Remarks before the 2011 AICPA National Conference on Current SEC and PCAOB Developments
Professional Accounting Fellow
U.S. Securities and Exchange Commission
December 5, 2011
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC Staff.
Good morning. My name is Christian Peo, and I am a Professional Accounting Fellow in OCA’s Professional Practice Group. I am pleased to be here today to share some thoughts on two topics that we have been dealing with in our office: COSO’s project to update its internal controls framework as well as the topic of improving audit quality.
As many of you know, the Committee of Sponsoring Organizations (COSO) has a project to update its internal controls framework. COSO’s Chairman has said that, “this project is not intended to change how internal control is defined, assessed, or managed, but rather provide more comprehensive and relevant conceptual guidance and practical guidance.”1
It seems to me that, given all of the change that has occurred since the original framework was published in 1992, an update of COSO’s internal controls framework is appropriate. The Office of the Chief Accountant has a particular interest in the project because a vast majority of issuers use COSO as the framework with which to evaluate their internal controls over financial reporting.
The proposed framework, which is expected to be released for public comment shortly, will be available for your review on COSO’s website. There will be an area on the site that allows you to answer specific questions about the framework or to upload your own comment letter.
The SEC, PCAOB and COSO have each taken steps over the past decade to make assessing internal control over financial reporting requirements more efficient and effective. Therefore, I am particularly interested in your feedback about whether the proposed changes will have a positive impact on how an entity is to achieve effective internal controls over financial reporting. I encourage you to review the proposed framework, answer the questions and provide additional feedback as you see appropriate. The comment period will likely close near the end of March, 2012.
Improving Audit Quality
Now to the topic of improving audit quality. My remarks are, in many ways, a continuation of the remarks made by Brian Croteau in his speech earlier today. Improving audit quality is a popular topic these days, and there are many potential solutions being considered by the PCAOB and other regulatory bodies around the world. Some of those potential solutions would cause significant changes to the auditing profession. Perhaps the first thing that I should say is that I don’t think the profession should be afraid of significant changes, per se. I am a firm believer that, as the saying goes, the cream always rises to the top. So even if there are significant changes, there will always be a need for good professionals committed to performing quality audits. However, I also believe that if changes are to be made, they should be based upon a sufficient understanding and analysis of the problems being addressed.
As Brian indicated earlier today, one of the keys to ensuring that audit standard setting will improve audit quality is the performance of a root cause analysis of identified audit deficiencies. I’ll use a brief metaphor to explain why I also think this is so.
Recently, the check engine light on my car came on. I dropped my car off at a mechanic so it could be fixed. By the end of the day, I hadn’t heard from the mechanic so I called him. He told me that my car was ready to be picked up—he had repaired the car. When I picked the car up, it was obvious the mechanic was busy with other things and not able to give me a lot of attention, but as I paid him I asked what was wrong with the car. “It wasn’t working right,” he said. “Oh,” I thought to myself sarcastically, “if only I had realized that the car wasn’t working right, I might have been able to fix it myself.” Imagine my frustration when the check engine light came on again before I had even reached my house. I spent the rest of the evening kicking myself for not making sure the mechanic and I were both more informed about what was really wrong with the car. Was it just one part that was broken and needed to be replaced? Was that part faulty, or did it wear down because some other part of the car was not working properly as well?
Similar to my experience with the car and the mechanic, understanding the root causes of audit deficiencies is key to improving audit quality. Just as it was not enough to know that my car “wasn’t working right,” knowing simply that audit deficiencies exist should not be the end of the discussion. Just as it was not enough for the mechanic to replace some random part in the engine without fully understanding the cause of the problem, I think it is important to understand the root causes of the audit deficiencies when considering how to respond with measures to improve audit quality. If we fail to first understand the root causes of audit deficiencies, I worry we will find the auditor’s “check engine light” come on again, even after significant changes have been made.
Who should be performing a root cause analysis of audit deficiencies? The PCAOB, with its organizational structure that integrates inspections, standards setting and enforcement, is in a unique position to be able to provide views about the root causes of audit deficiencies and use that information to inform standard setting and enforce those standards. But the metaphor of the car does not apply just to the auditing standards setters. In fact, a great deal of responsibility lies with auditors. Auditing firms play a key role in increasing audit quality by analyzing the root causes of audit deficiencies. Auditing firms have access to not only the findings of the PCAOB’s inspections, but also of internal inspections and other ongoing internal monitoring and peer review results. By performing proper root cause analysis of audit deficiencies and by performing robust monitoring procedures over existing quality controls, the firm may be in the best position to identify changes to its quality control system that will specifically respond to the underlying issues causing audit deficiencies. For example, the PCAOB has to write standards for all auditors. A firm, however, if it can isolate the root causes of the audit deficiencies, can make informed choices about how to implement standards, including layering on top of professional standards additional firm requirements, considerations and best practices that are specifically suited to the problems facing that particular firm. While a proper root cause analysis may not be simple, the more robust the root-cause analysis, the more targeted the solutions, and the higher the resulting audit quality.
What would a root cause analysis of audit deficiencies entail? As Brian mentioned earlier, the PCAOB, firms and others seem to be more at the beginning of the process to develop comprehensive and robust root cause analysis. One of the first steps in a successful root cause analysis is to understand whether there was a breakdown in the firm’s quality controls and then to identify which of the quality controls was not functioning. The elements of a quality control system include, at a minimum:2
- Independence, Integrity and Objectivity;
- Personnel Management;
- Acceptance and Continuance of Clients and Engagements;
- Engagement Performance; and
I believe that linking the root causes of audit deficiencies to the quality control standards is important because it allows auditors and regulators to evaluate the root causes using established criteria. This should reduce misunderstandings among auditors, between auditors and regulators, and between regulators and users of inspection reports as to what each party believes the underlying issue to be. And, by linking the root causes of audit deficiencies to the quality control standards, the PCAOB may be provided with critical insights into how best to update and revise the interim quality control standards.
It seems to me that too often the focus is on the audit deficiency itself, rather than the quality control that failed. For example, if an inspection noted multiple audit deficiencies related to auditing income taxes, a proper root cause analysis likely wouldn’t result in a quality control deficiency that, in effect, simply concludes that the firm’s quality controls around income taxes need to be improved. That may be true, but it likely doesn’t get to the heart of the matter. A proper root cause analysis might reveal breakdowns in personnel management (for example, technical competence) and in engagement performance (for example, reviews by the engagement partner and possibly the engagement quality reviewer). Understanding the breakdown in the quality controls will provide better information about what needs to be fixed, and may also reveal, for example, that the issues are not limited to the area of income taxes even though that is where the deficiencies manifested themselves.
I believe root cause analysis works best when it is performed objectively and consistently. Once there is a robust process to link the audit deficiency to a breakdown in the relevant quality control, the next step in the root cause analysis is to continue to ask “why did this occur?” until you arrive at the root cause or causes. When such a system is in place, one begins to have better evidence about the types of changes needed to be made to improve audit quality.
Performing your own “root cause” analysis.
What about many of you sitting here today who do not have any say over performing such a root cause analysis? What can you do to improve audit quality?
Well, given that the factors affecting audit quality are many and varied, I cannot tell you exactly what you should be doing differently. However, in preparation for my remarks, I have reflected on my experience in OCA, and how the insights I have gained and the experiences I have could be helpful to you in considering ways to perform higher quality audits. One thing I have found is a newfound appreciation for the auditing standards. All of the “shoulds” and “should considers” and other performance requirements are carefully placed into the standards. Take the time to read the auditing standards and then think about them as you perform audit work, focusing on why a particular performance requirement is included, and reflecting on how you might best fulfill that performance requirement. A deep understanding of the auditing standards, instead of following them as a sort of rote checklist, will naturally lead you to perform a higher quality audit.
This is the first year that the PCAOB’s new risk assessment standards are required. As you gain a deep understanding of these standards, you may start to find areas that warrant your specific attention to facilitate improvement. For example:
- The new risk assessment standards require you to perform certain procedures before you assess risk of material misstatement. Do you perform those procedures thoughtfully, or do you skip straight to assessing risk of material misstatement because you feel you are experienced enough to know what the risk of material misstatement should be for each assertion? Understanding the risk assessment standards will likely lead you to conclude that those procedures weren’t just required to help you assess risk, but also to give you the proper context to respond to risk and evaluate the evidence you obtained.
- Have you spent enough time to understand the business and its environment?
- As you complete an audit area, do you pause to consider whether you responded to risk in a way such that the higher your assessment of risk, the more persuasive the audit evidence you have obtained?
- Where you document “per discussion with management” or otherwise explain management’s view of a matter in your working papers, have you checked whether you have gathered sufficient appropriate evidence to corroborate management’s assertion?
- Particularly on areas with significant risk of material misstatement, have you considered introducing elements of unpredictability into your work?
- Particularly on areas with significant risk of material misstatement, have you identified and addressed contradictory evidence? If so, does your documentation clearly lay out why the other evidence you have used to support your conclusion is more persuasive? If you haven’t identified any contradictory evidence in an area with significant risk of material misstatement, you might properly conclude on the amount and nature of the audit evidence, but do you at least pause to consider whether you have gathered sufficient evidence and whether you have gathered your evidence from the most relevant and reliable sources?
These are just some examples for you to consider as you apply the new risk assessment standards. Perhaps you are already excelling at everything I have mentioned. But, through my own “root cause” analysis I have found, and perhaps you may also find, it is likely that we can improve our performance in the audit in some way, and a good way to start is to study and internalize the auditing standards.
I hope you have a great rest of the conference and that the things you have heard and will hear throughout the rest of the conference will assist you in doing your part to increase audit quality. Thank you.
1 COSO News Release, November 18, 2010
2 QC Section 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, paragraph 7.