Audit Standards in Transition: An Interview with PCAOB Chief Auditor Douglas R. Carmichael

Standards Setting: A Privilege with Responsibilities

By Robert H. Colson

Douglas R. Carmichael, PhD, CPA, CFE, was appointed the first chief auditor and director of professional standards for the Public Company Accounting Oversight Board (PCAOB) in April 2003. Carmichael spent the previous 20 years at Baruch College, City University of New York, where he was the director of the Center for Financial Integrity and the Wollman Distinguished Professor of Accountancy. Before joining the faculty at Baruch, he was vice president for auditing at the AICPA. Many CPAs are familiar with the numerous books and articles Carmichael has written about accounting professional and technical matters. In addition, Carmichael is a noted expert on accounting and auditing issues. Carmichael grew up near Chicago and received his PhD from the University of Illinois in 1968.

Carmichael met with CPA Journal Editor-in-Chief Bob Colson in late spring 2004, and they have had supplemental discussions on recent developments.

The CPA Journal: You’re the first chief auditor for the PCAOB, which is still somewhat in its organizational stages. How would you characterize your accomplishments so far?
Douglas R. Carmichael:
I’ve been at the board now for just over a year. Much of my work has centered on bringing together and developing a first-rate staff to address standards setting. My highest sense of accomplishment comes from the quality of the staff that we have been able to assemble so far.

The assignment given the board by Congress is enormous, when you think about all the standards setting, registration, inspection, and enforcement mandates that are part of the Sarbanes-Oxley Act. What we have accomplished in standards setting so far is:

  • We developed a very substantial new standard on internal control over financial reporting, which the SEC has approved. We have also issued staff implementation guidance on that standard.
  • We changed the reference in the standard audit report from GAAS to the standards of the PCAOB.
  • We issued a new standard on audit documentation.
  • We held the first meeting of our Standing Advisory Group [SAG]. At that meeting we had auditors, preparers, and investors all contributing to establishing auditing policies.

Staffing Plans and Priorities

CPAJ: How large will your staff eventually be?
I anticipate eventually having a staff of about 25 in the standards-setting area. With that staff we’ll be covering auditing and related attestation standards, independence standards, quality-control standards, and ethics standards. The standards-setting staff is actually one of the smaller units. The largest unit, as you’d expect, is the inspection staff. The board will probably have more than 150 inspectors within the next year.

CPAJ: How far along are you in the hiring process?
So far we have hired about a dozen people for the standards-setting group, and about 80 inspectors. We have about 200 people in total, including staff to handle administrative, public and governmental relations, logistics, systems, and all the other things we’ll need to fulfill the PCAOB’s mandates. Right now, it looks like we’ll need to add about 100 more people in the next year or so to address all the issues on the board’s agenda and to carry out the ongoing registration, inspection, standards setting, and disciplinary activities of the board.

CPAJ: How do you plan to organize the staff of the Office of the Chief Auditor?
In addition to the chief auditor, there is a deputy chief auditor—a position that we’ve been very fortunate to fill with Tom Ray [formerly a partner in KPMG LLP in its department of professional practice and director of audit and attest standards at the AICPA]—and several associate chief auditors in charge of certain areas. [See the Sidebar for a list of the staff of the Office of the Chief Auditor.]

Standards-Setting Process and Protocols

CPAJ: Describe the work process in creating the first PCAOB standards.
Our first standards were really created by everyone in the Office of the Chief Auditor pitching in and working on the issue at hand. Although one day there will be a division of labor within the office that mirrors our different responsibilities—audit, quality control, ethics, and independence—it will be some time before we’re fully staffed. Even then, the chief auditor and deputy chief auditor will work very closely with the rest of the staff on most standards-setting projects.

CPAJ: What role will the staff have in preparing standards?
The PCAOB staff of the Office of the Chief Auditor has significant responsibilities, including drafting standards for the board to approve or send back to us for more work.

CPAJ: How did the PCAOB standards-setting process work in the development of your internal control attestation standards?
When we began the process for this standard, only Tom Ray and I were on board in the office. We were fortunate to be able to hire Laura Phillips shortly afterwards. Laura Phillips, the associate chief auditor responsible for the internal control project, had extensive background with similar internal control certifications and attestations that went into effect in the banking industry around 1993. The three of us worked on writing the standard, and everyone contributed to getting the final standard approved by the SEC.

When we looked for precedents, the best examples we could find were in banking regulations. We talked at length with the banking regulators, and, of course, Laura Phillips knew those requirements well. The input of the banking regulators had a very positive effect because they were able to tell us their experiences with the implementation problems encountered over the previous six or seven years. We were able to learn quite a bit from those sources.

Because we had not yet formed our SAG, we also held a public roundtable discussion about the issues and about our initial approach to the standard. We invited a cross section of users, auditors, preparers, and others, in order to hear and understand all viewpoints. In addition, we had to pay attention to the SEC regulations on section 404 because auditors’ attestations would address management’s certifications that are either filed with or forwarded to the SEC, depending on which section of the Sarbanes-Oxley Act applies. We communicated regularly with the SEC about our proposals because, ultimately, no PCAOB standard takes effect unless the SEC approves it. We could tell from our roundtable that some pieces of our final standard would be controversial, so we wanted to make certain that all parties in the regulatory arena were kept informed of our reasoning and progress.

In addition, the board seeks public comment on proposed standards. We analyze those letters very carefully, as does the Office of the Chief Accountant at the SEC, and we try to address the major issues that come up as part of the comment process. The comment letters we received were very helpful in moving forward to the final standard. Our final standards include a background and basis for conclusions section that provides a record of the major issues raised in the development process and how those issues were resolved. The SEC also opens a comment period on proposed rules after the PCAOB sends them for approval.

CPAJ: Would the process you described be fairly typical?
Yes, especially the consultative aspects. The big change as we move into the future will be the involvement of the SAG in the process. We didn’t have time to form the SAG before completing our work on the internal control attestation, so that consultation was not part of the picture. For future standards, the SAG will play an important advisory and consultative role.

CPAJ: The open process sounds like an important element of the PCAOB’s standards development program.
A fair and transparent process is not only important, it’s necessary. Although the PCAOB is a not-for-profit organization rather than a government agency, its authority comes from Congress with oversight from the SEC. We have to be extremely aware that the public—Congress, the people of our country, and many others from around the world—will expect the auditing standards we produce to be the best in the world. An open process and consideration are important for us in order to fulfill those expectations.

CPAJ: Do you anticipate that the PCAOB will receive many proposals from accounting societies or other organizations?
The PCAOB has a public responsibility to listen to various stakeholders and to accept and evaluate serious proposals submitted by them. We would encourage organizations, businesses, and individuals with helpful proposals dealing with our various mandates to forward them to us. Several proposals that have been developed independently would be more helpful than a single proposal resulting from a process of filtering by one group. So, we encourage all organizations with an interest in our work to initiate proposals. In the end, however, the PCAOB and its staff are responsible for standards setting and we will have to develop our own content for standards.

Auditing Standards Reassessment

CPAJ: How will you decide to spend your time and resources in the near term?
Over time, one of the most important tasks of the PCAOB will be a comprehensive reassessment of auditing standards. The volume of auditing standards is immense, with over 900 pages of text. We won’t be able to start at page 1 and work our way through page by page, because some areas are more pressing than others. That’s where the SAG will come in. One of its first tasks has been to help us determine high-priority items in current auditing standards.

Our staff has begun studying the restatements filed with the SEC, looking for patterns as they relate to auditing issues and where changes in auditing standards could improve the record on restatements. Restatements are extremely costly to everyone, and it would be far more cost-effective for management to get the accounting right the first time and for auditors to have the standards necessary to support their part in making sure that the accounting is right the first time.

The staff has also studied the report of the O’Malley Panel on audit effectiveness, which had a number of recommendations for improving auditing standards. Several of them are really important for enhancing the audit process.

As a staff, we have put together a preliminary set of proposed high-priority items based on the O’Malley report, the restatement study, our discussion with other standards setters, and our past experiences. We’ve taken that list to the SAG for its assistance in adjusting and prioritizing the list. We’ll spend the next two years or so working on developing standards dealing with the items on the final list.

CPAJ: Many O’Malley Panel recommendations were not addressed directly as audit standards, but had to do with organizational and business issues, including starting salaries. Do you plan to address any of these nonaudit issues in the near future?
Yes, we do, especially as they relate to quality-control standards. The PCAOB has adopted for the time being all the AICPA quality-control standards and certain related SEC Practice Section [SECPS] requirements. One quality-control concern we anticipate addressing early in the process will be standards on the recruitment, appropriate supervision, and development of audit firm staff. We will also have a much better idea of the extent of our quality-control issues after the PCAOB inspectors have gone through their process for a representative number of firms. They have completed initial inspections of the Big Four for 2003 and are currently performing the 2004 inspections of all firms that audit more than 100 issuers as well as a selection of other firms. We may find that the quality-control issues vary somewhat by the size and nature of the firm. The standards-setting staff will closely monitor the results of the inspections to point us to areas where new standards should be written or where refinements of existing standards might be needed.

CPAJ: What do you expect will occur with independence and ethics standards?
So far, the PCAOB has adopted as its interim standards Rule 101, Independence, and Rule 102, Objectivity and Integrity, of the AICPA’s professional standards, and the related interpretations and rulings, and the standards of the Independence Standards Board [ISB]. Right now, the staff is working with the board to establish how to move forward on independence standards. In addition, we recently held a public roundtable discussion on independence and tax services.

CPAJ: The AICPA, the ISB staff, and IFAC all endorsed or adopted a threats-and-safeguards conceptual framework for offsetting independence standards. Will the PCAOB consider a similar approach?
The PCAOB will have to consider whether it wants to adopt a threats-and-safeguards approach to standards setting. Although such an approach might work for a standards setter, there is a risk that firms would want to apply that approach themselves to current or new practice areas. Currently, firms inquire of the SEC if no current guidance is related to a new practice area. If the firms adopted the threats-and-safeguards approach, however, they would begin to make such decisions based on their perceptions of the threats and available safeguards, without approaching the SEC. In addition to substantially changing how the regulator keeps abreast of auditor independence issues, business entities such as CPA firms may also be prone to underestimate the threats and overestimate the safeguards, especially when large prospective fees are involved.

Fundamental Issues: Communication and Education

CPAJ: You mentioned earlier that you were looking carefully at the recommendations of the O’Malley Panel in order to identify potential areas for standards-setting activities. What are some of the top items you plan to pursue from the panel’s report?
Two of the O’Malley Panel’s suggested improvements prompted the ASB to issue auditing standards dealing more comprehensively with fraud (SAS 99, Consideration of Fraud in a Financial Statement Audit) and with a hierarchy of auditing literature (SAS 95, Generally Accepted Auditing Standards). SAS 95 was developed before Congress created the PCAOB; we will have to assess the hierarchy as developed by the AICPA and amend it to reflect subsequent events. The hierarchy also brings up a more fundamental issue related to wide public dissemination of and education about auditing standards. It’s no longer enough to aim auditing standards solely at auditors; the public has a fundamental interest in auditing standards because of their relationship to public reporting and, as a result, there will also be the need for a more extensive public dissemination of and education about auditing standards.

The issues surrounding the auditor’s responsibilities for fraud were also set in a new direction by the Sarbanes-Oxley Act and the creation of the PCAOB. The act treats top management’s responsibility for fraud very seriously. CEOs and CFOs face severe penalties for improperly signing certifications about their financial reports and internal control systems. Auditors are not subject to the same penalties as CEOs and CFOs, but it should be clear that auditors also should be very serious about their responsibilities for detecting and reporting financial statement fraud. The O’Malley Panel recommended that auditors adopt a more aggressive forensic approach to financial statement fraud. Auditors’ responsibility for financial statement fraud, especially as it relates to management overrides of the accounting system and journal entries, was a topic that the SAG addressed in their first meeting. We are working on a staff response to those recommendations.

CPAJ: What other auditing standards issues did you discuss with the SAG?
We eventually plan to address the entire set of auditing standards and their organization, but let me discuss briefly a few areas we specifically considered with the SAG.

Almost all of the financial reporting scandals we have been through recently had problems with related-party transactions, revenue recognition, or loss reserves. We need to address those areas, particularly the auditing for fraud aspects, as well as the increasingly important topic of auditing fair values. The SAG identified the need for standards in these areas as a high priority. Additionally, the Sarbanes-Oxley Act mandates a new standard on what has been called a concurring partner review, so that is also a high priority. The act also expands audit committee responsibilities, meaning that a new standard in that area is also a priority.

In addition to these priorities, we will also be working on the following areas:

  • Currently, auditing standards allow auditors to rationalize decisions not to confirm account balances in circumstances when they really should. Our examination of enforcement actions underscores the importance of confirming account balances. We found that a number of problems arose when confirmations were not performed.
  • Recent FASB changes to APB 20 have also highlighted issues related to auditing and the consistent application of GAAP, and we will have to issue some direction on report language to deal with restatements following discretionary accounting changes.
  • Current auditing standards allow different approaches to materiality evaluation decisions. These different approaches can lead to very different results in terms of identifying and correcting potential financial reporting problems. The SEC is working on this topic, and we will need to coordinate our requirements for auditors with the requirements the SEC sets for issuers.

Other Issues

CPAJ: You’ve discussed some initiatives you anticipate in independence, ethics, and auditing standards. Are there any pressing needs for quality-control standards?
Right now, most quality-control issues are being handled through the PCAOB inspection process, which is considering such things as the governance of the CPA firm, its compensation arrangements, and its overall organization, in addition to its conduct of SEC audit engagements. The inspection teams have completed their first round at the Big Four firms, so we’re beginning to form some first impressions about the state of quality control as reflected in the inspection results. As the inspections move to non–Big Four firms, we will continue to learn more about quality-control systems and how firms implement them. New standards, and refinements of existing standards, will flow from what we find in the inspections. A new standard on quality control is also mandated by Sarbanes-Oxley, and that makes it a priority.

CPAJ: Do you plan to tackle the problems that arise in auditors’ career advancement when they face the dilemma of following professional standards or pleasing a client or firm management?
We’re certainly aware that auditors sometimes face pressure from clients and firm business leaders to subordinate their professional judgment to a business goal. Those auditors that do the right thing, that make certain GAAP is followed, should not be penalized in their advancement opportunities, their compensation, and their careers because a client is unhappy or the business loses some other revenue stream. The public really expects CPA firms’ business goals to be subordinate to their professional responsibilities as auditors.
Auditors should have the support of professional standards as well as their firms when they challenge clients on accounting issues. Too often, in the past, the challenges did not occur, because the auditor or the firm feared losing the client’s business.

CPAJ: The PCAOB’s auditing and related professional practice standards apply to the audits of public companies. Do you have a sense as to whether stakeholders in nonpublic companies, nonprofit organizations, governmental bodies, and other entities are looking for PCAOB audits?
Congress created the PCAOB to perform a number of functions that involve auditors of SEC registrants, but a number of private companies and not-for-profit organizations will probably want their auditors to use the standards of the PCAOB for audit and attestation purposes. Likewise, it’s not out of the question that a private client might ask that its auditor follow PCAOB quality-control standards, or that a firm would simply prefer them. In fact, many firms may prefer to run one quality-control system that satisfies PCAOB standards rather than two. Firms with no SEC audit clients may also find that the PCAOB quality-control standards, or any of the other standards that we create, work well for them in terms of both their professional responsibilities and their acceptance by the public.

CPAJ: How does the PCAOB work with other groups involved in audit standards setting?
PCAOB representatives meet regularly in a forum on auditing standards setting with the U.S. Government Accountability Office [GAO] and the AICPA’s Auditing Standards Board, which established the standards that the PCAOB uses today on an interim basis. In addition, we have a nonvoting seat at the International Auditing and Assurance Standards Board’s meetings on international auditing standards, because of the importance of convergence of international standards at a high level of quality.

CPAJ: Thanks for spending the time with us. What final thought would you like to convey?
I’d like to reiterate how fortunate I have been in being able to assemble a first-rate staff for the Office of the Chief Auditor, to get the wholehearted support and participation of the board members in the standards-setting effort, and to get active participation in standards setting through the SAG from investors, audit committee members, and others interested in protecting investors. All the people at the PCAOB are very talented and publicly spirited. Standards setting is really a privilege. It’s not always easy, but auditing standards will become increasingly important to the public as reliance on the capital markets grows.

Robert H. Colson, PhD, CPA, is Editor-in-Chief of The CPA Journal.