Perceived Flaws in Sarbanes-Oxley Implementation

By Bernard H. Newman and Mary Ellen Oliverio

E-mail Story Print Story

The 234 comment letters related to the first roundtable meeting in April 2005 included expressions of discontent beyond the cost and insufficient guidance for internal control assessment. Gradison’s reference to “other actions” was reassuring. Comments in some letters, illustrative of perceived flaws in the implementation of SOX, included the following:

The requirements … seem largely unrelated to the root cause of the scandal-based business failures of the past several years—fraudulent behavior by senior managers of a small minority of corporations. [A] “one-size-fits-all” strategy that leads to check lists, focuses on form of documentation rather than the substance of the matter.

We recognize that public accounting firms have been under the microscope for several years. The Public Oversight Board was ineffective, and consequently disbanded itself early in the new century.

In this environment, it is not surprising that accounting firms have taken a very conservative approach to the implementation of the internal control standard. The focus is on “will this pass the inspection?”

Perceived Flaws in Implementation

Requests for comments often provide a list of questions to be answered. In the requests for comment letters for both the first and second roundtables, however, respondents were not given questions; they were allowed to respond in any manner they chose. Therefore, comments were made that went beyond the specific guidance of Auditing Standard 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. The authors’ review focused on comments that went beyond the plea for more detailed guidance or relief from the cost of meeting AS 2’s requirements. Among such comments were the following perceived flaws:

Flaw 1: Redundancy of opinions by auditors. SOX section 404 merely states the following:

With respect to the internal control assessment required by subsection (a) each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.

That statement does not require two opinions. However, implementing section 404 resulted in two opinions. In the authors’ search for a discussion of the rationale that led the PCAOB to go beyond what was required in section 404, no information was discovered.

What, then, was the rationale? On what basis was what is perceived to be redundant justified? What is achieved by two opinions? The extent of repetitive activity, often without identification of risks, is perceived to have little relevance in assuring that internal controls are adequate.

At this point, no evidence is available to explain why section 404’s requirement was deemed to be insufficient. The auditor’s responsibility for internal control as it relates to performing a sufficient audit should be revisited. The decision of the Financial Reporting Council in the U.K. about external auditor involvement in internal control may be worthy of consideration. That council’s conclusion seems far more reasonable than that of the PCAOB.

Flaw 2: Rule setting and oversight provided by the same body is a questionable combination. Should an oversight board set its own rules for the process it oversees? Are conflicts of interest possible? How effective are internal controls when rules are formulated by the same group that enforces them?

While self-assessment can be even more brutal than assessment by others, the preponderance of evidence does not support objectivity when viewing one’s own work.

SOX did not establish a requirement that auditing standards were to be formulated by the PCAOB. Sarbanes-Oxley gives the PCAOB the option of formulating auditing standards or accepting that this task be done by another body. At the PCAOB’s April 16, 2003, meeting, a proposal that auditing standards be formulated by the board was approved. There was no discussion of the combination of duties in one body or the rationale for doing so. One member asked, “The Board could have allowed another body to actually formulate auditing standards, but the proposal states that the Board itself would be the rule-making body, is this true?” The response to this inquiry was “yes,” with no further comment from any of those present.

Flaw 3: Auditing standards-setting under two bodies in one country is costly and inefficient. This flaw is related to Flaw 2. There has been no discussion of audit guidance inadequacies that led the PCAOB to conclude that a totally new set of auditing guidance was necessary, not to mention whether it would be the board’s responsibility. As noted earlier, SOX did not require that the board assume rule-making responsibility.

The authors were unable to find a single objective investigation of an audit failure reported in the last five years that stated that inadequate audit guidance was the critical factor in the deficient audit. For decades, the SEC’s administrative hearings have relied on the professional guidance provided by the Auditing Standards Board and predecessor bodies of practitioners to determine the nature and extent of violations. For example, in the administrative hearings involving auditors at Tyco, WorldCom, and Xerox, there were no comments that the scope of an investigation was limited because of insufficient guidance related to what the auditor was expected to do. To our knowledge, not one of the highly discussed audits of the last five years was investigated in the manner of, for example, the McKesson & Robbins audit that was disclosed in December 1938. An investigation might determine where audit guidance needs to be revised.

The PCAOB’s rationale for assuming the role of auditing standards–setter was not revealed. During the presentation discussed under Flaw 2, one PCAOB board member noted that what was “presented was a blueprint to construct a process, rather than the process itself. … [T]his is a task we are not likely to do ourselves … this is a work in process.” Further comments indicated that there would be a large advisory committee with representatives of accounting and auditing firms, public companies, investors, and other interested groups: “There would be representation of public accountants, but they would not be a majority … this is not a closed process.” Another comment suggested that “the profession should create or maintain its own bodies to review and make recommendations.” There were no follow-up statements to support or challenge these comments.

During the portion of the board meeting devoted to accepting the current audit standards on an interim basis, one member stated, “I shall vote for accepting the standards as interim standards, but I so wish we today could have a completely new set of standards. I realize this is unrealistic.”

What would a “completely new set of standards” look like? The first standard released by the PCAOB requires that reference to standards in the auditor’s report must indicate that they are the standards of the PCAOB. The second standard is related to internal control. The third standard deals with audit documentation and does not represent a conceptual change from existing professional standards. The fourth deals with reporting on whether a previously reported material weakness continues to exist. The second and fourth standards both deal with the implementation of section 404, as interpreted and specified by the PCAOB.

We cannot responsibly judge at what rate the task of standards setting should proceed. As of August 13, 2006, the following was posted on the PCAOB website (www.pcaob.com) under Proposed Statements:

“There are currently no standards or related rules proposed by the Board.” The first chief auditor was appointed in April 2003. Time was needed for establishing an appropriate operating system. The standards-setting group deals with other matters that have undoubtedly required attention. Are the PCAOB’s accomplishments to date on target?

Auditing is a generic process. Why is a new standards-setting group needed? The PCAOB issued its first Staff Audit Practice Alert on July 28, 2006. The alert is “Matters Related to Timing and Accounting for Options Grants,” and it is interesting to note that references are made to 10 sections of Interim Standards, which are the standards promulgated by the Auditing Standards Board. The usefulness of Auditing Standards Board statements for an emerging problem is impressive.

With international bodies attempting to provide a single set of auditing standards to be used globally, professionals in other countries are perplexed at our two sets of auditing guidance. When such practitioners—from Beijing, China, to Milan, Italy—have asked the question “Why two sets of standards?” the authors find it difficult to provide a convincing response. Such inquiries also question the propriety of an oversight board establishing the standards they inspect.

Flaw 4: Stripping the profession of standards-setting responsibility means that accountants auditing publicly owned business are not professionals. Professional status provides privileges and it also imposes responsibilities. Public accounting was deemed a profession in the United States through state rulings regarding licensing and the expectations implied thereby. When the PCAOB, at its April 13, 2003, meeting, proposed that the board would become the auditing standards-setting body for public companies, it assumed the only remaining task that reflects a professional responsibility. Those who audit publicly owned companies are not technically functioning as professionals.

Does the PCAOB understand what “being professional” means? At PCAOB board meetings, for example, there are references to the “profession,” yet the auditors of publicly owned companies are not meeting the technical expectations of a profession. Among the criteria applied to a group of specialists with the designation “profession” are those that relate to the participation of the practitioners in their field of specialization. Self-regulation—which allows for participation in determining codes of conduct, establishing rules that govern their work, and monitoring the performance of the members—is critical in maintaining responsibility for the public interest. Such responsibilities had been promoted by early leaders of accounting who believed the field should be a “professional service” rather than a “commercial service” in the United States. At the first meeting of the newly created SEC in 1934, the commissioners assessed the work done by practitioners and concluded that the group had performed in such a manner that they could be delegated responsibilities that the SEC could have assumed for itself. The failure of auditor oversight led to SOX. What evidence supports an oversight board taking on standards-setting responsibility, too? How wise is it to strip a large, significant group of accountants of their professional status?

Of course, if there continue to be two sets of auditing standards in the United States, the second set promulgated for nonpublic entities by the ASB under the auspices of the AICPA, then one segment of public accounting in the United States will maintain professional status.

One might ask, “What difference does it make if all public accounting continues to be called a profession? Why be so literal?” It is a question that requires a lengthy answer, but, stated briefly, there has been an assumption that the acceptance of the title of Certified Public Accountant imposed a personal, professional responsibility for supporting the group’s self-imposed rules and for individual responsibility. For example, for the inevitable judgments required in performing auditing tasks, an audit partner assumes a high level of personal responsibility for all staff members, including newly hired ones. It is not clear that the PCAOB understands this shift. For example, note what the PCAOB stated in Release 2005-009 (May 16, 2005):

Auditing Standard No. 2 is no different from any other auditing standard in that it does not prescribe detailed audit programs. For as long as the profession has established auditing standards, auditors have used those standards to tailor their own audit plans, in a manner that addresses the nature and complexity of the audit client.

Many participants in the Roundtable, as well as others, have noted, however, that some auditors have in fact failed to use tailored audit plans in their first year of meeting section 404 requirements. … Those auditors have instead used a one-size-fits-all audit plan driven by standardized checklists. [Italics added]

As noted in the first paragraph quoted above, the PCAOB does not realize that the contemporary environment for auditing practitioners who audit publicly owned companies is not the same as it was formerly. Contrary to the PCAOB’s claim, there is a difference. The frequent request in comment letters for more detailed guidance from practitioners is for assurance that what is done is proper because the board that issued the ruling is the same board that inspects the work of the auditors.

The PCAOB seems to believe that auditors ought to continue “tailoring their own audit plans,” yet the board continues to give detailed instructions. Thoughtful sociologists and psychologists might be able to provide some valuable insight about professionalism and optimum rules and regulations, as well as barriers to entry, when in fact, the group in question is not a profession.

The Wisdom of the Sarbanes-Oxley Act

The crisis of confidence in the profession justified the passage of SOX. The writers of the law were astute. They left open some critical decisions, as noted earlier. At this point, however, the question is: Is the the PCAOB optimally structured to provide the type of oversight envisioned by the Sarbanes-Oxley Act? Illustrative of the performance to date are the efforts at designing new guidance related to internal control. Internal control is not a new concept. Yet, so many questions of interpretation developed that it was necessary to schedule two PCAOB Roundtable meetings as well as publishing five sets of “Staff Questions and Answers.”

The results of the new guidance in the PCAOB’s AS 2 are difficult to interpret. An individual unacquainted with the prior internal control responsibilities of auditors and their clients could quickly conclude that the PCAOB requirements relate to a concern that had received no attention previously. The reality, however, is that there have been decades of requirements and guidance.

It may be too late to search for reasons for the apparent failure to respond to the legal requirement for an adequate system of internal control in the Foreign Corrupt Practices Act of 1977, which included an amendment of the Securities and Exchange Act of 1934 related to internal control requirements. It may be too late to determine why there was seemingly little response to the recommendations of the Treadway Commission Report (1987), which was initiated because many still perceived an intolerable level of fraudulent financial reporting, even a decade after the requirement for a system of internal control. The COSO report Internal Control—Integrated Framework (1992) provided further guidance relative to internal controls. The latter was the basis of significant revisions to the guidance provided in section 319 of the AICPA’s Professional Standards, revisions aimed at meeting the GAAS requirement that an auditor obtain “a sufficient understanding of internal control … to determine, the nature, timing and extent of tests to be performed.”

Candid, Objective, Comprehensive Review Needed

The PCAOB’s structure as designed by the board itself is flawed. The implementation of SOX to date has added a great deal of auditing work, yet questions of relevance reamain unanswered.

A number of participants in the May 10 PCAOB roundtable raised serious questions about the effectiveness of the implementation. There is a perception of unnecessary regulation. One interesting comment provided by the representative of the New York Stock Exchange concerned the significant drop in listings by foreign companies on U.S. exchanges between 2000 and 2005. It was reported that many foreign companies, however, were obtaining capital in the United States from private sources, thus bypassing the need to meet governmental regulations.

To date, the authors’ search—for empirical review of alleged audit failures, for working papers, and of transcripts of thoughtful debates—has not found any information that reveals the analyses and rationales for decisions made by the PCAOB in determining the tasks the board would assume.

It is time for a candid, objective, comprehensive review of the PCAOB. At this point, there is no need for legislative action on the part of the U.S. Congress. The SEC, as the body responsible for oversight of the PCAOB, has the wisdom to initiate and carry through the review required now.