The Honorable Gary Gensler
Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549
Via electronic submission: [email protected]
Dear Chair Gensler:
Congratulations on your recent confirmation as chair of the Securities and Exchange Commission (SEC). I write to you on behalf of the Project On Government Oversight (POGO) to provide several recommendations for the Public Company Accounting Oversight Board (PCAOB)that the commission can implement immediately on its own, and several where the commission can work with Congress to strengthen the laws governing this oversight system. These reforms will help President Joe Biden deliver on his promises to ensure that government will work for all Americans.
POGO is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing. We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.
The commission is facing several pressing issues. These include hot news topics, like GameStop, Robinhood, short selling, and meme stocks, as well as climate risk disclosures and the disclosure of payments by resource extraction issuers. However, addressing these issues should not distract from the commission’s duty to conduct oversight of the PCAOB. In the coming months and years, your agency will play a vital role as the economy begins recovering from the economic downturn caused by the ongoing coronavirus pandemic. This includes ensuring that audit firms thoroughly examine companies’ books to protect investors and Americans’ retirement savings. Making sure that the PCAOB is an efficient and effective enforcer is a critical task.
In wake of the accounting scandals of the early 2000s, Congress passed the Sarbanes-Oxley Act creating the PCAOB, supervised by the SEC, to oversee the audits of public companies. The PCAOB periodically inspects more than 1,700 public accounting firms. Given their size, the PCAOB annually inspects the “Big Four” firms: Deloitte & Touche, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC).1 According to a 2017 report by Audit Analytics, the Big Four audited 99% of companies in the S&P 500 index of large corporations.2 Furthermore, as of 2019, they audited about 47% of all publicly traded companies in the United States.3
As a nonprofit corporation, the PCAOB is not subject to the Freedom of Information Act, and unlike the SEC’s Rules of Practice,4 the Sarbanes-Oxley Act prevents the board from publicly disclosing pending charges and enforcement proceedings against firms and auditors.5 In the theme of secrecy, POGO is also particularly concerned about reports that the new PCAOB advisory meetings will be held behind closed doors and the meeting minutes will no longer be made public as they previously were, further keeping investors and the public in the dark.6
PCAOB Is Not Effective
Because of the size and value of the companies audited by the Big Four, it is especially important for the PCAOB to ensure the accounting firms are doing their jobs correctly. However, since its inception, the PCAOB has often seemingly ignored improper behavior by accounting firms. This approach has resulted in minimal enforcement actions.
According to a 2019 POGO report, in the board’s first 16 years the PCAOB cited 808 instances where the U.S. Big Four issued audits that were so defective that the audit firms shouldn’t have vouched for a company’s financial statements, internal controls, or both. But in that period, the PCAOB brought only 18 enforcement cases, involving a total of 21 audits, against the U.S. Big Four or employees of the firms.7
Fines and charges by the SEC and PCAOB against the Big Four seem to be inconsequential and have not resulted in increased respect for auditing standards. POGO’s report shows that over the board’s first decade and a half, it could have fined the Big Four a minimum of $1.6 billion. But records indicate that the board fined the firms only $6.5 million—less than one half of one percent of the potential fines. Moreover, as of 2019, the PCAOB had fined individuals at the Big Four firms just $410,000. As POGO noted, this total is less money than a partner at any big accounting firm can make in single year.8
Global revenue at the Big Four accounting firms rose more than 10% in 2018, their strongest annual growth in at least a decade, as they continued a long shift toward consulting over their core auditing businesses. The four firms had $148.2 billion in combined global revenue in fiscal year 2018.9 Considering their substantial revenue, any small penalties they face from the PCAOB do not deter the companies from committing violations.
Last year, in responding to a question from Representative Brad Sherman (D-CA), chair of the House Committee on Financial Services Subcommittee on Investor Protection, Entrepreneurship and Capital Markets, PCAOB Chairman William D. Duhnke III testified that he believed that audit restatements reaching an 18-year low showed an improvement in audit quality. Duhnke added that he thought this could be attributed to the board’s inspection reports and enforcement actions.10 This is troubling because the rate of audit deficiencies in the most recent annual inspection of the Big Four firms for which the PCAOB has reported results varies between 20% and 50%.11 In other words, according to the PCAOB, between one-fifth and one-half of the audits of the biggest U.S. corporations do not comply with auditing standards. The Big Four, the PCAOB, and Congress should not be impressed or satisfied with this rate of audit quality.
A series of scandals involving the Big Four further demonstrates that the firms have not been deterred by the PCAOB’s inspection and enforcement regimes. In 2019, KPMG payed a $50 million penalty for hiring PCAOB employees to learn inside information on the oversight board’s plans in order to cheat on upcoming inspections and exams.12 Also in 2019, the SEC charged Deloitte Japan with knowingly violating auditor independence rules.13 In 2018, the PCAOB fined Deloitte Canada $350,000 for failing to maintain independence over three consecutive audits.14 In 2016, EY paid $11.8 million for audit failures that included failing to detect years-long fraud schemes designed to inflate earnings.15 And, according to a November 2019 whistleblower disclosure, Mattel and its auditor, PwC, allegedly buried an accounting error that increased the company’s reported loss for the third quarter by $109 million.16
The Revolving Door
We must also point out a systemic conflict-of-interest problem: SEC executive staff and PCAOB inspectors largely come from the Big Four. Indeed, a 2020 POGO report found that as of November 2019, according to profiles on the LinkedIn professional networking site, more than 40% of PCAOB employees had worked for the Big Four. Our research also found that, also according to LinkedIn profiles, more than 160 people working for the Big Four had previously worked for the PCAOB. For current employees who went directly from the Big Four to the PCAOB or vice versa, half of the LinkedIn profiles POGO analyzed indicated they did so with a gap of two months or less.17
The career of Wes Bricker, the former chief accountant of the SEC, demonstrates how the revolving door can introduce conflicts of interest that undermine enforcement in PCAOB’s work. These conflicts of interest can make the public wonder who the audit board is actually working to protect—the industry or investors. These fears are compounded given that the PCAOB hasn’t met with an internal advisory group tasked with promoting the interests of investors since 2018, and are further compounded by the fact that the group was dissolved earlier this year.18 Mr. Bricker came from PwC, became chief accountant at the SEC, and then left to rejoin PwC as its vice chair. Right after Mr. Bricker’s departure, the SEC sanctioned PwC with a nominal fee of just under $8 million for having violated independence on 19 public company engagements.19 This fine pales in comparison to the firm’s self-reported global revenue of $42.4 billion in fiscal year 2019.20 This example illustrates the improper relationship when officials rotate between industry and the regulator.
Another fundamental issue that the SEC needs to examine is how the current auditing system discourages auditors from reporting issues. As POGO reported, “audit firms have a built-in conflict of interest: They are hired by the companies they audit.”21 Researchers at the Walton College at the University of Arkansas found that auditors’ reputations suffer when they identify issues with companies’ audits.22 The researchers found that auditors who flag weaknesses are “perceived as less attractive in the audit market,” and as a result, this “disincentivizes auditors from disclosing internal-control information that could make their clients look bad.” Making their clients look bad could hurt their firm’s chances of being rehired by the client, or even the auditor’s own hiring prospects at other firms. How can we ensure audit quality when the system itself discourages proficient and accurate auditing?
To assist you in addressing the issues we’ve outlined, we are enclosing a list of policy recommendations made by POGO. This country cannot afford another economic crisis, and the Public Company Accounting Oversight Board has a responsibility to do everything in its power to ensure that regulators are adequately policing auditors. In order for the PCAOB to succeed in its mission, the SEC must do a better job of holding it accountable.
Again, congratulations on your confirmation, and thank you for your consideration of this matter. Should you have any questions, please contact Tim Stretton at [email protected].
The POGO policy team drafted these recommendations to address the systemic issues identified in our 2019 investigative report, How an Agency You’ve Never Heard of Is Leaving the Economy at Risk.
Recommendations for Administrative Action:
- In each inspection report, the board should publish the total number of alleged violations in each defective audit, and should list each alleged violation along with its corresponding potential fine. The Sarbanes-Oxley Act spells out some basic requirements the oversight board must fulfill when conducting an inspection of an audit firm’s work. One is to identify anything the firm has done or failed to do that may amount to a violation. Another is to “begin a formal investigation or take disciplinary action, if appropriate, with respect to any such violation,” according to Sec. 104(c)(3) of the Sarbanes-Oxley Act. In many cases, inspection reports list multiple deficiencies or ways the auditors failed, but do not clearly state the total number of violations detected. Inspection reports are one of the main sources of leads for PCAOB investigations, which can result in enforcement actions and sanctions, and should therefore be as detailed and clear as possible.
- The board should make all enforcement actions fully transparent by identifying in the disciplinary orders the companies whose audits were botched for each enforcement action. While the enforcement actions listed on the board’s enforcement webpage name the audit firms, the PCAOB does not consistently name the companies whose audits were botched. The board often identifies these companies only as “issuers.” By not publicly naming the companies, the board deprives investors and the public of critical information necessary to evaluate companies’ performance and financial well-being.
- Given that the board has a history of settling violations for much less than the law authorizes it to collect, the board should disclose in its disciplinary orders: (1) the maximum potential fine for the violation; (2) the actual imposed fine for the violation; and, when relevant, (3) the justification for why the actual imposed fine differs from the maximum potential penalty. When the board resolves a violation for a fraction of what’s authorized under law without a stated justification for the reduced amount, it represents a lack of accountability and transparency, as well as a failure to serve the public.
- The board should disclose in its annual reports the total number of alleged violations detected in each inspection. While the board’s annual reports currently include the number of inspection reports issued that year, publishing the total number of alleged violations associated with those inspection reports would give the public critical information to evaluate the board’s inspection programs. Identifying the number of inspection reports along with the total number of alleged violations could give valuable insight into the thoroughness of the board’s inspection regime.
- The board should also disclose in its annual reports the total number of enforcement actions resulting in sanctions against auditing firms and individuals, and the total number of auditing firms and individuals who are the subject of pending but undisclosed disciplinary charges. The board should also identify if these enforcement actions resulted from the board’s inspection reports. Identifying the total number of pending and resolved enforcement actions would give the public critical information necessary to evaluate the board’s enforcement program.
- To better oversee the industry, the board should incentivize whistleblowers to come forward when they suspect violations of the Sarbanes-Oxley Act, PCAOB rules, and other laws, rules, and professional standards governing the audits of public companies, brokers, and dealers. Whistleblowers should receive a reward if their report results in a PCAOB enforcement action. Whistleblowers are a critical tool in the fight against waste, fraud, abuse, and corruption. These individuals keep a watchful eye on the government and industry. Whistleblowers could help make enforcement of the audit firm industry easier and more effective. The board should protect from retaliation workers who make protected disclosures, deter efforts to discourage people from coming forward, and provide resources so workers know the right way to bring information to light. Such a program could be modeled on the whistleblower offices at the SEC and the Internal Revenue Service, which are both authorized by Congress to provide monetary awards to individuals who come forward with information that leads to enforcement actions. Congress has a long history of financially rewarding whistleblowers—dating back to the False Claims Act in 1863, when Congress was concerned that suppliers were ripping off the Union Army during the Civil War.
Recommendations for Legislative Action:
- Congress should amend the Sarbanes-Oxley Act to allow for congressional access to the information held by the PCAOB. Signed into law in 2002, the Sarbanes-Oxley Act was unfortunately written in a way that prevents Congress from seeing confidential information from the board’s inspections and investigations. The board could potentially use this provision to deny requests for information from the legislative branch, which could hinder congressional investigations. The board should be accountable and transparent to Congress, and Congress should have the necessary information it needs to conduct proper oversight.
- Congress should amend the Sarbanes-Oxley Act to make all Public Company Accounting Oversight Board (PCAOB) charges, hearings, notices, orders, and motions available to the public online. Such a change could be modeled on the Securities and Exchange Commission’s (SEC) Rules of Practice, under which hearings and related notices, orders, and motions are available to the public. Under the Sarbanes-Oxley Act, while the PCAOB is litigating charges against an auditor, the public and investors are deprived of information necessary to evaluate companies’ performance and financial well-being. Unless the accused consents, the charges and the ensuing proceedings are not publicly disclosed. In contrast, when the SEC files charges in an enforcement action, the charges are made public, thus making important information available to the public and investors.
- Congress should amend the Sarbanes-Oxley Act to clarify that the PCAOB shall clearly identify the companies referenced in the board’s inspection reports. In the public portions of its inspection reports, where it describes botched audits, the board does not name the audited companies. Section 104(g)(2) of the Sarbanes-Oxley Act states that inspection reports shall be “made available in appropriate detail to the public,” subject to certain confidentiality requirements, “and to the protection of such confidential and proprietary information as the Board may determine to be appropriate, or as may be required by law.” As a result, the PCAOB has previously determined that the law prohibits it from naming the affected companies, even though there has been some disagreement about whether this is a proper interpretation of the law. By not naming the companies, the board fails to warn investors which companies were audited inadequately. While the board could change its interpretation of the law to disclose the companies’ names, a new board could subsequently change it back again. Amending the Sarbanes-Oxley Act would give it permanent clarity and intent.
- Congress should amend the Sarbanes-Oxley Act to clarify that the board shall clearly identify the individual auditors responsible for the alleged auditing failures listed in inspection reports. In the public portions of its inspection reports where it describes botched audits, the board names audit firms but not the individual auditors responsible for the alleged auditing failures. Listing the individual auditors, in particular the engagement partners and senior managers involved in the audit and its review, would make auditors more accountable, as their errors would be made public for everyone, including potential future employers, to see. Consequently, auditing firms would also be made more accountable because they would be able to see prospective employees’ performance records and could tell if a potential employee was a thorough and effective auditor. In addition, this information could be especially useful to the committees of corporate boards that choose and oversee audit firms.
- Congress should amend the Sarbanes-Oxley Act to require that the board make public its inspections of audit firms’ quality control systems in its inspection reports. Currently, problems involving firms’ quality control systems go undisclosed if the audit firm corrects them within a year. According to one board member, “inadequate quality control systems present missed opportunities to prevent, detect, and remediate deficiencies before audit reports are issued and relied upon.” Inspection reports’ discussions of quality control systems should be made public to inform companies seeking the most effective auditing firm possible. Making these sections of the inspection reports public would help the public and shareholders hold boards of directors accountable by ensuring they hire the most effective auditors. Furthermore, requiring that these sections of the reports be made public is particularly important because PCAOB officials have publicly said they plan to focus more on quality control systems, meaning they plan to emphasize and prioritize work that is not currently publicly available.