Remarks Before the 2012 AICPA National Conference on Current SEC and PCAOB Developments - Audit Policy and Current Auditing and Internal Control Matters
Brian T. Croteau
Deputy Chief Accountant, Office of the Chief Accountant
U.S. Securities and Exchange Commission
Dec. 3, 2012
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC Staff.
Good morning. Thank you Jack [Day] for the introduction, and I thank the AICPA for inviting me to join you again this year. For those unfamiliar, OCA's Professional Practice Group (PPG), I am fortunate to have a talented and dedicated team of about a dozen staff who focus on audit quality and investor protection each and every day. We work closely with, and provide advice and support to, other offices and divisions within the Commission on auditing matters, including auditor independence. OCA's PPG also has a significant role in leading and coordinating the Commission's oversight of the Public Company Accounting Oversight Board's (PCAOB) activities and so we work closely with the PCAOB on a daily basis to achieve our shared investor protection objectives, including our mutual interest in high quality audits.
Collective Commitment to Useful and Reliable Financial Reporting
Consistent with Paul Beswick's closing remarks, I'd like to begin this morning by acknowledging that your presence at this conference may be indicative of your commitment to maintaining investor confidence in useful and reliable financial reporting (in addition perhaps to earning a few CPE credits). I recognize that there are many preparers and auditors here or watching who strive each day to further this goal and, like Paul, though perhaps not as eloquently, I too would like to say thank you. I'd also like to encourage you to reach out to us throughout the year to provide your thoughts and ideas for enhancing the usefulness and reliability of financial reporting, including improving the quality of audits.
This morning I will be dividing my remarks into two parts. First I'll cover broader audit policy matters and then come back to a few topics that may be of more immediate relevance.
Audit Policy Matters and Initiatives
Over the last several years, Congress passed the Dodd-Frank Act and the Jumpstart Our Business Startups (JOBS) Act, both of which have significant implications for auditors. However, neither comes close to the now decade-young Sarbanes-Oxley Act of 2002 (SOX) in terms of implications for auditors and focus on internal control over financial reporting (ICFR) and reliable financial reporting. I continue to believe investors have benefited from many aspects of rules implemented following the passage of SOX, including required management certifications, internal control reporting requirements, forfeiture of bonuses and profits when there is a restatement due to material noncompliance, fair funds for investors, whistleblower protections, and enhanced reviews of issuer's periodic disclosures by staff in our Division of Corporation Finance. Additionally, SOX included specific auditing provisions including, but not limited to, independence provisions such as audit partner rotation requirements and extensive prohibitions on non-audit services, enhanced roles for audit committees including the oversight of the external auditor at listed companies, and, of course, the creation of the PCAOB, an independent audit regulator with responsibility to oversee all aspects of public company audits, including a regular program of inspections.
I believe many of these provisions have contributed significantly to prevention or earlier detection of the types of issues intended to be addressed by SOX. However, now is an opportune time to leverage what we have learned over the last decade to further improve audit quality and the reliability of financial reporting for the next decade and beyond. You'll be hearing from PCAOB Chairman Doty shortly, and PCAOB Board Member Hanson and a number of senior members of the PCAOB's staff will be speaking tomorrow and Wednesday. Without preempting their remarks, I'd like to provide a few thoughts about the work the PCAOB is doing and audit oversight and policy initiatives.
I'll start with the work of the PCAOB. During its first ten years of existence, the PCAOB has achieved many successes, faced countless challenges, and has taken efforts to adjust its course along the way. I am encouraged and optimistic about the prospects for the PCAOB's future, both in the near and long term. With respect to the near-term, just last Wednesday the PCAOB adopted its 2012-2016 strategic plan. The plan covers a broad range of goals and objectives; additionally, it includes six near-term priorities that, if implemented well, have the potential to provide significant benefits to investors, the public at large, and the public accounting profession. These near-term priorities include:
- Improving the timeliness, content and readability of inspection reports, including through outreach designed to improve usefulness of reports;
- Improving the timeliness of remediation determinations and providing additional information about the PCAOB's remediation process;
- Initiating a project to identify audit quality measures, with a longer term goal of tracking such measures with respect to domestic global network firms and reporting collective measures over time;
- Enhancing the PCAOB's processes and systems to improve analysis and usefulness of PCAOB inspections findings, including comparative analysis across firms and over time, in order to better understand audit quality in firms and better inform the PCAOB's standard-setting and its other regulatory activities;
- Enhancing the framework for the PCAOB's standard-setting process in order to improve the effectiveness of the process as well as the standard-setting project tracking information provided to the investing public; and
- Enhancing the PCAOB's outreach to and interaction with audit committees to constructively engage in areas of common interest, including auditor independence and audit quality. 1
These priorities are ambitious, significant and meaningful, and I believe the PCAOB has been reflective and thoughtful in laying them out. I am delighted and enthusiastic to support the PCAOB's advancement of all six of these important priorities. A decade into the PCAOB's existence is an excellent time to reflect on the past, look inward, conduct outreach, and take steps to improve the future. The content and readability of inspection reports is a great place to start. Also, timelier quality control remediation determinations can provide firms with important clarity about the Board's views regarding their remediation efforts. Timelier remediation determinations can also provide audit committees and the public with insight into the specific defects in quality control of concern to the PCAOB when individual firms do not otherwise make sufficient progress to remediate QC defects. I suspect these efforts could also serve to speed up the remediation of quality control defects by affected firms.
As another example, a deeper analysis of PCAOB inspection information coupled with timely remediation determinations can go a long way towards contributing to the proper functioning of what I often refer to as a robust audit performance feedback loop. This can provide more insight into the nature of current audit deficiencies, the likely root causes for them and potential solutions to address them. Analogies I've made to efforts of the Federal Aviation Administration or the National Transportation Safety Board at this conference over several past years will continue to be top of mind for me in the coming year.
I continue to believe that updating interim auditing and quality control standards to replace the standards adopted from the AICPA in 2003 and to take into account the most common inspection findings where auditors seem to struggle with some frequency should be a high priority. With a decade of inspection experience available to all of us, as well as some good thinking set forth by other standard setters, there is no need for audit firms to wait for new standards from the PCAOB to do things they believe will improve audit quality. I'm aware that some firms have moved ahead by layering in new policies and practices going beyond the requirements of the standards in the areas most commonly cited in PCAOB inspection reports or in their own internal inspections that can make clear and measurable differences. Audit committees can play a role by encouraging the audit firms they oversee in these efforts . Audit committees can also encourage firms to compete on quality by making engagement quality considerations a key element of every hiring or retention decision.
In the meantime, while the PCAOB forges ahead with their new priorities we have been fortunate that, even under a risk-based inspection program, generally only a small percentage of inspection findings have led to the identification of previously unidentified material misstatements. Nonetheless, we should not be satisfied with this result and we should continually strive for improvement. Sometimes I have observed through review of PCAOB inspection information or in my work assisting my enforcement colleagues that in the very areas an auditor has identified as being the most important areas of the audit, what would seem to be basic auditing procedures appear to be lacking. While admittedly, these areas can be challenging in terms of the ability to obtain sufficient appropriate audit evidence, these are the precise areas where auditors must devote the most attention. I'd encourage auditors confronted with these challenges to ask themselves, "Are there better sources of audit evidence that I have ignored, including some that may provide contradictory or disconfirming evidence, in order to reach a quick, but potentially, invalid conclusion? Additionally, have I merely looked to the evidence that management has directed me to or have I, on my own, contemplated relevant and reliable sources of evidence?"
Now let me turn to a project that I expect will gain momentum in 2013, and one which I know will require more public input. As Paul mentioned, the PCAOB continues to make progress in exploring ways to improve the standard auditor's report. As I've said before, I believe this project deals with questions about perceived information asymmetry between investors, management, audit committees and auditors, and raises the fundamental question of what the appropriate role is for auditors in reducing that asymmetry. Although the PCAOB received helpful feedback on its 2011 concept release, held a public roundtable and, more recently, discussed the topic with its standing advisory group (SAG), there will continue to be a need and opportunity for input. As the PCAOB hones in on a potential approach in 2013, I encourage you to provide your views on whether you believe the ideas the PCAOB exposes or alternative ideas are likely to improve the value of audit reports for investors.
One idea the PCAOB included in their concept release and recently explored in greater specificity with their SAG relates to requiring auditors to emphasize in their reports certain matters contained in financial statements and the notes to the financial statements. I believe an important element of this idea is the development of appropriate criteria for determining what to emphasize and sufficient direction for what should be said about the matters being emphasized. I also believe one important outcome could be improvement to management's disclosures as a result of increased focus by management, auditors and audit committees on the areas chosen to be emphasized by the auditor. It's also important for investors, as users of the information, to be provided with sufficient information to understand the reasons for including the information in the auditor's report, to maximize the utility of the information and to help minimize the risk of misunderstanding or misuse. This project requires close coordination between audit and accounting standard setters and myself and other staff in OCA are actively engaged in this effort. The IAASB and European Commission are likewise focused on auditor reporting considerations, which means that we can all learn and benefit from each other's outreach and ideas as views evolve about how best to improve the standard auditor's report.2
Before turning to other specific topics that may be of current interest, I want to take a moment to acknowledge the tremendous progress the PCAOB has made over the past year in advancing new cooperative agreements and developing relationships with non-U.S. regulators that have, among other things, enabled advancement of inspections of audits around the globe that are required by SOX. I'm optimistic that the success the PCAOB has experienced in working together with many regulators around the world will serve as an impetus for progress in the remaining jurisdictions where reaching agreements has been more challenging. When the PCAOB is unable to fulfill its inspection responsibilities, investors are left with uncertainty. Accordingly, comment letters issued by staff in our Division of Corporation Finance conducting routine filing reviews this past year have included comments, where applicable, requesting that management make appropriate risk factor disclosures to highlight the PCAOB's inability to conduct inspections in relevant jurisdictions, and to make clear that investors in U.S. markets who rely on such auditors' reports are deprived of the benefits of PCAOB inspections of auditors.
Let me turn to some current topics.
Use of Third Party Pricing Service Information
At this conference last year, several of us commented on the use of third party pricing service information in informing fair value measurements and disclosures.3 Much of last year's focus was on reminding management of their responsibilities - notwithstanding their engagement of a pricing service - for compliance with GAAP, including disclosure requirements, for developing and maintaining appropriate internal controls to prevent or detect material misstatements, and for assessing ICFR. I'm pleased to report that we have heard a lot of good news since last year relative to incremental transparency being routinely provided by pricing services as well as the increased use of so called "price challenges" and "deep dives" by users of pricing services. We've also heard of examples where management has significantly expanded the depth of their on-site or other reviews of pricing service activities. All of this has the potential to lead to a better understanding by management of the methods, inputs and assumptions being used by pricing services, a better basis for management taking responsibility for the estimates they are recording in their financial statements, and most importantly more useful and reliable information being disclosed to investors.
This is an area where OCA staff have worked closely with our colleagues in the Divisions of Corporation Finance and Investment Management over the past year as they've sought information from management as part of their filing reviews. The questions asked have sometimes led to the identification of control deficiencies in need of remediation. While there are reasons to be encouraged by the progress, I believe this is still an area where attention is necessary. For instance, in relation to the development and maintenance of internal controls that are appropriate to provide management with the basis they need for taking responsibility for their financial statements. One area in particular that may warrant increased focus relates to ensuring that adequate controls are in place and operating effectively to identify when securities begin to become thinly traded so that necessary changes to the valuation approach, and the related measurement and disclosures, can be made on a timely basis.
Internal Control Over Financial Reporting and COSO's Framework Update Project
Next, the Committee of Sponsoring Organizations (COSO) has a project to update its 1992 internal control framework.4 I notice that there will be a break out session on this topic on Wednesday. I understand that COSO's intent is to provide more comprehensive and relevant conceptual and practical guidance. One way in which COSO has attempted to do so is by enumerating fundamental concepts from the original framework into seventeen principles which are intended to help users focus on important aspects of the components of internal control. Staff from OCA's PPG have served as observers on this project because a vast majority of issuers choose to use COSO as the framework with which to evaluate their internal control over financial reporting. COSO received more than 200 responses in the form of comment letters and survey responses on its December 2011 public exposure. Due in part to feedback received, COSO has since developed guidance and tools to provide assistance when applying the framework, including a compendium of approaches and examples for internal control over external financial reporting. COSO released the compendium and a post-public exposure version of the framework for public comment in September and their second comment period ends tomorrow.
I believe that implementation of the updated framework once available could provide opportunities for management and auditors alike to reconsider areas where the design of internal controls could be improved to better address current and evolving risks to reliable financial reporting. It might also be helpful to dust off the SEC's 2007 Interpretive Guidance Regarding Management's Report on Internal Control Over Financial Reporting5 so that considerations related to how management will evaluate the effectiveness of ICFR can be contemplated together with changes being implemented.
It is also important for both management and auditors to evaluate financial reporting risks, how these risks change over time, the impact on ICFR, and if controls are designed to address the evolving risks. Finally, I'd like to remind management and auditors of something that may sound quite obvious: COSO has five components. While evaluating the control activity component is very important, the control environment, risk assessment, monitoring, and information and communication components are important to an effective system of internal control in accordance with COSO's framework. I'm often surprised by the lack of identification of risk assessment or monitoring component material weaknesses, especially when I see certain types of material weaknesses in the control activity component.
Jumpstart Our Business Startups (JOBS) Act
Let me move on to the JOBS Act passed earlier this year. You'll hear more about the Act from staff in our Division of Corporation Finance tomorrow but I'll quickly cover a few audit related points. As Commissioner Aguilar discussed this morning, the JOBS Act provided another exemption from SOX 404(b), this time for emerging growth companies (EGCs).6 You'll recall that the Dodd-Frank Act had already exempted non-accelerated filers from the audit requirement of SOX 404(b). The JOBS Act exemption in a way expands upon the existing phase-in provisions the Commission previously had established for newly public companies. However, management's responsibilities for evaluating and reporting on ICFR under SOX 404(a) is not in any way changed by the absence of an ICFR audit mandate for non-accelerated filers or EGCs.
In addition, the JOBS Act prohibits application of any future PCAOB rules requiring mandatory audit firm rotation or a supplement to the auditor's report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer (e.g., auditor discussion and analysis) to EGC audits.7 Another provision of the JOBS Act mandates that rules adopted by the PCAOB after enactment of the JOBS Act shall not apply to audits of EGCs unless the Commission determines that their application is necessary or appropriate in the public interest, after considering the protection of investors and whether the PCAOB standards will promote efficiency, competition and capital formation.8 I believe that one outcome you'll see from this provision will be helpful increased transparency into the reasoning behind policy choices made in the PCAOB's standard setting process.
Auditor and Audit Committee Interactions
I'll wrap up with a few words related to audit committees. PCAOB inspection findings appear to be resulting in audit committees becoming more interested in engaging in discussions about audit deficiencies and improving audit quality. Recently, the PCAOB issued an informational Board release intended to assist audit committees in understanding the PCAOB's inspection process and to help them consider how they might engage with audit firms about inspections.9 The release describes the nature of the PCAOB's inspection program and their reports and raises possible matters that audit committees may wish to discuss with audit firms. The document does not prescribe any particular requirements or responsibilities for audit committees, but provides audit committees with information that may be useful to their oversight role. I've read hundreds of inspection reports and comment forms, and I believe the PCAOB has it absolutely right in suggesting the types of questions that audit committees should consider asking. There is important information to be learned from the inspection process, and there is valuable information to leverage even if the audit of a particular issuer is not included in an inspection report or even inspected.
The PCAOB has also recently adopted a new auditing standard, Auditing Standard No. 16, on auditor communications with audit committees which is currently before the Commission for approval.10 With the adoption of Auditing Standard No. 16 and the publication of the Board's release for audit committees, and the adoption of its 2012-2016 strategic plan, the PCAOB has made clear its goals to enhance the communications between auditors and audit committees.
Before turning it over to Jenifer Minke-Girard and Julie Erhardt for their remarks related to IFRS, let me thank you again for your commitment to reliable and useful financial reporting, including your commitment to audit quality. I look forward to answering questions as part of the end of day Q&A panel.
1 See Public Company Accounting Oversight Board Strategic Plan 2012-2016 at http://pcaobus.org/About/Ops/Documents/Strategic%20Plans/2012-2016.pdf
2 See, for example, IAASB Auditor Reporting discussion at http://www.ifac.org/auditing-assurance/projects/auditor-reporting.
5 See Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (Jun 20, 2007) at http://www.sec.gov/rules/interp/2007/33-8810.pdf
9 See Information For Audit Committees About The PCAOB Inspection Process (Aug 1, 2012) at http://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf