he objective of the Sarbanes-Oxley Act of 2002 was to make registrant audit committees, corporate management and the auditing profession work together to mitigate the risk of catastrophic audit failures. But as an experienced auditor, I fear the current business and regulatory environment may hinder achieving that objective.
THE PCAOB ROLE
How does the PCAOB perceive its role? In April 2003 PCAOB Chairman William J. McDonough said the board’s job was to provide “guidance in a constructive manner and, when necessary, to be a tough overseer to protect the public’s interests” ( www.sec.gov/news/extra/mcdonough41503.htm ).
But I believe it’s important to strike the right balance between guidance and tough oversight. With a board and management consisting primarily of former regulators and staff of the SEC’s enforcement branch, the PCAOB has a clear bias toward oversight. The absence of members of the profession from senior positions on the board is evident but not surprising—the PCAOB was created in response to the profession’s audit failures.
The PCAOB made it clear the profession must regain the public’s confidence or face severe censure. But the board’s decision to use an inspection process to perform its oversight creates a high-risk environment for the profession. In a February 2004 speech at the Economic Club of Chicago, McDonough said the PCAOB inspection process would consist of reviews of audit engagements to ensure compliance with securities laws, the rules of the SEC and the PCAOB and the highest professional standards.
Unfortunately, experience shows this approach provided little assurance of mitigating the risk of audit failure. Even though such reviews were an integral part of the internal quality control programs of audit firms for years, they weren’t very effective in preventing audit failures. Why would the PCAOB’s experience be any different? When I visited the PCAOB several months ago and posed that question to George H. Diacont, the PCAOB’s director of registration and inspections, he answered, “We’ll do it better.”
I believe the problem with the inspection approach is that audit failures could occur in engagements not inspected. And in the post-Enron world another audit failure would be disastrous for the firm(s) responsible and for the profession. Such an outcome would benefit no one and irreparably harm many. With that specter in mind, it’s fair to ask whether ceding audit responsibility to a government agency is in the best interests of the investing public. There is an alternative, but before we consider it, examining the nature of audit failures may prove enlightening.
THE ROOT CAUSE OF AUDIT FAILURE
In addition some auditors’ skills are questionable. For example, WorldCom recorded millions of dollars in expenses in asset accounts without audit detection, and Healthsouth created income by manipulating its contractual allowance account. The inept auditing that failed to detect these violations was likely due to deficiencies in training, supervision and basic audit judgment. These examples confirm the findings of our study: Audit failures are due to systemic flaws in quality control programs. Logic suggests the inspection process must detect these flaws before they result in audit failures.
So, to identify the best inspection strategy for detecting systemic flaws in quality control systems, let’s compare the relative merits of engagement reviews and risk management reviews.
Furthermore, this approach provides assurance only with respect to engagements reviewed. The PCAOB would be exposed to criticism if an engagement not selected was subsequently found to be deficient. What if Enron’s audit hadn’t been selected?
RISK MANAGEMENT REVIEWS
Focus on systemic issues, the fundamental determinant of audit quality.
Be consistent with the spirit of Sarbanes-Oxley’s focus on internal control compliance. It is proactive, timely and collaborative, rather than reactive. Its objective is to build quality into the product. CPAs are expert at developing and reviewing internal quality control systems. They provide these services to their clients. Presumably they could create them internally. A detailed description of such a system is contained in my January 2003 JofA article (see “ Maintain Excellence, Cut Risk ,” page 75).
Provide a better return on time expended. Improving risk management heightens the quality of all audit engagements.
Be measurable, because compliance would be contemporaneously documented.
Actually work. At Coopers & Lybrand in the 1990s my colleagues and I adopted it after concluding engagement inspections weren’t providing enough quality assurance. We identified and examined each process that affected quality and then enhanced and integrated them into an overall, comprehensive risk management program. We also continuously monitored compliance and made it a major factor in determining partner compensation. An auditor who failed to comply with the firm’s quality control program faced possible termination.
Our total focus on audit quality produced impressive results. In 1996 and 1997 we terminated high-risk clients from which we had earned more than $30 million in fees. Because auditing these companies consumed disproportionate amounts of our time and effort, ending our relationships with them freed us to serve new, low-risk clients worth nearly $50 million in fees. That move paid off in other ways too. From 1996 to 1998 we had no significant audit failures, and none has emerged relative to that period. In addition, our enhanced economic performance reduced the pressure to generate fees, a factor that can jeopardize audit quality.
MAKE IT HAPPEN
Stop the finger-pointing, most of which is directed at the profession by SEC-registered public companies protesting the cost of complying with section 404 of Sarbanes-Oxley and by the PCAOB, which views the profession as a problem to be managed. It’s time for all concerned to cooperate.
Identify and promulgate quality-control best practices by forming—under the direction of the PCAOB—a committee of major and second-tier firm representatives charged with defining best practices every firm must adopt and developing criteria for measuring compliance.
Require that every audit firm develop an internal monitoring process acceptable to the PCAOB and that each firm’s CEO and senior management team attest to the results of the process.
Focus PCAOB oversight inspections on compliance and actions taken to correct control system deficiencies. The inspection process would continue to examine selected engagements, with an emphasis on determining compliance with quality control procedures as well as with GAAP and GAAS.
This approach would be substantive, cost-effective and easily understood by the investing public. It would capitalize on the profession’s expertise and enhance audit quality.
WORK WITH THE PCAOB
PATRICK J. McDONNELL is president and CEO of McDonnell Company, an audit committee member for two SEC-registered public companies and the author of Everybody Wants to Go to Heaven: 6 Steps to Organizational Excellence. He’s the former vice-chairman of business assurance at Coopers & Lybrand and partner and global director of assurance services at PricewaterhouseCoopers. His e-mail address is firstname.lastname@example.org .