Speech by SEC Staff:
Remarks Before the 2010 AICPA National Conference on Current SEC and PCAOB Developments
Brian T. Croteau
Deputy Chief Accountant, Office of the Chief Accountant
U.S. Securities and Exchange Commission
December 6, 2010
As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the SEC Staff.
Good morning. It’s a real privilege to have this opportunity today to speak about important topics related to audit quality. As we head into the year-end financial reporting cycle and a time when auditors are about to perform year-end audit work, focusing on audit quality can help to ensure that an unvarnished assessment is delivered, to borrow a phrase from our Chairman. For those that don’t know me, I am the Deputy Chief Accountant of OCA’s Professional Practice Group (PPG). While I’ve been in this position for only about six months now, some of you may recall me speaking at this conference in my prior SEC role on the PPG staff in OCA from 2004-2007. I can’t tell you how delighted I am to have returned to the SEC at a very busy time to once again work with an incredibly talented and dedicated group in OCA focusing on auditing matters each and every day.
OCA’s PPG has a significant role in leading and coordinating the Commission’s oversight of the Public Company Accounting Oversight Board’s (PCAOB) activities. This is a topic I spoke about in 2005, when providing an overview of how the Commission discharges its oversight responsibilities over the PCAOBi. Little did I know at the time of course those remarks would end up referenced in an amicus brief to the Supreme Court four years later in support of the PCAOB in a constitutional challenge. Anyway, I’d like to pick up today in some ways where I left off in 2005 with the hope that there will be no need for today’s remarks to make their way to the Supreme Court.
I’d like to start with a brief update on a few overarching matters relative to the PCAOB and auditor oversight. Then I’ll discuss a few points regarding the PCAOB’s standard setting and inspection functions that I believe are particularly important relative to improving audit quality. Lastly, I’ll highlight a couple reminders on internal control over financial reporting (ICFR) and auditor independence.
Overarching Auditor Oversight Matters
As you know, on June 28, 2010 the Supreme Court ruled on the constitutional challenge of the PCAOBii. In this ruling, the Court found one aspect of Board tenure provisions in Sarbanes-Oxley Act of 2002 (SOX) to be unconstitutional. This was the “dual for-cause” limitations on removal of PCAOB Board members which enabled the Commission to remove Board members only for “good cause” rather than “at will.” The Court found this provision to be incompatible with the Constitution’s separation of powers. Fortunately, the Court found that the unconstitutional Board tenure provisions were severable from SOX and that the Board’s existence does not violate the separation of powers of the Constitution. The Supreme Court also found that the Board’s appointment is consistent with the Appointments Clause. Although severing this provision changes the removal provision for Board members, since Board members can be removed by the Commission at will, the decision does not otherwise affect the PCAOB’s day-to-day operations relative to registration, inspection, enforcement, and standard setting. Rather, this decision only further solidifies the comprehensive nature of the Commission’s oversight role.
Speaking of Board membership, there are currently three of five Board seats that need to be filled, one of which is currently vacant and the other two seats are filled by Board members who have continued to serve beyond the end of their terms. Of these three new members, only one will be a CPA in order to adhere to the SOX requirement that two, and only two, Board members must be CPAs. Chairman Schapiro has been leading the Commission’s efforts for the appointment of new Board members and although we have no news for you today, I can assure you we are working diligently on this.
On the PCAOB inspection front, the Board continues its efforts to reach agreement in the EU, Switzerland, and China that have prevented the PCAOB from conducting certain required non-U.S. inspections of audit work related to issuers. The ability for the PCAOB to conduct the inspections that are mandated by SOX is a very important element of investor protection. Accordingly, we have been working with the PCAOB to support their efforts towards satisfying their statutory mandate to inspect all applicable registered firms that audit or play a substantial role in auditing issuers. There has been recent progress in the EU, including an important decision adopted by the European Commission on September 1, 2010 recognizing the PCAOB’s “adequacy” for purposes of the European Union’s Statutory Audit Directive. However, the PCAOB must still negotiate agreements on a country by country basis. In some countries in the EU this is really just a matter of reaching agreement with foreign regulators to resume inspections since the PCAOB had previously been able to conduct inspections. In the meantime the PCAOB has issued a statement describing a change relative to its policies for registering new firms that would not be able to be inspected until these matters are resolved.iii While I believe there are reasons to be optimistic that the PCAOB will be able to make substantial progress in resuming or commencing inspections in 2011, we stand ready to work with them if alternative measures are appropriate from an investor protection perspective.
Lastly on the overarching points is the Dodd-Frank Act. While there are hundreds of pages of legislation that will result in a significant number SEC rulemakings, I’d like to mention just two specific auditor-related implications. First, the PCAOB has been granted comprehensive oversight authority over broker-dealer auditors, and we will be working closely with them as they move expeditiously to implement that authority. Second, non-accelerated filers have, as I’m sure you know, been exempted from the audit requirement of SOX 404(b). However, I’d like to highlight that management’s responsibilities for evaluating and reporting on ICFR under SOX 404(a) are not in any way changed by the absence of an ICFR audit mandate for these issuers.
John Offenbacher, a senior member of my group, will be discussing some points regarding audits of broker dealers and a few of the nuances of the 404(b) exemption on the next panel. I’d encourage you to pay particular attention to his points relative to 2010 audits of broker-dealers, which are likely to be subject to PCAOB inspection as part of their 2011 inspection cycle.
PCAOB Auditing Standards
Engagement Quality Reviews
Let me move on from the overarching points to PCAOB auditing standards. First, as you know, the PCAOB’s new standard for engagement quality reviews, AS 7, became effective this year (i.e., for audits of fiscal years beginning on or after December 15, 2009). While many auditors will have now applied the standard to three interim reviews, we’re now approaching the first implementation of the standard relative to year-end audit efforts. While I am sure many auditors have implemented new policies and procedures and gone through training this year on engagement quality reviews, I’d encourage auditors performing engagement quality reviews to refresh their memories on the requirements of this standard as they begin their first year-end implementation efforts to ensure that the benefits to audit quality of the new standard are fully realized. This includes starting the year-end portion of your engagement quality reviews early, to provide sufficient time for your comments to be meaningfully addressed.
I’d like to share a few other thoughts for auditors who perform these reviews. Consistent with Jim Kroeker’s remarks on the importance of the audit, I encourage you to ask the hard questions as an engagement quality reviewer and push back in order to challenge the engagement team’s thinking sufficiently for you to understand and assess the reasonableness of the difficult judgments being made, including considering the documentation of those same matters. Take the time to adequately evaluate the appropriateness of the engagement team’s assessment of, and audit responses to significant risks, including those related to fraud. Also, spend sufficient time evaluating the significant judgments about materiality and the disposition of the severity of indentified control deficiencies. As you can probably tell, I really like this standard. Why? Because it provides for an important element of quality control before an audit opinion is issued and affords engagement teams the opportunity to address significant engagement deficiencies in a timely way to help ensure that a high quality audit is performed. The implementation of this standard will be another area I’d expect that PCAOB inspectors will focus on in the 2011 inspections of 2010 audits.
PCAOB Standard-Setting — The Path Forward
With respect to the PCAOB’s audit standard setting runway ahead of us, Marty Baumann, PCAOB Chief Auditor, will be speaking to you tomorrow, so I won’t cover their agenda in detail. However, I will say, I believe that the PCAOB’s current standard-setting agenda and timeline is very ambitious, but appropriate. It covers topics such as audits of broker-dealers, fair value, use of specialists, confirmations, principal auditor, audit committee communications, and the auditor’s reporting model all during the next year.iv Some of these are big projects. Clearly the pace of audit standard setting at the PCAOB picked up in 2010 and is scheduled to continue in 2011 as the PCAOB updates their interim standards adopted in 2003.
I was delighted to see the PCAOB adopt its eight new risk assessment standards this year, after two rounds of exposure and helpful public input. As the Commission said when it published the standards for public comment, it expects to take action by the end of this monthv. If approved, these standards will replace six existing standards and become effective for audits of fiscal years beginning on or after December 15, 2010 (i.e., 2011 for calendar year audits).
As I reflect upon the PCAOB’s past agenda, the recent work of other audit standard setters, including the IAASB and ASB, PCAOB inspection report findings, and consider the PCAOB’s interim standards that have not yet been updated since the Board’s initial adoption, the topics on the PCAOB agenda certainly seem appropriate. Regarding process, some have been critical in comment letters about lack of convergence and the extent to which the PCAOB writes their own standards rather than simply adopting the standards as written by the IAASB or ASB. The level of prescriptiveness is also a common observation. While I leave it to you to decide for yourself and I very much welcome your input to both the PCAOB and the SEC, I’d like to provide you with some of my own reactions.
First, let me say that I am not a believer in creating overly prescriptive auditing standards, nor do I believe that the PCAOB should write standards solely to make inspections easier as some have suggested appears to sometimes be a goal. Any changes to auditing standards should be made for purposes of improving audit quality for the benefit of reliable financial reporting. I question the wisdom of creating a level of prescriptiveness in auditing standards that can potentially cause audits to become overly mechanical exercises, particularly if the result is that reliable financial reporting becomes a secondary focus to box checking. Doing so has the potential to undermine the appropriate application of auditor judgment, due professional care and professional skepticism in favor of strict compliance with lists of requirements.
As one example I’ve noticed that the PCAOB’s existing audit confirmations standard contains 36 paragraphs and 36 “should statements” which of course create presumptively mandatory requirements for the auditor. In contrast, the proposed confirmations standard contains 39 paragraphs (only 3 more that today’s confirmations standard) and over 70, or roughly double, the number of presumptively mandatory “should statements.” The ISA by contrast has only about 11 presumptively mandatory “shall statements.” Simply counting “should” or “shall” statements is not the point, but it does illustrate the differences in approach and level of prescriptiveness that deserve due consideration.
At the same time, we need to be mindful of having a sufficient base or “floor” for audit quality. Likewise, we must not let prescription and adherence to a minimum standard ever get in the way of auditors taking any additional measures necessary that are important to obtaining reasonable assurance. Let me also note though that it is not uncommon for the PCAOB standards to evolve through the standard-setting process. In this regard, I strongly encourage commenters to provide alternatives when they believe PCAOB proposals can be improved rather than simply noting their disagreement with the proposed approach. I think we saw this work well with both the Engagement Quality Review and Risk Assessment proposals, which are standards that significantly benefited from multiple rounds of the public input. I’ve read many of the very constructive and helpful comment letters to the PCAOB on some of the more recent proposals with great interest and very much look forward to working with the PCAOB as they consider these comments before the Board adopts their standards.
Second, I think we can and should think about convergence of auditing standards differently than convergence of accounting standards in that incremental requirements added by one standard setter do not necessarily preclude proper application of other standards or necessitate a conclusion that they are not “converged” in the same way that accounting standards may lack convergence. For example, often an auditor can perform additional procedures in one set of standards without affecting the ability to have complied with the standards of another standard setter. Many of the largest accounting firms around the world have of course been doing this for years now by using the ISAs to develop their global methodology base, yet still of course complying with local standards of other standard setters. On the other hand, when accounting standards lack convergence and the application results in differences in recognition or measurement, complying with two sets of standards simultaneously simply may not be a possibility and users end up receiving different financial reporting information.
Third, while I would not suggest that performance issues in PCAOB inspection reports always — or even frequently — need to be addressed through changes to auditing standards, I do believe there is an important role for standard setting in addressing common quality issues. In other words, while performance issues can sometimes be addressed by firm methodology, training, or reinforcement of existing policies and methodology, sometimes a change to the standards can also be a particularly effective way to bring about desired changes in behavior.
Fourth, I don’t believe that the PCAOB should be discouraged from “gold plating” their standards by creating incremental requirements to other standard setters or describing requirements in a more definitive way to improve audit quality, particularly when they do so based upon intelligence about audit quality from inspections. In some cases, there is probably room for differences given the specific purpose of the PCAOB’s standards versus the broader use of standards such as those of the IAASB or ASB. It’s also certainly possible that other standard setters could benefit from considering the PCAOB’s thinking.
One last important issue from my perspective relates to the vision for how the PCAOB’s standards will evolve into one set of congruent standards that auditors around the world can easily make reference to as they conduct their audits. There has been increasing attention in comment letters that the PCAOB should put forth a codification plan to begin to lay out the vision for how its auditing standards will fit together. Right now there are new sequentially numbered standards that don’t all fit together well and those sit alongside the remaining interim standards that also no longer fit together so well. There are also interim interpretations to the standards. We have encouraged the PCAOB to give attention to this area and the PCAOB has added this project to their strategic plan. I’m certainly looking forward to working together with the PCAOB on this project.
Speaking at this conference back in 2005, I discussed that I was not surprised that in light of the PCAOB’s risk based approach to inspections their work yields a listing of findings each year and, on the surface, those findings looked similar from year to year. I made an analogy to the FAA and the similarities between the aviation industry and audit profession. I noted that we are unlikely to see a zero defect rate either in flying airplanes or in conducting audits, but that we can and should learn and improve. I’ve recently checked and, sure enough, five years later, according to the FAA’s Administrator’s Fact Book, year after year the FAA continues to find significant numbers of near midair collisions, pilot deviations, and operational errors. Similarly, the PCAOB’s recently issued report summarizing inspection observations over the last three yearsvi reflects undesirable consistency. Year after year the PCAOB finds deficiencies in the areas of fair value measurements, impairments of goodwill, intangibles, and other long-lived assets, and allowance for loan losses.
However, one thing that seems to be a needed addition to this report is a discussion of the underlying root causes for the audit deficiencies identified. I believe there is a risk that we won’t see significant improvement if underlying root causes are not identified and addressed.
By analogy, the National Transportation Safety Board issues specific safety recommendations to prevent future aviation accidents based upon its studies and investigations of root causes of incidences. My staff and I have spent some time with PCAOB inspectors and standard setting staff to consider what can be done to get to the root causes of audit deficiencies and I’m hopeful that firms are also routinely thinking about this too. It can be a difficult exercise and I don’t have all the answers; however, I am confident that incremental efforts in this area have the potential to help break the cycle of consistency in the findings and also provide meaningful input to the PCAOB’s standard setting projects such as fair value and quality controls.
Let me wrap up with just a couple quick reminders in two areas, ICFR and auditor independence.
Internal Control Over Financial Reporting
Numerous PPG staff have spoken on the topic of assessing the effectiveness of internal control over financial reporting over the last few years. I won’t repeat the details today, but in addition to some discussion you’ll hear tomorrow from staff in the Division of Corporation Finance regarding the evaluation of the severity of identified control deficiencies, there is one overarching point that I’d like to emphasize. Refreshing the approach each year to evaluating internal controls is critical to maintaining the value to investors of the SOX 404 efforts. Importantly, investors deserve timely information about the effectiveness of controls which includes an evaluation of whether internal controls are being maintained in a way that keeps up with emerging financial reporting risks. This means that this effort must go well beyond a rollforward of testing of the operating effectiveness of the same list of controls each year. The assessment must also include the consideration of the adequacy of the design of controls. The assessment should consider, for example, whether the design of controls has kept up with economic or business conditions or changes in financial reporting requirements.
Finally, on the topic of auditor independence, Jim has mentioned some very important overarching points about auditor independence in both fact and appearance. I’d like to get more granular from a compliance perspective and give just two examples of specific areas where we are seeing more consultations. One area relates to initial public offerings and registrations of the exchange of newly public debt for a class recently placed in a 144A transaction (A/B exchange offers). In certain instances auditors and management have determined that audits of financial statements in prior years do not comply with the SEC’s independence requirements in Rule 2-01 of Regulation S-X. Private companies and their auditors should consider their relationships and the possibility that the company might decide to raise public capital by filing a registration statement that requires audited financial statements that comply with SEC and PCAOB independence rules. The company should take into consideration that the auditor must be independent for all years that are included in the registration statement, which for most issuers is three years. Meeting these requirements can require planning since there are differences between the SEC and AICPA independence rules. Auditors and management should be mindful to avoid performing non-audit services or entering into relationships that might be prohibited by SEC independence rules that may later result in potentially costly delays at an unwelcome time when the company is trying to go to market. For example, bookkeeping and preparation of financial statements and related footnotes, particularly in the income tax area, are areas that we see as causing difficulty more frequently.
A second area to highlight relates to the SEC’s definition of “affiliates” and “audit client” in Rule 2-01 of Regulation S-X. It’s important to be sure to give appropriate consideration to the prevention of the provision of prohibited non-audit services not just to audit clients but also to affiliates of audit clients. In the case of venture capital and private equity firms, this includes upstream affiliates and also brother-sister companies that are controlled by the venture capital or private equity firm.
Auditor independence matters often involve unique and complex fact patterns; I want to remind you that OCA staff is available for consultations. Instructions about the consultation process are located on the SEC web site.vii
Thank you very much for your commitment to reliable financial reporting and your focus on audit quality. I look forward to answering any questions you have as part of the end of day Q&A panel.
i See http://www.sec.gov/news/speech/spch120505bc.htm
ii See http://www.supremecourt.gov/opinions/09pdf/08-861.pdf
iii See http://pcaobus.org/International/Inspections/Documents/Registration_of_Non-US_Firms.pdf
iv See http://pcaobus.org/News/Events/Documents/10132010_SAGMeeting/OCA_standards-setting_agenda.pdf
v See http://www.sec.gov/rules/pcaob/2010/34-62919.pdf
vi See http://pcaobus.org/Inspections/Documents/4010_Report_Economic_Crisis.pdf
vii See Guidance for consulting with the Office of the Chief Accountant at http://www.sec.gov/info/accountants/ocasubguidance.htm