Newport Beach, CA
Oct. 23, 2015
The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author's colleagues upon the staff of the Commission.
Thank you for the kind introduction and invitation to speak with you today. Before I begin, let me remind you that the views expressed today are my own and not necessarily those of the Commission, the individual Commissioners, or other colleagues on the Commission Staff.
Let me start by thanking you for the important and difficult role you play in protecting investors. In my former life as an audit partner, I had the opportunity to interact with audit committees at not only some of my firm's largest audit clients, but also some small and mid-size audit clients. Through those interactions, I have seen significant improvement in the quality and performance of audit committees in their integral role with respect to investor protection. Among other things, they provide oversight over, and serve as a check and balance on, a company's financial reporting system.
In 1999, a publication of the Blue Ribbon Committee[1] identified audit committees, together with management and the independent auditor, as one of the three legs of the stool that supports appropriate financial disclosure and an environment of active and participatory oversight over the financial reporting process. The report went on to say that the audit committee must be first among equals in this process, because the audit committee is an extension of the full board and hence the ultimate monitor of the process. A short time later, the Sarbanes-Oxley Act of 2002 (SOX) introduced a number of significant changes to audit committee responsibilities that further reinforced the importance of their oversight role.[2] More recently, the role of audit committees in the financial reporting system was emphasized in the 2013 COSO Internal Control — Integrated Framework. The updated Framework devotes one of its 17 principles to the responsibilities of the board of directors or its audit committee in the oversight of a company's internal control.[3]
Over the past several years, many audit committees have also assumed a number of responsibilities that extend beyond their specific regulatory obligations. For example, today, audit committees are often charged by the board with oversight of a host of major risks facing the company — from cybersecurity, through emerging technologies, to compliance risks posed by government regulation and enforcement efforts. Because the financial reporting implications of such risks are naturally of interest to the audit committee, it's not surprising that some boards have sought to leverage the audit committee's skills, knowledge, and involvement in these areas.
Today, I would like to share my thoughts and perspectives on several key issues facing audit committees — the Commission's Concept Release on Audit Committee Disclosures, the importance of internal control over financial reporting, implementation of the new revenue recognition standard, and disclosure effectiveness.
Corresponding with the importance and breadth of audit committee responsibilities, the staff has observed a growing desire by some investors to hear more from audit committees about how they perform their role as gate keepers for the benefit of investors. We have also heard that as some audit committees reflect on the time and effort they spend on their responsibilities, the one or two paragraph report they have historically prepared may not give justice to the full extent of the work they have performed. In response, some audit committees have taken initiatives to enhance their public reporting to investors and have included disclosures that go beyond the requirements in existing rules. While changes in the roles, responsibilities, and scope of required audit committee disclosures have been afoot in other jurisdictions, SEC disclosure requirements for audit committees have not changed since 1999 and pre-date the SOX reforms.
With this background in mind, on July 1st of this year, the Commission sought feedback on whether improvements could be made to the existing audit committee reporting requirements through the issuance of a Concept Release on Possible Revisions to Audit Committee Disclosures.[4] The Concept Release sought public comment on a variety of issues related to the audit committees' oversight of the independent auditor — a significant part of the audit committee responsibilities mandated by SOX. The Concept Release also requested feedback on the desire of investors for additional disclosures regarding audit committees' work in other areas of their responsibilities.
The comment period for the Concept Release closed on September 8, and the Commission has received almost 100 comment letters from a variety of constituents. The most, approximately 40%, have come from audit committees and management. About 20% of the letters are from auditors and other accountants, and the remaining 40% are fairly evenly distributed among investors, academics, professional associations, and others, such as law firms and individuals. Overall, I would say there were mixed views about the need for additional mandatory disclosures related to audit committee oversight of the independent auditor. Some commenters supported additional disclosure in certain areas, while others thought enhanced disclosure should be encouraged solely on a voluntary basis.
Many of the commenters who supported voluntary disclosures were members of audit committees and other representatives of issuers who currently voluntarily include at least some disclosures that go beyond the existing SEC requirements. However, the practice of voluntary disclosure is by no means common to all listed companies. In fact, some commenters questioned the extent to which the voluntary reporting by certain audit committees today is in response to the Commission's current interest in considering the adequacy of the existing disclosure requirements. These commenters questioned whether a potential lack of Commission action to improve disclosures would result in a shift back to the previous practice of generally only disclosing the minimum information required.
Of those commenters who were supportive of additional audit committee disclosure requirements, many encouraged the SEC to consider implementing principles-based requirements. They noted that doing so would allow audit committees sufficient flexibility to tailor disclosures to their particular facts and circumstances, as it pertains to both the company and the particular year, and to avoid boilerplate reporting. Some of those commenters suggested the Commission's potential disclosure examples in the Concept Release would, if adopted, amount to a rules-based disclosure regime that would lead to a checklist approach and boilerplate reporting aimed primarily at ensuring compliance and minimizing risks, including risks of litigation. In this respect, I would like to observe the Concept Release published by the Commission did not constitute a proposal or endorsement of any particular disclosure requirements or the manner of their implementation. Rather, it sought feedback on potential areas of disclosure which may be useful to investors and the ways in which the related disclosure requirements of the Commission could be enhanced. The SEC staff is carefully evaluating all the comment letters in advance of making any further recommendations to the Commission.
While the Concept Release primarily sought feedback regarding additional disclosures of audit committees' oversight of the independent auditor, it also asked whether potential new disclosure requirements should extend to other important areas of audit committees' work. In this respect, a number of commenters expressed their belief that focusing solely on auditor oversight might not be reflective of the full scope of audit committees' responsibilities. They suggested that investors might benefit from disclosure of audit committees' work in other areas, such as oversight of financial reporting by management, oversight of internal control, and oversight of the internal audit function.
A number of commenters also expressed the belief that the Commission should look beyond the audit committee reporting requirements and should revisit its rules regarding the composition of audit committees. In particular, some commenters suggested that a strengthened definition of an audit committee financial expert might be appropriate to help encourage meeting the demands of today's financial reporting environment.
A variety of other topics were addressed, including potential litigation risk, effects of disclosure on communication between audit committees and independent auditors, and the committees' growing workload.
Finally, respondents to the Concept Release observed a potential overlap between some of the topics considered in the Concept Release and certain projects currently being pursued by the PCAOB[5], including the PCAOB's transparency project, which would require disclosure of the name of the audit engagement partner and the firm names of other participants in the audit. In addition, the PCAOB has proposed changes to the auditor reporting model and the potential use of audit quality indicators. The staff will consider these comments as we continue our close collaboration with the PCAOB on those projects.
As I mentioned a moment ago, some respondents to the Concept Release highlighted the important role audit committees play in the oversight of internal control over financial reporting (ICFR). Taking this into account, I would like to address several aspects of ICFR assessments, and the related audits, that may be relevant to you in your oversight work. We are routinely reminded through our daily work, academic studies, and interactions with investors that investors view ICFR assessments — and independent auditors' attestation on ICFR — as beneficial and important for investor protection. Accordingly, ICFR is an area that has and will continue to attract the attention of the SEC staff.
You may have noticed SEC staff speeches over the past few years questioning whether material weaknesses in ICFR are being properly identified, evaluated, and disclosed.[6] Some of you may also work with a company who received questions about its ICFR evaluation or disclosures in a comment letter from the Division of Corporation Finance as part of its ongoing disclosure review program. Furthermore, some of you may have heard from your auditor that the PCAOB has identified and disclosed in the public portion of its inspection report an audit deficiency related to the company's ICFR audit. Suffice it to say, the staff's efforts related to ICFR are coordinated among the various offices and divisions of the SEC, including OCA, the Division of Corporation Finance, and Enforcement. We also work closely on ICFR matters with the PCAOB.
Much of the dialogue the SEC staff has with companies regarding ICFR continues to focus on fully and accurately describing identified control deficiencies, including understanding the nature of the deficiency and the control that failed or was insufficient. We also routinely engage management in discussions regarding the root causes of identified control deficiencies, which is important because of the potential pervasive impact of certain control issues that may not be immediately obvious. Appropriate disclosure of a material weakness is important because it can aid investors in assessing the potential impact to the financial statements of the material weakness.
All of these matters require careful consideration by both management and the independent auditor and may involve a significant amount of judgment. Effective oversight of these judgments and the conclusions reached by both management and the independent auditor represents an important responsibility of audit committees.
Timely identification, appropriate evaluation, and accurate disclosure of material weaknesses are, of course, predicated on a comprehensive assessment of ICFR by management and on an effective audit of that assessment by the independent auditor. Unfortunately, as you may be aware, ICFR deficiencies continue to be one of the most frequent findings in PCAOB inspections of the largest public accounting firms. These findings often question the sufficiency of auditing procedures to evaluate the adequacy of the design of controls, in particular management review controls, or the effective operation of the control.
The persistent and frequent nature of these ICFR inspection findings has drawn attention from various stakeholders and raised questions regarding the underlying issues. Some suggest that ICFR implementation is simply not compliant with the requirements and that deficiencies in audits identified by the PCAOB may, at least in part, be indicative of deficiencies in management's controls. Others have suggested the PCAOB may have set expectations for auditor performance at a level that exceeds the requirements of its auditing standards.
Of course, these are just two possible explanations, and many have been eager to share their own views. For example, a letter sent to PCAOB Chairman Doty and me by the U.S. Chamber of Commerce in May of this year discusses the experience and perspectives on ICFR audits of certain of the members of the Chamber.[7] PCAOB staff, with me and members of my staff observing, recently had outreach meetings with the Chamber, the Center for Audit Quality, FEI, and certain of each organization's members. These conversations have been a productive start to a dialogue which will continue.
Based on what we have heard so far, it is important to keep in mind that while PCAOB inspection findings are, of course, one very visible factor to consider, they are only one of several elements in the ICFR equation. That equation also includes the Commission's interpretive guidance[8] that is aligned with Auditing Standard No. 5[9] and management's statutory obligation to devise and maintain an adequate system of internal controls. Furthermore, to the extent a company's ICFR is subject to an independent audit requirement, it is also important to recognize that auditors need evidence of the design and effective operation of controls.
This basic principle is well recognized in the SEC's guidance for management, which states that management's assessment must be supported by evidential matter that provides reasonable support for its assessment. The guidance goes on to say that the nature and extent of the evidential matter may need to be adjusted depending on factors such as complexity of a control, the level of judgment required to operate the control, and the significance of the risk of misstatement the control is designed to address. Similarly, the updated COSO Framework discusses documentation of internal controls, including management's responsibility for providing support to regulators, shareholders, independent auditors, and other third parties for its assertion on the effectiveness of internal control.[10]
In analyzing the impacts of the PCAOB inspection process, it is also important to consider that in some instances, management may not be fully informed about the nature of the issues behind the audit deficiencies identified by the PCAOB. It is also possible that auditors are not always adequately explaining the reasons why certain of their procedures are important to forming their opinion.
Much of what we have heard through the ongoing outreach efforts tends to be fact specific and necessitates a specific discussion. This is where I see room for additional involvement by audit committees. Under the three-legged stool model that I mentioned earlier, audit committees are in a unique position to gain valuable insights into both management's financial reporting process and internal controls and the work performed by the independent auditor. I encourage you to engage in a dialogue with your auditors regarding matters such as the auditors' risk assessment decisions, selection of key controls, and approach to testing these controls in the context of existing guidance from the SEC and the PCAOB. You may seek understanding of the critical audit decisions from both the engagement team and, if necessary, request that the concerns or disagreement between management and the engagement team be elevated to others at the audit firm who may be in a better position to articulate certain aspects of the firm's audit approach and methodology.
I believe that more effective communication between audit committees, management, and independent auditors will help alleviate some of the concerns raised. At the same time, we will continue to work closely with the PCAOB in this area. Together we will consider whether these issues would benefit from additional staff communication, for example at future conferences, or other actions by the Commission or the PCAOB, keeping in mind first and foremost both organizations' commitment to reliable financial reporting and investor protection.
I'll wrap up my comments on ICFR with a forward-looking point: as companies work to implement the FASB[11] and IASB's[12] newly converged standard on revenue recognition,[13] it is important to give early and ongoing consideration to implementing new controls or redesigning existing controls where necessary. This includes both controls that operate at the process or transaction level as well as controls in other components of ICFR such as control environment, risk assessment, and information and communication. Given the special importance of properly accounting for revenue, to the extent changes are made to ICFR in advance of adoption that also relate to current period financial reporting, I would also remind management to consider its quarterly obligations to disclose material changes to ICFR. And again, audit committees should provide effective oversight of the changes made by management to the company's system of ICFR in transitioning to the new revenue recognition standard.
Speaking of the new revenue recognition standard, audit committees have an important role to play in overseeing companies as they look to successfully implement the new guidance. Revenue is one of the single most important measures used by investors, and I believe the new standard — when applied with appropriate professional judgment — will consistently report revenue, regardless of the company's industry or the capital markets accessed. I am encouraged that preparers, auditors, and standard-setters are working together to identify, evaluate, and resolve implementation issues in a consistent manner across all industries and transaction types.
Even with the recently finalized one year deferral,[14] the effective date of the standard will be upon us before you know it. I know that many of you have commenced discussions with management on the new guidance; some may even have a preliminary assessment of how the company may be affected. But these preliminary discussions are just the first step. As part of its governance role, I encourage audit committees to review and critically evaluate management's detailed implementation plan. While these plans should be tailored based on the extent to which the company will be affected by the new standard, let me highlight a couple of observations.
First, a thorough implementation plan will include the key actions to be taken during the implementation phase, the estimated timing of these actions, and how management is tracking against that timing. The impact of the new guidance is likely not limited to the financial statements. Rather, management's key actions should holistically consider how the new guidance will impact other aspects of the organization, including information systems, business processes, compensation and other contractual arrangements, and tax planning strategies, just to name a few. You may also want to evaluate management's planned transition method and disclosures as the standard provides for either full retrospective or a modified retrospective adoption of the new guidance.
Next, management should be assessing whether it currently has the information needed to satisfy the new reporting requirements. Because of the nature of the changes, including the enhanced disclosure requirements, new processes and controls may be needed in order to not only gather the information but also ensure its accuracy and completeness. Consistent with my earlier remarks, investors expect companies to have internal controls in place to reasonably assure the reliability of the financial information reported by management. It will be important that management take a holistic view of the potential effects the new standard may have on internal controls.
Another key consideration around implementation is whether the company has sufficient resources to properly apply the principles of the new standard. Such a significant change can put pressure on resources for reporting earnings and preparing periodic reports. I would encourage you to consider whether adequate resources have been dedicated to analyzing the impact of the new guidance and whether additional internal or external resources may be needed.
Considering the changes in the key principles for recognizing revenue from a risk and rewards approach to a control approach, the impact on different industries could be significant. For example, a straight forward manufacturing company will likely not see a change in the timing of the recognition and measurement of its revenues, while more significant changes are expected to occur for other industries including the software and real estate industries.
I would suggest that, as you review the changes, you ask management to identify and explain why the changes are occurring or in some cases why changes are not occurring. In particular, I would suggest that you inquire whether there are differing views within the industry on how to implement the new standard and if so how have management and the auditor concluded that the company's approach was appropriate.
I also suggest you challenge the auditors on conclusions that do not appear to reflect the core business of the company. For example, some in the profession have taken the view that the new standard requires more separate performance obligations than under today's standard which will require the company to separately allocate revenue to each of the obligations. OCA has observed this issue with respect to those who suggested that shipping the product was a separate performance obligation. The Transition Resource Group of the FASB and IASB has addressed this issue[15], but I am still concerned there may be interpretations that are overcomplicating the financial reporting of transactions.
Finally, a thorough implementation plan should also consider how management will identify and communicate with key constituents about the impact the new standard will have on its financial statements. This may include understanding from investor relations the nature and timing of communications with various users and analysts. It will also include developing appropriate disclosures regarding the impact the new standard will have on the financial statements when it becomes effective in a future period.[16] We expect the level of these disclosures to increase between now and adoption and are looking forward to understanding more about the impacts during our review of the 2015 financial statements.
That reminder on disclosures highlights the final key responsibility of audit committees I'll mention today, which is oversight of financial reporting and the importance of effective disclosures. The core purpose of disclosure is to provide investors with the information they need to make informed investment and voting decisions.[17] The audit committee plays a critical role in overseeing management's preparation of reliable financial disclosure.[18]
The SEC staff continues to work on a number of disclosure effectiveness initiatives, including considering ways to update the existing requirements in Regulations S-K and S-X. As part of these efforts, the Commission is currently seeking public comment on the requirements for the form and content of financial disclosures that companies must file with the SEC about acquired businesses, affiliated entities, and guarantors and issuers of guaranteed securities. [19] This request for comment is an important step in the disclosure effectiveness initiative, and we continue to support our colleagues in the Division of Corporation Finance as they develop recommendations on additional ways to update Regulations S-K and S-X and the presentation and delivery of disclosures.
Chair White also has instructed OCA to coordinate with the FASB on ways to improve the effectiveness of financial statement disclosures and minimize duplication with other existing disclosure requirements. In collaboration with the FASB, OCA and the Division of Corporation Finance are actively working on recommendations to address the interaction between the Commission's rules and GAAP. In addition, the FASB recently issued a proposal[20] aimed at potentially improving the effectiveness of financial statement disclosures. That proposal would, among other things, clarify that omitting a disclosure of immaterial information would not be an accounting error.
We support efforts by the FASB to provide a disclosure framework that facilitates clear communication of the information most important to users of a company's financial statements and look forward to constituent feedback on both the Commission and FASB requests for comment.
While these efforts aim to support the objective of disclosure effectiveness, updates to U.S. GAAP and Commission rules are only one step in improving disclosures. Companies also play an important role in improving the quality and effectiveness of disclosures, and there is nothing to stop preparers from performing their own disclosure effectiveness analysis. I realize that making significant changes to the periodic report is not an effortless task, so let me leave you with a couple of observations.
First, I would encourage you to set the tone for the organization — one that expects effective disclosure and robust judgments on preparing it. Empower management and embrace efforts to focus on disclosure effectiveness. For some companies, this could entail, among other things, redesigning portions of the document to include tables and graphs, removing outdated disclosures when appropriate, and increasing the use of hyper-links and cross-references instead of repeating the same disclosure in multiple places.
Next, actively participate in the dialogue, not only around the "volume" of disclosure but, more importantly, around the quality of those disclosures. Consider the various users of the financial statements and think about better ways to convey information to them. Effective disclosures are not static. Rather, what is important to investors may change over time. As facts and circumstances change, you may need to re-evaluate whether existing disclosures continue to be relevant and applicable to your current situation.
Finally, omitting immaterial financial statement disclosures will often require significant judgement. The accounting literature allows for appropriate, well-supported judgments around disclosure.[21] Well-reasoned, practical judgments to omit immaterial disclosures should be grounded in the objectives and principles of the relevant guidance and companies should have appropriate processes and controls to evaluate those judgments. As part of its oversight, audit committees should encourage this dialogue. Developing appropriate processes to enhance disclosures — and judgments for deciding which disclosures can be omitted — naturally requires coordination with the audit committee. Being an active and willing participant in the process is a key step as we collectively work to achieve disclosure effectiveness.
I appreciate the opportunity to share my remarks to you today at this important conference. Thank you for your attention.
[1] Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, published by the New York Stock Exchange and National Association of Securities Dealers (1999) available at: http://www.chugachelectric.com/pdfs/agenda/fcagenda_051403_ixd.pdf.
[2] Among other things, the Sarbanes-Oxley Act of 2002 required the Commission to adopt rules directing the national securities exchanges and associations to require in their listing requirements that audit committees of U.S. public companies to comprise solely board members independent of management. SOX also made audit committees directly responsible for the appointment, compensation, and oversight of the work of the independent auditor and enhanced requirements for communication between the audit committee and the independent auditor. SOX also directed the Commission to adopt rules requiring issuers to disclose whether at least one "audit committee financial expert" serves on the audit committee.
[3] Internal Control — Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (May 2013) ( "COSO 2013 Framework"), p. 39, available at: www.coso.org/IC.htm.
[4] SEC Release No. 33-9862, Possible Revisions to Audit Committee Disclosures (July 1, 2015) [80 FR 38995], available at: http://www.sec.gov/rules/concept/2015/33-9862.pdf.
[5] Public Company Accounting Oversight Board.
[6] See Brian T. Croteau, Remarks Before the 2014 AICPA National Conference on Current SEC and PCAOB Developments "” Audit Policy and Current Auditing, Independence, and Internal Control Matters (Dec. 8, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370543616539.
[7] See http://www.centerforcapitalmarkets.com/wp-content/uploads/2015/05/2015-5.28-Letter-to-SEC-and-PCAOB.pdf.
[8] Release Nos. 33-8810, 34-55929, Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (June 27, 2007) available at: http://www.sec.gov/rules/interp/2007/33-8810.pdf.
[9] PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With An Audit of Financial Statements.
[10] COSO 2013 Framework, pp. 29-30.
[11] Financial Accounting Standards Board.
[12] International Accounting Standards Board.
[13] See Financial Accounting Standards Board Accounting Standards Update No. 2014-09 Revenue from Contracts with Customers (Topic 606) (May 2014), available at http://www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176164076069&acceptedDisclaimer=true.
[14] See http://www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176166272502&acceptedDisclaimer=true.
[15] See the FASB's Proposed Accounting Standards Update Identifying Performance Obligations and Licensing at http://www.fasb.org/jsp/FASB/Document_C/DocumentPage?cid=1176166005104&acceptedDisclaimer=true which reflects the FASB's tentative decisions to amend the guidance on shipping and handling as a result of the challenges discussed by the TRG.
[16] See SEC Staff Accounting Bulletin (SAB) No. 74 (Topic 11.M), Disclosure of the Impact that Recently Issued Accounting Standards Will Have on the Financial Statements of the Registrant When Adopted in a Future Period.
[17] See remarks by Chair Mary Jo White to the National Association of Corporate Directors, The Path Forward on Disclosure (Oct. 15, 2013), available at http://www.sec.gov/News/Speech/Detail/Speech/1370539878806.
[18] Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, note 1, supra.
[20] Proposed Accounting Standards Update Assessing Whether Disclosures Are Material and Proposed Accounting Standards Update Chapter 3: Qualitative Characteristics of Useful Financial Information. See http://www.fasb.org/cs/ContentServer?c=FASBContent_C&pagename=FASB%2FFASBContent_C%2FNewsPage&cid=1176166401832.
[21] Accounting Standards Codification Topic 105-10-05-6 states "The provisions of the Codification need not be applied to immaterial items."