Date: Dec. 10, 2015
Speaker: Jay D. Hanson, Board Member
Event: AICPA Current SEC and PCAOB Developments Conference
Location: Washington
Good Afternoon,
Thank you for the privilege to speak again at this conference. As I am completing my fifth year as a Board member of the Public Company Accounting Oversight Board ("PCAOB" or "Board"), this is still one of my favorite conferences to learn about current developments, as well as interact with many of you to hear your suggestions and concerns.
You already heard from a number of other PCAOB speakers during this conference. We each provide our own unique insights and, as you have heard others say before me, the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB.
In the brief time I will take today, I will comment on a few aspects of our standard setting activities, share some opinions on topics others have raised, and comment on our project on audit quality indicators.
PCAOB Chief Auditor Marty Baumann just provided an update about some of our standard-setting projects. Several representatives from the Securities and Exchange Commission ("SEC") also commented at this conference on our work to improve our standard setting process. Behind the scenes, much work is in progress to refine the process by which projects get added to our agenda, how they get prioritized and how the work flows from start to finish. While many aspects of these changes may not be visible to most of you in the room, I hope the result is better decisions about what gets on our agenda, informed by appropriate research. I also hope that we end up with a better definition of the problem we are trying to solve, broad consideration of alternatives to solve the problem, and ultimately, if rulemaking is necessary, a solution that addresses the problem in a timely and cost effective way.
I will comment on a few of the projects Marty discussed. We received significant feedback on the auditor reporting model project after we proposed it in 2013.[1] A number of commenters expressed concern about the broad scope of what the auditor would have to consider in identifying critical audit matters ("CAMs") to report. Commenters also expressed concerns that CAMs would sometimes address matters that are immaterial or that would reveal company information not otherwise required to be disclosed under applicable securities laws and regulations. I am optimistic that our reproposal will address these important concerns and result in a meaningful, operational standard. Another overarching concern from preparers is whether we should proceed with a project like this at all, as opposed to letting the SEC mandate any needed improvements to management's disclosures. A similar theme among the comments was the question of whether the CAMs would substantially duplicate other disclosures, including management's discussion of critical accounting estimates.
One benefit of the passage of time since our 2013 proposal is that we have had an opportunity to monitor developments in other countries, including the United Kingdom ("UK"). We are closely watching the results of the expanded audit or reporting that has been in place there for several years. We are also benefitting from new academic studies that are beginning to focus on the value of the auditor disclosures, how much duplication may be occurring with management disclosures and whether investors value – and act on – the information.
The feedback from the consultation papers our staff issued on fair value, estimates and specialists have been informative.[2] I encourage preparers to follow these projects closely since the ultimate result may require auditors to perform more work and therefore may affect the amount of time preparers spend gathering information for their auditors. The specialist consultation paper includes some provocative questions about whether all information that management provides to the auditor should be treated the same, regardless of whether it was prepared by accountants employed by the company or by a specialist, such as an actuary, who relies on historical data provided by the company, along with assumptions about the future. The Board's decisions on the appropriate degree of scrutiny by auditors of this type of information could have significant effects on many aspects of an audit. I personally hope we end up in a place that would enhance the current standards for the auditor's use of the work of a specialist, but not go as far as certain of the ideas raised in the consultation paper might suggest.
Marty mentioned the feedback we have received from the U.S. Chamber of Commerce regarding the work auditors are performing in the area of internal controls over financial reporting. Several other speakers at the conference, including SEC Chair White, as well a panel yesterday afternoon that included my fellow PCAOB Board Member Jeanette Franzel, discussed the importance of internal controls. I personally have participated in meetings with many preparers and members of organizations representing financial management. I have also had many meetings with audit committee members over the past year. I welcome the feedback about the practical consequence of our regulation of auditors. In many respects, hearing directly from those on the receiving end of an audit how rigorous and challenging the audit is today is good news. On the other hand, it is troubling to hear stories of auditors focusing too much on immaterial items and doing "defensive auditing." And as you all know, if you focus too much on the small items, you may miss big picture. Our inspection activities show that all engagement teams do not execute required audit procedures equally well. Many firms have developed tools, checklists and templates to drive more consistent execution. While these tools overall are successful, they are not substitutes for an auditor's understanding of the business, the controls and why specified audit procedures are necessary. I was pleased with the panel discussion yesterday, which brought out many of the issues we have discussed with firms and preparers in recent months. A big take-away from the panel was that good communication between management and the audit team is essential.
In that context, let me emphasize again some comments I made recently at another conference. Many of the concerns I have heard about ICFR from preparers is that they believe their management review controls are effective in detecting potential material misstatements, because they know what actions they and their team take to review a monthly reporting package, and they know that their staff will follow up on questions raised during this process. The auditors, however, are telling preparers that they cannot accept their sign-off as evidence of the control's effectiveness. And in fact, while auditors may be able to accept a sign-off when testing a simple process level control that does not involve much judgment (like matching a purchase order, shipping document and invoice), that does not suffice for management review controls. The applicable auditing standard, AS 5, specifically states that inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control. [3] The actual procedures needed for a particular management review control will depend on, among other things, the nature of the control, the risk associated with the control, the information used in the control, and the evidence of the control's operation. AS 5 gives examples such as observation, inspection of relevant documentation, and re-performance of a control. One of my mentors early in my career frequently said "you can't just audit by conversation, you need to audit the support for what management tells you." Those words from over 30 years ago apply today to controls testing.
I look forward to continuing our discussions with preparers and auditors on these important topics and many others.
Yesterday, Cindy Fornelli from the Center for Audit Quality ("CAQ") described the CAQ efforts around audit quality indicators. Chief Accountant Jim Schnurr and others also have mentioned the PCAOB project in this area. I commend the CAQ for the work they have done and what they have shared with us. Collectively, we are advancing thought in this important area and driving improvements in audits.
The Board issued a concept release in June 2015 on audit quality indicators.[4] Prior to the issuance of the concept release, we had several discussions over multiple meetings with our Standing Advisory and Investor Advisory Groups. Since the issuance, we had further discussions with both groups. I personally have discussed the concepts with multiple preparers, audit committees and others. Overall, we have received substantial helpful input.
The overwhelming feedback has been that exploring audit quality indicators is a worthwhile effort. However, there is sharp divergence on the role of the PCAOB in this area, questions about how AQIs should be used, and varying views about appropriate next steps. Some advocate that the PCAOB should move quickly to require the use of certain defined indicators by audit firms and individual engagement teams and that such indicators be made publically available for all investors to consider. Many others have argued that best use of audit quality indicators is in a discussion between the engagement team and audit committee, focusing on indicators that best capture the relevant considerations for that audit. Some of these commenters suggested that the PCAOB refrain from mandating any specific indicators at this time. Rather, these commenters believe that the Board should let auditor and audit committee practice develop on a voluntary basis before considering whether rulemaking is necessary.
We received very little feedback on the specific AQIs discussed in the concept release. Many commenters believed that those engagement level AQIs that are focused on the availability and competence of engagement personnel are most valuable. Some of my one-on-one conversations with audit committee members emphasized the importance of the qualitative aspects of the relationship with the engagement partner, and no quantitative metric would capture that.
With regard to next steps, my personal opinion is that we need to further our efforts to validate which AQIs have the strongest correlation to high quality audits. I believe we should refine the list of 28 indicators included in the concept release to 10 or fewer and make that list public, along with clear definitions for each indicator to encourage consistency in their use. We should continue to collect and analyze information, through our inspection process and other outreach, about what indicators audit committees and engagement teams find most valuable and provide transparency about our findings and conclusions. After a few years, we can reassess the need, if any, for rulemaking to mandate the use, discussion or disclosure of quality indicators.
I also believe we should encourage the firms' efforts in publishing audit quality reports to make as much relevant information available to investors as possible. Relevant to this approach, I was interested to see that the UK Financial Reporting Council ("FRC") recently published its 2016-19 strategy.[5] One aspect of the FRC plan is something I agree with: Place greater emphasis on best practice, education and other non-regulatory approaches to help secure continuous improvement in the quality of information and behaviour, including through our corporate reporting and audit quality review activities." The FRC's regulatory mandate is broader than the PCAOB's, but the principles apply equally to us. Audit quality indicators is one project where we can experiment with driving improvements in audit quality by providing information and encouraging voluntary compliance and disclosure, before we determine whether regulation is needed. Stay tuned.
Tomorrow, you will hear about our recent inspection findings from Helen Munter, PCAOB Director of Registration and Inspections. I won't go into any details of what she will discuss, but I want to highlight a couple of points from our recent general purpose report on observations of the Risk Assessment Standards.[6] This report provides information regarding the implementation of, and compliance with, the Risk Assessment Standards from the PCAOB's 2012-2014 inspections of registered public accounting firms. The report expresses the Board's concern about the number and significance of deficiencies related to the Risk Assessment Standards. It is important to understand that the procedures required by these standards underlie the entire audit process and drive decisions about the scope and nature of the procedures that the auditor ultimately performs to support the opinion expressed in the auditor's report. Summarizing our inspectors' conclusions about potential causes of the deficiencies, the report provides examples, including the following, among others:
· "The firm did not have an adequate understanding of the issuer and its processes and related internal control over financial reporting."
· "The firm did not adequately design and perform audit procedures to address identified and assessed risks of material misstatement."
· "Senior members of the engagement team, including the engagement partner, may not devote sufficient attention to the performance of risk assessment procedures or the supervision, including review of the work of engagement team members."
· "Some firm professionals may not exercise due care, including professional skepticism (e.g., overreliance upon management assertions, reliance on perceived knowledge of the issuer, and insufficient evaluation of contradictory evidence)."[7]
The Canadian Public Accountability Board ("CPAB") is Canada's audit regulator responsible for the oversight of public accounting firms that audit Canadian reporting issuers. CPAB recently issued a report that discusses the 2015 annual inspection findings for Canada's four largest public accounting firms, and I noted that several observations in CPAB's report are consistent with our recent report. For example, that report states:
· "Auditors must make sure that procedures are appropriately designed and executed. If fundamental audit areas are delegated to more junior staff, the firm must see to it that staff have the appropriate training to perform their assigned procedures and that their work is appropriately supervised and reviewed."
· "An insufficient understanding of the client's business is the root cause behind many of the audit findings we identified. To assess risk of error and ultimately determine an effective audit strategy, the auditor needs a sound understanding of the company's business, operations, and nature and flow of accounting transactions. Otherwise, it is difficult to plan and execute an effective audit."
· "Areas requiring the most professional judgment and skepticism continued to feature prominently in our 2015 inspection findings. Participation of senior engagement leaders at both the planning and issues resolution stages remains the best way to deal with these matters. To address audit team inexperience and to support the delivery of a quality audit, the timely and appropriate involvement of engagement leadership is essential." [8]
As I think about my (now dated) experience as an auditor and consider issues relating to the appropriate scope ICRF audit work, the most important AQIs, and PCAOB inspectors' observations about potential causes of inspection findings, I find that there is a common theme that comes up again and again: The best audits are those that are conducted by the right people, with the right skills, doing things at the right time and in the right order, properly supervised, with a skeptical mindset and communicating effectively throughout the process. Simple, right?
With that, let me thank you again for listening, and I will take questions during the session at the end of the day.
[1] Proposed Auditing Standards – the Auditor's Report on an Audit of Financial Statements when the Auditor Expresses and Unqualified Opinion; The Auditor's Responsibilities regarding Other Information in certain Documents containing Audited Financial Statements and the related Auditor's Report; and related Amendments to PCAOB Standards, PCAOB Rel. No. 2013-005 (Aug. 13, 2013).
[2] See Staff Consultation Paper No. 2015-01: The Auditor's Use of the Work of Specialists (May 28, 2015); Staff Consultation Paper: Auditing Accounting Estimates and Fair Value Measurements (Aug. 19, 2014).
[3] Auditing Standard No. 5 (now AS 2201), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, par. 50.
[4] Concept Release on Audit Quality Indicators, PCAOB Rel. No. 2015-005 (July 1, 2015).
[5] Financial Reporting Council, FRC's Strategy for 2016/2019 (October 2015) at 2.
[6] Inspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through No.15) (Oct. 15, 2015).
[7] Id. at 22-23.
[8] Canadian Public Accountability Board, Public Report 2015 (November 2015) at 5-6.