Examining the POGO Report and Other Matters
It’s been twenty years since the Public Company Oversight Board (PCAOB) was created by the Sarbanes Oxley Act of 2002 (SOX). This is a good time to evaluate the mandate given to the board, it’s work during that period, and whether it is protecting the public interest.
One way to evaluate the work of the PCAOB is to examine the audit deficiencies identified in the inspection reports issued by the board. The board doesn’t inspect all public companies as that would be a daunting task. Instead, it looks for audits with a likelihood that material misstatements in the financial statements exist.
Protecting the Public Interest
Prior to forming the PCAOB, inspections of audits by accounting firms were conducted under a peer review system. Here, one firm would examine selected audits of other firms and issue an opinion. From the beginning, this system was flawed because firms were reluctant to point out deficiencies in their audits of other firms because those firms might wind up auditing the former.
The PCAOB was established as an independent agency answerable to the SEC. The impetus behind Congress’s forming the PCAOB through SOX was to respond to many accounting scandals in the early 2000s.
Has the PCAOB met its mandate? The answer is ‘yes’ and ‘no.’ While it’s fashionable to criticize the PCAOB, in part due to the continuing high level of reported audit deficiencies, the fact is the deficiency rate has been coming down in recent years. More about that later.
What Do the Inspections Show?
Deficiencies identified by the PCAOB fall into two categories as follows.
Part I—Inspection Observations
Part IA: Deficiencies that were of such significance that the board believes the firm, at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion on the issuer’s financial statements and/or internal control over financial reporting (ICFR).
Part IB: Deficiencies that do not relate directly to the sufficiency or appropriateness of evidence the firm obtained to support its opinion(s) but nevertheless relate to instances of non-compliance with PCAOB standards or rules.
Part II— Observations Related to Quality Control
Criticisms of, or potential defects in, the firm’s system of quality control. Notably, Section 104(g)(2) of SOX restricts the board from publicly disclosing Part II deficiencies unless the firm does not address the criticisms of potential defects to the board’s satisfaction no later than 12 months after the issuance of the inspection report.
It should be noted that the firm whose audits are being inspected has an opportunity to respond to a draft of the inspection report, excluding any portion granted confidential treatment.
One criticism of this system is to ask: Why should accounting firms have an extra year to improve their system of quality control before the PCAOB’s evaluation is made public? Don’t the deficiencies relate to specific audits inspected in a specific time-period? Determining whether to disclose in a prospective manner harms the public interest because investors have a right to know about these deficiencies right away, not after they may (or may not) have been corrected. Timeliness is the key.
The Project on Government Oversight (POGO) reviewed PCAOB annual inspection reports on the U.S. Big Four audit firms. On September 15, 2019, POGO published, an-depth investigative report, “How an Agency You’ve Never Heard of is Leaving the Economy at Risk.” The report notes that, since the PCAOB’s inception, its inspection reports have noted 808 instances in which audits performed by the U.S. Big Four were so deficient that the audit firm should not have certified a company’s financial statements and/or ICFR (i.e., rendered a clean audit opinion). The 808 was based on issuer audits listed in Part IA.
The stunning part is that the PCAOB took enforcement action in only 21 of these instances. With respect to individual fines, which the board is empowered to levy on members of accounting firm management who fail to reasonably supervise lower-level employees who violate audit rules, the PCAOB imposed a total of only $410,000. As POGO points out, that is less money than one partner at a Big Four firm can earn in one year.
The POGO report also notes that in more than 16 years (2002-2018), the PCAOB has levied less than one-half of 1 percent of the fines that it could have imposed on Big Four firms based on its findings of defective audits. This amounts to a total of $6.5 million in fines, rather than the $1.6 billion that were warranted, according to POGO. It also notes that the Big Four firms had $148.2 billion in combined global revenue in fiscal year 2018, obviously showing the fines were a ‘drop in the bucket.’
These results make it seem as though the PCAOB has been too lenient, at least with respect to the Big Four. However, when we examine the trend in audit deficiency rates, it does appear that the firms are starting to learn their lesson and the percentage of deficient audits is coming down. Just consider the following results of audit deficiencies noted in inspection reports (Part I).
The deficiency rates for 2018-20 were:
2018 2019 2020
Deloitte 11.5% 10.3% 3.8%
Ernst & Young 25.9% 18.0% 15.4%
KPMG 36.5% 29.0% 26.0%
PwC 25.5% 30.0% 1.9%
It does seem somewhat unbelievable that Deloitte and PwC’s deficiency rate for 2020 is so low compared to previous quarters. Nevertheless, it’s clear that there is a downward trend in audit deficiencies for all the Big Four and the PCAOB should be given some credit for that result.
It’s also reasonable to conclude that audit quality has improved, a key factor in determining whether the audit was conducted in accordance with appropriate standards and sufficient evidence was gathered and analyzed to render an audit opinion that the financial statements are free from material misstatements.
Administrative Concerns About PCAOB
In addition to its mandate to identify deficiencies in audit reports, the PCAOB has been criticized for its revolving door approach to membership on the board and a recent scandal where a former staffer joined KPMG ostensibly to find out which audits would be inspected by PCAOB.
POGO points out that a systemic conflict-of-interest problem exists, which is that SEC executive staff and PCAOB inspectors largely come from the Big Four. Moreover, in its report POGO found that more than 40 percent of PCAOB employees had worked for the Big Four. Also, more than 160 people working for the Big Four had previously worked for the PCAOB.
This revolving door phenomenon creates doubt that the PCAOB is protecting the public interest. Just ask yourself: Would it be a problem (i.e., is the public interest was not being served) if 40 percent of employees of the Internal Revenue Service leave it and join your firm? On the surface you might say ‘no.’ However, the appearance of a potential conflict-of-interest exists and that in and of itself violates ethical standards.
In my mind, one reason so many people question the validity and usefulness of the PCAOB is a relationship that existed between PCAOB and KPMG. On January 22, 2018, it was announced that a former PCAOB staffer, Brian Sweet, who was hired by KPMG in 2015, leaked confidential information about PCAOB's plans to audit the company. Most of the leaked information concerned which audit engagements the PCAOB planned to inspect, the criteria it was using to select engagements for inspection, and on what these inspections would focus. This gave the firm “inside information” that it could use to clean up some of the audits, such as improve the quality of their workpapers, that otherwise masked audit deficiencies.
There is little doubt that the hiring of Sweet and another PCAOB staffer by KPMG was motivated by the extraordinarily high rate of audit deficiencies dating back to at least 2016 (43% deficiencies) and 2017 (50% deficiencies), and, of course, the period of 2018-2020 reported above.
The bottom line is the jury is still out about whether the PCAOB is living up to all that was expected of it when it was formed by SOX. The downward trend of audit deficiencies is a positive sign and provides hope that the public will be able to rely on the accuracy of audits and the “reasonable assurance” audit opinion to inform their investment decisions.
On the other hand, the PCAOB should consider, with the support of the SEC, divulging more information in its inspections reports to the public, especially as it relates to ICFR. The internal controls are the backbone of a quality audit and more should be said publicly about it in PCAOB inspection reports. In particular, the disclosure of Part II deficiencies should be liberalized and treated more like Part I deficiencies.
Finally, let’s not throw out the baby out with the bath water.
Blog posted by Dr. Steven Mintz, The Ethics Sage, on February 1, 2022. You can sign up for his newsletter and learn more about his activities at: https://www.stevenmintzethics.com/. Follow him on Facebook at: https://www.facebook.com/StevenMintzEthics and on Twitter at: https://twitter.com/ethicssage.