Grading the PCAOB: Transparency, Accountability and Investor Protection

Date: Sept. 17, 2019

Speaker: J. Robert Brown, Jr, Board Member

Event: Fall Conference of the Council of Institutional Investors

Location: Minneapolis, MN

I. Introduction

Thanks, Jeff, for the introduction. I want to use my time to share some thoughts about the PCAOB but will leave a bit of time at the end for questions.

Let me start by saying that I have been looking forward to this conversation. Your work as asset managers, with pension plans, and on behalf of investors, contribute directly to the success of our capital markets and help ensure the economic future for much of the American public. It is a great pleasure to speak with you today.

In thinking about your responsibilities, I want to suggest that our professions have something in common. Before coming to the PCAOB, I was a law professor. You might think – what does this have to do with the investment community? Well, in a way, we are both in the business of assigning grades. I did this for students; you do it for investments. You develop principles and methodologies to assess value and through your decisions effectively assign each investment a grade.

So let's use some of this mutual expertise and assign some grades to the work of the PCAOB. And spoiler alert, they aren't all going to be passing.

Before I go further, I should note that the views I share, including my grading standards, are my own and do not necessarily reflect the views of the PCAOB, the staff of the PCAOB, or other Board members.

II. Assigning a Grade: Accountability and Transparency

First we need to identify some guiding principles that can be the basis for any grading exercise. That part is easy. Congress gave it to us in the Sarbanes-Oxley Act of 2002.[1]

With the collapse of Enron and WorldCom fresh in mind, we were told to oversee "the audits of companies that are subject to the securities laws …in order to protect the interests of investors and further the public interest . . ."[2] In other words, our mission, our guiding principle, is to protect you and your work, the investors here in this room.

Grades then should entail an assessment of how we are fulfilling this mission. In other words, any grade is about accountability to investors and the public.

A. Accountability and Transparency

Let's start with the PCAOB as a whole and for this grading exercise I want to focus on accountability and transparency.

As already noted, we are assigned the task of protecting the interests of investors and the public. Stating a mission and adhering to it are two different things. As academics have long recognized, regulators can sometimes lose their way. They may do so for any number of reasons, whether ossification,[3] capture,[4] or bureaucratic overconfidence.[5]

But our regulatory system builds in a fix when this happens and you play an essential role in that. Our system depends on you — and the public more broadly - to hold agencies accountable. Public accountability improves the discipline and quality of the regulator's work in achieving its mission.

Yet, you can't ensure accountability for what you don't know. As a result, transparency is an essential component of accountability. It's perhaps no surprise then that transparency has been described as "an essential characteristic of a vital democracy."[6]

This has not been lost on Congress. A set of laws essentially provide a minimum level of transparency for federal agencies. These include, among others, the Sunshine Act,[7] the law which provides for mandatory open meetings in certain circumstances, the Freedom of Information Act,[8] which provides a mechanism for obtaining various records from agencies, and the Administrative Procedure Act,[9] which mandates notice and comment in the case of certain rulemakings and requires the implementation of a mechanism for petitioning an agency to change its rules.

These laws mandate disclosure in specified circumstances. But their true strength is not the individual requirements but their collective impact. In other words, they are more than the sum of their parts. Together, these laws encourage a greater willingness of regulators to be transparent and open about their thought process and their regulatory approach. So armed, the public can better judge whether a regulator is acting in a mission-consistent manner.

Let me give you an example of transparency in practice. For many years, the staff in the SEC's Division of Corporation Finance sent comment letters to issuers following a review of their periodic reports and other filings. We know this because these letters are routinely made public.[10] But this wasn't always the case.

Until 2004, the letters were non-public but available through the FOIA.[11] That year, the Commission decided to release the letters – both the comment letters from the staff and the company's response – to the public, no FOIA request required.[12]

And the benefits? Publication has increased regulatory effectiveness.[13] With everyone able to read the letters, more companies got the message. The approach also provided increased transparency into the staff's views and thought process, allowing investors and the public to better understand the relevant issues and provide a more effective opportunity for feedback.

So, transparency can benefit everyone, agencies, those subject to regulation and, most importantly, the public.

How is the PCAOB doing on the transparency front? In the drive for transparency, we start behind, way behind.

In creating the PCAOB, Congress chose to structure us as a non-profit corporation formed under the laws of the District of Columbia.[14] As a result of this decision, the legal regime designed to ensure transparency and facilitate accountability across federal agencies simply doesn't apply to us. We are not subject to the Sunshine Act, the FOIA, or the APA.

What difference does the inapplicability of these laws make? In my opinion, plenty.

How about letters received by the PCAOB from third parties? We are not required to make that information publicly available.

How about a calendar of board meetings that shows the outside groups who have met with us and the agenda for the meetings? Again disclosure is not required.

Want to petition us with concerns and request changes in our rules or standards, something otherwise required by the APA? Go ahead, but we have no obligation to make the request or any follow up comments public.

What about public meetings, something enshrined in the Sunshine Act? The Act does not apply to us and our obligation are limited to what we specify in our bylaws.[15] No particular matter or circumstance automatically triggers the obligation to hold a public meeting, although we do as a matter of practice schedule them when we approve our budget or consider changes to our standards or rules.

Given these limits, it may not be surprising then that at our most recent meeting of the Investor Advisory Group, one of the members described our role as "completely opaque."[16]

And let's be clear. While we are not subject to these laws, that's not the same as a prohibition. We have the latitude to implement at least some of requirements on a voluntary basis. In fact, we voluntarily submit our proposed standards to the public for notice and comment, something otherwise required for federal agencies under the APA. And, by the way, we make those letters public.

The lack of transparency resulting from the inapplicability of these laws, in my opinion, has an additional consequence. A lack of transparency can have a disproportionate impact on investors and the public. We have regular interaction with audit firms, particularly through the inspection process. These interactions can provide significant insight into our regulatory approach and provide a catalysts for change.[17] Yet investors and our other stakeholders do not have these same opportunities to gain insight into our thought process and regulatory approach.

I do acknowledge that transparency can have uncomfortable consequences. Third parties may be less inclined to write to us if they know their correspondence and our response will be posted on our website or otherwise be made public. Publishing a calendar of meetings with the full board that includes agendas with outside organizations may generate plenty of additional requests and take up additional board time.

But when you act in the public interest, which we do, accountability in my opinion takes precedence and requires a more open approach. So let's call transparency a regulatory cost of doing business, particularly when the business is acting in the interest of investors and the public.

What more could we do?

I want to first make clear that this board has taken some steps in an effort to be more open. We adopted a strategic plan that includes the promise of increased transparency and provided the public with an opportunity to comment on the plan.[18] We have created a new position designed to engage in outreach to investors, audit committees and preparers.[19] We are developing a new approach to inspection reports that hopefully will provide investors and the public with results that are more accessible, informative, and transparent.

But these steps offer only limited additional insight into our "completely opaque" role. And, in my opinion, there is more that could be done, much more.

We could create a Board corner on our website and disclose relevant correspondence from third parties, as well as any responses, keeping confidential anything required by our statute or otherwise exempt under the FOIA. The corner could include calendars for the full board that showed the outside groups who meet with us, including the agendas for the meetings.

We could provide a mechanism that would allow any stakeholder to petition us for a change in our standards or rules and then post the petition and any comments. We could mandate the inclusion of memoranda in the notice and comment file for proposed standards or rules identifying outside groups that discussed ongoing rulemaking matters with us.

We could better take into account the informational asymmetries between those we oversee and the public. Where for example we alter our approach to inspections, regulated entities will often become aware of the changes when we implement them. In other words, they'll learn from experience. Investors and the public will only learn about the changes when we tell them. We can do a better job at making this type of information available to you and the public on a more routine and fulsome basis.

We could provide an explicit invitation on our website to investors and stakeholders about scheduling meetings with the PCAOB and the full board.[20]

We could take an inventory of information that we have kept confidential and reconsider the approach given the passage of time. For example, the PCAOB has apparently never made public the application filed in 2003 that allowed the SEC to issue an order authorizing the PCAOB to begin operations.[21]

These are examples. But in reality it's not about the number of documents or agendas that are disclosed. It is about a culture of openness with respect to a regulator's thought process and approach to its mission.

And in advancing the goal of increased transparency, we will not be alone. Other regulators in our space are making a renewed commitment to transparency.[22]

So my grade? An incomplete. In academic parlance, incomplete means there is more to be done but still time to convert the incomplete into a passing grade.

B. Accountability and the Division of Registration and Inspections

Let's turn to a second area for grading consideration. Again, the grade needs to be based on our mission of protecting you and the public. For this second exercise, I want to focus on our Division of Registration and Inspections.

The PCAOB does a lot of things. We set standards, bring enforcement actions, and conduct economic analysis. But we are primarily an inspections organization. The Division of Registration and Inspections or DRI is the largest operating unit at the PCAOB, representing around 60% of our personnel. It's through inspections that the PCAOB communicates most regularly with the public, whether in inspection reports, staff inspection briefs, or from outreach with audit committees. Our success as an organization hinges in no small part on the work of DRI.

The PCAOB is undergoing transformation. This is particularly true with respect to inspections. DRI has been keenly focused on how to make the inspection process more effective in protecting investors and the public interest.

Transformation at DRI builds on a strong foundation. The Division each year inspects around 160 audit firms in the US and in roughly 30 foreign jurisdictions, reviewing portions of over 700 public company audits,[23] statistics that do not include the more than 100 or so broker-dealer audits.[24] The program is often credited with raising audit quality, both domestically and globally.

I would add that I also know this from direct experience. In my tenure at the PCAOB, I have participated in a number of inspections and have witnessed the remarkable skill and commitment of the inspection staff firsthand.

But past accomplishments do not ensure future success and the Division knows this. The Division has been working hard at developing approaches that will help increase the quality of audits and improve trust in the financial disclosure process. Let me highlight a few ways that DRI is doing this.

First, the Division is conducting a deeper review of the system of quality control employed by the largest firms. This is the process that audit firms put in place to, among other things, make sure that their individual engagements meet applicable standards. DRI is looking into the design and operating effectiveness of each system. Improvements in connection with these systems could improve quality at the engagement level.

Second, DRI is seeking to become more nimble and better able to react to current and emerging circumstances. This year the Division sent into the field a "target" team that is performing inspections on specific procedures across a number of audit firms.[25] This team, made up of approximately 10 inspectors, will allow DRI to be more agile, responsive, and focused on topics that involve current or emerging risks. This approach also has the potential to add increased elements of unpredictability into the inspection process.

Third, DRI is working on making our inspection reports more accessible, informative, and useful, and hopefully this will provide a more transparent picture of what we learn through the inspection process.[26]

Fourth, DRI is increasing accountability through stepped up involvement with audit committee chairs. DRI has implemented a policy of reaching out to more audit committees of issuers subject to inspection, with interviews of more than 250 chairs conducted by the end of August. This provides an opportunity for audit committee chairs to obtain insight into the role of the PCAOB and the importance of the inspection process. They in turn can give us insight into their process and enable us to better understand the information they need from us to help advance their gatekeeper function. The invitation can also provide awareness of an inspection and may increase the dialogue between audit committee and auditor.

Fifth, DRI has been deeply involved in the process of ensuring proper implementation of critical audit matters or CAMs. A CAM is a matter arising from the audit of the company's financial statements that involved especially challenging, subjective, or complex auditor judgment.[27] It is also a matter that was communicated – or required to be communicated – to the audit committee, and that relates to accounts or disclosures that are material to the financial statements.

This is a significant change. Investors will for the first time hear directly from auditors about some of the most difficult areas of an audit, a form of audit firm transparency. In advance of the effective date, we met with ten audit firms, received feedback on their practice runs with their issuer audits, and reviewed their methodology.[28] Prior to the effective date, we issued several rounds of guidance.

Now that the requirement has become effective, DRI has flipped into high gear. Somewhere around 70 large accelerated filers had fiscal years ending on June 30, the effective date for CAMs, and the Division is inspecting the audit reports for some of them. Inspections staff will examine the approach to the determination of CAMs and how they were communicated in the audit report. We will see what we learn from the findings and to the extent appropriate will provide additional guidance to improve application of the standard.

All of these changes are important but they only scratch the surface of the transformation process in DRI. There are other significant issues that in my opinion should be addressed.

Let's go back to first principals like the purpose of an inspections. Right now we primarily assess whether auditors have met our standards.[29] Should we view audit quality more in terms of the overall impact on financial reporting?[30] In doing so, should we inspect areas of the audit that relate to accounts or disclosures that investors and other consumers of the financial information have perceived as inadequate?

Then there is our engagement selection process. Given our limited resources, we can't inspect every audit. With respect to the Big Four, for example, we inspect maybe 50 to 55 of the engagements each year, less than 10% of the audit opinions actually issued.[31]

In making our selections, we rely on a variety of variables, including risks factors, random selection, and market capitalization, among others. Are these the appropriate variables? What risk factors should we consider in selecting engagements? Should we emphasize other purposes? Should we focus more on audits where there is a higher risk of accounting violations in the financial statements and how might we do this? What areas of the audit should we inspect?

So DRI is a division in motion, with strong leadership, a committed staff but with plenty of work yet to be done. Based upon my 18 months at the PCAOB, I would assign the Division of Registration and Inspections an A for fully meeting the guiding principle of the protection of investors and the public through improvement in audit quality and trust in the financial disclosure system.

C. Request of Help

Let me end by asking a favor.

Coming back to transparency, help us convert that incomplete into a passing grade. Write to us, talk to us, ask for meetings with the staff or the full board to share your views. Give us any insight you have into how we might better provide greater transparency into our thought process and regulatory approach. And more specifically, help us transform in a way that will make us more effective and accountable to investors and the public.

We would benefit from any thoughts you may have in connection with our transformation, particularly with respect to our inspections program, including the purpose of inspections and the engagement selection process.

Why should you do this? Because if we can make better decisions in this space, we will improve the quality of, and trust in, the corporate reporting regime. This will allow you to assign more accurate grades to your own investments.

And if you write, let your letter be a small step towards increased transparency and accountability. Tell us to post it so that other investors and the public can see the concerns or compliments that you raised and maybe that will be the beginning of a more active conversation about accountability, transparency, and investor protection at the PCAOB.

[1] Pub.L. 107–204, 116 Stat. 745 (2002).

[2]15 U.S.C. § 7211 (2002). The Sarbanes-Oxley Act, as originally adopted, focused on audits of public companies. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 expanded the PCAOB's authority to include oversight of firms that audit broker- dealers. See Section 982 of the Dodd-Frank Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).

[3] See Thomas O. McGarity, Some thoughts on "Deossifying" the Rulemaking Process, 41 Duke L.J. 1385 (1992).

[4] See Michael A. Livermore, Richard L. Revesz, Regulatory Review, Capture, and Agency Inaction, 101 Geo. L.J. 1337 (June 2013).

[5] See Brett McDonnell, Daniel Schwarcz, Regulatory Contrarians, 89 N.C. L. Rev. 1629 (June 2011).

[6] See Steven Aftergood, Reducing Government Secrecy: Finding What Works, 27 Yale L. & Pol'y Rev 399 (2009).

[7] 5 U.S.C. §552b.

[8] 5 U.S.C. §552.

[9] 5 U.S.C. §551.

[10] Information on the Division of Corporation Finance's filing review process is available on the SEC's website. See https://www.sec.gov/divisions/corpfin/cffilingreview.htm. The letters are contained in EDGAR. See https://www.sec.gov/fast-answers/answerscommentlettershtm.html

[11] SEC Staff to Publicly Release Comment Letters and Responses (June 24, 2004) available at: https://www.sec.gov/news/press/2004-89.htm ("The SEC currently releases staff comment letters and responses to these comment letters only in response to a Freedom of Information Act request after the staff review is complete.").

[12] Id. ("In recent months, an increasing number of our comment letters and filer responses to them are being released publicly through the FOIA process, but only to those persons who make FOIA requests for them. We believe it is appropriate to expand the transparency of the comment process so that this information is available to a broader audience, free of charge.").

[13] See Miguel Duro, The Effect of Enforcement Transparency: Evidence from SEC Comment-Letter Reviews, Review of Accounting Studies April 26, 2018.

[14] 15 U.S.C. § 7211(b).

[15] See Article V, of the PCAOB bylaws, available at https://pcaobus.org/Rules/Pages/Bylaws.aspx.

[16] See the PCAOB's Investor Advisory Group Meeting, dated November 8, 2018 available at https://pcaobus.org/News/Events/Pages/PCAOB-IAG-Meeting.aspx. (Transcript pages 97, 98 & 99).

[17] https://pcaobus.org/Standards/Documents/Staff-Guidance-Rule-3526(b)-Communications-Audit-Committee-Concerning-Independence.pdf (guidance noting that the relevant "issue arose in a number of inspections" and caused "numerous Firms" to request "clarification of their obligations"). We of course are limited in our statute in what we can communicate to the public about our inspections. See 15 U.S.C. §7215(b)(5). We are allowed, however, to disclose matters on an anonymized basis.

[18] Comments on the PCAOB Draft Strategic Plan 2018-2022 are available at https://pcaobus.org/About/Administration/Pages/Comments-Draft-Strategic-Plan-2018-2022.aspx.

[19] Information about the PCAOB's first liaison position for investors and audit committees is available at https://pcaobus.org/News/Releases/Pages/new-liaison-investors-audit-committees-preparers-Erin-Dwyer.aspx.

[20] Some regulators have made public these types of policies. See https://www.reginfo.gov/public/jsp/Utilities/faq.myjsp ("OIRA's policy is to meet with any party interested in discussing issues on a rule under review, whether they are from State or local governments, small business or other business interests, or from the environmental, health, or safety communities. . . . A log, available on Reginfo.gov, is kept of such meetings.").

[21] Order Regarding Section 101(d) of the Sarbanes-Oxley Act, Exchange Act Release No. 47746 (April 25, 2003).

[22] Increasing transparency has been promoted by a number of regulators in the financial services space, including FINRA and the FDIC. See https://www.fdic.gov/transparency/; see also https://www.finra.org/media-center/finra-unscripted/more-transparent-organization.

[23] Staff Preview of 2018 Inspection Observations (May 6, 2019), available at https://pcaobus.org/Inspections/Pages/staff-inspection-briefs.aspx.

[24] Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers, available at https://pcaobus.org/Inspections/Documents/Broker-Dealer-Auditor-Inspection-Annual-Report-2019.pdf.

[25] For example, the target team has, among other things, looked at multi-location scoping. When an audit firm audits a multinational company, the audit often needs the participation of audit firms or auditors other than the lead or principal auditor, potentially involving several other firms. When planning the audit, an auditor is required to establish an overall audit strategy that sets the scope, timing and direction of the audit, including the scope of work to be performed by other auditors at specific locations of the multinational company.

[26] See George Botic, Director, Division of Registration and Inspections, remarks on December 12, 2018 at the AICPA Conference on SEC and PCAOB Developments at https://pcaobus.org/News/Speech/Pages/botic-protecting-investors-through-change.aspx.

[27] AS 3101.

[28] PCAOB Staff Provides Guidance in Advance of CAM Effective Dates, available at https://pcaobus.org/News/Releases/Pages/PCAOB-staff-provides-guidance-advance-CAM-effective-dates.aspx ("These documents were informed by discussions with auditors regarding their experiences conducting dry runs of CAMs with their audit clients, the staff's review of methodologies submitted by 10 U.S. audit firms that collectively audit approximately 85% of large accelerated filers, and other outreach efforts.").

[29] See PCAOB Release No. 2012-003, Information for Audit Committees about the PCAOB Inspection Process (August 1, 2012) available at https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf ("PCAOB inspections are designed to identify and address weaknesses and deficiencies related to how a firm conducts audits.").

[30] Some view audit quality less in terms of adherence to standards and more in terms of an increase in the credibility in the financial reporting process. See Mark DeFond & Jieying Zhang, A review of archival auditing research, 58 J. of Accounting and Economics 275, 280 (2014) ("we define higher audit quality as greater assurance of high financial reporting quality.").

[31] For a review of inspection reports, see https://pcaobus.org/Inspections/Reports/Pages/default.aspx. We disclose the number of engagements inspected in each report. The annual report required by the PCAOB for registered firms must disclose the audit reports and the identity of the issuers during the relevant reporting period. See Part IV of Form 2, https://pcaobus.org/Rules/Pages/Form_2.aspx