Introduction[1]
Good morning. I’m Paul Munter, Chief Accountant for the Office of the Chief Accountant at the U.S. Securities and Exchange Commission (“Commission”). Thank you for giving me the opportunity to speak with you today.
Let me start by saying that my remarks today are provided in my official capacity as the Commission’s Chief Accountant and do not necessarily reflect the views of the Commission, the Commissioners, or other members of the SEC staff.
I should also note that I am here today wearing some other hats as well. As many of you know, I serve as the Chair of the Monitoring Group which oversees the international audit, assurance, ethics and independence standard setting system. The Monitoring Group is committed to advancing the public interest in international audit-related standard-setting and improving audit quality.[2] In that regard, the International Forum of Independent Audit Regulators (“IFIAR”) is an [incredibly] important member of the Monitoring Group, and I have greatly valued IFIAR’s collaboration and engagement as we work to drive improvements in the standard-setting system for the benefit of investors and other stakeholders.[3]
I also serve as the Chair of the International Organization of Securities Commissions’s (“IOSCO”) Committee on Issuer Accounting, Audit and Disclosure, which also focuses on the quality of international audit, assurance, ethics and independence standards as well as the quality of financial reporting and corporate reporting standards.[4]
Stage Setter
History of Public Company Accounting Oversight Board (“PCAOB”) Creation and Why
As this is a conference organized by the PCAOB, I’d like to start today with a bit of history about the creation and work of the PCAOB. Prior to the establishment of the PCAOB, the public company auditing profession in the U.S. was self-regulated under a peer review system. Through the audit profession’s trade association, the American Institute of Certified Public Accountants, audit practitioners wrote their own rules and inspected each other through a peer-review program. Public company auditors were, however, and still are subject to enforcement actions by the SEC.[5] Importantly, the rules of the road for conducting an audit were basically the same for both public company and private company audits.[6]
In the wake of the accounting and auditing scandals of Enron, Worldcom and a number of others in the late 1990s and early 2000s, Congress moved swiftly to enact the Sarbanes Oxley Act of 2002 (SOX) which provided for the creation of the PCAOB to regulate the public company auditing profession.[7] SOX also dictated that the PCAOB was subject to oversight from the Securities and Exchange Commission.[8] One of the Commission’s core responsibilities with respect to the PCAOB is the consideration and approval of PCAOB standards and rules prior to them becoming effective.[9]
In SOX and the Dodd-Frank Act, which extended the PCAOB’s responsibilities to oversight of the audits of registered broker-dealers,[10] Congress communicated that the role that public company auditors play in the U.S. capital markets is too important and investor confidence in the quality of the auditor’s work required independent standard-setting and oversight to hold public company auditors to the standards of audit quality appropriate for their important gatekeeper responsibilities.
In hindsight, it is clear that appropriate positive externalities did not exist in the legacy self-regulatory regime to combat the risks to audit quality leading Congress to conclude that independent regulation of the profession was needed to create the positive externalities and incentives to promote auditor behavior fitting a public interest profession.[11]
SOX granted the PCAOB standard-setting and rule-making authority, including with respect to quality control and audit performance standards,[12] subject to SEC oversight. One of the Commission’s primary oversight responsibilities with respect to the PCAOB is to consider, and, where appropriate, approve PCAOB standards and rules.[13] SOX also requires the PCAOB to pursue inspection and enforcement programs, which are necessary for the PCAOB to be able to hold auditors accountable for the protection of investors.[14]
The PCAOB’s standards drive everything an auditor does; it’s the playbook so to speak. It is what the Board’s inspectors inspect against and what the Board’s enforcers enforce against. Thus, independence in standard-setting is paramount, to avoid conflicts of interest and ensure the needs of all the stakeholders are met. Without robust standards, the other two prongs – inspections and enforcement – have limited effectiveness.
The importance of high quality PCAOB standards to the Commission’s enforcement program as it relates to auditor misconduct has become much clearer to me during my time at the Commission.[15] As Chair of the Monitoring Group, I am very proud of the improvements that have been made to the international audit, assurance, ethics and independence standard setting system, which have significantly enhanced the independence and public interest accountability of the International Auditing and Assurance Standards Board (“IAASB”) and the International Ethics Standards Board for Accountants (“IESBA”). But, as we all know, the quality of the standard-setting process is enhanced by the quality and quantity of the input that the standard-setters receive.
So let me take this opportunity to call on you all to make sure that you participate in the standard-setting process and make your voices heard where you see the need for improvements in standards that can make your inspection and enforcement remits more effective. I know this is a goal shared by IOSCO and IFIAR, and I greatly appreciate our collaborative efforts and information sharing in this regard.
The PCAOB Board under Chair William’s leadership has recognized the foundational importance of standard-setting and prioritized it from Day 1.[16] What the PCAOB has accomplished over the past three years to update critically outdated U.S. public company audit standards that were holdovers from the AICPA, pre-SOX era, was necessary and long overdue and is critical in creating those positive incentives to promote audit quality and, in many respects, to catch up with, and where appropriate, improve upon the work of the IAASB in recent years.
International Progress
Before I talk a bit more about core concepts in auditing, including due care, professional skepticism, and risk assessment, let me talk a bit more about the efforts of the Monitoring Group to improve the international audit, assurance, ethics and independence standard setting system. As many of you know, in July 2020, the Monitoring Group released recommendations to improve the independence, public interest responsiveness, and effectiveness of the international audit, assurance, ethics and independence standard-setting system.[17] Since that time, we have been implementing these recommendations which has led to clearer division of responsibilities within the three-tiered standard-setting structure and provided for important safeguards to guard against undue influence from any one stakeholder group while still encouraging participation from all stakeholders in the standard-setting process.
So what do these safeguards look like? They have the same tenor as what Congress looked to achieve through SOX– the focus internationally being on the independence of standard-setting, including through diversity in the sources of funding for the standard setting system, limitations to the number of practitioner board members at standard-setters, increases to the technical staff at the standard-setters so the board members can work from a more strategic perspective, and stronger oversight by an independent Public Interest Oversight Board.[18]
As you can tell today the focus of my remarks is on the quality of standard setting and the resulting standards. This raises a core question: what do good standards look like?
What Do Good Standards Look Like?
I believe that recently the PCAOB has done great work to modernize its standards to make them more effective in driving the behaviors that are most important for auditors to properly serve investors – reinforcing auditors’ responsibility to act with due professional care,[19] re-focusing the objective of the audit to anchor audits in the critical function of investor protection, and furthering the public interest in the preparation of informative, accurate, and independent audit reports.[20]
I have discussed over the last few years the need for auditors to re-focus on their responsibility to exercise of due professional care, which includes sustained professional skepticism,[21] engage in robust risk assessment,[22] and to ultimately take a skillful approach to auditing as opposed to a limits approach – and proposing good practices for auditors to achieve these ends.
These concepts taken together provide a framework for standard-setting that I believe results in standards that are fit for purpose of a regulated profession. Standards that are clear and understandable create expectations up front and also are better able to be inspected and enforced against on the back end. This also leads to increased accountability, improvements in audit quality and better protection for investors.
To consider how this presents in good standards, we must first acknowledge that an audit differs from the production of a widget. Each issuer is different and the risks vary across issuers and therefore audits – so that standards can’t prescribe everything. This requires that good standards be sufficiently risk-based and scalable to provide the auditor with the ability to design audit procedures that are responsive to the risks identified while also balancing the need for sufficiently prescriptive requirements. There are certain fundamental risks, and acknowledging those risks and creating core requirements are necessary components of high quality standards.
Standards designed in this way permit the auditor to exercise judgment but also establish a baseline of conduct elevating all registered firms’ performance. They also reduce inappropriate diversity in practice, including in areas where specificity regarding risk assessment or supervision assists the auditors in exercising their due professional care responsibilities.
Elevating the performance of the entire profession through an appropriate level of prescriptiveness improves audit quality by setting clearer expectations, provides investors with more clarity regarding what the auditor should be doing, and gives auditors more leverage to push back against management where appropriate.
Key Behaviors to Promote
Due Professional Care
So, let’s look at auditors’ responsibility to act with due professional care. Writing standards to “operationalize” this somewhat academic concept is a hallmark of good standards. As I have repeatedly emphasized over the years, accountants serve a trusted public interest role in promoting the integrity of our markets and the protection of investors. The value of an audit and auditors depends on their credibility and trustworthiness. Audit professionals in particular have a difficult job—they sometimes must make difficult determinations that pit the public interest against self- or firm-interest. But that is precisely how public accountants fulfill their gatekeeping function to help protect investors: by ensuring that difficult issues are promptly identified and addressed objectively.
In recent years, the PCAOB has taken steps to embody this mindset in its standards. An example of this comes by way of the adoption of AS 1000, the General Responsibilities standard.[23]AS 1000 not only modernizes the foundational standards of auditing, but, through the recent PCAOB updates, it re-focuses and re-orients the auditor’s responsibilities in its critical role of “public watchdog,” a term coined in the nearly forty-year old U.S. v. Arthur Young & Co. Supreme Court opinion.[24] AS 1000 critically advances the Board’s investor protection mandate under SOX by, among other things:
- First, placing fidelity to the investor at the center of the audit’s purpose by explicitly stating that the auditor’s fundamental obligation is to investors, not to management of issuers or any other parties;[25]
- Second, all too often we hear auditors speak of what they are not required to do or not responsible for instead of focusing on efforts that will best serve the public trust. These recent PCAOB amendments appropriately anchor an auditor’s responsibilities in the affirmative in terms of what is required, rather than including those requirements and other discussions on limitations of an audit and an auditor’s responsibility;[26]
- Third, the amendments re-affirm that auditors must fulfill their professional responsibilities with appropriate rigor and diligence. AS 1000 extends the requirement of due professional care to other areas of audit practice, including public reporting and documentation, and by aligning engagement partner supervisory responsibilities with the principle of due professional care;[27] and
- Finally, these recent PCAOB amendments emphasize the existing responsibility that an auditor needs to exercise professional judgment to determine whether financial statements are not materially misleading within the context of an applicable financial reporting framework by clarifying that “presents fairly” goes beyond mere technical compliance with the accounting standards.[28] Recognition of this principle in PCAOB auditing standards is long overdue.
Sustained Professional Skepticism
As I mentioned earlier, auditors have a difficult job - they sometimes must make difficult determinations that pit the public interest against self- or firm-interest. Applying professional skepticism can sometimes come at a cost, whether it is budget overruns, conflicts with management, or pressure from within the audit firm to maintain client relationships. But the audit engagement is not a standard business relationship between service provider and client, with profit as the primary goal and indicator of success. Good standards will work to mitigate these costs and make up for the lack of positive externalities, thus giving auditors the necessary incentives to exercise their responsibilities.
Sustained professional skepticism is integral to audit work. Academic research and common sense tells us that a strong firm culture and tone-at-the-top that prioritizes doing the right thing above all else makes auditors, and especially less-experienced auditors, feel empowered to exercise professional skepticism, including to challenge management where appropriate.[29] When auditors’ professional experience is anchored in doing the right thing, they are more likely to go on to lead audits with this same mindset.
How do you promote a strong tone-at-the top through standard-setting? One critical way is to promote accountability (emphasis added) – if you hold leaders accountable for the actions of the firm, they are incentivized to create a culture that encourages positive behaviors. The Board as well as the IAASB recognized this by incorporating the following into the new quality control standards, QC 1000 at the PCAOB and International Standard on Quality Management 1 (“ISQM 1”) at the IAASB by:
- Requiring individuals at the top of the firm to be assigned to specified roles and responsibilities with respect to the QC system. The firm’s principal executive officer has ultimate responsibility and accountability for the QC system, with other individuals having operational responsibility for discrete components of the QC system.[30]
- The Governance and Leadership component requires firms to have a process for receiving, investigating, and addressing complaints and allegations that must include individual protections from retaliation.[31]
- QC1000 also requires firms to evaluate the effectiveness of their QC system on an annual basis and report to the PCAOB. The reporting to the PCAOB includes, among other things, descriptions of any unremediated deficiencies, and a summary of remedial actions taken.[32]
Risk Assessment
Next, let’s talk about risk assessment. Risk assessment and professional skepticism go hand in hand. Risk assessment forms the basis of the audit process, and a lack of professional skepticism can result in an auditor not identifying or assessing risks appropriately. You can’t have a sound risk assessment without professional skepticism.
How does this present in standards? The PCAOB recognizes risk assessment as a foundational topic. Risk assessment underlies the entire audit process. The new PCAOB standards create new requirements to better assist the auditor in assessing and responding to risks at the entity under audit.
The PCAOB has taken particular care when drafting new Board standards and updating interim standards to align them with its risk-based framework, incorporating them in two ways. First, through cross-referencing to the Assessing Risk and Responding to Risk standards anchoring all the performance standards in the risks identified.[33] And second, by layering in prescriptive risk assessment procedures to guide auditor behavior to obtain information to make informed risk based decisions and then design sufficiently responsive procedures.[34] For example, in the Other Auditors standard, by creating a risk-based supervisory approach for lead auditors over Other Auditors the PCAOB highlights specific matters that the lead auditor needs to obtain an understanding over in order to assess the level of oversight needed of the Other Auditor.[35]
This concept on the importance of risk assessment applies not only to Board standards governing the performance of an audit but also to the firm’s system of quality control. There has been international recognition that quality control should be driven by a continuous iterative risk based approach. The PCAOB’s new QC standards require firms, on an annual basis, to assess the risks of not meeting the objectives of its QC system, and, additionally, to identify and assess new and evolving risks throughout the year with an explicit requirement to consider information from required monitoring and remediation activities.[36] The firm is required to design and implement effective responses to these assessed risks and this creates a feedback loop, driving continuous improvement of the QC system with a view to correcting current deficiencies and preventing future deficiencies.[37]
So here you can see that even within a risk centric approach, the balance between prescriptiveness and scalability is presented.
Conclusion
At its core, auditing is about investor trust and confidence in the transparency, accuracy, and reliability of financial information. Trust is earned through words and actions and can be nurtured or broken—it is neither static nor assumed. The audit profession must continue to focus, and in some respects do more, to maintain and nurture the public trust.
Ultimately, what is best for audit quality is when auditors take a skillful [as opposed to?] limits approach to auditing.
A “limits” approach is where an auditor does a check-the-box audit, planning and conducting procedures based on what it does not need to review, performing the bare minimum to support the conclusions in its audit report.
A “skillful” approach is where an auditor focuses not only on what they are minimally required to do, but also on what they should review and inspect, and thereby engages in a robust iterative audit process that supports high-quality, reliable financial statements upon which investors place their trust.
There are examples across all jurisdictions of auditors taking a limits approach. Troubling instances in which management and auditors appear too narrowly focused only on information and risks seen as directly impacting the financial statements, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls. Such a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information.
Recent Commission enforcement actions against audit firms and their personnel continue to highlight instances of improper professional conduct by auditors with respect to fraud risks. In these enforcement actions, the Commission alleged that auditors failed to comply with PCAOB standards by, among other things, ignoring red flags and contradictory information and failing to obtain sufficient and appropriate audit evidence.[38]
It is my hope that the profession turns away from the “limits” approach and strives instead for a skillful, robust, and iterative approach to auditing: this is what the audit profession should aspire to, and what our standards and out oversight regimes should demand and require.
While I encourage auditors to take a skillful approach, in the absence of positive externalities to promote such an approach, regulators have to step in with appropriate incentives, and I appreciate how the PCAOB and the many other audit regulators represented here have worked to engrain that into the fabric of their standard setting, inspection and enforcement programs.
Many of you here are on the front lines so while I opened with it, I would like to close with the same message. Input from you all is critical in improving the standards in your jurisdictions, whether it be through sharing your perspectives and commenting on IAASB and IESBA proposals, or encouraging incremental requirements in your jurisdictions. The standard-setters need to hear your feedback on potential pitfalls in the standards, loopholes that could be exploited, or areas where more rigor around the rules are needed.
I appreciate your time today and now I will take questions.
[1] This statement is provided in the author’s official capacity as the Commission’s Chief Accountant but does not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff. It is not a rule, regulation, or statement of the Commission. The Commission has neither approved nor disapproved its content. This statement, like all staff statements, has no legal force or effect. It does not alter or amend applicable law, and it creates no new or additional obligations for any person.
[2] See The Monitoring Group, available at https://www.iosco.org/v2/about/?subsection=monitoring_group.
[3] See IFIAR, What We Do, available at https://www.ifiar.org/about/#observers.
[4] See IOSCO, Committee on Issuer Accounting Audit and Disclosure (Committee 1), available at https://www.iosco.org/v2/about/?subsection=display_committee&cmtid=12#:~:text=Committee%201%20is%20dedicated%20to,of%20these%20standards%20in%20practice.
[5] See, e.g., 15 U.S.C. § 78u(d) (authorizing the Commission to bring an enforcement action in district court for the violation of the rules of the PCAOB by registered public accounting firms and their associated persons).
[6] See generally Auditing the Auditors: Creating the Public Company Accounting Oversight Board, available at https://www.sechistorical.org/museum/galleries/pcaob/pcaob02_race_to_restore.php.
[7] See Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).
[8] See Section 107 of SOX, 15 U.S.C. § 7217.
[9] See id.; Section 19(b) of the Securities Exchange Act of 1934 (“Exchange Act”), 15 U.S.C. § 78s(b).
[10] See Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010).
[11] See, e.g., 148 Cong. Rec. S7351 (statement of Sen. P. Sarbanes) (“This legislation establishes a strong independent accounting oversight board, thereby bringing to an end the system of self-regulation in the accounting profession which, regrettably, has not only failed to protect investors, as we have seen in recent months, but which has in effect abused the confidence in the markets, whose integrity investors have taken almost as an article of faith.”).
[12] See, e.g., Section 101(c)(2) and (g) of SOX, 15 U.S.C. §§ 7211(c)(2), (g); Section 103 of SOX, 15 U.S.C. §§ 7213.
[13] See supra note 7.
[14] See SOX Section 104, 15 U.S.C. § 7214 (inspections); SOX Section 105, 15 U.S.C. § 7215 (disciplinary proceedings).
[15] See supra note 5.
[16] See PCAOB Chair Williams Delivers Remarks at International Institute on Audit Regulation (Oct. 29, 2024) (“Under this Board, the PCAOB has issued proposals for 10 standard-setting and rulemaking projects and finalized six—nearly all of which were decades old. All six of those rules and standards adopted by the PCAOB have also been approved by the SEC . . . .”), available at https://pcaobus.org/news-events/speeches/speech-detail/pcaob-chair-williams-delivers-remarks-at-international-institute-on-audit-regulation-2024.
[17] See The Monitoring Group, Strengthening the International Audit and Ethics Standard-Setting System (July 2020), available at https://www.iosco.org/about/monitoring_group/pdf/2020-07-MG-Paper-Strengthening-The-International-Audit-And-Ethics-Standard-Setting-System.pdf.
[18] Id.
[19] See PCAOB AS 1015, Due Professional Care in the Performance of Work (rescinded by AS 1000); PCAOB AS 1000.09-.11, General Responsibilities of the Auditor in Conducting an Audit. AS 1000 is effective for audits of financial statements for fiscal years beginning on or after December 15, 2024, except for the 14-day documentation completion requirement, for which there is a phased approach to adoption. See General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB Standards, PCAOB Release No. 2024-004 (May 13, 2024); Public Company Accounting Oversight Board; Order Granting Approval of Auditing Standard 1000, General Responsibilities of Auditor in Conducting an Audit, and Amendments to PCAOB Standards, Release No. 34-100773 (Aug. 20, 2024) [89 FR 68217 (Aug. 24, 2024)] (Commission Order approving AS 1000).
[20] See PCAOB AS 1000.01.
[21] See PCAOB AS 1015.07-09; PCAOB AS 1000.09-.11,
[22] See PCAOB AS 2110, Identifying and Assessing Risks of Material Misstatement.
[23] See supra note 19 for the effective date of AS 1000.
[24] See United States v. Arthur Young & Co., 465 U.S. 805 (1984).
[25] See PCAOB AS 1000.01.
[26] See, e.g., PCAOB AS 1000.13 (stating that the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence to obtain reasonable assurance about whether, among other things, the financial statements are free of material misstatement whether due to error or fraud).
[27] See PCAOB AS 1000.09-.11.
[28] See PCAOB AS 1000.12.
[29] See, e.g., Jeffrey S. Pickerd, et al., An Examination of How Entry-Level Staff Auditors Respond to Tone at the Top vis-à-vis Tone at the Bottom, 27 Behavioral Research in Accounting 79-98 (2015).
[30] See PCAOB QC 1000.10-17, A Firm’s System of Quality Control; ISQM 1, paragraphs 20-22. The effective date for QC 1000 is December 15, 2025. See A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms, PCAOB Release No. 2024-005 (May 13, 2024); Public Company Accounting Oversight Board; Order Granting Approval of QC 1000, a Firm’s System of Quality Control, and Related Amendments to PCAOB Standards, Rules, and Forms, Release No. 34-100968 (Sept. 9, 2024) [89 FR 74324 (Sept. 12, 2024)] (Commission Order approving QC 1000).
[31] See PCAOB QC 1000.29; ISQM 1, paragraph 34(c) (“The firm establishes policies or procedures for receiving, investigating and resolving complaints and allegations about failures to perform work in accordance with professional standards and applicable legal and regulatory requirements, or non-compliance with the firm’s policies or procedures established in accordance with this ISQM.”).
[32] See PCAOB QC 1000.77, .79, .80.
[33] See PCAOB AS 2110; PCAOB AS 2301, The Auditor’s Responses to the Risks of Material Misstatement.
[34] See, e.g., PCAOB AS 2310.03-.04, The Auditor’s Use of Confirmation.
[35] See PCAOB AS 2101.06A, Audit Planning.
[36] See PCAOB QC 1000.18-20, .22.
[37] See PCAOB QC 1000.21.
[38] See, e.g., In the Matter of Friedman LLP, Release No. 34-95887 (Sept. 23, 2022) (settled Commission Order); In the Matter of RSM US LLP, Release No. 34-95948 (Sept. 30, 2022) (settled Commission Order).
