DATE | March 18, 2014 |
Jay D. Hanson, Board Member | |
EVENT: | CBI 10th Annual Pharma/Biotech Accounting & Reporting Congress |
LOCATION: | Philadelphia, PA |
Good Afternoon,
Let me begin by thanking you for inviting me to be here today. Your work in the exciting and fast-paced pharmaceutical, biotechnology, medical device and healthcare industries presents a host of challenging accounting and financial reporting issues. I am pleased to have been asked to be a part of your discussions. I would like to talk a little bit about the role of the Public Company Accounting Oversight Board ("PCAOB") and some of our current activities that may affect your work.
Before I go further, I should tell you that the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.
As you know, the PCAOB was created by Congress through the passage of the Sarbanes-Oxley Act of 2002 ("Sarbanes-Oxley Act") to oversee the audits of public companies in order to protect investors and the public interest by promoting informative, accurate, and independent audit reports The PCAOB began operations in April 2003. I joined the Board in February 2011 after spending over thirty years in public accounting.
Under the Sarbanes-Oxley Act, the PCAOB has four main responsibilities:
In order to achieve our mission, we have a staff of over 800 employees, which work in in sixteen offices around the country. The majority of our employees work in our core program areas in the Division of Inspections and Registration, the Division of Enforcement and Investigations or the Office of the Chief Auditor. In addition to our administrative offices, we also have an Office of International Affairs and an Office of Research and Analysis, both of which provide important information and assistance to the Board and staff.
The PCAOB is led by a five member Board, each of whom is appointed by the U.S. Securities and Exchange Commission ("SEC") to a five year term (with a maximum of two terms permitted). As mandated by the Sarbanes-Oxley Act, two of the five Board members are Certified Public Accountants, and currently I am one of the two. We operate under the oversight of the SEC, which, in addition to appointing Board members, must approve our budget and any rules and standards issued by the Board.
Currently, more than 2300 firms are registered with the Board, including over 900 foreign firms from 85 jurisdictions. The Board has conducted well over 2000 inspections of public company audits, including inspections in 40 jurisdictions outside the United States. After the Dodd-Frank Wall Street Reform and Consumer Protection Act gave us authority in 2010 to inspect the auditors of brokers and dealers, we commenced an interim program of broker-dealer auditor inspections. We are evaluating the findings from the interim inspection program and will consider the effects of our recently issued new broker-dealer audit standards in determining the scope of a future permanent inspection program.
On the standard setting front, since its inception, the Board has issued 17 auditing standards — including, for example, standards addressing audit documentation, internal controls, audit planning, engagement quality review, risk assessment and audit committee communications — as well as two attestation standards for audits of brokers and dealers. We also have substantially amended a number of interim standards — including, for example, standards addressing communications about control deficiencies, audit reports, audit sampling, and substantive analytical procedures, among others.
The fourth prong of the PCAOB's statutory mission is enforcement of applicable federal laws, standards and rules. To date, the Board has publicly announced sanctions against over 50 firms and over 70 individuals, with sanctions including revocations of firm registrations, orders barring or suspending individuals from practicing before the Board, censures and, in some cases, significant monetary penalties. Our cases have involved Big Four firms as well as smaller firms and sole practitioners and have been brought against firms in the U.S. and abroad. In addition, we have matters currently under investigation and in litigation, but those remain non-public pursuant to the Sarbanes-Oxley Act.
As of last year, the PCAOB had been operating for ten years, and many of our processes are now well-established and, we believe, effective. In an effort to continue to enhance our efficiency and effectiveness, however, the Board announced six so-called "near-term priorities" for 2013, which were intended to achieve improvements in how we do things and how useful our work is to our stakeholders. The priorities include:
In 2013 we made substantial progress in a lot of these areas, and beginning this year, the priorities have been incorporated into our five-year Strategic Plan. For example, we now have explicit longer term goals to continue to improve the timeliness, content and readability of inspection reports, provide additional transparency about our remediation process, and enhance data analysis. The project on audit quality indicators continues, and we have incorporated our intention to enhance our interaction with audit committees into several of our strategic goals, including a plan to continue our outreach activities and to enhance our communications generally with audit committee audiences in mind.
I would like to say just a little bit more about three of these important priorities:
With respect to inspection reports, our staff has been working diligently to issue inspection reports more quickly without compromising accuracy, consistency or fairness, and they have made substantial progress. Many of our reports are issued within a matter of months, and for those that take longer than a year after we complete our work in the firm's offices, there is usually a good reason, such as the need to consult internally or with the SEC about complex accounting or independence questions or delays in obtaining or evaluating relevant information from the inspected firm.
In addition, we have been evaluating the content of both our firm-specific inspections report (which are made public in part, consistent with the Sarbanes-Oxley Act) as well as our periodic general reports which summarize inspection findings over a period of time and across firms. One improvement to our general reports, also known as Rule 4010 reports, has been the addition of an "executive summary" written in plain English that we hope will be helpful to investors, audit committees and readers who may not be accountants. In addition, we have tried to go beyond merely summarizing inspection results by providing more context and meaning to those results, including pointing out in our general reports the relevance of the information presented to audit committees and their work. Recently, we also refined some of the standard language in our firm-specific inspection reports, and we began including specific references to auditing standards on which each of the cited deficiencies is based. You can expect to see some additional tweaks in our report format for reports issued in 2014.
Beyond these ongoing improvements, there are several additional changes that I am eager for the Board to consider in the future. First, I am troubled by the Board's use of the term "audit failure" in our reports. Our firm-specific inspection reports publicly identify inspection findings that are of "such significance that it appeared that the Firm, at the time it issued its audit report, had failed to obtain sufficient appropriate audit evidence to support its audit opinion" on either the financial statements or the effectiveness of internal control over financial reporting. In the context of a financial statement audit, for example, this would mean that the identified audit deficiency indicates that the firm did not do enough audit work and did not gather sufficient audit evidence, to render its unqualified opinion that the financial statements are fairly stated. It does not necessarily mean, however, that those financial statements are misstated. Rather, it just means that the auditor did not do enough to know whether or not they were.
Such inspection findings are referred to as "audit failures" in both our firm specific inspection reports and our general summary reports. And of course, the firm, in fact, did not do enough work in the inspected areas. Nevertheless, calling every such deficiency an "audit failure" appears to have caused confusion among investors, audit committees and others, some of whom have interpreted our findings as meaning that the financial statements are misstated or that there is a problem in the company's accounting or internal controls. In fact, however, only very few of our inspection findings ultimately can be linked to a problem in the company's financial statements, and restatements arising out of our inspection process are rare, although they do occur.
Meanwhile, in other contexts, the term "audit failure" is understood to mean that the company's financial statements were misstated, and that the auditor did not identify the relevant problems during the audit. The U.S. Government Accountability Office, for example, in the context of a Congressionally mandated study about whether public companies should be required periodically to rotate their audit firms, defined the term "audit failure" as "audits for which audited financial statements filed with the SEC contained material misstatements whether due to errors or fraud."[2]
I don't believe it is necessary or appropriate for us to deviate from this more commonly understood definition of "audit failure" by using that term to refer to our inspection findings — which are deficiencies in the firm's work but not necessarily representative of problems in the audit client's financial statements or internal controls. Therefore, I would like to see the Board eliminate the use of the term in our inspection reports (unless we know, with respect to a particular audit, that the auditor's failure, in fact, relates to misstated financial statements).
Likewise, I am troubled by providing a "rate" of audit failures in our public reports. Indeed, we include language in our inspection reports explaining that audits are selected for review based on risk and that our reports are not "balanced scorecards" with respect to any particular firm, much less across firms. The risks associated with each audit, and each firm's audit practice, are unique. Presenting "rates" of audit failures, then, which inevitably will be utilized to compare one firm to another, may be misleading at best and harmful at worst.
I also believe that our inspection reports would be more meaningful if we provided more context about the severity of each finding. Currently, each inspection finding in the public portion of a PCAOB inspection report must meet the threshold I just described — that the audit firm did not gather sufficient evidence to render an opinion — but the reports provide no information about which of the deficiencies are relatively minor or involved only a portion of a disclosure, and which indicate a much more significant problem with the audit. I would like to see the Board consider whether it would be possible to classify inspection findings by severity level, in order to provide that additional context.
Finally, I believe that certain information to which I, as a Board Member, have access, would also be helpful in providing more context to readers of our inspection reports. More specifically, when I review draft inspection reports, I request and consider information related to the size and industry of the company whose audit was reviewed, as well as the risks based on which our staff decided to review the particular audit or audit area. While routinely providing this information in inspection reports likely would present implementation challenges to our inspection staff, I believe the Board should add this to its list of potential improvements to consider.
As we have considered how to improve the content and timeliness of information we make available to the public, we have also asked ourselves about who our stakeholders are and how best to reach them. Audit committees are a very significant stakeholder group for us. We recognize their important role, complementary to our own, in overseeing public company audits. As a result, we committed as one of our priorities to enhance our outreach to audit committee members, and we have made a great deal of progress. Board members and senior staff from the PCAOB have attended and made presentations at a number of conferences and discussion groups focused on audit committee members, and, so far, we continue to be invited back! We are also hoping to host a PCAOB-sponsored event for audit committee members sometime this year, in order to hear more about how we can help audit committee members fulfill their responsibilities. And I would be pleased to have a dialogue with any of your audit committee members who may be interested.
For the most part, our conversations with audit committee members have been well received, and we have heard excellent new ideas for how the PCAOB and audit committees can work together. But we have also heard some concern about the PCAOB's involvement in the work of audit committees, including whether we are trying to regulate audit committees or otherwise impose requirements on audit committee members. We are trying to do neither. Rather, our actions are a direct response to hearing, for several years, that audit committees wanted more information from the PCAOB and ideas for what to do with the information we provide. We were frequently asked by audit committee members what they should do with our inspection reports and what our inspection summary reports mean for them. That is the type of information we have attempted to provide — context around our inspection findings and suggestions for how audit committees might be able to use our information to engage with their auditors. I expect we will continue this dialog and hopefully can find the appropriate balance for the type and amount of information to provide.
Finally, let me turn to the last Board priority that I want to address today. For the last year, our Office of Research and Analysis has been working on trying to identify audit quality indicators that could be used to evaluate the quality of work performed by audit firms. As conceived by the Director of our Office of Research and Analysis, this project seeks two answer two questions:
Our expectation is that audit quality indicators can provide information about audit quality that may not otherwise be transparent to investors and audit committee members, who are the "buyers" of audit services. Providing such information, we hope, may improve audit quality by promoting competition among auditors based on quality, rather than cost or other considerations that are unrelated to audit quality.
The indicators are not intended to be formulas for quality, or benchmarks or to provide a "safe harbor" from liability to those who meet certain minimums. Rather, they are intended to provide additional information, hopefully comparable over time and across engagements or firms, that audit committees can put into the mix of information they normally consider in choosing and evaluating their auditor or audit partner.
The Board and staff have discussed this project with our Standing Advisory Group, Investor Advisory Group and other stakeholders, and we have obtained valuable feedback. Currently, the staff is evaluating and testing a number of possible indicators, and we hope to issue a concept release in the coming months to seek comment on a list of potential audit quality indicators that seem to show the most promise.
Finally, let me turn to some important inspection results from the last several years that we believe warrant attention from the audit profession and preparers of financial statements alike. In December 2012, we issued a general inspection report, "Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control Over Financial Reporting." This report summarized observations drawn from inspections of 309 audits of internal control over financial reporting at public companies.[3] In 46 of the 309 integrated audit engagements (approximately 15 percent) that were inspected in 2010, the PCAOB found that the firm had not obtained sufficient audit evidence to support its audit opinion on the effectiveness of internal control due to one or more deficiencies identified by the PCAOB. In 39 of those 46 engagements in which the firm did not have sufficient evidence to support the internal control opinion, the firm also had not obtained sufficient audit evidence to support the financial statement audit opinion.
The inspections results summarized in this report include, among others, our staff's observations about deficiencies in auditors' execution of the "top-down" approach to testing controls. One common finding noted in the report that we are still seeing in our inspections reflect the challenges posed by the need to understand the design, operation and effectiveness of such controls, including whether the control operated at a level of precision that would prevent or detect material misstatements.
Since 2010, these types of findings have continued. As a result, in October 2013, the Board issued a Staff Audit Practice Alert, "Considerations for Audits of Internal Control over Financial Reporting."[4] In that alert, the Board's staff of the Office of the Chief Auditor discussed the application of certain requirements of Auditing Standard No. 5[5] and other PCAOB standards to specific aspects of audits of internal controls.
In connection with our discussions of these troubling inspection findings, we have heard that financial statement preparers have expressed some concern about what the findings mean, and whether there will be significant increases in audit effort, and audit costs, as a result. Some have suggested that the PCAOB, through the inspection process, is bringing back superseded Auditing Standard No. 2[6] or imposing other new requirements that are not mandated by existing auditing standards.
AS No. 5, as many of you may recall, replaced AS No. 2 in 2007, and focused on risk and entity level controls, required the consideration of objectives of the audit rather than focusing on specific procedures, and facilitated the scalability of audits of internal controls.[7] After AS No. 5 was issued, the Board's inspection focused on the implementation of that standard, and, in September 2009, the Board issued a report about the implementation of AS No. 5, "Report on the First-Year Implementation of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements."[8] As described in that report, the Board's initial inspections after the issuance of AS No. 5 were focused on determining whether firms were appropriately implementing the new standard, including whether auditors were appropriately focusing on risk and utilizing an efficient and effective top-down approach.
In the years that immediately followed issuance of AS No. 5, it appeared that firms were very focused on the new standard and doing a good job implementing it. More recently, however, it appeared that the firms' focus on AS 5 — both with respect to audit performance and training — had decreased, and our inspection findings began to creep up.
With regard to the concern that the Board may be moving back toward the more procedures-oriented requirement of AS No. 2, I can assure that that is not the case. Nor are we trying to impose "new" rules on auditors through the inspections process. Contrary to what some preparers may be hearing, we are not imposing specific requirements like telling auditors that they need to follow around the issuer's staff in order to see internal controls in practice, or dictating the creation of flowcharts or even the use of the new COSO framework. However, underlying many of our inspection findings in recent years is the fact that firms did not fully appreciate the way certain controls, especially entity level controls, operated and whether they fully addressed possible risks of financial statement misstatement. And that, of course, is the key to an effective audit of internal controls.
A simple example is a control that requires a signature of a specified person with in the company. Seeing the signature is one piece of evidence of the control, but what underlies the signature? Does the person signing to certify the control following specific steps to satisfy him or herself that it works? Or is the person simply following a monthly practice to "sign here" when told to do so? Auditors need to understand how the control really works. Auditors must understand the control and the risks it is intended to address, evaluate its design effectiveness, and test its operating effectiveness. In some cases, especially if the documentation that supports the operation of the control is not thorough, that may mean following the process as it occurs, such as by watching the person perform necessary steps to achieve comfort that the control is operating effectively. Whatever steps the auditor chooses to satisfy himself about the operation of the control, it must involve a full understanding of what lies behind that signature.
As I turn to taking your questions, I want to thank you for the hard work you do as accountants to translate your companies' transactions into transparent accounting and financial reporting. The capital markets depend on credible financial reporting. I know the work you do today is more difficult than ever and compressed into very short time frames. Your company's current and future investors rely on your diligent efforts.
[1] See Public Company Accounting Oversight Board, "Strategic Plan: Improving the Relevance and Quality of the Audit for the Protection and Benefit of Investors 2012-2016" (Nov. 30, 2012) at 5.
[2] See Government Accountability Office, "Mandatory Audit Firm Rotation Study: Study Questionnaires, Responses, and Summary of Respondents' Comments" (Feb. 27, 2004) at 6. The full definition of "audit failure" in the GAO report is as follows:
audits for which audited financial statements filed with the SEC contained material misstatements whether due to errors or fraud, and reasonable third parties with knowledge of the relevant facts and circumstances would have concluded that the audit was not conducted in accordance with GAAS, and, therefore, the auditor failed to appropriately detect and/or deal with known material misstatements by (1) ensuring that appropriate adjustments, related disclosures, and other changes were made to the financial statements to prevent them from being materially misstated, (2) modifying the auditor's opinion on the financial statements if appropriate adjustments and other changes were not made, or (3) if warranted, resigning as the public company's auditor of record and reporting the reason for the resignation to the SEC.
[3] "Observations from 2010 Inspections of Domestic Annually Inspected Firms Regarding Deficiencies in Audits of Internal Control over Financial Reporting," PCAOB Release 2012-006 (December 10, 2012).
[4] Staff Audit Practice Alert No. 11, Considerations for Audits of Internal Control over Financial Reporting (October 24, 2013).
[5] Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.
[6] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements (Superseded by Auditing Standard No. 5, effective for fiscal years ending on or after November 15, 2007).
[7] See, e.g., Briefing Paper, Auditing Standard No. 5 and other topics (May 24, 2007), available at: http://pcaobus.org/Rules/Rulemaking/Pages/Docket021.aspx
[8] "Report on the First-Year Implementation of Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements," PCAOB Release No. 2009-006 (September 24, 2009).