PCAOB Proves It Has Teeth

While some companies are unfamiliar with the Public Company Accounting Oversight Board (PCAOB), PCAOB has recently been making its presence known. PCAOB is a private-sector nonprofit corporation created by the Sarbanes-Oxley Act of 2002 (SOX), whose stated purpose is to “oversee the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors … ” Section 101(a). Although some questioned whether PCAOB would ultimately have any real-world impact on accounting firms and the public issuers they audit, PCAOB has proven that it has the authority, ability and appetite to shape the heightened environment in which companies now operate following passage of SOX and its focus on restoring investor confidence in companies' financial reporting.

PCAOB's duties include:

• registering public accounting firms that prepare audit reports for issuers;
• establishing auditing, quality control, ethics, and independence standards;
• conducting inspections of the registered accounting firms; and
• enforcing compliance with the Sarbanes-Oxley Act, professional standards and the securities laws relating to the issuance of audit reports, including bringing disciplinary proceedings and imposing sanctions for violations. Section 101(c). Although it is too soon to know how aggressive PCAOB will be in enforcement, PCAOB has been extremely active since its conception in carrying out its registration, establishment of standards and inspection responsibilities.

Accounting Firms Flock to PCAOB Registration

All accounting firms that audit publicly held companies must register with the PCAOB. Section 102(a). So far more than 1300 firms have registered, including 465 non-U.S. firms. Moreover, PCAOB member Willis Gradison, stating that 80% of the registered firms had less than five issuer clients, with some having no public clients, predicted that PCAOB's standards will ultimately be applied to non-public companies as well as public companies. It is therefore far more likely than not that most companies' auditors are registered with, and so must abide by the standards of, PCAOB.

PCAOB Jumps into the Internal Control Fray

To date, PCAOB has established three auditing standards. PCAOB Auditing Standard 1, References in Auditors' Reports To the Standards of the Public Company Accounting Oversight Board, requires auditors' reports to state that the audit was conducted in accordance with the PCAOB standards, was approved by the Securities and Exchange Commission (SEC) on May 14, 2004 and was effective for audit reports issued after May 24, 2004. PCAOB Auditing Standard 3, Audit Documentation, addresses generation and retention of documents in an audit and review engagement, was approved by the SEC on Aug. 25, 2004, and is effective for audits of financial statements with respect to fiscal years ending on or after Nov. 15, 2004.

PCAOB Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, most directly impacts public companies. It addresses how auditing firms should audit management's assessment of the effectiveness of internal control over financial reporting, and requires that the internal control audit be integrated with the audit of financial statements. PCAOB Auditing Standard 2 builds on Section 404 of the Sarbanes-Oxley Act, which requires public company issuers to assess and document the issuer's internal control over financial reporting. This standard was approved by the SEC on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404, which for most companies is for the first fiscal year ending after Nov. 15, 2004. One of the most controversial provisions of PCAOB Auditing Standard 2 requires auditors to judge the effectiveness of a company's audit committee, and report problems with audit committees to the company's board of directors.

PCAOB also recently adopted amendments to its interim standards to conform the text to PCAOB Auditing Standard 2. The original interim standards were the auditing profession standards applicable prior to PCAOB's creation. The conforming amendments revise the interim standards regarding interim auditing, attestation, and independence, including instructions on performing integrated audits of financial statements and internal control. The conforming amendments also apply PCAOB Auditing Standard 2 concepts to circumstances in which an auditor is engaged solely to audit financial statements. These conforming amendments are pending approval by the SEC. If approved, the amendments affecting integrated audit standards would be effective on Nov. 15, 2004, and the amendments affecting audits of financial statements only would be effective for periods after July 15, 2005. The PCAOB standards have now become the standards applicable to accounting firms and the audit of public companies, ending the auditing profession's self-regulatory regime.

Commenting on PCAOB Auditing Standard 2, William McDonough, PCAOB Chairman, stated the standard “is one of the most important and far reaching auditing standards [PCAOB] will ever adopt” and testing and examining internal control in detail “will add an important protection for investors because solid internal controls are the first defense against misconduct and one of the most effective deterrents to fraud.”

Why is the adoption of PCAOB Auditing Standard 2, and its incorporation into PCAOB's interim standards, important to public companies? A company's testing of and resulting documentation of internal control over financial reporting will necessarily need to be more extensive than its auditors' testing, so that the company can adequately support its assessment of its internal control over financial reporting. In other words, not only must a company assess and document its internal control over financial reporting, but it must also be able to defend its findings to its accounting firm.

Perhaps more importantly, the SEC recently emphasized the importance it places on the internal control assessment and auditing. Donald T. Nicolaisen, Chief Accountant of the SEC, remarked on Sept. 14, 2004 that “the internal control requirements may have the largest effect on improving the accuracy and reliability of financial reporting,” considering it of such importance that he is “willing to defer other initiatives, at least temporarily, to ensure that management and their auditors put the appropriate emphasis on these requirements and to get them right the first time around.” Nicolaisen echoed these comments again on Oct. 7, 2004, stating that “the most urgent financial reporting challenge facing a large share of corporate America and the audit profession between now and year end” is “the requirement for management and a company's auditor to report on the existence and effectiveness of internal controls over financial reporting.” Issues that are of interest to the SEC ultimately become issues of great importance to public companies. The message to public companies is clear: If it has not already, management needs to immediately dedicate the resources and time required to accurately and completely assess and document the company's internal control over financial reporting, and be prepared for the accounting firm's internal control audit.

PCAOB's Inspections of the Big Four Lead to Restatements,
with Much Broader Inspections to Follow This Year

PCAOB must conduct yearly inspections of accounting firms that provide audit reports for more than 100 issuers and triennially inspections of accounting firms that provide audit reports for less than 100 issuers. Section 104(b). PCAOB only conducted limited inspections of the Big Four accounting firms in 2003. On Aug. 26, 2004, PCAOB released its reports on the inspections of Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, and PricewaterhouseCoopers LLP. Although the scope of those inspections (reviewing only 16 engagements for each accounting firm) was relatively limited compared to PCAOB's 2004 inspections now underway, the 2003 inspections of the Big Four did identify deficiencies, including failures to identify or address Generally Accepted Accounting Principles (GAAP) exceptions, numerous documentation deficiencies, and departures from PCAOB standards and the firms' quality control policies.

Moreover, the inspections led to eight Deloitte client restatements, three Ernst & Young client restatements, seven KPMG client restatements and three PricewaterhouseCoopers client restatements. All but one of these restatements were made due to a misinterpretation of Emerging Issues Task Force (EITF) 95-22, dealing with the classification of long-term debt, following PCAOB's identification of the EITF 92-22 issue during the inspections. One KPMG client restated its financials following PCAOB's determination that an accrual did not meet the definition of a liability under Statement of Financial Accounting Standards No. 5, but only after KPMG and PCAOB failed to reconcile their views on this issue, the issuer consulted with the SEC (which concurred with the initial accounting), and the issuer ultimately determined to restate on a different basis.

Therefore, of the 64 total engagements reviewed by PCAOB, one-third of those clients restated their financial statements as a result of the PCAOB inspection. It is certainly possible, if not probable, that as PCAOB broadens the scope of its investigation, widening the number of accounting firms inspected and number of engagements reviewed, PCAOB inspections will lead to numerous restatements by issuers. It is also possible that PCAOB will identify other accounting principles, like EITF 95-22, that have been incorrectly interpreted and applied by issuers and accounting firms, leading to further restatements. The detrimental consequences of a restatement for companies, of course, are often a stock price drop, a call from the SEC, and the filing of numerous class action securities fraud actions.

Although PCAOB reports do not identify the issuers in question, they do discuss observations arising out of the review of specific audit engagements. PCAOB's Statement Concerning The Issuance of Inspection Reports confirms that when PCAOB identifies possible departures from GAAP in an issuer's financial statements, PCAOB “will encourage the firm to consider the issue and to review it with the audit client.” If, however, “it appears to [PCAOB] that the departure is material to the issuer's financial statements, [PCAOB]…will report the information to the [SEC],” because the SEC “has authority to prescribe the form and content of an issuer's financial statements, has direct authority with respect to issuers, and has long-established processes for addressing issuers' accounting practices.” Based on its comments, therefore, PCAOB sees itself as an important referral source to the over-worked SEC where PCAOB perceives there to be material misstatements of financial statements.

This year, PCAOB is inspecting nine accounting firms, including the Big Four and BDO Seidman, Crowe Chizek, Grant Thornton and RSM McGladrey. George Diacont, PCAOB's director of inspections and registration, confirmed that PCAOB would review an aggregate of approximately 500 engagements during its 2004 inspections. Diacont also stated that the PCAOB is “focusing on big-ticket items like fraud and adequate documentation.” PCAOB's stated focus on fraud indicates that it takes its role in protecting investors and restoring confidence in the integrity of the markets seriously, and sees itself working hand in hand with the SEC to further that goal. In public statements, the SEC has also referred to its “productive working relationship with the PCAOB.” Companies should not underestimate this connection between PCAOB and the SEC.

PCAOB's Future Direction

In addition to commencing a full-scale inspection program, PCAOB intends to enlarge its investigation and enforcement division, whose staff is currently much smaller than in its inspection division. PCAOB's Web site contains the “PCAOB Center for Enforcement Tips, Complaints and Other Information,” which encourages users to provide “any other information that may assist the PCAOB in carrying out its mission.” PCAOB's rules require accounting firms to cooperate with PCAOB investigations, and PCAOB has stated that it will demand cooperation from accounting firms much as the SEC does from public companies, and will bring lawsuits against accounting firms for non-cooperation. Of more importance to public companies, the PCAOB rules also permit PCAOB to seek information from other persons or entities during their investigations, including clients of registered accounting firms. Given its public statements regarding enforcement and its stance thus far, PCAOB likely will diligently carry out its enforcement duties.

In April 2004, PCAOB established a thirty-member Standing Advisory Group, consisting of persons with expertise in accounting, auditing, corporate finance, corporate governance, and investing in public companies, to assist with PCAOB's standards-setting duties. At least one member of the Standing Advisory Group, Cynthia Richson, the Corporate Governance Officer for the Ohio Public Employees Retirement System, stated in public comments that stricter auditor independence rules should be adopted, especially in the area of auditors providing tax advice. Richson also believes that the Sarbanes-Oxley Act requirement of rotating lead auditing partners every 5 years is not stringent enough, and advocates that companies be required to change auditing firms every few years. Whether PCAOB considers standards along these lines in the future remains to be seen. What is assured is that public companies should stay abreast of PCAOB actions, as PCAOB has proven that it does, and will, have a real impact on public companies and their accounting firms.

While some companies are unfamiliar with the Public Company Accounting Oversight Board (PCAOB), PCAOB has recently been making its presence known. PCAOB is a private-sector nonprofit corporation created by the Sarbanes-Oxley Act of 2002 (SOX), whose stated purpose is to “oversee the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors … ” Section 101(a). Although some questioned whether PCAOB would ultimately have any real-world impact on accounting firms and the public issuers they audit, PCAOB has proven that it has the authority, ability and appetite to shape the heightened environment in which companies now operate following passage of SOX and its focus on restoring investor confidence in companies' financial reporting.

PCAOB's duties include:

• registering public accounting firms that prepare audit reports for issuers;
• establishing auditing, quality control, ethics, and independence standards;
• conducting inspections of the registered accounting firms; and
• enforcing compliance with the Sarbanes-Oxley Act, professional standards and the securities laws relating to the issuance of audit reports, including bringing disciplinary proceedings and imposing sanctions for violations. Section 101(c). Although it is too soon to know how aggressive PCAOB will be in enforcement, PCAOB has been extremely active since its conception in carrying out its registration, establishment of standards and inspection responsibilities.

Accounting Firms Flock to PCAOB Registration

All accounting firms that audit publicly held companies must register with the PCAOB. Section 102(a). So far more than 1300 firms have registered, including 465 non-U.S. firms. Moreover, PCAOB member Willis Gradison, stating that 80% of the registered firms had less than five issuer clients, with some having no public clients, predicted that PCAOB's standards will ultimately be applied to non-public companies as well as public companies. It is therefore far more likely than not that most companies' auditors are registered with, and so must abide by the standards of, PCAOB.

PCAOB Jumps into the Internal Control Fray

To date, PCAOB has established three auditing standards. PCAOB Auditing Standard 1, References in Auditors' Reports To the Standards of the Public Company Accounting Oversight Board, requires auditors' reports to state that the audit was conducted in accordance with the PCAOB standards, was approved by the Securities and Exchange Commission (SEC) on May 14, 2004 and was effective for audit reports issued after May 24, 2004. PCAOB Auditing Standard 3, Audit Documentation, addresses generation and retention of documents in an audit and review engagement, was approved by the SEC on Aug. 25, 2004, and is effective for audits of financial statements with respect to fiscal years ending on or after Nov. 15, 2004.

PCAOB Auditing Standard 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, most directly impacts public companies. It addresses how auditing firms should audit management's assessment of the effectiveness of internal control over financial reporting, and requires that the internal control audit be integrated with the audit of financial statements. PCAOB Auditing Standard 2 builds on Section 404 of the Sarbanes-Oxley Act, which requires public company issuers to assess and document the issuer's internal control over financial reporting. This standard was approved by the SEC on June 17, 2004, and is effective for audits of internal control over financial reporting required by Section 404, which for most companies is for the first fiscal year ending after Nov. 15, 2004. One of the most controversial provisions of PCAOB Auditing Standard 2 requires auditors to judge the effectiveness of a company's audit committee, and report problems with audit committees to the company's board of directors.

PCAOB also recently adopted amendments to its interim standards to conform the text to PCAOB Auditing Standard 2. The original interim standards were the auditing profession standards applicable prior to PCAOB's creation. The conforming amendments revise the interim standards regarding interim auditing, attestation, and independence, including instructions on performing integrated audits of financial statements and internal control. The conforming amendments also apply PCAOB Auditing Standard 2 concepts to circumstances in which an auditor is engaged solely to audit financial statements. These conforming amendments are pending approval by the SEC. If approved, the amendments affecting integrated audit standards would be effective on Nov. 15, 2004, and the amendments affecting audits of financial statements only would be effective for periods after July 15, 2005. The PCAOB standards have now become the standards applicable to accounting firms and the audit of public companies, ending the auditing profession's self-regulatory regime.

Commenting on PCAOB Auditing Standard 2, William McDonough, PCAOB Chairman, stated the standard “is one of the most important and far reaching auditing standards [PCAOB] will ever adopt” and testing and examining internal control in detail “will add an important protection for investors because solid internal controls are the first defense against misconduct and one of the most effective deterrents to fraud.”

Why is the adoption of PCAOB Auditing Standard 2, and its incorporation into PCAOB's interim standards, important to public companies? A company's testing of and resulting documentation of internal control over financial reporting will necessarily need to be more extensive than its auditors' testing, so that the company can adequately support its assessment of its internal control over financial reporting. In other words, not only must a company assess and document its internal control over financial reporting, but it must also be able to defend its findings to its accounting firm.

Perhaps more importantly, the SEC recently emphasized the importance it places on the internal control assessment and auditing. Donald T. Nicolaisen, Chief Accountant of the SEC, remarked on Sept. 14, 2004 that “the internal control requirements may have the largest effect on improving the accuracy and reliability of financial reporting,” considering it of such importance that he is “willing to defer other initiatives, at least temporarily, to ensure that management and their auditors put the appropriate emphasis on these requirements and to get them right the first time around.” Nicolaisen echoed these comments again on Oct. 7, 2004, stating that “the most urgent financial reporting challenge facing a large share of corporate America and the audit profession between now and year end” is “the requirement for management and a company's auditor to report on the existence and effectiveness of internal controls over financial reporting.” Issues that are of interest to the SEC ultimately become issues of great importance to public companies. The message to public companies is clear: If it has not already, management needs to immediately dedicate the resources and time required to accurately and completely assess and document the company's internal control over financial reporting, and be prepared for the accounting firm's internal control audit.

PCAOB's Inspections of the Big Four Lead to Restatements,
with Much Broader Inspections to Follow This Year

PCAOB must conduct yearly inspections of accounting firms that provide audit reports for more than 100 issuers and triennially inspections of accounting firms that provide audit reports for less than 100 issuers. Section 104(b). PCAOB only conducted limited inspections of the Big Four accounting firms in 2003. On Aug. 26, 2004, PCAOB released its reports on the inspections of Deloitte & Touche LLP, Ernst & Young LLP, KPMG LLP, and PricewaterhouseCoopers LLP. Although the scope of those inspections (reviewing only 16 engagements for each accounting firm) was relatively limited compared to PCAOB's 2004 inspections now underway, the 2003 inspections of the Big Four did identify deficiencies, including failures to identify or address Generally Accepted Accounting Principles (GAAP) exceptions, numerous documentation deficiencies, and departures from PCAOB standards and the firms' quality control policies.

Moreover, the inspections led to eight Deloitte client restatements, three Ernst & Young client restatements, seven KPMG client restatements and three PricewaterhouseCoopers client restatements. All but one of these restatements were made due to a misinterpretation of Emerging Issues Task Force (EITF) 95-22, dealing with the classification of long-term debt, following PCAOB's identification of the EITF 92-22 issue during the inspections. One KPMG client restated its financials following PCAOB's determination that an accrual did not meet the definition of a liability under Statement of Financial Accounting Standards No. 5, but only after KPMG and PCAOB failed to reconcile their views on this issue, the issuer consulted with the SEC (which concurred with the initial accounting), and the issuer ultimately determined to restate on a different basis.

Therefore, of the 64 total engagements reviewed by PCAOB, one-third of those clients restated their financial statements as a result of the PCAOB inspection. It is certainly possible, if not probable, that as PCAOB broadens the scope of its investigation, widening the number of accounting firms inspected and number of engagements reviewed, PCAOB inspections will lead to numerous restatements by issuers. It is also possible that PCAOB will identify other accounting principles, like EITF 95-22, that have been incorrectly interpreted and applied by issuers and accounting firms, leading to further restatements. The detrimental consequences of a restatement for companies, of course, are often a stock price drop, a call from the SEC, and the filing of numerous class action securities fraud actions.

Although PCAOB reports do not identify the issuers in question, they do discuss observations arising out of the review of specific audit engagements. PCAOB's Statement Concerning The Issuance of Inspection Reports confirms that when PCAOB identifies possible departures from GAAP in an issuer's financial statements, PCAOB “will encourage the firm to consider the issue and to review it with the audit client.” If, however, “it appears to [PCAOB] that the departure is material to the issuer's financial statements, [PCAOB]…will report the information to the [SEC],” because the SEC “has authority to prescribe the form and content of an issuer's financial statements, has direct authority with respect to issuers, and has long-established processes for addressing issuers' accounting practices.” Based on its comments, therefore, PCAOB sees itself as an important referral source to the over-worked SEC where PCAOB perceives there to be material misstatements of financial statements.

This year, PCAOB is inspecting nine accounting firms, including the Big Four and BDO Seidman, Crowe Chizek, Grant Thornton and RSM McGladrey. George Diacont, PCAOB's director of inspections and registration, confirmed that PCAOB would review an aggregate of approximately 500 engagements during its 2004 inspections. Diacont also stated that the PCAOB is “focusing on big-ticket items like fraud and adequate documentation.” PCAOB's stated focus on fraud indicates that it takes its role in protecting investors and restoring confidence in the integrity of the markets seriously, and sees itself working hand in hand with the SEC to further that goal. In public statements, the SEC has also referred to its “productive working relationship with the PCAOB.” Companies should not underestimate this connection between PCAOB and the SEC.

PCAOB's Future Direction

In addition to commencing a full-scale inspection program, PCAOB intends to enlarge its investigation and enforcement division, whose staff is currently much smaller than in its inspection division. PCAOB's Web site contains the “PCAOB Center for Enforcement Tips, Complaints and Other Information,” which encourages users to provide “any other information that may assist the PCAOB in carrying out its mission.” PCAOB's rules require accounting firms to cooperate with PCAOB investigations, and PCAOB has stated that it will demand cooperation from accounting firms much as the SEC does from public companies, and will bring lawsuits against accounting firms for non-cooperation. Of more importance to public companies, the PCAOB rules also permit PCAOB to seek information from other persons or entities during their investigations, including clients of registered accounting firms. Given its public statements regarding enforcement and its stance thus far, PCAOB likely will diligently carry out its enforcement duties.

In April 2004, PCAOB established a thirty-member Standing Advisory Group, consisting of persons with expertise in accounting, auditing, corporate finance, corporate governance, and investing in public companies, to assist with PCAOB's standards-setting duties. At least one member of the Standing Advisory Group, Cynthia Richson, the Corporate Governance Officer for the Ohio Public Employees Retirement System, stated in public comments that stricter auditor independence rules should be adopted, especially in the area of auditors providing tax advice. Richson also believes that the Sarbanes-Oxley Act requirement of rotating lead auditing partners every 5 years is not stringent enough, and advocates that companies be required to change auditing firms every few years. Whether PCAOB considers standards along these lines in the future remains to be seen. What is assured is that public companies should stay abreast of PCAOB actions, as PCAOB has proven that it does, and will, have a real impact on public companies and their accounting firms.