Remarks before the 2015 AICPA National Conference on Current SEC and PCAOB Developments
Brian T. Croteau
Deputy Chief Accountant, Office of the Chief Accountant
Dec. 9, 2015
The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement of any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues upon the staff of the Commission.
Good morning and thank you for the introduction. As Deputy Chief Accountant for OCA’s Professional Practice Group (PPG), I am fortunate to oversee a talented and dedicated team of professionals who focus on audit quality and investor protection each and every day. As part of our responsibilities, we work closely with, and provide advice and support to, other offices and divisions within the SEC on auditing, auditor independence, and internal control matters. OCA’s PPG staff also devote significant efforts to supporting the Division of Enforcement’s steady stream of auditor enforcement investigations. Jim Schnurr described two of the more significant cases this morning and you’ll hear more about those and other noteworthy cases from Andrew Ceresney and Mike Maloney later in the conference. OCA’s PPG also has a significant role in coordinating the Commission’s oversight of the Public Company Accounting Oversight Board (PCAOB).
This morning I’ll address four of the areas we devoted significant attention to over the past year. First, I’ll provide a few observations on assessments of internal control over financial reporting. Next, I’ll briefly discuss the Commission’s concept release on potential changes to audit committee reporting requirements. I’ll follow this with a few words on auditor independence before wrapping up with a brief discussion of some PCAOB-related matters.
Internal Control Over Financial Reporting (ICFR)
ICFR reporting continues to be an area of focus for OCA. As Jim Schnurr mentioned, we are routinely reminded that investors view management’s ICFR assessments and independent auditors’ attestation on ICFR to be beneficial and important to investor protection. Jim referenced PCAOB inspection findings related to audits of ICFR and the potential that some of these findings may be indicative of underlying problems with management’s controls. Accordingly, OCA’s PPG staff continues to work with our colleagues in the Divisions of Corporation Finance and Enforcement to provide technical support in connection with filing reviews and enforcement investigations that involve ICFR matters.
Based on discussions with public company management teams during our consultations, there are encouraging signs that some ICFR reminders provided by SEC staff in recent years at this and similar conferences are being heard. This is also evidenced by an uptick for the second consecutive year in reporting of material weaknesses in circumstances in which issuers have not identified a material misstatement.[i] Of course these are in addition to those material weaknesses that you would expect to see reported in connection with restatements to correct material misstatements. Still, given the frequency with which certain ICFR issues are identified in our consultations with registrants, I’d be remiss not to remind management and auditors of the importance of properly identifying and describing the nature of a control deficiency and understanding the complete population of transactions that a control is intended to address in advance of assessing the severity of any identified deficiencies. Then, once ready to assess the severity of a deficiency, it’s important to remember that there are two components to the definition of a material weakness - likelihood and magnitude.[ii] The evaluation of whether it is reasonably possible that a material misstatement could occur and not be prevented or detected on a timely basis requires careful analysis that contemplates both known errors, if any, as well as potential misstatements for which it is reasonably possible that the misstatements would not be prevented or detected in light of the control deficiency. This latter part of the evaluation, also referred to as analysis of the so called “could factor,” often requires management to evaluate information that is incremental to that which would be necessary, for example, for a materiality assessment of known errors pursuant to SAB 99.[iii] The final conclusions on severity of deficiencies frequently rest on this “could factor” portion of the deficiency evaluation; however, too often this part of the evaluation appears to be an afterthought in a company’s analysis. Yet consideration of the “could factor” is very important.
It’s also important that the information used in evaluating the severity of control deficiencies is reliable, including the use of reasonable assumptions about the risks of misstatements that flow from the deficiency being evaluated. If the evaluation leads to an effort to obscure the severity of a control deficiency, investors are less likely to receive the disclosures they expect. Likewise, limitations on management’s own internal understanding about the nature and severity of a deficiency can result in a lower likelihood that the remediation is comprehensive and sufficient.
This afternoon Jim will moderate a panel on ICFR that I will participate in along with representatives from the PCAOB, public companies, and audit firms. The additional topics we plan to cover have been selected based upon feedback we’ve received throughout the year, with a focus on the reported challenges experienced in evaluating management review controls. I am not surprised that as the years pass since the 2007 changes in the SEC and PCAOB guidance for ICFR assessments, management review controls have emerged as a topic of focus. I am thankful to those who have taken the time to meet with PCAOB and SEC staff to share their perspectives on this topic. It’s also noteworthy that throughout our outreach we have repeatedly heard from all of the parties involved that there is a strong agreement on the importance of ICFR. Today’s panel is in my view another step in the journey as we continue to administer the ICFR assessment requirements. I look forward to continuing outreach in 2016 in order to assess progress and to stay informed of new issues that might emerge. I strongly encourage regular discussions among management, auditors, and audit committees on existing and emerging issues in assessments of ICFR. Moreover, the role of audit committees in this dialogue is equally important. After all, ICFR is an area subject to audit committee oversight as part of its financial reporting oversight responsibilities.
I have one last point on ICFR. As you’ve heard from Wes Bricker and will hear from others in the accounting group of OCA later today, it is important to give ongoing consideration to implementing or redesigning controls as necessary in connection with the application of new accounting standards and policies. Such changes in accounting have the potential to significantly impact many important areas of financial reporting. Management’s ability to successfully transition to new accounting standards will depend, to a large degree, on the effective design and operation of ICFR. I’d also remind management to consider its quarterly obligations to disclose material changes to ICFR, including in situations where such changes are made in advance of the adoption of a new standard, but also impact current period financial reporting.
Audit Committee Reporting
Turning our attention to audit committees, this past July the Commission issued a Concept Release on Possible Revisions to Audit Committee Disclosures.[iv] The release sought public comment on a range of areas related to the audit committees’ oversight of the independent auditor – a significant part of the audit committee’s responsibilities mandated by the Sarbanes-Oxley Act of 2002 (SOX). The Concept Release also requested feedback on the desire of investors for additional disclosures regarding audit committees’ work in other areas of their responsibilities.
While SOX resulted in significant changes to the role and responsibilities of audit committees, SEC disclosure requirements for audit committees have been in place since 1999 and pre-date SOX.[v] As such, the staff has observed a growing desire by some investors to hear more from audit committees about how they perform their role as gatekeepers for the benefit of investors. The staff also has observed that many audit committees have enhanced their public reporting to investors by including disclosures that go beyond those required by today’s rules.[vi]
The comment period for the Concept Release closed in September. The Commission received approximately 100 comment letters from a variety of constituents, including investors, audit committees, management, auditors and other accountants, academics, professional associations, law firms and individuals.[vii] As Chair White mentioned, many commenters expressed support for considering whether and how to improve disclosures being made under current rules. However, there were mixed views about the need for additional detailed disclosure requirements with some suggesting that voluntary efforts could be sufficient. Letters submitted by investors largely suggest there is significant interest in hearing more from audit committees. This is particularly true for audit committees’ work in areas such as the selection and appointment of auditors, evaluation of the qualifications and work of the audit team, and determination of the auditor’s compensation. Of those commenters who were supportive of additional audit committee disclosures, many encouraged the SEC to consider implementing principles-based requirements. Some suggested that doing so would allow audit committees sufficient flexibility to tailor disclosures to their particular facts and circumstances and to avoid boilerplate reporting. Some commenters also raised questions about potential unintended consequences of additional disclosures such as litigation risks and effects on communication between audit committees and independent auditors. Finally, some commenters suggested that the Commission revisit its rules regarding the composition of audit committees, for example, through strengthening the definition of an audit committee financial expert.
We in OCA are working closely with our colleagues in the Division of Corporation Finance to evaluate the comment letters carefully in considering any potential recommendations that the staff might make to the Commission. In the meantime, I continue to be encouraged by the momentum that appears to exist behind additional voluntary disclosures. In this regard, a recent report issued by the Center for Audit Quality shows double-digit growth in voluntary reporting in several areas considered by the Concept Release. For instance, 25% of S&P 500 companies disclosed in 2015 the audit committee’s considerations in appointing the audit firm (up from 13% in 2014). Also, there has been a significant increase in disclosures across all companies in the S&P 1500 Composite index of the criteria considered when evaluating the audit firm in connection with its appointment as the auditor or otherwise.[viii]
However, the practice of voluntary disclosure is by no means common to all listed companies. Moreover, some commenters have questioned the extent to which the voluntary reporting by certain audit committees today is at least, in part, in response to the Commission’s current interest in considering the adequacy of the existing disclosure requirements and whether these efforts could wane in the future. I would encourage audit committee members of listed companies to continue to consider the usefulness of their audit committee disclosures and consider whether providing additional insight into how the audit committee executes its responsibilities would make the disclosures more meaningful.
Let me now move on to auditor independence.
Auditor Independence Matters
Investor confidence in financial reporting is highly dependent on auditors’ commitment to maintaining independence in both fact and appearance. Auditor independence lies at the very foundation of the profession and is necessary to reduce threats to auditors’ objectivity and lend credibility to the fair presentation of the financial statements.
Throughout the year, OCA staff interact routinely with auditors, management, and audit committee members given the responsibility these parties share for maintaining and ensuring auditor independence. We receive questions on a wide spectrum of issues related to the application of our independence rules. As we try to provide timely and helpful advice, we also benefit by better understanding current practices and emerging issues. Meanwhile, an area that is a personal favorite and often a concern of mine that I’d like to address is the provision of non-audit services to audit clients. OCA receives a number of questions about the permissibility of a variety of non-audit services each year. I believe it is particularly important for management and audit committees to have appropriate policies and procedures in place that are consistently executed to promote a thorough evaluation of the threats to auditor independence from any potential non-audit service.
In that regard, as you know, Rule 2-01(c) includes a non-exclusive list of prohibited non-audit services. Accordingly, the Commission’s guidance may not always specify whether a particular type of service is explicitly prohibited. In these circumstances, it is important to evaluate the proposed service against the four principles in the Preliminary Note of Rule 2-01. Neither the nature of the service nor the manner in which it is provided should be at odds with the four principles. Specifically, consideration should be given to whether a relationship or service to be provided by an auditor:
- Creates a mutual or conflicting interest with its audit client;
- Places them in a position of auditing their own work;
- Results in the auditor acting as management or an employee of the audit client; or
- Places them in a position of being an advocate for the audit client.[ix]
With this in mind, the auditor, management and the audit committee should evaluate whether there are any unacceptable threats that might bear on the auditor’s independence in applying the general standard. A proper evaluation should assess the nature and scope of the non-audit service as well as the manner in which the service will be delivered.
In addition, even after services are initially approved, I believe that it is advisable for management and audit committees to have policies and procedures for ongoing monitoring of the provision of non-audit services during their execution to address the risk of “scope creep” that could result in a service becoming impermissible and impairing the auditor’s independence. When that happens, unplanned changes in auditors and potential re-audits may be necessary which can be costly and distracting to the company and its shareholders and could interfere with capital raising plans.
As a general comment, I encourage you to continue consulting with the staff in OCA as you find appropriate. OCA’s PPG has several staff members devoted to addressing your questions on independence matters. Mike Husich, who works closely with me in leading our independence consultation function, will discuss some of the more frequent areas of consultation on the next panel. Information about OCA’s consultation process is available on the SEC website under Information for Accountants.[x]
Having been in my current role for five years and having been involved in the SEC’s oversight over the PCAOB for nine years in total, I have observed periodic interest in understanding how the SEC oversees the PCAOB as well as understanding how our working relationship has evolved. In remarks delivered at this conference in my prior tenure on the SEC staff a decade ago, I provided my insights on how the SEC and the PCAOB interact on a day-to-day basis and how through those interactions the Commission effectively discharges its oversight responsibilities.
Those remarks, which were cited in an amicus brief to the Supreme Court in support of the PCAOB’s constitutionality, remain available on the SEC’s website and have served as a useful frame of reference for those with interest.[xi] I stated then that, “The Office of the Chief Accountant (OCA) has a significant role in leading and coordinating the Commission's oversight work; however, the responsibilities extend across many of the offices and divisions within the Commission.” I covered the Commission’s ability to conduct periodic, special, or other examinations of the records of the Board and the Commission’s process for considering whether to approve the PCAOB’s budget. I mentioned that the PCAOB is also required to submit an annual report to the Commission containing audited financial statements. I also addressed in some level of detail the nature of the Commission’s and staff’s involvement in PCAOB standard setting[xii] and the PCAOB’s inspection program. Although the SEC’s oversight over the PCAOB continues to evolve a decade later to adapt to current circumstances, much remains the same. There are some aspects that have been formalized over the years, such as the implementation of certain rules that have been codified in Regulation P for matters related to the Commission’s consideration of the PCAOB’s annual budget[xiii] and the review of inspection findings pursuant to Rule 140.[xiv]
Overall, I am quite proud of the accomplishments we have made working closely with the PCAOB and the processes that we have established to ensure that our cooperation is as seamless as possible as we work together to protect investors.
Those who have been coming to this conference for many years are also aware that I have been transparent in describing areas which I believe are in need of improvement.[xv] In that respect, I have been extremely pleased with the work that the PCAOB has undertaken to review the performance and management of its standard setting agenda. I strongly believe that the PCAOB’s review will help to identify and address the obstacles that have hindered progress. Meanwhile, many individuals at the PCAOB have worked hard for many years on projects that haven't yet advanced to a Board proposal. These projects include auditing estimates, including fair value measurements, use of other auditors, use of the work of specialists, and going concern. I look forward to seeing these projects advance. [xvi]
Investors are counting on the continued development and maintenance of a set of high-quality standards that establish the expectations for auditor performance. It has become increasingly clear to me over the years that the inputs necessary for timely, high-quality audit standard setting extend beyond those that have been utilized by the PCAOB to-date. Nevertheless, I am optimistic that significant and meaningful progress is around the corner. While I will leave it to the PCAOB to discuss the details at the appropriate time, I believe that one natural outcome of its standard setting review will be increased transparency in their work and more opportunities for stakeholder input throughout the standard setting process. The PCAOB has already shown this can be done with very positive results through, for example, its audit quality indicators project, where significant transparency and ongoing opportunity for public input led to a robust concept release that was developed in a transparent manner and resulted in the project attracting interest and attention globally.[xvii] In fact, I understand that some audit committees began to experiment with the use of some of the AQI’s even as the PCAOB was developing them.
The PCAOB has accumulated a wealth of information about audit quality through its inspection program, and it is making process improvements that will enable the Board and its staff to better leverage this information throughout the standard setting process. The PCAOB’s success in standard setting will, in part, depend on your support to promote the development of standards that play an important role in the production of credible and reliable financial reporting for the benefit of investors. Whether you are a preparer or auditor or a member of an audit committee, I encourage you to take an interest in supporting the PCAOB’s evolution of its standard setting function going forward.
Thank you for your attention, and I look forward to the ICFR panel this afternoon and answering any questions you may have during the end of day Q&A panel.
[ii] See FR-77, Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 (June 27, 2007), available at http://www.sec.gov/rules/interp/2007/33-8810.pdf.
[iii] See SEC, Staff Accounting Bulletin No. 99 – Materiality (August 12, 1999)
[iv] See SEC Release No. 33-9862, Possible Revisions to Audit Committee Disclosures (July 1, 2015), available at http://www.sec.gov/rules/concept/2015/33-9862.pdf.
[v] The majority of audit committee disclosure requirements, which exist in their current form principally in Item 407 of Regulation S-K, were adopted in 1999.
[vi] See, e.g., Center for Audit Quality, Audit Committee Transparency Barometer (2015), available at http://www.thecaq.org/docs/default-source/reports-and-publications/2015-audit-committee-transparency-barometer.pdf?sfvrsn=2.
[vii] See Comments on Concept Release: Possible Revisions to Audit Committee Disclosures, available at https://www.sec.gov/comments/s7-13-15/s71315.shtml.
[viii] See Center for Audit Quality, op. cit.
[ix] See Preliminary Note of Rule 2-01.
[x] See OCA, Guidance for Consulting with the Office of the Chief Accountant, at http://www.sec.gov/info/accountants/ocasubguidance.htm.
[xi] See Brian T. Croteau, Remarks Before the 2005 AICPA National Conference on Current SEC and PCAOB Developments (December 5, 2005), available at http://www.sec.gov/news/speech/spch120505bc.htm.
[xii]See Brian T. Croteau, op. cit.: “...the Commission is required to approve all PCAOB rules and professional standards in order for them to become effective. Once approved by the Commission, PCAOB rules also become enforceable by the Commission. The SEC is designated as an official observer, with speaking rights, on the Board's Standing Advisory Group. In addition, Commission staff meets regularly with the Board's staff to discuss emerging practice matters and to provide input on standard-setting activities. The goal is for SEC staff to provide input and insights, recognizing that it is the PCAOB's rule to draft and interpret. OCA and PCAOB staff positions generally become reasonably close before the PCAOB staff takes a proposal to their Board. Of course, the Board and staff can always make changes, but if the process works properly, rare will be the occasion where the Chief Accountant does not recommend that the SEC adopt a PCAOB rule. Once rules or standards are adopted by the Board, they are filed with the Commission. The Commission generally publishes the proposed rule or standard for public comment in the Federal Register. After consideration of the comments, the Commission votes on whether to approve the rule or standard. If approved, the rule or standard becomes effective in accordance with its terms. Finally, the text of the Commission order is printed in the Federal Register. The Commission must vote for or against a rule or standard in the form it is submitted by the PCAOB. The law does provide a process by which the SEC can, by order, amend, delete, or add to the rules or standards of the Board; however, the Commission has not issued any orders of this nature to-date.”
[xiii] See Rule 190 of Regulation P (17 CFR 202.190), Public Company Accounting Oversight Board budget approval process
[xiv] See Rule 140 of Regulation P (17 CFR 202.140), Interim Commission review of PCAOB inspection reports
[xv] See, e.g., Brian T. Croteau, Remarks Before the 2014 AICPA National Conference on Current SEC and PCAOB Developments (December 8, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370543616539; Remarks Before the 2013 AICPA National Conference on Current SEC and PCAOB Developments – Audit Policy and Current Auditing and Internal Control Matters (December 9, 2013), available at https://www.sec.gov/News/Speech/Detail/Speech/1370540472057; Remarks Before the 2012 AICPA National Conference on Current SEC and PCAOB Developments – Audit Policy and Current Auditing and Internal Control Matters (December 3, 2012), available at http://www.sec.gov/News/Speech/Detail/Speech/1365171491828; and Remarks Before the 2011 AICPA National Conference on Current SEC and PCAOB Developments – The Role of the Audit Performance Feedback Loop in Audit Policy Decision-Making (December 5, 2011), available at http://www.sec.gov/news/speech/2011/spch120511btc.htm.
[xvi] See PCAOB, Standard Setting Agenda (September 30, 2015) for current status of PCAOB’s standard setting projects, available at http://pcaobus.org/Standards/Documents/201509-standard-setting-agenda.pdf. The project related to auditing accounting estimates, including fair value measurements, has been on the PCAOB’s agenda since 2008, projects related to supervision of other auditors, auditor’s use of the work of specialists, and going concern – since 2009.
[xvii] See PCAOB Release No. 2015-005, Concept Release on Audit Quality Indicators (July 1, 2015), available at http://pcaobus.org/Rules/Rulemaking/Docket%20041/Release_2015_005.pdf.