Auditing Watchdog Hides Information from Investors

This piece is part of a series. See the full series, or skip ahead to the next part, How Accountants Took Washington’s Revolving Door to a Criminal Extreme.

A federal regulator responsible for protecting investors is increasingly withholding information from the public.

The Public Company Accounting Oversight Board (PCAOB) polices accounting firms that audit and certify the financial reports of companies traded on U.S. stock markets. Its mission is to protect investors, including anyone who is counting on a pension or retirement fund, by reducing the risk that through fraud or error companies will present a false picture of their financial performance.

The oversight board has long suffered from a lack of transparency, partly because the law that created it limited what it can disclose about problems it uncovers. However, of late, the board has taken its secrecy to a new level.

The shift involves PCAOB enforcement actions against accounting firms or individual auditors for allegedly violating requirements.

It has become commonplace for the PCAOB to discipline auditors for misconduct without saying which companies’ audits were involved.

By not naming the audited companies, the oversight board shields them from public scrutiny. It leaves the shareholders of those companies in the dark about faulty audits. Further, it deprives investors of information they could use to hold corporate boards accountable for their choice of audit firms and their monitoring of corporate audits. 

The PCAOB’s actions raise the question: Is the oversight board protecting investors, or is it protecting auditors and corporations from investors?

A Project On Government Oversight (POGO) investigation published last month found that the agency rarely takes disciplinary action against major accounting firms for apparent auditing violations.

The oversight board’s recent pattern of not naming the audited companies in disciplinary actions it does take represents a sharp departure from past years, a new POGO analysis found. 

Through the first nine months of 2019, 18% of the oversight board’s disciplinary settlements named an audited company, POGO found. That contrasted with 60% in 2018, 72% in 2017, 63% in 2016, and 50% in 2015, POGO found.

A September 10, 2019, enforcement order illustrated the trend. 

In that case, the PCAOB said the accounting firm Marcum LLP “expressly touted” to prospective investors the quality of 62 companies Marcum was responsible for auditing. Marcum hosted an annual conference to showcase those and other companies for investors.

In essence, the PCAOB alleged, the audit firm, which was supposed to serve as a watchdog over those companies, had become a cheerleader for them. And, having done so, the audit firm staked some of its reputation on the companies living up to its praise.

Marcum’s actions over several years compromised its independence, the PCAOB said.

Describing the first of the annual conferences in 2012, Marcum stated that the conference would be “a unique opportunity for investors to uncover ‘hidden gem’ investment opportunities,” the PCAOB said.

The PCAOB referred to the companies as “issuers” because they issue securities, such as shares of stock.

“Marcum’s hosting and promotion of the conference: (1) involved publicly advocating for these issuer audit clients as high-quality investment opportunities; and (2) created a mutual interest between Marcum and these issuer audit clients with respect to whether those clients’ subsequent performance lived up to Marcum’s billing,” the PCAOB said.

The audit firm’s managing partner “characterized the presenting companies as having ‘high quality management teams,’” the PCAOB said. Another unnamed firm leader “called the presenting companies ‘exceptionally well managed,’ with ‘sound business practices,’ and predicted that the presenting companies ‘will be recognized by the investment community both for their business management success and for their investment potential,’” the PCAOB said.

The PCAOB disciplinary order did not name the 62 companies.

Without admitting wrongdoing, Marcum agreed to pay a $450,000 fine.

In other cases, the PCAOB has referred to the companies involved by generic terms such as “Issuer A,” “Issuer B,” or “Client Bank.”

In a speech last month, one of the five PCAOB board members implied that he was concerned about the oversight board’s increasingly limited disclosure and the criteria the PCAOB staff has been using to determine when to name companies whose audits were deficient.

The board member, J. Robert Brown, Jr., cited an undated document laying out the criteria, which he described as “recently published.” The PCAOB posted the document in August, oversight board spokesperson Torrie Matous told POGO by email.

“The three factors mostly involve circumstances where the identity of the issuer and the relevant behavior have already been made public,” Brown said in the September 6 speech.

“While I agree that in some circumstances omission of the identity of a public company is appropriate, I believe that the recently announced [criteria] could result in recommendations that would significantly expand the circumstances where nondisclosure would occur,” Brown said.

As of September 6, the PCAOB had issued 20 settled disciplinary orders this year, Brown said. The issuers were named in four of those orders and were not named in 16, he said. 

Since Brown gave that speech, the oversight board has posted two more disciplinary orders, neither of which named the companies whose audits were allegedly compromised. 

As a general matter, by not naming audited companies in enforcement orders, the PCAOB may prevent investors from learning which partners at the audit firms were responsible for the audits at issue. 

That undermines one of the rare reforms the PCAOB has implemented to make auditors more accountable to the public. In 2017, the oversight board added a searchable database called AuditorSearch to its website enabling the public to plug in the name of a company and find the name of the accounting firm partner who led that company’s audit. However, if you don’t have the name of the company referenced in an enforcement action, and if the partner isn’t charged in the enforcement action, you can’t look up the partner’s name.

The PCAOB’s enforcement staff “seek to balance concerns for transparency with fundamental fairness” toward audited companies, oversight board spokesperson Matous told POGO.

Consistent with the PCAOB’s statutory mandate, Matous said, the PCAOB’s investigations focus solely on the conduct of the audit firms and their personnel. The businesses that the auditors audit “are afforded neither due process rights in our investigations nor an opportunity to explain or defend themselves,” Matous added.

Confusingly, perhaps, the Public Company Accounting Oversight Board has a board of its own—a governing board whose five members vote on disciplinary actions and other decisions.

The criteria the oversight board posted in August apply to the recommendations the PCAOB’s staff makes to its governing board and do not bind the members of the governing board, Matous said.

As for the Marcum case, the violations in that matter “did not relate specifically to” the audited companies’ “financial statements or conduct,” she added. “The violations instead concerned unrelated actions taken by the audit firms and their personnel.”

It’s unclear how those last comments square with the PCAOB disciplinary order against Marcum. The order indicated that the companies participated in the conferences hosted by their audit firm and that the independence of their audits was compromised.

In her October 4 email to POGO, Matous said the oversight board’s enforcement staff posted the new criteria to “further the PCAOB’s strategic goal of enhancing transparency.”

But it appears that the criteria themselves reduce transparency.

Matous didn’t say what if anything prompted the change in approach at the PCAOB.

However, in a February 27 advisory, the corporate law firm Covington & Burling pointed to a possible turning point. Covington said that, in a departure from past practice, in disciplinary orders issued on February 26, the PCAOB had “protected the identity of the auditors’ client.”

“This positive development stems from Covington & Burling’s request to the PCAOB,” Covington wrote.

The only disciplinary orders the PCAOB issued on February 26 were against a pair of accountants accused of violations in their work on accounting firm Grant Thornton’s audit of the 2013 financial statements of a real estate finance company. The company was identified as “Issuer A.”

In their settlements with the PCAOB, the accused auditors neither admitted nor denied the charges.

Covington wrote at the time that it was unclear whether the February 26 orders signaled a sea change in the PCAOB’s approach, and it added that it expected the answer to emerge over the next year.

The PCAOB has a history of pulling punches. As a POGO investigation published in September 2019 found, the PCAOB has penalized the biggest audit firms in the United States for only a tiny fraction of the apparent violations its own staff has identified. The fines the PCAOB has imposed on the U.S. arms of the so-called “Big Four” accounting firms pale into insignificance compared to the fines it apparently could have imposed.

In addition to taking disciplinary actions against auditors, the PCAOB inspects a sample of the audits conducted by audit firms and publishes its findings in periodic inspection reports. The reports have described more than 800 instances in which the U.S. Big Four have botched audits. However, the inspection reports do not identify the companies whose audits were allegedly botched.

When it comes to disciplinary orders, some cases don’t involve audits of specific companies traded on U.S. stock markets, so there is no company within PCAOB jurisdiction for the oversight board to name. For example, in a 2017 case, an audit firm was disciplined for failing to inform the PCAOB about legal proceedings against the firm and some of its partners in a foreign country. 

Occasionally, cases involve generalized misconduct, with potential implications for a wide universe of companies audited by a particular audit firm. In some cases, the PCAOB charges an auditor with failing to cooperate with an investigation or backdating documentation pertaining to an audit—and the PCAOB disciplinary orders refrain from explaining what implications, if any, the alleged misconduct might have for the related audits.

Historically, the PCAOB refrained from naming companies in cases involving a violation of documentation standards or a failure to cooperate, Brown said in his recent speech.

But, in other cases, the PCAOB has named the auditor’s client, Brown said.

“Where the alleged behavior involved an audit failure, we would often include the name of the public company in the order,” he said.

As recently as last year, the oversight board identified long lists of audit clients in two settled enforcement orders. In a March 2018 disciplinary order, the PCAOB included an appendix identifying 53 “Audits & Attestations Not Performed in Accordance with AS 1220,” an auditing standard. In an August 2018 disciplinary order, the oversight board included a similar list of 135 audits and attestations and named each of the 111 clients.

The PCAOB has undergone other big changes under the Trump administration. All five members of its governing board were replaced in early 2018. In addition, many other senior officials have resigned or been forced out.

POGO found that the total number of enforcement cases being settled by the oversight board has declined sharply under the new governing board. The PCAOB has settled 22 cases so far this year and 20 last year. That was down from 54 cases in each of the two previous years.

The PCAOB’s governing board has held no public meetings since December 20, 2018, Francine McKenna of MarketWatch recently reported and the board’s public calendar shows. That puts the governing board in violation of its own bylaws, which require it to hold at least one public meeting each calendar quarter, MarketWatch noted.

The PCAOB answers to another regulatory agency, the Securities and Exchange Commission (SEC), with which it shares responsibility for policing corporate auditors. In its enforcement cases against auditors, the SEC also has refrained at times from naming companies whose audits were involved.

For example, in a September 23, 2019, enforcement order, the SEC alleged that, from 2013 through 2016, PricewaterhouseCoopers LLP (PwC) engaged in “improper professional conduct” in its relationships with 15 audit clients. PwC settled the case without admitting or denying wrongdoing.

The SEC did not identify the clients.

SEC spokesman John Nester declined to answer questions for this story.

Leaders of the Marcum audit firm, including Chairman and Chief Executive Jeffrey M. Weiner and Vice Chairman David C. Bukzin, did not respond to inquiries from POGO.

Questions they left unanswered show how accountability can suffer when the PCAOB refrains from identifying the companies whose relationships with auditors gave rise to enforcement actions.

If, as the PCAOB alleges, Marcum’s independence as auditor of 62 companies was compromised over several years, what, if anything, have those companies done to remedy the problems? Have they replaced Marcum with new auditors? Did they have the allegedly tainted audits redone? If so, at what cost?

And how, if at all, have the management and boards of those companies been held accountable?

The PCAOB left similar questions unanswered.