Date: Dec. 9, 2014
Speaker: Jay D. Hanson, Board Member
Event: AICPA Conference on Current SEC and PCAOB Developments
Location: Washington, DC
Good Afternoon,
Thank you for the opportunity to be here with you today. I have attended this conference as a participant or speaker for many years, and I am always impressed with the quality of the speakers and the broad audience reached by this conference. With thousands of participants attending here in Washington, participating in other cities, or listening on-line, this event reaches one of the largest audiences of accountants and auditors every year.
You already heard yesterday from the PCAOB's Chairman, Jim Doty, and you will hear from a number of other PCAOB speakers during this conference, including our Chief Auditor and the Directors of our Inspections Division, Enforcement Division and Office of Research and Analysis. Between all of us, you will hear a lot about what we are up to at the PCAOB, and I will try to not duplicate the information they will provide. But one thing you will hear from all of us is our disclaimer, which requires me to say that the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.
Turning to the substance of my remarks today, I would like to discuss today my perspective on several concepts important to the PCAOB, many of which others have mentioned already at this conference. They all happen to begin with the letter "R": Relevance, Reporting, Remediation and Root Cause.
2001 was a dark year. Of course, no one can forget the horrific events on September 11, 2001, including the loss of life, the terror in America, and the uncertainty of the future world order. But that fall also marked the start of a historic decline in the confidence in public company financial reporting and the audit profession. Enron's first press release, announcing unprecedented losses and billion dollar charges against its balance statement, was issued in October 2001. The subsequent cascade of restatements at Enron and elsewhere, and the discovery of extensive fraudulent financial reporting, marked a historic low point for the accounting and auditing professions.
Actions by Congress in 2002, resulting in the Sarbanes-Oxley Act of 2002 (SOX or Act) and the creation of the PCAOB, were a reaction to the crisis and necessary to reform behavior and restore confidence in the capital markets. In contrast to more recent reform legislation, referenced by Commissioner Gallagher in his remarks yesterday, SOX hit the mark on many fronts. The Act drove three primary developments: Changes in corporate governance giving the audit committee explicit responsibility for auditor oversight; new requirements for management to certify the financial statements and controls; and a new world for auditors who were made subject to PCAOB oversight. Taken together, these changes have made a tremendous difference.
The PCAOB has now been in operation for almost 12 years. Through the issuance of 18 new auditing standards and revisions to many others, over 2,000 inspections, and more than 80 enforcement actions, the Board has made substantial, relevant contributions to improving public company auditing. Auditors have become increasingly aware of their obligation to investors and the public. Audit committees have significantly upped their game in overseeing auditors. And while inspection findings indicate that auditors continue to struggle in a number of key areas, firms have made substantial investments to understand the causes of ongoing deficiencies and to drive improvements in their work.
Yet, I am often asked whether we have struck the right balance to drive positive changes while avoiding the imposition of unreasonable burdens. That is a question that all of us at the Board should regularly ask ourselves. You will hear more tomorrow about our inspection findings, which continue at a rate that no one finds acceptable. Of course, the PCAOB has improved at identifying potential problem areas and scoping inspections accordingly. Our inspections of the largest firms are primarily risk based and review audit work in the most difficult and subjective areas. At the same time, firms are changing the way they carry out the work, including, for example, through increased aggregation and analysis of large quantities of data. Will there come a time when audit practice has improved, or evolved, to the point that we should change our approach to inspections or their scope? Clearly, audit quality is not yet where we want it to be, but, in order for the PCAOB to remain effective and relevant, we must continually scrutinize our work and its results, in order to allow us to evolve and continue to contribute to the improvement of the audit profession even as conditions change.
Our standard setting process, which our Chief Auditor, Marty Baumann, will talk about in a few minutes, also is more rigorous than ever. We have issued some fundamentally important standards and amendments, including those relating to the audits of internal controls and those governing risk assessments, related parties, audit committee communications and others. But more remains to be done, and the Board is committed to improving our standard setting process, where possible, to make it more efficient and effective. Several speakers yesterday, including Chief Accountant Schnurr, Deputy Chief Accountant Croteau, and Commissioner Gallagher questioned whether the PCAOB standard setting process could be improved to result in more timely output of new performance standards. I look forward to working with the SEC staff on a review of our processes, including by taking a look at some fundamental issues such as how topics are added to or removed from our standard setting agenda and how they are prioritized.
Our standard setting program now also explicitly incorporates economic analysis. We have hired several economists to help us tackle this important work, but we all have a lot left to learn. For example, the concept of "information asymmetry" seems to permeate much of our economic analysis. In trying to relate this concept to the world of auditing and audit reports, I think of an analogy to when management evaluates a target for an acquisition. The more a potential acquiring party knows about a target (for example through extensive due diligence), the better it is able to price the acquisition. A set of audited financial statements alone usually would not be sufficient due diligence. Investors tell us that they rely on the audit as part of their due diligence when evaluating an investment. Thus, the more investors can learn from and rely on the financial statements and the more they learn about important audit issues, the better they can price their investment. We will continue to refine our thinking on this and other important economic concepts with the goal of driving the right changes in audit practice without imposing the wrong costs.
Few would argue that the PCAOB has not been an important contributor to the improvements in financial reporting and auditing that have largely restored the confidence in the capital markets that was lost in 2001 and 2002. But our work is not done, and the tough challenge ahead, I believe, will be how to continue to make relevant improvements, at justifiable costs, as both the business world and auditing continue to evolve.
One important aspect of our work that is directly related to our effectiveness and our relevance is the reporting of our findings. In addition to individual inspection reports, the Board issues summary reports aggregating inspection findings or highlighting particular trends, as well as staff practice alerts regarding frequently observed auditing deficiencies. Our staff has been working on improving our individual firm inspection reports, which are our primary means for communicating our findings. We are issuing reports on a more timely basis. We have started including detailed references to the auditing standards that give rise to the deficiencies.
This is a great start, but I believe we can and should do even more to make the individual reports more meaningful and easier to understand, including by providing more context around our findings. As a Board member, I can look at much of the detail that supports each finding cited in the public report, and I can see the trends from year to year for each firm and between firms. I know which audit areas in a given year were the source of the most deficiencies, and I have the context of which findings involved violations by individual auditors of the firms' policies versus those which involved inadequate firm guidance. I know why we picked an issuer, its size and industry, and what audit areas we chose to review, and I can see whether the audit was a "train wreck," a "near miss" or a one-off deficiency that will be relatively easy to address. Some of this context, I believe, would be helpful to our readers as well and I believe we should find a way to report it.
Another challenge we face in connection with our reporting is the balance between timeliness and accuracy. We recently met with an audit committee chair who articulated a common sense request — to share broadly the trends we are seeing in our current-year inspections, and potential audit risks, before the individual firm inspection reports are issued. This audit committee member wants to be able to engage his auditors about potential problems at a time when those issues are still fresh and potentially relevant to his auditors' current work, rather than one or two audit cycles later, after our inspection report has been issued. It is hard to argue with such a request from an audit committee member who is trying his best to exercise rigorous corporate governance, and we need to think about how we might be able to respond.
Likewise, we have made some improvements in our general inspection reports, which aggregate findings or report on specific issues or trends. In recent years, we have added executive summaries to these reports to try to provide, up front, a clear message about what we are finding and what it may mean to firms, audit committees, investors and others. I am hoping that we can continue to improve these reports, including by issuing them more timely and by fleshing out the reports to provide more analysis and context about our findings and relevant trends.
In carrying out our mission, we gain valuable information about audit firms and practices. We see and report on audits that did not meet our standards in some way. We also inspect a substantial number of audits each year, in firms large and small, where the work was done well, and we have no deficiencies to report. I consider all the insights we gain as valuable resources that can and should be shared with our stakeholders. I would like to see us use all of our resources to further improve audit quality.
One of the most important ingredients for audit quality is the firm-wide quality control system designed to provide assurance that firm personnel comply with applicable professional standards and the firm's standards of quality in performing audits. Therefore, one of the most effective ways to improve audit quality is to successfully remediate deficiencies in that quality control system to eliminate systemic problems with audit engagement performance. The Act provided an incentive to do just that, by requiring firms to remediate quality control deficiencies identified by Board inspections within twelve months of the date of the inspection report, or risk publication of any deficiencies that are not timely remediated. As the Board observed early on in its existence, this requirement "rested on the hypothesis that firms could be genuinely motivated by the prospect of keeping the Board's quality control criticisms confidential."[1]
In 2006, along with issuing a Board release describing the Board's process for determinations regarding remediation, the Board issued a general report, discussing its observations of the firms' initial implementation of the remediation requirements.[2] Since then, the PCAOB and registered firms have gained several years of additional experience with the remediation process. With respect to the vast majority of quality control deficiencies, firms took appropriate remedial steps. The Board has, however, made public some or all of the quality control weaknesses or deficiencies of over 150 firms, including some that provided no response to the Board to describe their remedial efforts. Of the largest six public accounting firms in the U.S. which are members of global firm networks, five have been subject to publication by the Board of one or more quality control deficiencies as a result of a Board determination that these deficiencies were not timely remediated.
Having evaluated firm remediation efforts for a number of years, the PCAOB last year issued staff guidance describing the considerations that the inspections staff has identified as relevant to its recommendations to the Board concerning the sufficiency of firms' remediation efforts. This guidance set forth a series of criteria used by the staff to formulate its recommendation to the board and is intended to help firms better tailor their remediation efforts to the Board's expectations. We are hoping to provide additional information about the remediation process and the Board's determination, as well as a follow-up general report to describe some of the remedial actions firms have taken more recently, and how effective those steps were deemed by the Board and staff.
But before a firm can begin to design and implement appropriate remedial actions, the firm has to ask itself: What is the problem that needs to be solved? If additional training or a new practice aid, tool or policy is put into place but does not address the real reason for the deficiency, much effort will be wasted, and audit quality is unlikely to improve. As a result, our Inspections Division has been working with firms, particularly the largest firms, to facilitate a root cause analysis of the underlying causes of their quality control deficiencies. Root cause analysis is a widely used concept in various industries to analyze and understand problems as a way to develop solutions that address the underlying problem rather than symptoms of the problem. Our Inspections staff has begun to analyze audit deficiencies using causal analysis techniques, involving many complex interrelationships between each cause and effect that resulted in an audit quality event. Likewise, we are urging firms to implement rigorous processes to understand the causes and effects contributing to their systemic quality control deficiencies, allowing them subsequently to take effective actions to address those deficiencies.
The other side of the coin is trying to understand what firms do well, or, put another way, conducting root cause analysis of positive audit quality events. In order to drive improvements in audit quality, we need to understand not only what auditors do wrong, but also what they do right or how they successfully tackle difficult challenges. Although our inspection program is designed to test for compliance with auditing standards and other applicable rules, and therefore traditionally has focused on identifying poor audits, rather than good audits, we have made inroads into trying to understand better what factors contribute to high audit quality. To that end, our Inspections Division has begun to identify audits that were performed well and to conduct root cause analysis to determine what sets those audits apart from others. Analyzing positive events may enable firms to articulate what is needed to again achieve those positive events and result in improved processes and work flows.
At the same time, our Office of Research and Analysis has been working on identifying useful audit quality indicators, including certain "input" or "process" indicators that may shed light on what activities by auditors lead to positive audit quality events. This analysis will leverage root cause analysis work by the Inspections Division and audit firms, and we hope that we ultimately will be able to communicate information about activities and processes that will help auditors perform effective, high quality audits on a consistent basis, as well as equip audit committees, investors, and others with information to aid in their evaluation of audits.
With that, let me thank you again for listening, and I will now turn to Marty Baumann to provide a little more detail about what is happening in the area of PCAOB standard setting.