corp Fin will briefly discuss thoughts on the implementation of COSO´s updated framework. I believe COSO´s updated framework provides an opportunity, when implemented, to improve internal control over financial reporting. The PCAOB is also focusing on audits of ICFR as noted by recent inspection findings and a recent audit risk alert.[8]

As we maintain or increase the intensity of our focus in this area, I´d like to make a couple points. First, I remain convinced that at least some of the PCAOB´s inspection findings related to the audits of internal control over financial reporting are likely indicators of similar problems with management´s evaluations of ICFR, and thus potentially also indicative of risk for unidentified material weaknesses. Some have suggested to me over the years that auditors and the PCAOB have higher expectations than management when considering the adequacy of entity-level controls or the severity of control deficiencies. The SEC´s interpretive guidance for management issued in 2007[9] describes one way in which management can conduct its required evaluation, and SEC rules provide a safe harbor for the adequacy of evaluations conducted following this guidance.[10] The SEC and PCAOB worked very closely together in 2007 to ensure that the SEC´s guidance for management and Auditing Standard No. 5 are fully aligned, especially on the two topics I just mentioned,[11] and we have not received any consultations that suggest otherwise.

My second point is that I continue to question whether all material weaknesses are being properly identified. It is surprisingly rare to see management identify a material weakness in the absence of a material misstatement. This could be either because the deficiencies are not being identified in the first instance or otherwise because the severity of deficiencies is not being evaluated appropriately. OCA plans to continue our close work with Corp Fin, the PCAOB, and Enforcement to address these matters in 2014. Meanwhile, it may be useful for management to dust off the SEC´s 2007 interpretive guidance and compare management´s ICFR evaluation process to the SEC guidance to see if improvements are in order.

Reporting and Audit Requirements for Brokers and Dealers

Let me finish up this morning with brief remarks on two areas of SEC rulemaking. On July 30, 2013, the SEC finalized amendments to broker-dealer financial responsibility requirements and financial reporting rules.[12] In addition, on October 10, 2013 the PCAOB adopted new attestation standards and a new auditing standard, which are now subject to Commission approval.[13] The Commission´s comment period on the PCAOB´s rules closed last Friday. The staff plans to study the comment letters and make recommendations to the Commission prior to the current February 13, 2014 deadline for Commission action. Meanwhile, for those interested, a slide deck I recently presented at the AICPA/SIFMA conference in October providing an overview of the new requirements is available on the SEC´s website.[14] Similarly, slide decks from the PCAOB´s recent broker dealer forums for auditors can be found on the PCAOB´s website.[15]

One point I´d like to emphasize is that auditors of broker-dealers continue to be required to be qualified and independent in accordance with the Commission´s auditor independence requirements in Rule 2-01 of Regulation S-X. This has been the case since 1975. Among other things, this means that auditors cannot both prepare and audit the financial statements of a broker or dealer. Doing so is a violation of SEC independence rules.

Proposed Rules for Crowdfunding

The Commission has continued to make significant progress on other proposals and final rules under the Dodd-Frank Act and the Jumpstart Our Business Startups Act, or JOBS Act. For example, Title III of the JOBS Act directed the Commission to write rules that would permit companies to offer and sell securities through crowdfunding. In October, the Commission proposed these rules that, among other things, would: permit individuals to invest in companies using crowdfunding, subject to certain thresholds; restrict the types of entities that could use crowdfunding and limit the amount of money a company can raise; require certain disclosures about the offer; and create a regulatory framework for intermediaries to facilitate crowdfunding transactions.[16] As Chair White has stated, "we want this market to thrive in a safe manner for investors."[17]

The proposed rules would require all entities to file with the Commission, provide to investors and intermediaries, and make available to potential investors a complete set of financial statements prepared in accordance with U.S. GAAP covering the shorter of the two most recently completed fiscal years or the period since inception. Depending on the amount offered and sold during a 12-month period, the financial statements would have to be accompanied by a copy of the company´s tax return or be reviewed or audited by an independent public accountant. The Commission proposed that SEC independence rules would be applicable. Also, the Commission proposed that reviews be conducted in accordance with the Statements on Standards for Accounting and Review Services issued by the Accounting and Review Services Committee of the AICPA. Audits would have to be conducted in accordance with the auditing standards issued by either the AICPA or the PCAOB, although auditors would not be required to be registered with the PCAOB. The release is 585 pages long and includes 295 questions for public input. The comment period closes February 3, 2014. Our office will continue to work closely with Corp Fin to consider the public input, particularly as it relates to the proposed financial reporting provisions, including the independence and attestation requirements.

Conclusion

Let me close by thanking you for your commitment to reliable and useful financial reporting, including your commitment to audit quality. I look forward to answering questions as part of the end of day Q&A panel.



[1] See PCAOB, Staff Questions and Answers: Adjustments to Prior-Period Financial Statements Audited by a Predecessor Auditor (June 9, 2006), available at http://www.sec.gov/servlet/Satellite/goodbye/SECLink/1370540473437 .

[2] See OCA, Guidance for Consulting with the Office of the Chief Accountant, at http://www.sec.gov/info/accountants/ocasubguidance.htm.

[3] See PCAOB, Docket 034: Proposed Auditing Standards on the Auditor's Report and the Auditor's Responsibilities Regarding Other Information and Related Amendments, at  http://www.sec.gov/servlet/Satellite/goodbye/SECLink/1370540473533 .

[4] See Brian T. Croteau, Remarks Before the 2012 AICPA National Conference on Current SEC and PCAOB Developments — Audit Policy and Current Auditing and Internal Control Matters (Dec. 3, 2012), available at http://www.sec.gov/News/Speech/Detail/Speech/1365171491828.

[5] See In re JPMorgan Chase & Co., AAER No. 3490 (Sept. 19, 2013), available at http://www.sec.gov/litigation/admin/2013/34-70458.pdf.

[6] Id.

[7] See, e.g., In re Patrizio & Zhao LLC and Xinggeng (John) Zhao, CPA, AAER No. 3500 (Sept. 30, 2013), available at http://www.sec.gov/litigation/admin/2013/34-70562.pdf ; In re Malcolm L. Pollard, CPA and Malcolm L. Pollard, Inc., AAER No. 3501 (Sept. 30, 2013), available at http://www.sec.gov/litigation/admin/2013/34-70564.pdf ; In re Wilfred W. Hanson, CPA, AAER No. 3503 (Sept. 30, 2013), available at http://www.sec.gov/litigation/admin/2013/34-70567.pdf; In re Sherb & Co., LLP, Steven J. Sherb, CPA, Christopher A. Valleau, CPA, Mark Mycio, CPA, and Steven N. Epstein, CPA, AAER No. 3512 (Nov. 6, 2013), available at http://www.sec.gov/litigation/admin/2013/34-70823.pdf.

[8] See PCAOB, Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting (Oct. 24, 2013), available at http://www.sec.gov/servlet/Satellite/goodbye/SECLink/1370540474662 .

[9] See FR-77, Commission Guidance Regarding Management´s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (June 27, 2007) ("Commission Guidance"), available at http://www.sec.gov/rules/interp/2007/33-8810.pdf.

[10] See FR-76, Amendments to Rules Regarding Management´s Report on Internal Control Over Financial Reporting (June 20, 2007), available at http://www.sec.gov/rules/final/2007/33-8809.pdf.

[11] For adequacy of entity-level controls, see Commission Guidance at 18–19 and Auditing Standard ("AS") 5.23. For evaluating the severity of control deficiencies, see Commission Guidance at 34–38 and AS 5.63–5.67.

[12] See Rel. No. 34-70073, Broker-Dealer Reports (July 30, 2013), available at http://www.sec.gov/rules/final/2013/34-70073.pdf; Rel. No. 34-70072, Financial Responsibility Rules for Broker-Dealers (July 30, 2013), available at http://www.sec.gov/rules/final/2013/34-70072.pdf.

[13] See Rel. No. 34-70843, Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Auditing Standard No. 17, Auditing Supplemental Information Accompanying Audited Financial Statements and Related Amendments to PCAOB Standards (Nov. 8, 2013), available at http://www.sec.gov/rules/pcaob/2013/34-70843.pdf; Rel. No. 34-70842, Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Attestation Standard No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers, Attestation Standard No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers, and Related Amendments to PCAOB Standards (Nov. 8, 2013), available at http://www.sec.gov/rules/pcaob/2013/34-70842.pdf.

[14] See Brian T. Croteau, Slide Presentation: Broker-Dealer Rulemaking and Applicability of Auditor Independence Rules to Broker-Dealer Audits, AICPA/SIFMA FMS National Conference on the Securities Industry 2013 (Oct. 25, 2013), available at http://www.sec.gov/News/Speech/Detail/Speech/1370540094003.

[15] See PCAOB, Forum on Auditing Smaller Broker-Dealers (Oct. 31, 2013), available at http://www.sec.gov/servlet/Satellite/goodbye/SECLink/1370540474249 ; PCAOB, Forum on Auditing Smaller Broker-Dealers (Nov. 20, 2013), available at http://www.sec.gov/servlet/Satellite/goodbye/SECLink/1370540474345 .

[16] See Rel. No. 33-9470, Crowdfunding (Oct. 23, 2013), available at http://www.sec.gov/rules/proposed/2013/33-9470.pdf.

[17] See SEC, SEC Issues Proposal on Crowdfunding (Oct. 23, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370540017677.