Reforms of the Auditing Profession: Improving Quality Transparency, Governance and Accountability

Posted by Lynn E. Turner, Hemming Morse LLP, on Monday, December 28, 2020

Beginning with the passage of the 1933 Securities Act, Congress has required an Independent Audit for every public listed company in the United States. At the time the 1933 Act was debated by Congress, it was discussed as to whether to have audits performed by employees of the government. Banks regulated by the Federal Reserve, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) are all examined by government employed banking examiners. But in the end, the draft of the 1933 Act was modified to have the audits performed by a licensed accountant (CPA) who is “independent.” Today CPA’s who audit publicly listed companies are currently regulated by both the Securities and Exchange Commission and its Office of the Chief Accountant, and the Public Company Accounting Oversight Board (PCAOB).

Continuing Issues with Poor Audit Quality

There continue to be issues with the quality of audits performed by CPA’s. In October, 2008, a U.S. Treasury Committee on the Auditing Profession (ACAP) issued a report with many recommendations for the SEC, PCAOB, and auditing profession. This committee of business leaders, investors, former SEC regulators, and CPA’s studied the profession for a year before issuing its report. Yet today, ten years later, few of the recommendations have been acted upon by the audit firms, or their regulators. As a result, it appears the four large audit firms have become “two big to fail.” And many of those who are regulating the audit firms at the SEC or PCAOB have joined the regulators from these “Big 4” firms, and have returned to them, as highlighted in the recent action of the Department of Justice against auditors at KPMG.

Continuing issues affecting the credibility and trust in the auditing profession includes:

• Lack of Independence—Auditors view management of companies they audit as their “client” not the public. It is important to audit partners that they maintain the “annuity” received from the annual audit fees. Losing an annuity from a large company can impact a partner’s career. As a result, the need to maintain a lack of bias and professional scepticism runs head on into, and conflicts with, the need to maintain the annuity for the firm.

• Management provides them business opportunities to grow their revenues/profits.

• Management writes their check.

• Too often, in reality, audit committee’s delegate hiring and oversight of the auditor to management. Management and Audit Committees have often retained the same auditor for decades, even centuries, continuing to pay the annuity, and receiving “clean” audit reports.

• Auditors have testified under oath in court, that they do not have an obligation to detect material financial statement fraud and serve the public interest.

• Management provides the independent auditor with the accounting records and financial statements (numbers) to be audited. Then upon request from the independent auditor, management also provides the auditor with the evidence to support the numbers. When auditors talk of using “Big Data” in an audit, it too often is testing data in a data base created and maintained by management. As such, the numbers, and evidence and support the auditor examines, comes from the party that is the subject of the audit. It is doubtful that management is going to provide evidence that does not support the numbers they have created. Unfortunately, Generally Accepted Auditing Standards (GAAS) do not specifically address the need for the auditor to consider publicly available information that contradicts the information management has provided. And time and time again, it is this type of information that has resulted in analysts and other outside researchers bringing to light errors in financial statements and disclosures. And it is this information that auditors have failed to address in their audits.

• The government mandates management and the company MUST buy audits, rather than those who actually own the company. In this respect, auditing of publicly listed companies is like a publicly mandated utility.

• Lack of Transparency with respect to Audit Firm Performance and Audit Quality. Investors are not provided information necessary to inform them as to the quality of the audit of the financial statements and disclosures of the company they invest in and own. In that regard, investors are being asked to vote and ratify the auditor without information necessary to making an informed decision. Investors are consistently told in the audit report that audits have been done in compliance with GAAS set by the Public Company Accounting Oversight Board (PCAOB), a misleading statement in light of the very high deficiencies in compliance with GAAS reporting by the PCAOB and other audit regulators around the globe.

• Lack of Independent Governance of Audit Firms. The large audit firms, which audit the vast majority of publicly listed companies in the US as well as around the globe, all lack meaningful independent governance. This lack of governance, which is required for publicly listed companies, has resulted in a lack of quality, accountability, transparency, and governance when it comes to audit quality and performance.

• Very poor audits quality based on inspection reports from around the globe—so bad that the International Forum of Independent Audit Regulators (IFIAR) called senior leadership from each of the six largest firms in to discuss the poor audit quality. IFIAR’s Global Audit Quality (GAQ) Working Group and the GPPC networks undertook an initiative aimed to reduce the frequency of inspection findings. In accordance with a target established by the GAQ Working Group, the GPPC networks seek to improve audit performance, reflected in a decrease of at least 25%, on an aggregate basis across the GPPC networks over four years, in the percentage of their inspected listed PIE audits that have at least one finding. (See https://www.ifiar.org/)

• The 2016 Inspection report of IFIAR stated: “Inspected audits of listed public interest entities (PIEs) with at least one finding remained unacceptably high at 42%.” (See here.)

• Audit firms often state the deficiency rates are high because the regulators are picking “High Risk” audits which in some, but not all instances, is true. However, one would expect the audit firms to assign these audits to their very best auditors, and as a result, there would be fewer deficiencies.

• And finally, audit reports have failed to convey to investors—as well as audit committees—concerns of the auditor, even when they know management and companies are violating laws and regulations. Such reports are required for auditors of governments that receive federal funds, but are not required in instances such as seen in recent years, for audits of companies such as Wells Fargo.

Reforms to establish accountability to investors as owners of the company, enhance transparency and accountability

Below are ideas to address the issues with poor audit quality on audits of publicly listed companies. Some of these ideas or recommendations were put forward ten years ago by the U.S. Treasury ACAP.

• Remove the current requirement in the Securities Laws that a Company must have an audit by an independent auditor, thereby eliminating the federal government mandate.

• Replace it with a market based requirement, that every 5 years, a shareholder proposal be included in the annual proxy, asking if the investors want an independent audit of the financial statements by the independent auditors. Accordingly, it would be made clear that independent auditors work for, and serve the public interest of the owners of the company—the investors. I would expect that investors most often would vote for an independent audit, unless they saw little value in having one.

• If the stockholders do approve the independent audit requirement (and again, I think they almost always would):

  • The audit committee, not management, would select and nominate the auditor. This responsibility could not be delegated to management;

  • The stockholders would then be asked to vote on and approve the auditor;

  • The audit committee, not management, would then be tasked with and responsible for negotiating the fee to be paid to the auditor;

  • The audit committee would submit a bill for the audit fee to the PCAOB as necessary during the course of the audit.

• The PCAOB would collect a fee from each public company to cover the bill of the auditor for the audit. The PCAOB already has a mechanism in place for collecting fees it is required to get from public companies

• The PCAOB could require a company to tender their audit for proposal, if the PCAOB found the auditors had engaged in improper professional conduct as defined in SEC Rule 102(e), or had a material weakness in their own internal audit quality controls; or had significant deficiencies on an audit in which the auditor had failed to comply with GAAS as set by the PCAOB.

• In no event, could the audit firm serve as auditor for a publicly listed company for a period longer than what is permitted today by the EC which is 20 years.

• The new auditor report adopted by the PCAOB should be required on all audits of public companies. This new audit report will require the auditor to state and discuss in this new form of audit report, “critical audit matters” (commonly referred to as CAMS). The new audit report also requires the auditor to state: “A statement that PCAOB standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud.”

• However, the PCAOB exempted a wide swath of public entities and did not require communication of critical audit matters for audits of emerging growth companies (“EGCs”), brokers and dealers reporting under the Securities Exchange Act of 1934 (the “Exchange Act”) Rule 17a-5; investment companies (e.g., mutual funds), other than business development companies; and employee stock purchase, savings, and similar plans (“benefit plans”).

• If auditors through their audit work, become aware of a company or management breaking a law or regulation, that could have a material impact on the financial statements or operations of a company, they should be required to disclose it in their report, just as an auditor of a governmental agency subject to the GAO Yellow Book auditing standards is required to do so.

• In August, 2000, The Panel on Audit Effectiveness (O’Malley Panel) chaired by the former Chairman of PW recommended that each audit include a forensic segment of the audit. Consideration should once again be given to this recommendation including establishing within GAAS, the need for auditors to consider publicly available information that contradicts the evidence management has provided them.

• Require disclosure of audit quality indicators for each audit on which an opinion of the auditor is provided to investors in the company. These indicators should be disclosed in the Company’s proxy as part of the Company’s audit committee report to investors. Audit committees should also be required to disclose either in the proxy, or in the Charter of the Committee, the committees procedure for periodically tendering the audit. Audit firms should already be measuring audit quality on individual audits if in fact they are managing audit quality. But the audit inspection results from around the globe provide some evidence, that has not be occurring.

• Improving the transparency of the PCAOB. The PCAOB inspects a very small percentage of the audits of publicly listed companies each year, and provide a public inspection report for each firm with their findings. For those audits inspected, the PCAOB inspection reports are perhaps the best indicator of audit quality today. Yet the PCAOB has refused to provide the name of companies being audited, stating the Sarbanes-Oxley Act of 2002 (SOX) prohibits this. But that is false as there is not language in SOX that prohibits the disclosure of the name of the companies whose audits are inspected. What SOX does prohibit is disclosure of investigations and enforcement actions taken by the PCAOB with respect to a poor audit. Senator Sarbanes agreed to an amendment of the then draft of SOX (May 2002), to include a prohibition on public disclosure, until the PCAOB enforcement action is final, at the request of the audit firms and Senator Enzi who was negotiating on their behalf. Harvey Goldschmid, who would shortly thereafter become an SEC Commissioner, and I, pleaded with the Senator not to make this change, as enforcement actions taken by the SEC are not private, but are in fact public. Senator Jack Reed (D-Rhode Island and Grassley (R-Iowa) have introduced subsequently introduced legislation, supported by the PCAOB in the past, to reverse this change and make the actions public. Unfortunately, in the meantime, the audit firms have used this provision of SOX to hide and appeal and delay the actions until many years have gone by. Then the audit firm always makes a public statement that in essence says a final PCAOB action is years old and should be ignored.

• Currently the law requires that an audit partner be rotated off as the lead audit partner for a company, after no longer than five years. This is to provide a “fresh set” of eyes to the audit according to the congressional record. Yet there can be a number of audit partners on an audit, and it is not uncommon, to find the lead partner rotated off, and one who has been on the audit in the past, rotated into the lead audit partner position. As a result, there are incentives for partners not to bring up new problems from the past. Given the reforms cited above, this requirement, which has significant costs associated with it, could be eliminated.

• Require each auditor of public companies to issue an annual report, just as the companies they are required to audit must, containing its:

  • Financial statements prepared in accordance with generally accepting accounting principles (GAAP). This is important to assessing the financial health of these firms as they have become “too big to fail” as demonstrated by actions of law enforcement agencies and regulators.

  • A discussion of the firms quality controls regarding all aspects of the audit including independence, human resources such as hiring, training and supervision, performance of audits, selection and retention of companies they audit, and testing and enforcement of the quality controls.

  • A discussion of the firm wide, as opposed to individual audit engagement, audit quality indicators.

  • A discussion of the firm’s governance structure, process and procedures.

• The European Commission already requires each of the large audit firms to provide a report with some of this information. The US audit firms do publish an annual report on their own, but it discloses very limited financial information, and limited information on governing structures, accountability of executives, and performance measurement and improvement.

• Audit firms that audit more than 100 public companies should be required to have independent directors or members on the firm’s governing board.

• Audit firms need to abandon the “Pyramid”scheme they use for staffing today, and adopt a paraprofessional model used in law firms. The pyramid structure has resulted in talented, but young and inexperienced staff assigned to perform audit procedures, with respect to business transactions the staff are ill prepared to examine and challenge.

• All CPA’s should be required to have a master’s degree in accountancy. I believe the master of professional accountancy program is sorely needed. The actions of the large audit firms in which they encourage students to leave school and begin their careers before the student receives their master is disappointing in that it Highlights the lack of commitment to education by those firms. Actions speak louder than words.

• The SEC should revise its definition of what is a financial expert on the audit committee and adopt its initial proposal. The SEC should clarify the audit committee MAY NOT delegate this responsibility to the management of the Company, which is often done today.