The PCAOB and the Future of Oversight

Originally published in The Journal of Accountancy, December 2004
The PCAOB and the Future of Oversight

The key question is whether audit failures are caused by isolated errors or more systemic factors. As vice-chairman of business assurance at Coopers & Lybrand in 1993, I began a study to identify the causes of audit failures. My colleagues and I found they occurred in the presence of several systemic factors: poor audit supervision, lack of training, judgment errors in dispute resolution and serving high-risk clients

The objective of the Sarbanes-Oxley Act of 2002 was to make registrant audit committees, corporate management and the auditing profession work together to mitigate the risk of catastrophic audit failures. But as an experienced auditor, I fear the current business and regulatory environment may hinder achieving that objective.

The PCAOB role Sarbanes-Oxley created the Public Company Accounting Oversight Board (PCAOB), which assumed responsibility for overseeing the auditors of public companies. How the board fulfills its mission is, therefore, of interest to the profession and the investing public.

How does the PCAOB perceive its role? In April 2003 PCAOB Chairman William J. McDonough said the board’s job was to provide “guidance in a constructive manner and, when necessary, to be a tough overseer to protect the public’s interests”

But I believe it’s important to strike the right balance between guidance and tough oversight. With a board and management consisting primarily of former regulators and staff of the SEC’s enforcement branch, the PCAOB has a clear bias toward oversight. The absence of members of the profession from senior positions on the board is evident but not surprising—the PCAOB was created in response to the profession’s audit failures.

The PCAOB made it clear the profession must regain the public’s confidence or face severe censure. But the board’s decision to use an inspection process to perform its oversight creates a high-risk environment for the profession. In a February 2004 speech at the Economic Club of Chicago, McDonough said the PCAOB inspection process would consist of reviews of audit engagements to ensure compliance with securities laws, the rules of the SEC and the PCAOB and the highest professional standards.

Unfortunately, experience shows this approach provided little assurance of mitigating the risk of audit failure. Even though such reviews were an integral part of the internal quality control programs of audit firms for years, they weren’t very effective in preventing audit failures. Why would the PCAOB’s experience be any different? When I visited the PCAOB several months ago and posed that question to George H. Diacont, the PCAOB’s director of registration and inspections, he answered, “We’ll do it better.”

I believe the problem with the inspection approach is that audit failures could occur in engagements not inspected. And in the post-Enron world another audit failure would be disastrous for the firm(s) responsible and for the profession. Such an outcome would benefit no one and irreparably harm many. With that specter in mind, it’s fair to ask whether ceding audit responsibility to a government agency is in the best interests of the investing public. There is an alternative, but before we consider it, examining the nature of audit failures may prove enlightening.

The root cause of audit failure

The key question is whether audit failures are caused by isolated errors or more systemic factors. As vice-chairman of business assurance at Coopers & Lybrand in 1993, I began a study to identify the causes of audit failures. My colleagues and I found they occurred in the presence of several systemic factors: poor audit supervision, lack of training, judgment errors in dispute resolution and serving high-risk clients. It appears that similar causes underlie other recent audit failures such as those at the Baptist Foundation of Arizona, Colonial Realty, Sunbeam and WorldCom.

In addition some auditors’ skills are questionable. For example, WorldCom recorded millions of dollars in expenses in asset accounts without audit detection, and Healthsouth created income by manipulating its contractual allowance account. The inept auditing that failed to detect these violations was likely due to deficiencies in training, supervision and basic audit judgment. These examples confirm the findings of our study: Audit failures are due to systemic flaws in quality control programs. Logic suggests the inspection process must detect these flaws before they result in audit failures.

So, to identify the best inspection strategy for detecting systemic flaws in quality control systems, let’s compare the relative merits of engagement reviews and risk management reviews.

Engagement reviews

The PCAOB conducts in-depth reviews of individual audit engagements to determine compliance with GAAS and GAAP. But this approach is based on the flawed premise that reviews will detect any substandard audits and require corrective action by the firms responsible. Presumably, the path of inquiry leads to the control system. So why not start there, instead of with reviews of completed audit engagements? By the time reviewers discover any defects, the audit firm has issued its opinion and investors have made their decisions.

Furthermore, this approach provides assurance only with respect to engagements reviewed. The PCAOB would be exposed to criticism if an engagement not selected was subsequently found to be deficient. What if Enron’s audit hadn’t been selected?

Risk management reviews

There is an alternative. While continuing to examine selected engagements, the PCAOB also could support the profession’s enhancement of its quality control processes and direct audit firms to focus on measuring compliance. This approach would

  • Focus on systemic issues, the fundamental determinant of audit quality.
  • Be consistent with the spirit of Sarbanes-Oxley’s focus on internal control compliance. It is proactive, timely and collaborative, rather than reactive. Its objective is to build quality into the product. CPAs are expert at developing and reviewing internal quality control systems. They provide these services to their clients. Presumably they could create them internally. A detailed description of such a system is contained in my January 2003 JofA article (see “Maintain Excellence, Cut Risk,” page 75).
  • Provide a better return on time expended. Improving risk management heightens the quality of all audit engagements.
  • Be measurable, because compliance would be contemporaneously documented.
  • Actually work. At Coopers & Lybrand in the 1990s my colleagues and I adopted it after concluding engagement inspections weren’t providing enough quality assurance. We identified and examined each process that affected quality and then enhanced and integrated them into an overall, comprehensive risk management program. We also continuously monitored compliance and made it a major factor in determining partner compensation. An auditor who failed to comply with the firm’s quality control program faced possible termination.

Our total focus on audit quality produced impressive results. In 1996 and 1997 we terminated high-risk clients from which we had earned more than $30 million in fees. Because auditing these companies consumed disproportionate amounts of our time and effort, ending our relationships with them freed us to serve new, low-risk clients worth nearly $50 million in fees. That move paid off in other ways too. From 1996 to 1998 we had no significant audit failures, and none has emerged relative to that period. In addition, our enhanced economic performance reduced the pressure to generate fees, a factor that can jeopardize audit quality.

Make it happen

It’s in the best interests of the profession, investors, lenders and the PCAOB to focus on quality control to improve the processes by which individual firms monitor the performance of their leaders, employees and clients. I described this strategy in greater detail in my earlier JofA article. These are its components:

  • Stop the finger-pointing, most of which is directed at the profession by SEC-registered public companies protesting the cost of complying with section 404 of Sarbanes-Oxley and by the PCAOB, which views the profession as a problem to be managed. It’s time for all concerned to cooperate.
  • Identify and promulgate quality-control best practices by forming—under the direction of the PCAOB—a committee of major and second-tier firm representatives charged with defining best practices every firm must adopt and developing criteria for measuring compliance.
  • Require that every audit firm develop an internal monitoring process acceptable to the PCAOB and that each firm’s CEO and senior management team attest to the results of the process.
  • Focus PCAOB oversight inspections on compliance and actions taken to correct control system deficiencies. The inspection process would continue to examine selected engagements, with an emphasis on determining compliance with quality control procedures as well as with GAAP and GAAS.

This approach would be substantive, cost-effective and easily understood by the investing public. It would capitalize on the profession’s expertise and enhance audit quality.

Work with the PCAOB

If audit firms are to survive, the PCAOB must adopt a broader, more effective approach to oversight. Auditors therefore must persuade the PCAOB of the need to adopt a strategy that anticipates and prevents audit failures. They can do this by communicating to the PCAOB the need to work with auditors to improve the profession’s systemic quality control processes and thereby improve the quality of all audits, not just those selected for review. In this way auditors can help ensure their profession continues to serve the business community and its investors.

Speak Your Mind