Seeing Through the Regulatory Looking Glass: PCAOB Inspection Reports

J. Robert Brown, Jr. is a Board Member at the Public Company Accounting Oversight Board. This post is based on his recent remarks to the Corporate Disclosure Policy Council and the Capital Markets Policy Council of the CFA Institute.

Thank you, Sandy [Peters] for the kind introduction.

It is a pleasure to have an opportunity to speak with you today. CFA Institute members have always been a key constituency for the Public Company Accounting Oversight Board (PCAOB) because of your thoughtful and practical perspectives on the capital markets, investors, and the approach taken by regulators. We learn a great deal from you, and I hope, after this talk, we will learn even more.

Before I continue, I want to remind you that the views I share today are my own and do not necessarily reflect the views of the PCAOB, my fellow Board members, or the staff of the PCAOB.

All of us spend a tremendous amount of time focusing on quality. We all want to purchase high-quality goods and services. We strive for quality time with our family and friends, perhaps even more so in an era of COVID-19. Quality is also critical to the financial reporting process. The independent audit is a big part of ensuring that the information investors receive is reliable and high quality.

Information on audit quality can come from a variety of sources, including management of the company, audit committees and independent auditors. The information can also come from regulators like the PCAOB. We provide you and other investors in the market with information that can be relevant to the quality of audits conducted by audit firms. We do this mostly by issuing public reports for firms that we inspect.

While we are legally required to make our inspection findings public, the form and content of the reports are mostly left to the PCOAB’s discretion. Back in the early days of the PCAOB, the Board determined what should go into these public reports. A decision was made to include only limited categories of audit deficiencies, to not reveal the identity of the public company where the audit firm’s deficiencies occurred, and to not provide observations or descriptions about an audit firm’s system of quality control.

Recently, this Board reconsidered one of those early decisions. In June of this year, we issued public inspection reports for the six largest firms using a revised template. The template included a new section that disclosed additional types of deficiencies uncovered during the inspection process. The information provides investors and the public with additional insight into the inspection process and audit quality. But other early decisions about the content of the reports were not changed and, in my opinion, bear re-examination.

Today, I want to talk about the PCAOB’s recent trip through the regulatory looking glass and our resulting decision to become more transparent about our inspections. While we undertook revisions to our inspection reports, there are more lessons to be learned and additional ways to make these reports useful to investors and those who rely on them.

I’ll begin by telling you those “Impossible Things to Know Before Breakfast,” those things that an investor should understand about PCAOB inspections. Then I’ll relate how the first Board created the early reports and came up with a framework for the information to be included, a framework that resulted in disclosure of some findings from an inspection but left others on the cutting room floor.

Next I’ll talk about our decision to revisit one of these early decisions and, while perhaps “Late for a Very Important Date,” how, after 15 years, we decided to alter the content of these reports to make them more useful to investors and the public.

Finally, in what may seem “Curiouser and Curiouser,” I will discuss other aspects of the reports that went unchanged and would benefit from additional discussion. And as “No Fish Would Go Anywhere Without a Porpoise,” I will end by talking about how decisions to disclose additional data should always be accompanied with thoughts about increasing accessibility.

Impossible Things to Know Before Breakfast: What Investors Should Understand About Inspections

As you know, public companies and broker-dealers registered with the SEC must obtain an independent audit of their financial statements from a firm registered with the PCAOB. Our inspections program looks over the shoulder of the auditors. I have observed a number of these inspections in person. The fieldwork conducted by PCAOB inspectors is intense and professional and can last anywhere from a few days to a few weeks depending on the size and complexity of the engagement.

We typically inspect over 160 firms that audit issuers and 60 or so firms that audit broker-dealers each year. We inspect annually the firms that issue audit reports with respect to more than 100 issuers in the prior year. Many of these firms have a global presence with affiliates all over the world. We inspect those affiliates as well, visiting approximately 30 different countries each year. Smaller firms, those that do not audit more than 100 issuers in any of the three prior years, must be inspected on at least a triennial basis.

With each inspection, we don’t usually look at every audit engagement undertaken by the firm. Instead, we select a handful of public company engagements based on a risk assessment that also can factor in market capitalization and random selection. For the largest firms, we examine around 50 to 55 of their public audits each year.

In conducting an inspection, our teams typically focus on high-risk areas of the audit. When examining the relevant areas, we may review the relevant SEC filings and other sources of public information, a category that can include news articles, and the company’s press releases and quarterly earnings calls and the work papers and related documentation. The teams may also interact with the audit engagement team. To the extent the audit firm attests to a public company’s internal control over financial reporting (ICFR), we also may consider some of this work as well.

The inspection does more than examine the audit evidence supporting an opinion on the financial statements or the internal control over financial reporting. The inspection team also assesses compliance with other standards. For example, depending upon the audit engagement, we may look at communications with the audit committee or the fraud inquiries undertaken by the firm. Further, our inspection teams may assess compliance with our new disclosure standards, such as the auditor’s reporting on certain audit participants and communicating critical audit matters. The inspection team also may review the role of the engagement quality reviewer.

Down the Rabbit Hole: Creating the First Report Card

Once we have completed an inspection of a firm, we issue a public report. Decisions were made in the early days of the PCAOB that the public portion of an inspection report would include only the most serious categories of deficiencies. Our reports, therefore, have largely been limited to findings that were “of such significance” that the firm was considered to have “issued an opinion without obtaining sufficient appropriate audit evidence that the financial statements were free of material misstatement and/or the issuer maintained effective ICFR.” In other words, the reported deficiencies had to be so serious that, in our view, the audit firm could not provide reasonable assurance that the financial statements were free from material misstatement due to error or fraud.

The public report includes some but not all of our findings from an inspection. Other inspection findings were left on the cutting room floor or not included in the public portion of the report. Firms typically learned about these deficiencies, either directly from the inspection team or when discussed in the non-public portion of the report. Investors and the public, in contrast, were either not made aware of the deficiencies or sometimes made aware in anonymized reports that did not identify the audit firm where the deficiency occurred.

I’m Late, I’m Late for a Very Important Date: PCAOB’s Inspection Report Card 2.0

These early content decisions remained in place for more than a decade. In June 2020, we issued new inspection reports for the six largest firms using a revised template. The new format seeks to improve readability and accessibility by making greater use of plain English, reducing jargon, including an executive summary, and providing comparative charts and tables.

We have also for the first time “characterized” the inspection findings using a relatively objective but modest classification system. We clustered the audits inspected by the PCAOB into three categories: (1) those that included an accounting violation (e.g, U.S. GAAP or IFRS) that resulted in a restatement or the withdrawal or modification of an ICFR report; (2) those that involved multiple deficiencies, or (3) those with a single deficiency.

In my view, and recalling Justice Louis Brandeis’ admonition that sunlight is the best disinfectant, our most important step with respect to the revised template was the addition of a new section that provides greater transparency on our inspection process and the quality of audits.

In addition to the traditional category of findings that we have always disclosed, a new Part I.B includes additional deficiencies that have previously been missing from public reports. The June 2020 reports reveal a number of instances where audit firms did not comply with our rules that were unrelated to the sufficiency and appropriateness of audit evidence or ICFR testing. Examples of this new information include:

  • The failure to make certain required communications to the audit committee;
  • The failure to make required inquiries of the audit committee concerning fraud;
  • The failure to lock down a complete and final set of audit documentation within the required time frame;
  • The failure to file an accurate or timely Form AP, the form that requires disclosure of the engagement partner and the other firms used in the audit; and
  • The failure to document discussions with audit committees about the audit firm’s independence, including the potential effects of certain permissible tax services.

We also specified the number of audit engagements where a deficiency occurred based upon the review.

In short, the new Part I.B says more about the type and number of deficiencies uncovered during the inspection. In doing so, the new report gives investors and the public additional insight, or sunlight, into the quality of audits performed by audit firms.

I think it is safe to say that the contents of this section may change as our framework continues to evolve. The creation of a new section may provide all kinds of interesting possibilities. I encourage all interested investors and the public to share with us with their thoughts on what this section might include.

Moreover, new Part I.B may also increase investor awareness about our inspection process. A lack of disclosure in Part I.B of deficiencies under a standard that is particularly important to investors may occur because no issue is uncovered during the inspection process, because we don’t disclose those types of deficiencies, or because we don’t review compliance with that particular standard. After more experience with Part I.B, investors may have questions about whether our inspections process adequately focuses on those standards that do not concern the sufficiency or appropriateness of audit evidence that they consider to be of particular importance.

It’s No Use Going Back to Yesterday: The Future of PCAOB’s Inspection Reports

The addition of Part I.B is an important step forward. It reflects a willingness to reexamine decisions made in the early days of the PCAOB. More, however, can be done to improve the quality of these reports and to make the information easier to integrate into investment and voting decisions.

There are a number of areas that would benefit from reevaluation and additional discussion. I want to suggest three of them:

  1. revealing the identity of the public companies where audit deficiencies occurred;
  2. describing a firm’s system of quality control; and
  3. improving the accessibility of PCAOB data.

Curiouser and Curiouser…

In the early days of standing up the PCAOB, the Board opted to omit from the inspection report, apparently with some disagreement, the identity of any specific issuer where a deficiency occurred. Instead, the PCAOB anonymized the names by using alphabetic references. Our new template continues to rely on this early protocol.

The anonymization of issuer names has significant consequences with respect to the relevance and usefulness of our reports.

First, audit committees, in their oversight role, may never know about the deficiencies uncovered during an inspection. Audit committees may ask, and audit firms may answer, but this is not required. Without disclosure of the identity of the issuer in the public portion of the report, therefore, audit committees may be denied important information in exercising effective oversight.

Second, investors making investment decisions or resolving voting matters at public companies will not know about possible concerns over the quality of the audit where the deficiency occurred.

The information is also relevant in the communication process between investors and directors. Investors know that a deficiency in an audit does not necessarily mean that the financial statements were wrong. At the same time, however, the matter may spur discussions about audit quality and audit oversight.

Third, the information about a deficiency by an affiliate audit firm used by the lead auditor in a group audit may not be known to the lead auditor. The affiliate may voluntarily inform the lead auditor or someone from the global network may attend the inspection, become aware of the deficiencies, and communicate them to the lead auditor. But this is neither required nor guaranteed. Identifying the issuer in the inspection report would ensure that the lead auditor learns of the deficiencies.

Fourth, the inability to identify the issuer reduces the value of the information to academics. Academics mine public data and develop observations about audit quality. They can provide a sort of a report card on the effectiveness of the PCAOB, including our inspection and enforcement programs. They can also provide insights that can be used to conduct inspections, augment or amend the standards, or otherwise exercise oversight in an appropriate and cost-effective manner. Without disclosure of the identity of the issuer, we lose the benefits of this free and insightful research.

Nondisclosure is also an uncomfortable place to be for an organization charged with promoting audit quality for the benefit of investors and the public. We are keeping the information secret even though disclosure could positively affect audit quality. Let’s face it. No firm wants a report that publicly identifies deficiencies in a particular client’s audit. The main way to avoid this is for the firm to reduce the number of deficiencies.

Finally, the potential “harm,” if any, from disclosure to issuers seems negligible. Our deficiency determinations are not based upon a finding of problems with the underlying financial statements. Disclosure that a firm had deficiencies in an audit of a specific company, therefore, does not automatically raise issues with the financial statements of the company. Moreover, this type of disclosure frequently occurs in SEC enforcement actions with little apparent harm.

To the extent we were to reconsider our determinations in this area, there are a variety of possible approaches that could be taken.

First, the PCAOB could disclose in the inspection reports the identity of issuers where the audit deficiencies occurred.

Second, the PCAOB could disclose in the inspection report for each firm a complete list of the issuers whose audits were inspected that year.

Third, we could at least publish on a regular basis (every three years, for example), a list of all public companies whose audits are inspected. This would at least provide insight into our engagement selection process and provide greater accountability to investors and other stakeholders.

“Who am I? Now that’s the Great Puzzle”: An Audit Firm’s System of Quality Control

As we know, the key to sustained quality is a robust system of quality control. The safety of our planes, the quality of our medicine, and the health of our food supply depends upon the system of quality control. Unfortunately, the public portion of the PCAOB’s inspection reports do not address the system of quality control implemented by the audit firm.

We are statutorily prohibited from disclosing “criticisms of or potential defects” in a firm’s system of quality control unless the audit firm fails to remediate the deficiency within 12 months after the Board issues the report. So long as we don’t cross that line in our public reports, we are allowed under our enabling statute to talk about other quality control matters. The fact that we do not is, therefore, a policy decision.

In certain respects, ironically, a decision to address the system of quality control in an inspection report would entail a return to the past. In the first set of reports issued by the PCAOB with respect to the Big Four in 2004, we examined certain attributes of a firm’s system of quality control and included our observations. In addition, the reports also discussed “the consistency with which the practice offices applied the policies and procedures established by the national office, and evaluated whether communication from the national office were effective and were reinforced within the practice offices.”

In ultimately deciding to drop discussions of these systems from the public portion of the report, the Board did so for practical reasons. As the Board explained at the time:

This limitation [in the statute] has led the Board to decide, as a policy matter, that the public portion generally will also not include any other discussion of a firm’s quality control systems. The Board is concerned that discussing aspects of a firm’s quality controls, in a context where criticisms and potential defects cannot be discussed, may create a distorted and misleading impression.

With significant additional experience and feedback from investors, we have perhaps arrived at the moment when we should consider whether to revisit this decision. Certainly, investors have, in connection with our concept release, asked for greater transparency about a firm’s system of quality control. Additional transparency could come directly from the relevant firm. In addition, the PCAOB could also contribute to the increase in transparency through discussions in the public portion of the inspection report. The logistical problems expressed in 2004, it seems to me, are surmountable.

Including disclosure about an audit firm’s system of quality control would have the added benefit of conforming with what Congress intended in adopting the Sarbanes-Oxley Act. Under the statute, a firm is expressly required to describe, as part of its registration process, the quality control policies for its accounting and auditing practices. The disclosure in the registration application can, with time, become out of date and stale. Public disclosure of updated information on a firm’s quality control policies in an inspection report, therefore, would help provide investors and the public with more current information as the system of quality control evolves over time.

No fish would go anywhere without a porpoise: Data Accessibility

What we disclose is important, and so is the ease of accessing and analyzing the information. The PCAOB is in a unique position to provide useful information and data about audit firms to investors, audit committees, preparers, and the public. Our website publishes a collection of different types of information relating to registered audit firms and their associated persons. This includes information provided by audit firms, whether the initial registration applications, annual and special reports, and the forms filed following completion of each engagement disclosing the other auditor and identifying the engagement partner on Form AP. In addition, the PCAOB posts inspection reports and enforcement cases.

Accessing this information could be easier. We made important progress in improving data accessibility with the launch of AuditorSearch database. With the structured data, download feature and other functions, this resource is user-friendly and facilitates public access and research. AuditorSearch, however, is limited to Form AP data only and does not incorporate the other PCAOB regulatory data on our website.

Currently, registration applications, annual and special reports, inspection reports, and enforcement matters are all posted in PDF format. They are unstandardized and lack clear identifiers, which often requires time-consuming manual review. In addition, different types of regulatory information (i.e., registration, inspection, and enforcement) are scattered among different databases on our website. As a result, searches can take an investor considerable time and effort.

Simplifying and centralizing access to the PCAOB’s public data would enhance accessibility and further investor knowledge on audit quality. There are several ways for potential improvement.

First, we could create an integrated database for all PCAOB’s public regulatory data. This database would incorporate all of our registration, inspection, and enforcement data. It would allow investors to conduct advanced searches to obtain all relevant information relating to a firm through a centralized search feature.

Second, we could make the data available in a structured format that facilitates research and analysis.

Third, we could include a download feature that would facilitate the use of the database by those conducting research.

“We must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”

Our new template for inspection reports represents a meaningful step forward in providing more information about audit quality. Taken together with our disclosure standards for audit firms—including the audit firm’s tenure, the name of the engagement partner, and the inclusion in audit reports of critical audit matters—the revised approach demonstrates a serious commitment by the PCAOB to improve the quality of information available to investors and the public.

We are making progress but we should keep pushing forward. The content of inspection reports should evolve with changed circumstances and the needs of investors. In deciding how to do this going forward, we need to hear from investors and the public. For example, we describe Part I.B as including “other instances of non-compliance.” That’s an amorphous description. Help us determine those “other instances.”

In addition, as I have discussed, there are other types of information that could be added, whether the identities of the relevant issuers or information about quality control matters. Your thoughts on how to improve the quality of inspection reports is very much needed. They will help in any future discussions by the Board and the staff at the PCAOB on additional ways to make these reports more useful.

Thank you for listening. Again, CFA Institute members have always provided thoughtful and meaningful insights to regulators. I look forward to furthering our relationship.

The complete publication, including footnotes, is available here.

Both comments and trackbacks are currently closed.