I thought about a number of possible topics for discussion today.
I considered talking about the relationship between the SEC and the PCAOB. There’s also the role, if any, of the auditor in providing assurance on non-GAAP and ESG metrics and the possible role of the PCAOB in leading the discussion.
I think it would be interesting to talk about the use of academic research in driving the regulatory mission of the PCAOB, particularly insights gleaned from the non-public data that the PCAOB receives from audit firms. And then there’s the issue of audit firms in China.
But instead of those topics, I thought I would talk about trust.
Audits are about trust. Trust in the audit raises investor and public confidence in the company’s financial disclosure. Confidence in the financial disclosure in turn drives the capital markets.
The PCAOB’s mission, to put it succinctly, is to ensure trust in the audit.
To do this, Congress expected the PCAOB to be independent of the audit profession—another topic for future discussion by the way—and to act in the interests of investors and the public. While Sarbanes-Oxley included a number of mechanisms designed to address independence, the investor protection part of the equation mostly fell to the PCAOB to implement.
So let’s step back and ask the question, has PCAOB oversight resulted in investor trust in the audit?
I think it’s fair to say that the PCAOB has improved the auditing process, at least when measured against conformity with PCAOB standards. PCAOB conduced inspections increased investor confidence.
Nonetheless, I wonder whether we can say that investors and the public truly trust the audit and the role of the auditor. As we watch failures like Wirecard and the debate taking place globally over audit quality, there are clear indications of concern from investors that they are not receiving the quality that they want and expect from auditors.
So what does the PCAOB need to do to address this problem of insufficient trust in the audit?
In a nutshell, the PCAOB must do more to ensure that the audit reflects the interests of investors and the public. That means better understanding investor concerns with financial disclosure and integrating those concerns into the standard setting and inspections process. This also means placing less emphasis on the importance of deficiencies in an audit as a primary indication of audit quality and more on the role of the audit in enhancing the reliability and comparability of financial disclosure.
So today I want to talk about the importance of trust, the consequences that occur when trust is not present, and the role of the PCAOB in helping to ensure investor trust in the audit process.
The Importance of Trust
Let’s start with why trust is so important.
Auditors are gatekeepers that look over the shoulders of management in connection with the preparation of the financial statements. The audit is designed to improve the reliability and quality of financial reporting.
What does this mean in actual practice?
Investors want financial statements that are complete and accurate. That won’t happen if the numbers don’t add up, if fraud has occurred, or if the financial statements fail to conform to GAAP.
But quality is more than that, much more than that.
Financial statements increasingly consist of estimates and valuations. These are areas of the financial disclosure process that are subject to judgment and prone to management bias. While the subjectivity associated with these determinations cannot be eliminated, an audit can ensure that they are undertaken in a comparable and reliable manner.
The quality of an audit though depends upon “an auditor’s competence, effort level, and independence,” Yet these elements are, for the most part, unseen by investors and the public. Nor can they be gleaned from the relevant auditing standards. Principles based, an approach designed at least in part to reduce litigation risk, standards are mostly guide posts, leaving the step actually taken up to the judgment and discretion of audit firms.
Notwithstanding this lack of transparency, investors and the public are nonetheless asked to trust that audits were adequately executed. And they are asked to do so despite structural concerns about an audit firm’s independence, objectivity and quality.
The method of compensating audit firms raises concerns about the adequacy of the audit.
As we all know, audit firms are paid by the client that they audit. The goal of maintaining the account and the resulting revenue stream can conflict with the obligation to exercise sufficient professional skepticism and result in in excessive deference to judgments made by management.
There is also the commercial nature of audit firms. Audit quality is a cost. Firms often, if not usually, have a difficult time competing on the basis of quality. As a result, investments in audit quality may not improve the bottom line. This can result in an approach that favors profitability over audit quality even in circumstances where it shouldn’t.
The audit profession during the era of self-regulation attempted to address some of these concerns. In order to promote investor trust in the audit, firms voluntarily agreed to subject themselves to peer review, to continuing professional education requirements, and to the implementation of a system of quality control that met applicable standards.
Self-regulation didn’t work. There was no meaningful role for investors, inadequate transparency, and insufficient accountability to the public. The system largely depended upon the profession’s willingness to act in “[e]nlightened self-interest”. And let’s be blunt, enlightened self-interest wasn’t enough to ensure sufficient audit quality.
When Enron and Worldcom occurred, trust did not disappear. It was not there to begin with.
Trust and the PCAOB
That PCAOB was expected to play a major role in returning trust to the audit.
Congress advanced this goal at the PCAOB in two ways. The new regulator was to be independent of the auditing profession. And the PCAOB was to exercise oversight in the interest of investors and the public.
To improve investor confidence, the PCAOB scaled up an inspection program. The focus was on whether audit firms met the relevant standards, with any significant deficiencies set out in a public inspection report. Audits likely improved, at least as measured against compliance with auditing standards. But the approach was at best a beginning and, standing alone, not sufficient to ensure trust in the audit.
(March 6, 2002) (“Despite a series of SEC cases and private litigation which revealed clearly substandard auditing work, no major firm appears to have been publicly sanctioned as a result of a peer review.”).
For one thing, measuring audit quality through compliance with standards did not set a sufficiently high bar. When opening its doors, the PCAOB adopted the existing standards written during the era of self-regulation.
They were the same standards in place when Enron and Worldcom collapsed after receiving clean audit opinions. They were the same standards written with inadequate investor input and criticized during the hearings on Sarbanes-Oxley. And while some of them were subsequently rewritten or amended, they mostly continued to reflect the “principles” based approach developed and favored by the audit profession.
For another, the focus on ensuring compliance with auditing standards was largely disconnected from the impact of the audit on the quality of the financial statements. In fact, inspection reports specifically disclaimed any such relationship and the reports failed to provide investors with perhaps the single most useful piece of information, the identity of the issuer where the deficiency was discovered.
The approach also created the potential incentive for firms to excessively focus on a reduction in deficiencies rather than improvements in financial disclosure. And this occurred as academic literature suggested that investors did not rely on the number of deficiencies as a means of assessing audit quality.
However, our results suggest that shareholders seem not to incorporate the inspection reports as an indicator of auditor quality in their decisions of auditor ratification.”). See also Lisa Milici Gaynor, et al., Understanding the Relation between Financial Reporting Quality and Audit Quality, 35 AUDITING: A Journal of Practice & Theory 1–22. (2016) (“inspection deficiencies are rarely linked to misstatements, restatements, or even to incorrect audit opinions (e.g., issuance of an unqualified opinion when a material misstatement was present). Thus, though PCAOB-cited deficiencies provide some information about audit quality with respect to process, they rarely provide a measure with respect to outcome.”).
Ensuring Investor Trust in the Audit
More needs to be done by the PCAOB to ensure trust in the audit. Specifically, the views and goals of investors and the public must be better integrated into the oversight process. To do so, the PCAOB needs to take a number of affirmative steps.
The PCAOB cannot act in the interests of investors and the public if it doesn’t know what those interests are. There needs to be a well-developed feedback loop with investors that involves constant effort, constant interaction, and constant solicitation of views, with what is learned integrated into the oversight process. If anything, the PCAOB has in recent years gone in the opposite direction.
And in putting in place this feedback loop, the PCAOB has to ask the right questions. The conversation should not be limited to technical advice on standards or approaches. The feedback loop should be used to identify areas of concern by investors with financial disclosure and the role that the audit can play in addressing these concerns. These comments must then be integrated into the oversight process, including inspections and standard setting.
With respect to auditing standards, let’s be frank. The existing set of standards do not collectively reflect the interests of investors and the public.
For investors to trust the audit, the standards need to better incorporate their views and expectations. This requires at least two broad changes.
Bringing Balance to Standard Writing
First, investors generally favor an approach to regulation that involves a mix of principles and prescriptive requirements. Prescriptive requirements establish a floor for an audit and allow investors to know that certain procedures will always be performed. Investors know that firms will observe inventory, a rare prescriptive requirement that emerged from financial scandals in the 1930s. This approach should also recognize the significant differences in firms with respect to size, resources and number of clients.
Implementation of this approach will of course generate criticisms that audits are becoming a checklist, with insufficient opportunity for professional judgment. Such a criticism, however, would be misplaced. Prescriptive requirements and principles are a balance. Right now the balance weighs almost entirely in one direction.
Audit Quality and Commercial Interests
Second, standards should more explicitly address the conflict between audit quality and commercial interests. In particular, this requires the use of governance mechanisms designed to ensure that the latter does not improperly influence the former. This is particularly true with respect to the systems of quality control implemented by audit firms. Any system of quality control that does not seek to structurally insulate audit quality from commercial interests will be susceptible to claims that commercial interests predominated and drove the decision making process, even when it shouldn’t have.
An area where this tension between commercial interests and audit quality likely exists is with respect to the use of technology in audits. Technology can qualitatively improve an audit. Full population testing, rather than sampling, is one area of significant promise.
But the standards do not require or even encourage this approach. Instead, the most that can be said is that they don’t “preclude” the use of technology. With the principles based approach in this area recently reaffirmed at the PCAOB, the matter has been left to the discretion of each firm. And while firms may have a commercial incentive to introduce technology that promotes efficiency and facilitates interaction with clients, they may not have the same incentive to develop and introduce technology designed to improve audit quality.
With respect to inspections, this is the place where the PCAOB has made the biggest difference. But more needs to be done.
Inspections and Financial Disclosure
The focus of inspections needs to shift away from a primary emphasis on deficiencies to actual improvements in the quality of financial disclosure. In part this means inspecting audits of issuers that have a higher risk of fraud or GAAP violations and, in selecting areas of the audit to inspect, placing greater emphasis on areas of qualitative materiality.
It also means using inspections to more directly improve the quality of financial disclosure, particularly with respect to areas identified by investors as inadequate.
Academic research shows that the PCAOB has the ability to significantly alter audit firm behavior. When the PCAOB targets an area for inspection, audit firms react, a powerful tool for generating improvements to financial disclosure. The PCAOB could publicly identify for upcoming inspections areas of concern noted by investors in the financial statements. Audit firms would presumably devote greater effort to these areas.
Footnote disclosure comes to mind. Targeting particular footnotes might not result in a significant number of deficiencies given the vague nature of the disclosure requirements under GAAP. But it would focus firm attention on the areas, potentially generating improvements in the quality of the disclosure And if it didn’t, the results, when made public, could be used as a basis for amending the relevant accounting standards.
Inspections and Accounting Comparability
Improvement in financial disclosure also means a more explicit effort to use inspections to provide investors and the public with the information they need to trust what is in the financial statements. One place where this could occur is with respect to the comparability of financial disclosure.
Accounting standards are designed “to consistently measure and report an outcome across different companies. . .” Audit firms play a role in ensuring comparability.
In conducting an audit, firms review the reasonableness of assumptions used by management in making estimates and valuations. The omission of a significant assumption common to the industry could affect both reasonableness and comparability. The valuation of long term assets in the hydrocarbon industry may lose their comparability to the extent some companies consider the impact of climate change while others don’t. The PCAOB could use the inspections process to provide the public with insight into the degree of comparability in the financial statements and the role of the auditor in ensuring comparability.
Inspections and Management Bias
Finally, inspections should take into account more explicitly the potential bias that arises from the payment of audit fees by the client. This means targeting audits and areas of the audit that involve an elevated risk of excessive deference to management.
I can think of at least two circumstances where audits may be particularly prone to increased pressure from management.
One involves earnings releases. Companies often issue earnings releases before the audit of the annual financial statements has been completed. To the extent the audited numbers differ significantly and adversely from those in the earnings release, a company’s stock prices may decline and the tenure of management may be shortened. Management, therefore, has additional incentive to put pressure on audit firms to make sure this does not occur, potentially affecting the quality of the audit.
There is also a risk of excessive deference in connection with efforts to seek an increase in audit fees once the audit is underway. Although fees are commonly negotiated in advance, unexpected circumstances arising during an audit may result in a request for additional fees. Data from overseas suggests that this occurs frequently and that management may refuse to approve the increase. Engagement partners seeking approval of an increase presumably have an incentive to maintain a positive relationship with management, something that could result in excessive deference.
These are only a few examples of instances where audit firms likely have less incentive to challenge management and to exercise the necessary degree of professional skepticism. I’m sure there are plenty of others. They should be regular targets for the PCAOB inspection process.
Finally, to repeat something that I have said numerous times before, independent oversight will not ensure trust in the audit absent adequate transparency. Without transparency there can’t be accountability.
Accountability is necessary because all regulators, sometime during their lifecycle, invariably go through periods where they lack the incentives to fulfill their statutory mission. But transparency is particularly important to the PCAOB. The most significant failure of the self-regulatory period was the lack of public insight into how oversight was actually exercised. This lack of transparency raised concerns that decisions were made in the interests of the profession rather than those of the public.
The same concern can arise with respect to the PCAOB.
While transparency is to some degree a balance, the PCAOB, in my view, does not have the balance right. Little is done today in a transparent manner. Unlike the early days of the PCAOB, public meetings are rarely held. Advisory groups, groups designed to explore issues of interest to investors and other stakeholders, don’t hold open meetings. Disclosure in inspection reports remains inadequate, particularly the non-disclosure of the public companies where the deficiencies were uncovered.
Indeed, transparency appears to be going in the wrong direction. This can be seen with respect to changes to the disclosure in enforcement settlements. In settling actions against auditors, the PCAOB traditionally revealed the identity of the company where the problem audit occurred, rare exceptions aside. That, however, changed in 2019. The issuer is today rarely disclosed, reducing the value of the information to investors and the public. The PCAOB took this step by fiat, without first seeking input from investors and the public.
And let’s be clear, this absence of transparency is selective and disproportionately affects the public.
So coming full circle, trust in the audit, in my view, remains an elusive, unmet goal.
Without change, there is an eventual risk of a return to the pre-Enron era when there was acquiescence by investors but not trust. To the extent that deficiencies are declining, as some recent public statements have suggested, this may well be reminiscent of the clean opinions given in the era of self-regulation. From a peer review perspective, everything looked good. Then there was Enron.
Perhaps some would say that the strengthened role of audit committees, another SOX innovation, addresses these concerns. While a topic for future discussion, suffice it to say that this is another area where investors are asked to trust without much transparency.
Ensuring investor trust in the audit can be accomplished without changing the statute. The basic tools are there. In addition, the PCAOB has a highly qualified and professional staff committed to the investor protection mission. So what’s missing? Investor pressure. The mission is designed to protect investors and the public and they must insist on a more investor oriented approach to audit oversight.