Driving Audit Quality Forward: Where We’ve Been and Where We’re Heading

I.  Introduction

Good afternoon, everyone. Thank you, Alan [Wilson, WilmerHale Partner], for your kind introduction. And thank you to the Center for Audit Quality (CAQ) and WilmerHale for inviting me to speak here today. I’m honored to be part of this series of discussions focused on recent developments in accounting, auditing, and the law.

As a self-confessed capital markets enthusiast, accounting, auditing and the law are three of my favorite subjects. That’s why I am delighted each month when I receive Dan’s [Goelzer, former PCAOB Board Member and Baker & McKenzie partner] Audit Committee and Auditor Oversight Update in my inbox.

Today’s session focuses on recent trends at the Public Company Accounting Oversight Board (PCAOB). You will hear shortly from a panel of experts on enforcement and inspection trends, as well as standard-setting efforts at the PCAOB. There is much activity underway in each area.

I’d like to focus my remarks on achieving high audit quality through two symbiotic components: quality control (QC) systems, and the metrics that measure audit delivery and firm operations. Rather than diving deeply into either topic, I’d like to explore how they are each important and interconnected. I’ll also touch briefly on the PCAOB’s firm reporting proposal as it relates to cybersecurity and incident reporting.

But let me start with the punchline. In my view, the PCAOB’s recently adopted QC standard offers the promise of transforming the effectiveness of the governance and operations of public company auditing practices. The board’s proposals around firm and engagement metrics and firm reporting, if adopted, will also better arm investors and other stakeholders with consistent, comparable, and decision-useful information on firm operations and audit practices. Together they offer the potential to shift the current paradigm and heighten audit quality and investor confidence.

Before I explain my thinking, let me share some context.

II. Background

Last week we received sad news. William H. Donaldson, the 27th Chairman of the Securities and Exchange Commission (SEC), passed away. Reading his obituary and other tributes, we are reminded of his extraordinary leadership during some of the Commission’s most challenging times. Back then the daily headlines were filled with high-profile accounting scandals and record bankruptcies at large public companies. Enron, Tyco, and WorldCom to name a few. Investors lost hundreds of billions of dollars. Faith in the integrity of financial reporting was weakened. Trust in audits and the opinions of auditors was undermined. Public confidence was shaken. I’m sure some in the audience remember those days.

With the passage of time, though, we sometimes forget the details. How dark those days were for investors, the capital markets, the country. We also risk failing to recognize just how far we have come since then. The Sarbanes-Oxley Act has made a meaningful difference.

Governance and controls around financial reporting and disclosures have improved. Independent oversight by audit committees has been vital. Vital, too, has been the work of the PCAOB, driving improvements in audit quality.

But precisely determining the health of financial reporting and the state of audit quality at any specific moment in time can be difficult, especially for investors and other stakeholders who do not deal directly with the preparers of financial statements and auditors. The challenge is that audit quality is not a singular concept or measurement. It is multidimensional with multiple attributes.

As a result, audit quality has largely been inferred from proxies. Three of these proxies are financial statement restatements, inspection deficiencies, and enforcement actions. Each can provide unique insights into historical, macro trends.

III. Recent Trends in Restatements, Inspections, and Enforcement

The panel will discuss details around each proxy. I’ll share a top-line for each.

First, financial statement restatements remain at or near historical lows, with the caveat that a spike occurred in 2021, due to what many experts and investors largely viewed as a technical trip-up by special purpose acquisition companies (or SPACs).[i]

Second, for the past three years, PCAOB inspectors have found year-over-year increases in significant deficiencies in the audits they reviewed at the six largest audit firms. These types of deficiencies – colloquially referred to as Part A.1. findings – most recently ranged from 9 to 66 percent at individual firms and averaged 30 percent across the group.[ii] This group of deficiencies are rightfully a point of focus because they mean that the audit firm did not obtain sufficient appropriate audit evidence to support its opinion. An important caution, however, they do not necessarily mean that the underlying financial statements were materially misstated or that undisclosed material weaknesses existed in relevant internal financial controls.

Similarly, the latest report from the International Forum of Independent Audit Regulators (or IFIAR) indicated that overall audit deficiency rates for the largest six firms was just under a third (32 percent). While ticking up to its highest level since 2020, the overall deficiency rates are down from the 47 percent reported when the survey began 10 years ago.[iii]

Finally, last year the PCAOB publicly disclosed 46 disciplinary actions, up from 42 in 2022 and 21 in 2021.[iv] These numbers are well short of the high-water mark of 54 in 2016 and 2017. However, the recent civil money penalties imposed by the PCAOB have dwarfed historical norms. So far this year penalties have reached over $35 million. This follows last year’s all-time high of $20 million in penalties, which nearly doubled the $11 million imposed in 2022.

IV. Lagging Indicators

The directional trends revealed by these three proxies for audit quality are mixed but are not necessarily reflective of what is happening today. They help identify violations and shortcomings, but these are lagging indicators. A look in the rearview mirror. As such, it is hard to say definitively whether the results reflect anomalies or material changes in direction.

Inspection findings typically reflect concerns with audit reports issued nearly two years ago, possibly longer. While important, reported audit deficiencies are only a single and imprecise measure of audit quality. Of note, the PCAOB’s inspections of individual audits are largely risk-based. Inspectors typically focus on high risk audits and thorny audit areas, probing some of the most challenging or inherently uncertain parts of the financial statements, such as estimates, like the valuation of intangible assets. But, even for a risk-based program, a change in trajectory deserves added attention.

Also, the conduct underlying settled disciplinary proceedings is typically several years in the past or more, especially if they relate to substantive areas of the audit. And these settled matters are only part of the picture. The Sarbanes-Oxley Act mandates that PCAOB disciplinary proceedings that are contested remain confidential unless and until the board imposes sanctions and those sanctions become final after nonpublic proceedings. As a result, public notice of some of the most serious alleged audit and regulatory lapses can be delayed for years. Short of a statutory change by Congress, this veil of secrecy will remain.

V. How to Move the Needle on Audit Quality

A. Leading Indicators

What could or would move the needle and push sustained improvement in audit quality and enhance transparency? Adding leading indicators into the mix is one way. Instead of focusing solely on historical outcomes, leading indicators are inputs that can help better predict audit quality on individual engagements, at firms, and across the profession.

Think of it this way: When economists assess where the economy is heading, they first look to lagging indicators – like the unemployment rate and the consumer price index – to see where the economy has been. Then they add in leading indicators – such as retail sales and housing starts – to help better assess where the economy is going. This gives them a fuller picture of how the economy is performing and what, if anything, needs to be done to nudge the economy in a positive direction.

Taken together, lagging and leading indicators can balance your view, creating a set of binoculars of sorts. One lens focusing on the past, retracing the steps already taken. The other lens peering over the horizon, helping to predict what likely lies ahead.

The PCAOB’s recent proposals around firm and engagement metrics and firm reporting, if eventually adopted, would add a standardized set of leading indicators into the mix. When combined with current lagging indicators, firms as well as investors and other stakeholders will have greater transparency into where audits have been and where they are heading. But to be really transformational, we need confidence in the governance and operations of the firms and their audit practices as well as their ability to produce predictable results. Quality control systems can provide that confidence.

B. Quality Control Standard

Last month, the PCAOB adopted a new quality control standard that combines a risk-based approach with a set of mandated requirements.[v] If approved by the SEC, the new standard will replace the current badly dated ones, that were adopted near the time of the PCAOB’s inception, largely based on requirements established by auditors when they regulated themselves. So, we are talking about those bygone days of green-ruled ledger paper.

The current standards also largely predated the emergence of enterprise risk management (ERM) programs, which have changed the way we think and talk about risk today.

Much like the ERM systems currently operated by companies and organizations, the new QC standard would require audit firms to identify their risks and design a system to guard against those specific risks. Audit clients and stakeholders will understand the value this brings.

The QC standard also recognizes the essential roles that governance, leadership, ethics, and independence play in better ensuring the delivery of high-quality audits. Importantly, the standard builds in monitoring and remediation, creating a continuous feedback loop for improvement. This dynamic is designed to provide upward pressure for improvements in the processes and controls around delivery of audit services.

This approach to QC systems also offers the potential for audit firms to self-identify, self-correct, and self-report deficiencies before audit opinions are ever issued and relied on by investors and other stakeholders. This could be a game changer. Likewise, systematic improvement in quality control environments across firms could be the force multiplier needed to better ensure the sustainability of high quality audits across the profession.[vi]

C. Firm and Engagement Metrics

As important as QC systems are, they are only part of the solution. The other part of this transformation is the tracking and sharing of standardized performance indicators based on inputs.

If adopted, the PCAOB’s proposal on standardized firm and engagement metrics could provide those indicators, at least for firms that audit large public companies. The 11 currently proposed metrics would offer insights into areas ranging from supervision, workload, expertise, and retention to performance measures around a firm’s internal quality system. Ideally, some or all of these metrics will eventually provide early indicators of emerging risks to audit quality. Or better yet, the metrics could provide insights into the types of attributes, or inputs, at a firm- or an engagement-level that are associated with audit quality.

Take metrics on auditor workload for example. Using crowd-sourced data from the employee review platform Glassdoor.com, academics found interesting relationships between perceived work-life balance and audit quality.[vii] Not surprising, they found a positive association exists between audit employees’ perception of work-life balance and audit quality. Unexpectedly, however, the researchers did not similarly find a significant association between audit quality and audit employees’ overall job satisfaction – measured by employees’ perceptions of their career opportunities and views of the quality of their firm’s senior management and culture and values.

These results suggest that audit firms may be able to keep their employees highly satisfied by offering them great career opportunities, strong senior management and compelling cultures and values. But even highly satisfied audit employees cannot produce high-quality outputs when they are overworked.

This research raises a number of questions, such as: how many hours are too many? Do the number of hours triggering excessive workloads vary by positions? If so, how? And at what point do sleep deprived, overworked audit teams increase the likelihood of material errors? The answers to these and similar questions could help with developing mechanisms to monitor and mitigate risks stemming from excessive workloads.

Audit committees could use information on workload and the other proposed metrics to compare the performance of their engagement team and audit firm against peer institutions and practices. The largest firms provide annual transparency reports with some key firm specific metrics. But because these reports are voluntary and the metrics provided can be different among the firms, comparability is difficult. And while individual firms provide metrics to client audit committees, again, the ability to compare across firms is challenging. Standardized metrics could help.

Beyond arming audit committees with standardized data to aid in their oversight, the metrics would for the first time provide investors and other stakeholders with consistent, comparable, and decision-useful information on audit firm practices and operations.

Why is this important? As academic and management theory expert Peter Drucker famously said: “What gets measured gets done.” Or, as baseball legend Yogi Berra astutely noted: “You can observe a lot by just watching.”

D. Data, Technology and Cybersecurity

Standardized or not, investors and the markets want more data for analysis. They want insights. This desire is not going away. Across the globe we are in the midst of a transformation, continuing the shift from analog to digital. Audit firms and the companies they audit are becoming more data-driven and technology dependent.

Even if the PCAOB proposals are not adopted, investors and other stakeholders will continue to press for more meaningful information around audits and their processes. Artificial intelligence and similar technology and tools will help ease the burden around collecting and reporting performance metrics. But now is the time for interested parties and experts to weigh in on the right mix of metrics and how to calculate them to provide meaningful insights. The comment process around the PCAOB’s proposal will hopefully get us there.

Now let me briefly touch on the PCAOB’s proposal on cybersecurity controls and incident reporting. This was an area of focus for me while I was on the PCAOB board, as it was for Board Member Steve Harris before me.[viii]

If adopted, the proposal would require audit firms to confidentially report to the PCAOB significant cybersecurity incidents within five business days. The proposal would also require firms to periodically provide a brief description of that firm’s policies and procedures, if any, to identify and manage cybersecurity risk.

Given the growing cyber threats and substantial harms that can be caused by significant events – such as public exposure of confidential information – this is an important area for the PCAOB to address. In my experience, many investors and other stakeholders believe that the firms already have the obligations outline by the proposal.

It is also worth noting that public companies currently have similar cybersecurity disclosure and incident reporting obligations, albeit with the obligation to report events within four business days. Here too I’ll be interested in the comments received on the proposal and whether ultimately the timing of any required incident reporting will align with the current obligation of public companies.

VI. Conclusion

High-quality standards, robust inspections, judicious enforcement actions are all key regulatory ingrediencies for driving audit quality forward. Transparency is important as well.

We are still in the midst of the journey that began with Sarbanes Oxley. But, as American philosopher Ralph Waldo Emerson said: “It’s not the destination, it’s the journey.”

In that regard, it is important to remember that we have come far but we have much more work ahead.

Thank you for your attention.

Endnotes