William D. Duhnke III
Public Company Accounting Oversight Board
1666 K Street NW
Washington, DC 20006-2803
Via email: [email protected]
Subject: Comment in Response to the Public Company Accounting Oversight Board’s Plan to Revise Its Inspection Reports
Dear Chairman Duhnke:
The Project On Government Oversight (POGO) makes the following recommendations to help you better communicate to the public the important work the Public Company Accounting Oversight Board (PCAOB) is entrusted to do. These recommendations are in response to the board’s plan to revamp the format and substance of inspection reports.1 Given that the PCAOB encourages all interested parties to comment on proposals and documents,2 POGO believes these recommendations can help improve the quality and usefulness of the oversight board’s inspection reports and better protect investors and the American economy. POGO is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing. We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.
On September 5, 2019, POGO published an investigative report, “How an Agency You’ve Never Heard of Is Leaving the Economy at Risk,” in which we reviewed 16 years’ worth of the PCAOB’s annual inspection reports on the U.S. arms of the Big Four audit firms: Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers.3 POGO’s report found that the oversight board’s inspection reports noted 808 instances where the firms issued defective audits that should not have vouched for a company’s financial statements, internal controls, or both. However, compared to the 808 instances of defective audits, the PCAOB brought only 18 enforcement cases, involving a total of 21 audits, against the U.S. Big Four or employees of the firms.
Accompanying the report, POGO published a list of recommendations to address the need for increased transparency and accountability in the board’s inspections and enforcement proceedings.4 The recommendations proposed both legislative and administrative actions to help strengthen the audit industry to protect investors and safeguard savings the public may have invested in the stock market, pension or retirement funds, and even their paycheck and employment benefits.
For the purpose of helping the PCAOB improve its inspection reports, POGO has described below each of the recommendations that relate to the inspection reports. These recommendations include: identifying companies referenced in the board’s inspection reports, identifying the individual auditors responsible for the alleged auditing failures listed in inspection reports, publishing the total number of alleged violations in each defective audit, and listing each alleged violation along with its corresponding potential fine. POGO additionally makes several recommendations on how to better incorporate data from inspection reports into the oversight board’s annual report.
1. The PCAOB should clearly identify the companies referenced in inspection reports.
In the public portions of its inspection reports, where it describes botched audits, the PCAOB does not currently name the audited companies. By not naming the companies, the oversight board fails to warn investors which companies were audited inadequately.
Section 104(g)(2) of the Sarbanes-Oxley Act states that inspection reports shall be “made available in appropriate detail to the public,” subject to certain confidentiality requirements “and to the protection of such confidential and proprietary information as the Board may determine to be appropriate, or as may be required by law.”5 As a result, the PCAOB has previously determined that the law prohibits it from naming the affected companies,6 even though there has been some disagreement about whether this is a proper interpretation of the law, as highlighted in POGO’s report.
The statute does not explicitly address whether the oversight board is prohibited from naming the affected companies. In fact, former PCAOB board member and general counsel Lewis H. Ferguson told POGO that that the law is “ambiguous,” and that “there was a sense that the issuers themselves”—the audited companies—“would have gone berserk if their names were disclosed.”7 Further, in POGO’s report, Kayla Gillan, one of the PCAOB’s first board members, said that the decision not to name the companies was “a matter of interpretation on which the original board was divided.”8 Gillan, who favored disclosure, added that she thought the argument by the Securities and Exchange Commission (SEC), which has oversight authority over the PCAOB, that naming the affected companies would hurt their stock prices, was a “frivolous argument.”
The PCAOB’s mission is to oversee the audits of public companies and SEC-registered brokers and dealers in order to protect and further the public interest through the preparation of informative, accurate, and independent audit reports. However, by not naming the companies, the oversight board refrains from warning investors which companies were audited inadequately. Adding the company names would certainly help to “better meet the needs of investors and audit committee members, as well as the broader public,” as you stated was the goal of revamping the inspection reports during the board’s open meeting on November 19, 2019.9
Just as the board determined in 2004 that the law indicated that it could not publish the names of the companies that were audited, the board could issue a reinterpretation of the law allowing it to disclose the companies’ names. The PCAOB should be focused on protecting investors, not on protecting companies from potential negative outcomes of the oversight board’s work.
2. The PCAOB should clearly identify the individual auditors responsible for the alleged auditing failures listed in inspection reports.
In addition to leaving out the names of the affected companies, the public portions of the oversight board’s inspection reports discussing botched audits name audit firms but not the individual auditors responsible for the alleged auditing failures. Listing the individual auditors, in particular the engagement partners and senior managers involved in the audit and its review, would make auditors more accountable, as their errors would be made public for everyone to see, including the committees of corporate boards that choose and oversee audit firms.
Listing the individual auditors who worked on the audits would also build upon the PCAOB’s “AuditorSearch” database, for investors and others to know more about who is leading and participating in audits. While AuditorSearch is a searchable public database of engagement partners and audit firms participating in audits of U.S. public companies, listing the auditors in the inspection reports would add further transparency to better inform investors and corporate boards. Listing the individual auditors in the inspection reports reduces the steps one must take to identify who was behind the alleged violation.
Inspection reports evaluate compliance with the applicable laws, rules, and “professional standards, in connection with the firm’s performance of audits, issuance of audit reports, and related matters involving U.S. public companies.”10 Given this, committees of corporate boards would greatly benefit from knowing if individual auditors, engagement partners, and senior managers were thorough, proficient, and accurate when auditing their companies. Audit committees of corporate boards would then have more knowledge and a higher level of confidence when choosing firms to conduct their company’s audit.
In addition, naming individual auditors could be valuable to the audit firms themselves. The firms would have more information to make better hiring decisions because they would be able to see prospective employees’ performance records and could tell if a current or prospective employee was a thorough and effective auditor. Audit firms would have an incentive to hire the best auditors because doing so would increase their chances of obtaining additional audit contracts from companies looking to hire them to correctly conduct their audit. Moreover, if individual auditors could be named in the inspection reports, they would be made more accountable by the additional incentive to ensure their work is accurate, in order to maintain their reputation as a thorough and precise auditor.
And, given the PCAOB’s statutory requirement to fund a merit scholarship program for those studying accounting11, this practice would further support the oversight board’s mission of helping to educate future auditors and further develop their skills.
3. In each inspection report, the PCAOB should publish the total number of alleged violations in each defective audit, and should list each alleged violation along with its corresponding potential fine.
The Sarbanes-Oxley Act spells out some basic requirements the oversight board must fulfill when conducting an inspection of an audit firm’s work. One is to identify anything the firm has done or failed to do that may amount to a violation of the law or the rules of the PCAOB or SEC. Another is to “begin a formal investigation or take disciplinary action, if appropriate, with respect to any such violation,” according to Section 104(c)(3) of the Sarbanes-Oxley Act.12 In many cases, inspection reports list multiple deficiencies or ways the auditors failed, but do not state the total number of violations detected. Because inspection reports are a key source of leads for PCAOB investigations, which can result in enforcement actions and sanctions, they should be as detailed and clear as possible.
Besides auditing the auditors, another major responsibility of the PCAOB is to enforce applicable laws and rules of the oversight board and the SEC. The Sarbanes-Oxley Act gave the board the authority to penalize audit firms as much as $2 million per violation for ordinary violations and as much as $15 million per violation for more serious violations—those that involve intentional or knowing conduct, including recklessness, or, in the wording of the law, “repeated instances of negligent conduct.”13 Identifying the potential fines that could be levied on alleged violations would undoubtedly increase awareness of the severity of these alleged violations and compel auditors to be more thorough as a means to avoid potential penalties in the first place.
As the oversight board revamps the substance and format of its inspection reports, POGO recommends that each report include the total number of alleged violations found in the inspection. Inspection reports should also clearly list each alleged violation with its corresponding potential fine. While there are many ways the oversight board could do this, presenting the information in a table format may be the easiest and clearest way for individuals, firms, companies, and investors to read and comprehend.
4. The PCAOB should incorporate more data from its inspection reports into the board’s annual report.
Inspection reports are valuable in assessing auditing firms’ compliance with laws, rules, and professional standards. With 153 inspection reports filed in 2018, these reports can provide meaningful data and important insight about the auditing industry as a whole, as well as the activities of the oversight board during that year.14 Therefore, POGO recommends that the oversight board incorporate more data from inspection reports into its annual reports. This data should include the total number of alleged violations detected in all inspection reports for the past year and the total number of enforcement actions that resulted from inspection reports.
First, while the oversight board’s annual reports currently include the number of inspection reports issued that year, publishing the total number of alleged violations associated with those inspection reports would give the public critical information to evaluate the board’s inspection programs and the industry as a whole. It would be in the public interest to know, for example, if out of the 153 inspection reports in 2018, the oversight board found a total of 10 alleged violations or 100 alleged violations.
Second, disclosing in its annual reports the total number of enforcement actions that resulted from inspection reports would help to better highlight the value and effectiveness of the oversight board’s inspection reports. Similarly, the PCAOB should publish in its annual reports all enforcement actions resulting in sanctions against auditing firms and individuals, and the total number of auditing firms and individuals who are the subject of pending but undisclosed disciplinary charges. Identifying the total number of pending and resolved enforcement actions, regardless of how the allegation was initially brought to the oversight board’s attention, would give the public critical information to evaluate the board’s enforcement program.
Thank you for your consideration of this comment. As the board implements its strategic plan and reforms the substance and format of its inspection reports, POGO hopes you will incorporate our recommendations, or provide an explanation in instances where you do not. The PCAOB plays an important role in protecting investors and furthering the public interest in the preparation of informative, accurate, and independent audit reports. POGO’s recommendations can help improve the quality and usefulness of the board’s inspection reports and better protect investors and the American economy.
J. Robert Brown Jr., Board Member
James G. Kaiser, Board Member
Duane M. DesParte, Board Member
Rebekah Goshorn Jurata, Board Member