Speech by SEC Staff:
Improving Audit Effectiveness
Deputy Chief Accountant, Office of the Chief Accountant
U.S. Securities and Exchange Commission
2006 AICPA National Conference on Current SEC and PCAOB Developments
December 11, 2006
This is my first National Conference and I'm delighted to be here. I have been at the SEC for four months now. Prior to joining the SEC, I was a professor at the University of Southern California. As a professor, I spent more than two decades thinking and writing about the quality of financial reporting and auditing. Generally, I had the luxury of considering issues from afar as my time and inclination permitted. But in OCA, we work day-in and day-out to maintain and improve the quality of financial reporting and auditing. So, the issues have taken on a new sense of importance and urgency for me.
In the Professional Practice Group, we focus on auditing. This means that we have a significant role in leading and coordinating the Commission's oversight of all the PCAOB's activities, including auditing standard-setting, as well as the Commission's work with respect to auditor independence. Given this focus and consistent with my long-standing interest in audit quality, I decided to make the theme of my remarks here today: "Improving Audit Effectiveness."
But, before I get to my remarks, I need to pause and remind you that the views I express here today are solely my own. They do not necessarily reflect the views of the Securities and Exchange Commission, the Commissioners, or of any other members of the Commission's staff.
That said, every day when I walk into the SEC building here in Washington, DC, I'm reminded that our mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. More than 70 years ago, the Securities Acts recognized that financial reporting, with full and fair disclosure, is a critical element in this mission. Moreover, the Acts recognized that having financial statements audited by knowledgeable, independent, objective accountants enhances the credibility and reliability of the financial information registrants provide to the markets.
Even though registrants must file audited financial statements to comply with the Securities Acts, many companies actually provided audited financial statements before the 1930's Acts. And still today, we see companies in unregulated and emerging markets voluntarily contracting for audits. In other words, financial statement audits are viewed as value-added. They're not just a compliance activity. So, let's turn to some important considerations if we are to maintain and improve the value and effectiveness of audits.
Audit effectiveness is a partnership between regulators, audit firms, and the accounting and auditing experts like many of you that lead and work for these firms. That is, audit effectiveness is a function of both standards and performance. Standards whether auditing, quality control, or independence provide a floor for auditor performance.
Importantly, audit firms should have incentives to go beyond the floor and compete on the basis of quality. This occurs not only from enlightened self-interest, but when, for example, audit quality carries a premium and clients are willing to pay more for higher quality services. And, this introduces another party to the audit effectiveness partnership namely clients, including management and audit committees. I'll subsequently touch on these partners, particularly audit committees.
First, we must recognize, for public companies post-SOX, audit effectiveness needs to be viewed from the perspective of an integrated audit that is, an audit of both the financial statements and internal control over financial reporting (or ICFR).
Even so, unlike financial statement audits before the Securities Acts, prior to SOX, for the most part, companies (other than financial institutions) didn't have ICFR audits. There was almost no voluntary demand for audits of ICFR for reporting to investors in public companies. However, this does not necessarily mean audits of ICFR do not have value.
Everyone agrees that controls are important even those running and investing in non-public companies, including those in the private equity market, want companies with good controls. For investors in our U.S. securities markets, SOX takes this demand one step better and gives transparency on and assurance about the effectiveness of these controls. These disclosures can benefit investors and issuers in a number of ways. One of which is that disclosure, by its very nature, provides an incentive to maintain effective ICFR systems, remediate weaknesses, and generally improve controls. And these activities can improve the quality of financial reporting for investors.
While recognizing the potential benefits, assessing and attesting to ICFR also has costs. As all of you know, it has been a challenge to get standards and performance appropriately calibrated on audits of ICFR. The good news is that there are sufficient dials that can be adjusted as we, the PCAOB, auditors, and management work together on this calibration.
Similarly, it has been a challenge to get an effective integration of the ICFR and financial statement audits. This seems to me a key point. It's all about improving the quality of financial reporting by mitigating the risk of material misstatement. To do so, the financial statement audit needs to inform the audit of ICFR and vice versa. Here again, there is good news. Once barriers to achieving integration are removed and appropriate incentives established, it's likely that integrated audits will be viewed as big step forward in audit effectiveness.
To get there, standard-setters have been hard at work to restore the value proposition on the ICFR side and to strengthen and improve the integration of the two audits. During the year, the SEC staff has worked closely with the PCAOB on revising AS 2. Moreover, the Commission is considering whether the 404 process would be facilitated if the SEC provided guidance to management on planning and conducting its evaluation of ICFR under 404 (a).
So, it has been a very busy year, indeed. The Professional Practice Group in OCA, along with the staffs of other divisions and offices, has worked tirelessly on these initiatives. I know you are anxious to hear about these activities. While the Commission has indicated that it will consider management guidance at an open meeting later this week, Mike Gaynor, who is among those in OCA who have worked so long and hard on it, will be speaking at this Conference about taking a risk-based approach to the evaluation of ICFR. And, various members of the PCAOB staff will be covering their activities.
Soon it will be your turn. The SEC and the PCAOB very much look forward to receiving your comments on any management guidance and the revision of AS 2, respectively. Importantly, we also look forward to many of you implementing the final guidance as you perform annual assessments of ICFR or integrated audits on accelerated filers in 2007. Everyone's objective in the partnership should be to get 404 rationalized, and you have a very important part in this if we are all to succeed.
An expectation is that guidance will be principles-based rather than prescriptive. This means that all participants in the partnership will be required to use judgment. Reasoned judgments with a reasonable basis and support for them can be a powerful way of restoring common sense to the 404 process. No one is well served, including investors, by clearly excessive work or unreasonable efforts. Indeed, this diminishes not enhances the value of audits.
To summarize, getting 404 rationalized is an enormously important challenge that must be met if integrated audits are going to be effective, and if they are going to be perceived to be so, as we go forward. And you are a critical part of the rationalization process. We must insure that the value proposition applies to both parts of the integrated audit. If ICFR audits are not perceived as cost-benefit effective, it will only undermine the value and viability of what you do and the structures that support it.
Let me elaborate on this point with two illustrations one drawing on PCAOB inspections and the other on the role of audit committees.
The excessive costs of implementing 404 have created pressures for the PCAOB to use the inspection process to assess the efficiency of ICFR audits. While PCAOB inspections can serve as a very important source of feedback for improving both auditor performance (including through identifying and disseminating best practices) and for improving standards (whether audit, quality control, or independence), inspections were not visualized by SOX as a mechanism for assessing audit efficiency SOX intended inspections to assess the degree of compliance of each registered public accounting firm and associated persons of that firm with SOX, PCAOB and SEC rules, and professional standards in connection with performing audits (Section 104). This means assessing compliance with a floor. But remember, from the standpoint of audit effectiveness, we want auditors to have incentives to exceed the floor. We don't want the ceiling and floor to be one and the same.
While some view inspecting for efficiency as a creative use of a regulatory mechanism, I believe that investors, in the long run, are best served if regulators focus on audit effectiveness. Solving the 404 problem with your help, by rationalizing ICFR assessments and attestations, will enable regulators to regain their focus on audit effectiveness.
Similarly, let's consider the role of audit committees. SOX gives audit committees the responsibility for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by an issuer (Section 301), which includes the responsibility for pre-approving all audit and nonaudit services (Section 202). Here again, concerns over excessive costs of 404 audits have caused many audit committees to focus on reducing fees for the ICFR audit by probing auditor scoping decisions, challenging the necessity of the work, and asking auditors to cut-back on what they consider to be unnecessary efforts. These activities certainly are consistent with the responsibilities of audit committees.
Nonetheless, there exists a potential for excessive pressure on fees by audit committees, which, in turn, has the potential for resulting in cut backs on important and legitimate audit scope. To borrow a line from Professor Bill Kinney at the University of Texas at Austin: "If we're not careful, we may be creating conditions, which will lead to the floor for auditor performance being above the ceiling." So, once again, my concern is that we have to get 404 fixed, or legitimate concerns over inefficiencies in ICFR audits may undermine audit effectiveness.
Now let me turn to auditor independence, which is another area that the Professional Practice Group oversees. This afternoon Mike Husich will be covering some of the independence issues that we thought might be of interest to you. Even so, I have two more general comments consistent with the theme of improving audit effectiveness.
At last year's conference, Ed Bailey, of OCA, gave a speech that discussed a more principle-based approach to independence, the foundation for which would be strong audit firm quality control systems. I would like to affirm that the Chief Accountant and I are both very supportive of this underlying premise, and we are considering how to advance it.
On another topic, you have been hearing discussions about the convergence of accounting standards, some about the convergence of auditing standards, and little about convergence of auditor independence standards. Yet, the lack of convergence for independence standards creates similar compliance challenges for audit firms and their multi-national audit clients. Different models of auditor independence have evolved. And we recognize that the current disparity in independence rules can be burdensome. In conjunction with other securities regulators in IOSCO, the staff at the Commission is beginning to survey the landscape, in an effort to compare and contrast the auditor independence requirements in various jurisdictions throughout the world. In discussions among regulators, we are working on understanding current similarities and differences to engage in constructive dialogue going forward.
Well, I am almost out of time. So, let me conclude by summarizing an overarching point of my comments here this morning: We face a number of public policy challenges with important implications for audit practice that need to be addressed as we go forward. But if we recognize that this is indeed a partnership and that the goal for all of us is simply improving audit effectiveness, we can get there.
Thank you very much.