The state of audit quality is strong—and getting stronger. Annual tallies of financial restatements have dropped dramatically from post—Sarbanes-Oxley Act of 2002 peaks and have held steady at lower levels for several years, according to the Audit Analytics report “2014 Financial Statement Restatements” by Don Whalen, Olga Usvyatsky, and Dennis Tanona. At the same time, investor confidence in the U.S. capital markets, audited financial statements, and public company auditors remains robust, as indicated by the Center for Audit Quality’s (CAQ) 2015 Main Street Investor Survey. Commenting on these developments, SEC Chair Mary Jo White recently stated that “the positive signs are attributable, at least in part, to improvements in audit quality and the enhanced role that auditors generally now discharge in providing an essential check in the financial reporting process” (“Maintaining High-Quality, Reliable Financial Reporting: A Shared and Weighty Responsibility,” keynote address, 2015 AICPA National Conference).
Improvements in audit quality go hand in hand with efforts to enhance auditor communication and transparency. The auditing profession continues to work constructively with policy makers and partners to respond to audit committees’, investors’, and other stakeholders’ increasing interest in gaining greater insight into the audit process. In multiple areas related to auditor communication, the profession has stayed proactive and has endeavored to find practical approaches that work in today’s global markets. It has been highly mindful of the risk of policies that might produce disclosure overload, a “check-the-box” mentality, or disclosure for disclosure’s sake. Capital markets cannot function without good information—information that is accurate, tailored, timely, and meaningful—and this proposition holds as true in the audit context as anywhere else.
Developing Audit Quality Indicators
The global push to develop audit quality indicators (AQI) provides an excellent example of striving for a workable approach to effective auditor communication. Policymakers have been particularly active in this area—for example, in 2015, two years after announcing it would pursue a project to define key elements of audit quality, the PCAOB issued a concept release seeking public comment on 28 potential quantitative AQIs, including more than 70 illustrative calculations. [Regulators and professional bodies overseas have also been active: the International Auditing and Assurance Standards Board (IAASB) has published “A Framework for Audit Quality,” and Singapore issued its “Audit Quality Indicators Disclosure Framework.”]
Improvements in audit quality go hand in hand with efforts to enhance auditor communication and transparency.
Leveraging perspectives from an AQI stakeholder advisory panel formed in 2012, the CAQ published its “Approach to Audit Quality Indicators” in April 2014. The report identified a set of potential AQIs and a strategy for communicating them. In an effort completed in the first quarter of 2015, CAQ member firms (30 issuers and 10 audit firms of varying sizes) tested the approach and provided feedback on the efforts required to collect AQI information. This also generated feedback from audit committees on the usefulness of the proposed AQIs in fulfilling their oversight responsibilities.
The pilot testing was illuminating: the results validated some aspects of the CAQ approach but also showed where more work is needed. To further evaluate the approach, the CAQ convened a series of roundtable discussions with audit committee members in Chicago, New York, London, and Singapore in summer 2015. There, participants shared their views on the potential benefits and challenges of identifying and developing a set of AQIs.
Key findings from the roundtables included the following (“Audit Quality Indicators: Journey and Path Ahead,” CAQ, January 2016):
- Participants expressed desire for information that can assist audit committees in assessing an audit’s more qualitative aspects (e.g., an engagement team having the right mind-set to bring forth professional skepticism and auditor judgment).
- Audit committee members recognized that AQIs can help them oversee the quality of their external audit, even if this is just one aspect of quality financial reporting.
- Most participants endorsed a flexible approach that would allow an audit committee, working with the external auditor, to tailor the selection and portfolio of AQIs to best suit specific information needs. They agreed that the process of identifying and evaluating AQIs will require continuous assessment and refinement in order to meet audit committees’ changing information needs.
- While supporting the concept of AQIs, some roundtable participants said they already have the tools necessary to gauge the quality of their audit.
- Audit committee members agreed that AQIs alone—without the context that comes from a dialogue with the engagement team—cannot adequately communicate the factors relevant to any particular audit engagement or audit firm.
- Audit committee members expressed concerns that public disclosure of engagement-level AQIs could lead to unintended consequences. A strong consensus emerged that any disclosures of engagement-level AQI information should be voluntary.
Despite this progress, further dialogue and collaboration are required to determine an approach to audit quality that works for all stakeholders.
Enhancing Audit Committee Disclosure
As illustrated by the discussion around AQIs, the audit committee has become a hub for key activity related to the financial reporting process. Recognizing the importance of strong audit committees, regulators have shown increasing interest in their work—for example, the PCAOB has conducted outreach to audit committees, including its Audit Committee Dialogue project, launched in May 2015 (http://pcaobus.org/sites/digitalpublications/audit-committee-dialogue). Two months later, the SEC published a concept release seeking public comment on possible revisions to audit committee reporting requirements, focusing on the audit committee’s oversight of independent auditors.
The profession in recent years has made the case that the best route to promote informative and relevant audit committee disclosures is through a voluntary, market-driven approach. In a comment letter on the SEC’s concept release, the CAQ cited the continuing positive trend of enhanced audit committee disclosures, pointing to encouraging findings from the 2015 edition of the Audit Committee Transparency Barometer, an annual publication by the CAQ and Audit Analytics. Among other findings, it showed that, in 2015, 25% of Standard & Poor’s (S&P) 500 companies had enhanced discussion of the audit committee’s considerations in recommending the appointment of the audit firm, up from 13% in 2014.
As illustrated by the discussion around AQIs, the audit committee has become a hub for key activity related to the financial reporting process. Recognizing the importance of strong audit committees, regulators have shown increasing interest in their work.
As efforts around audit committee disclosure continue in 2016, all must keep abreast of these positive trends. Imposing prescriptive requirements could stifle innovation and interfere with the progress being made.
Updating the Auditor’s Report
Standards setters have also been actively trying to update the auditor’s report. Presently, the PCAOB is working on reproposals for its project and anticipates issuing one focused on disclosure of “critical audit matters” in 2016. A recommendation for changes related to the auditor’s responsibility over “other information” is also expected this year. Meanwhile, the IAASB has finalized its revised rules (effective for 2016 audits). In addition, the new U.K. auditor reporting requirements have been in place for more than two years. As noted recently by PCAOB Chairman James Doty, these rules “have brought new relevance to the audit” (http://pcaobus.org/News/Speech/Pages/Doty-AICPCA-2015-keynote.aspx).
The U.S. auditing profession has provided substantial input to help inform the policy process around the auditor’s report. This has included multiple comment letters with concrete suggestions for a workable approach, as well as findings from a comprehensive initiative that field-tested the critical audit matters included in the PCAOB’s 2013 proposal on the auditor’s reporting model. Throughout this work, the CAQ has emphasized several principles that should guide changes in this area. For example, it has stressed that auditors should not be the original source of information about a company’s financial statements and other financial information or its system of internal control over financial reporting (ICFR); the responsibility to consider such information for disclosure belongs squarely to company management.
Of course, given the activity of policy makers worldwide on this issue and the increasingly global nature of economies and markets, international coordination and regulations that work across borders are key to updating the auditor’s report.
The continuous evolution of cybersecurity has implications for public company auditors.
Audits Related to ICFR
ICFR audits represent another area that demands coordination among stake-holders. The PCAOB has repeatedly expressed concerns about the number and significance of deficiencies identified in firms’ ICFR audits. Many of the board’s recent inspection findings focus on an auditor’s failure to provide persuasive evidence that ICFR is operating effectively.
ICFR audits are a multifaceted challenge, and robust communication is an essential part of effective execution. To enhance their ICFR audit work, auditors must communicate successfully with management and internal audit, working to identify a set of controls that are properly responsive to audit risk. Auditors also must maintain an active dialogue with regulators. To this end, the CAQ has established an ICFR task force that engages in discussions with the PCAOB and SEC.
The centrality of audit committees is also evident here, as regulators have stressed. “I strongly encourage regular discussions among management, auditors, and audit committees on existing and emerging issues in assessments of ICFR,” said SEC Deputy Chief Accountant Brian Croteau. “After all, ICFR is an area subject to audit committee oversight as part of its financial reporting oversight responsibilities” (AICPA National Conference on Current SEC and PCAOB Developments, December 2015, http://www.sec.gov/news/speech/croteau-2015-aicpa.html).
Future Challenges and Opportunities
As an indispensable part of today’s dynamic financial system—with change driven by innovation, technological advances, evolving investor needs, and emerging business practices and challenges—auditors must respond to market developments, adapting as necessary and communicating with stakeholders to ensure clarity on roles and responsibilities. One especially important issue is cybersecurity; educating the public on the auditor’s role with respect to cyber-security should be one of the profession’s priorities.
When performing a mandated audit, an auditor must obtain an understanding of how the company uses information technology (IT), the effect of IT on the financial statements, and the extent of the company’s automated controls (as they relate to financial reporting). When a cyber-breach occurs, the external auditor must assess its potential impact on financial reporting and ICFR, including management’s financial statement disclosures. (For more information, see the CAQ resource, “Understanding Cybersecurity and the External Audit,” http://bit.ly/20BOgSB.)
The continuous evolution of cybersecurity has implications for public company auditors. Separate and apart from a mandated audit, audit firms can be a valuable resource for attestation services related to cybersecurity. These services could include providing independent insights to management, the audit committee, and others charged with governance. Working closely with the AICPA, which is currently updating the existing framework of attestation standards to accommodate auditor work in this area, the CAQ is exploring auditor assurance services around cybersecurity. These services have great potential to benefit investors, audit committees, and other stakeholders.
To echo SEC Chair White once more, auditors provide an essential check in the financial reporting process. The initiatives discussed above are several among many that promise to strengthen and enhance that role.