United States Senate
Committee on Banking, Housing and Urban Affairs Subcommittee on Securities, Insurance, and Investment
Testimony of Cynthia Fornelli, Executive Director Center for Audit Quality
Mr. Chairman and Members of the Subcommittee, my name is Cindy Fornelli and I am the Executive Director of the Center for Audit Quality (CAQ). I appreciate the opportunity to testify today on how the audit and independent auditors can aid in preventing a future financial crisis, an important topic for all of us who are committed to protecting investors and maintaining confidence in our capital markets.
The CAQ was formed in 2007 to serve investors, public company auditors and the markets by enhancing the role and performance of public company auditors. We are a membership organization with nearly 700 public company auditing firm members that are registered with the Public Company Accounting Oversight Board (PCAOB). Our member firms are committed to the public interest role that auditors play in our markets.
As a public policy organization, we strive to assure that our efforts are infused with a public interest perspective. Our three independent public board members strengthen our focus on the public interest and also bring us expertise in financial reporting, securities law and corporate governance. The members of our Governing Board (which includes the CEOs of the eight largest accounting firms and the AICPA) have a keen understanding and appreciation of the important role the public company auditing profession has in serving the public interest and honoring the public trust.
To realize our vision, the CAQ works with investors, academics, audit committee members, preparers, internal auditors, and policy makers to explore issues and collaborate on initiatives that can advance audit quality. The CAQ consistently has supported the implementation of the Sarbanes-Oxley Act of 2002 (SOX or Sarbanes Oxley Act) and, working in collaboration with others with responsibility for financial reporting, has a number of initiatives underway to advance the deterrence and detection of financial statement fraud. We also support research on issues relating to investor confidence, public company auditing and the capital markets by issuing grants that fund independent academic research and other activities. In all that we do, we are particularly interested in investors’ views, as they are the ultimate users of the audited financial statements.
My testimony today is on behalf of the Center for Audit Quality and speaks to the policy issues before us. I cannot speak to the circumstances of any particular public auditing firm. In my role as the Executive Director of the CAQ, I focus on the public policy issues impacting the profession. I have a background in securities law and was previously a senior official of the Securities and Exchange Commission (SEC).
Following the past several years of global economic turmoil, there have been extensive examinations by panels and commissions to identify the root causes of the financial crisis and determine what could be done to reduce the risk of a future similar crisis. While none of the panels or commissions found that auditing was a root cause of the financial crisis, auditors, like all participants in the capital markets, have a responsibility to examine their role in light of lessons learned from the crisis and consider what improvements can be made in audit standards and what more they can contribute to market integrity and investor protection.
In my testimony today, I thought it would be helpful to provide my perspectives on the financial crisis, a brief description of our current regulatory environment and, more specifically, some thoughts on what an audit is and its role in our system of investor protection. I then will describe current activities being explored by various stakeholders (including the profession) pertinent to the central question posed in this hearing, which is whether the auditor can play a role in helping to prevent another financial crisis. The public company auditing profession welcomes discussions about enhancing their role.
The PCAOB has been examining the need for changes to the current auditor reporting model, and CAQ member firms have participated fully in the PCAOB’s outreach to stakeholders on this topic. We have suggested a number of areas to the PCAOB where the auditor’s report could be clarified or expanded. These include providing assurance in connection with Management’s Discussion and Analysis (MD&A) (including with respect to critical accounting estimates disclosed in MD&A); updating wording to include references to related disclosures in the notes to the financial statements and language related to the auditor’s responsibility for information outside the financial statements; providing additional information relating to audit scope and procedures; and, providing for auditor’s assurance or association with respect to an expanded report by the audit committee. As the PCAOB moves forward, we will continue to participate fully in the standard setting process. This effort may not fundamentally change the nature of the audit, but could offer additional information pertaining to the financial statements and the audit.
We believe strongly that the broader question of whether the auditor’s role should be expanded beyond the boundaries of the financial statement audit should be explored fully by the full range of stakeholders, including investors, regulators, policymakers, preparers, boards and audit committee members, academics and the profession, as well as other interested parties. The public company auditing profession can play, and is committed to playing, a constructive role in how their role should evolve.
In this regard, in January of this year, the CAQ initiated a program to convene stakeholders in a number of cities around the country to consider a range of issues relating to the role of the auditor. Some of the issues to be considered include the auditor’s current roles and responsibilities and whether they should evolve; the relationship and communication between the auditor and the audit committee, management and investors; and the role of standard setters, oversight bodies and regulators. A key focus of our effort will be identifying the information most needed by investors (including early warnings about business risks) and who can best provide that information.
II. Recent Financial Crisis
Much has been written about the causes of the recent financial crisis. Easy access to seemingly inexpensive credit to fund an increasing supply of residential housing, coupled with the proliferation of innovative financial instruments, as well as lax loan underwriting standards and documentation, led to an asset bubble that eventually burst the way asset bubbles tend to do. This was an economic reversal caused by a breakdown in risk management at many levels.
Consumers took on too much debt; lenders issued high-risk mortgages that were packaged and resold and those lenders held large amounts of risky, leveraged instruments; and investors purchased complex securities that they did not understand. The impact of the reversal was exacerbated by the interconnectedness of our financial system.
In response to the crisis, Congress adopted the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd Frank Act) – a far reaching and comprehensive piece of legislation designed to respond to the root causes of the financial crisis and prevent a similar crisis in the future. The Dodd Frank Act focused on risk management, leverage and capital at financial institutions, complex and unregulated financial instruments and industries, consumer protection, and substantially greater oversight and regulation of large, interconnected and systemically important financial institutions.
Company management and the board of directors are responsible for setting the company’s business strategies, including its risk tolerance and system of controls. Management also must prepare the company’s financial statements that reflect transactions completed by the company and present the company’s financial position as of a specific date. The role of the external independent auditor, under the oversight of the independent audit committee, is to determine whether the financial statements prepared by company management, taken as a whole, are fairly stated in all material respects in accordance with generally accepted accounting principles (GAAP). The auditor’s report is based on facts and circumstances known at the time it is issued.
In October 2007, as the crisis began to unfold and liquidity in the subprime markets began to decline, the profession’s response was to focus even more closely on appropriate fair value measures. With illiquid markets, financial institutions found it difficult to determine the fair value of highly leveraged and other assets because the relatively new and complex fair value accounting standards required the use of sophisticated modeling techniques to value their assets.
To help allay the considerable confusion on this issue, the CAQ Professional Practice Executive Committee prepared three white papers to assist auditors of public companies where the following topics might come into play: measurements of fair value in illiquid markets, consolidation of commercial paper conduits, and accounting for underwriting and loan commitments. While the white papers did not break new ground or establish new accounting or auditing standards, they had the effect of highlighting the valuation issues (i.e., the need for asset impairments) and consolidation issues (i.e., the need to consolidate structures because of changing risk characteristics) that needed to be addressed. These papers also reinforced consistency, skepticism and professional judgment by auditors working in this area and clarified the accounting for these instruments by financial institutions and other holders of these illiquid instruments and commercial paper conduits. But again, these efforts were focused on determining point in time valuations, not predicting market changes. And, many of the instruments that ultimately lost all of their value were actively traded right up to the collapse of the subprime mortgage market.
Annual reports (which include financial statements) of many financial institutions leading up to the financial crisis contained numerous warning signals about the leverage, falling asset values, and other information that served to alert users to the rising risk profiles of many of those institutions. A number of analysts and hedge fund managers reacted to the risks on a timely basis. But there were market participants and others who should have been among the first to recognize credit and liquidity risk within highly-regulated financial institutions but did not.
III. Our System of Investor Protection
By law, a publicly traded company must provide information about its liquidity, operations and past financial results to the public, and must comply with federal and state laws and requirements designed to protect investors and promote confidence in the U.S. capital markets. Ours is a system made up of a number of parties, laws and requirements designed to assure that public companies meet their obligations. A company’s CEO and CFO, the board of directors and the audit committee, internal auditors, external auditors, regulators and standard setters all have responsibilities for assuring that financial reports are accurate and fairly present the company’s financial position and operating results in accordance with GAAP. The SEC has authority to bring actions for fraud by any person in connection with the public securities markets, and specifically oversees publicly traded companies and sets their reporting requirements. A company must have an annual independent audit of its financial statements and the auditor’s opinion must be in its annual report. The auditors who perform these audits are a key contributor to our system of investor protection. Since 2003, the PCAOB has regulated auditors of public companies.
Sarbanes Oxley Act
The Sarbanes Oxley Act was passed largely in reaction to serious financial reporting frauds at several large publicly traded companies. SOX placed significant responsibilities on company CEOs and CFOs, audit committees, auditors and regulators that were designed to strengthen corporate governance and assure the integrity of financial reporting by publicly traded companies. It also created a new independent regulator for public company auditors.
Oversight of Public Company Auditing Firms. SOX overhauled regulation of the audit profession, ending self-regulation relative to public company audits. Only accounting firms that are registered with and regulated by the PCAOB may perform audits of public companies. The PCAOB sets the standards for the audit process, audit firm quality controls and other professional standards. It also regularly inspects the firms (annually for any firm that audits more than 100 public companies) and the quality of their audits, and, in appropriate circumstances, may initiate disciplinary proceedings against a firm or professional.
SOX strengthened the independence standards for auditors to increase capital market confidence in the objectivity of auditors. In fact, SOX prohibits the auditor from offering nine specific categories of non-audit services to a company that it audits and the PCAOB has imposed additional restrictions. As noted, an important aspect of assuring auditor independence is oversight of auditors by the audit committee, not company management. SOX also mandates audit partner rotation for lead and engagement quality review partners every five years to strengthen the auditor's independence from management. Every year, audit committees operating on behalf of investors make recommendations to shareholders on the appointment of a new auditor or the reappointment of the existing auditor.
Changes to the Role of Audit Committees. SOX mandated significant governance changes for all public companies, many of which had a direct impact on public company auditors. For example, prior to the enactment of SOX, company management often controlled the process for the selection of the auditor and management had the authority to hire or dismiss the auditor. This responsibility now lies with the audit committee. SOX placed on audit committees – a committee of the board of directors – particular responsibilities to investors. It placed responsibility for financial reporting and auditor oversight directly with the audit committee, rather than on the company’s management. The audit committee must be completely comprised of individuals who are independent from the company and its management.
SOX changed the role of audit committees with respect to:
Auditor selection and approval of fees;
Audit and non-audit services pre-approval;
Review of critical accounting treatments; and
Internal complaint procedures including "whistle blower" protections.
To fulfill its responsibilities, the audit committee meets regularly with financial management of the company and its external auditors to discuss issues related to accounting policies and judgments embedded in the company’s financial reports and determine whether they are appropriate.
IV. The Value of the Audit
It is important to have an appreciation for what a financial statement audit represents today before one can reasonably consider whether the audit should be changed. The audit opinion, the form of which is prescribed by the PCAOB’s auditing standards, is issued at the completion of the audit. The audit itself is a robust process, in which the audit team tests transactions and management’s assertions and challenges the quality of the accounting, selection of accounting policies and, ultimately, the company's financial reporting.
The Financial Statement Audit Today
The financial statement audit examines a company’s annual financial statements, which provide a point in time snapshot of the company’s financial position at the end of its fiscal year and its results of operations and cash flows for that fiscal year. In essence, the auditor performs a series of tests to collect evidence that provide reasonable assurance whether the public company’s financial statements, taken as a whole, are fairly presented in accordance with GAAP.
The external audit firm is hired by and reports to the company’s audit committee of the board of directors, which monitors the scope and performance of the audit, as well as the firm’s continuing independence from the company;
The audit team is made up of professionals led by a certified public accountant who is a partner of the firm. Members of the audit team are assigned based on their individual skills relative to the specific requirements of the particular audit, including knowledge of the company’s business and industry, and experience with the types of transactions and business operations covered in the financial statements;
The auditor is required to conduct a risk assessment of the potential for the financial statements to contain a material misstatement due to error or fraud on the part of the company’s management, personnel or reporting systems. As part of the risk assessment, auditors specifically consider the risk of fraud. The fraud risk assessment includes brainstorming by the audit team about how and where they believe the company's financial statements might be susceptible to misstatement due to fraud, with appropriate adjustments to the audit plan;
The auditor must exercise professional skepticism in planning and conducting the audit. Professional skepticism requires objectivity and a questioning mindset in assessing the audit evidence. The auditor must be attentive to inconsistencies or other indications that something may not be right and challenge management when necessary. The audit team uses its experience and judgment in selecting the areas to be tested in light of the risks identified. The audit team’s focus can include complex transactions, weak controls over the financial reporting process, and issues affecting the industry as a whole;
Auditors are responsible for obtaining audit evidence through the testing of the assertions made by management and the amounts and disclosures included in management’s financial statements. Based on its risk assessment, the audit team must gather sufficient and appropriate evidence to support its opinion as to whether the company’s financial statements fairly present the company’s financial position, and results of operations and cash flows in accordance with GAAP. The process includes reaching out to the audit committee to discuss accounting issues during and at the end of the process;
The audit team documents its risk assessment, the work performed to address the
identified risks and its conclusions. Prior to issuing an opinion, the audit team must consider whether there is substantial doubt about the company’s ability to continue as a “going concern” for a reasonable period, generally interpreted as the next 12 months. The evaluation is based upon facts and circumstances in existence and known at the time the opinion is issued;
Before the audit opinion is issued, an experienced auditor outside of the audit team reviews the scope of work and the judgments and conclusions made by the audit team to evaluate the quality of the audit. The engagement quality review is just one of the many processes firms implement to assure high quality audit work;
If the financial statements comply with GAAP and fairly present the company’s financial position, the auditor issues an unqualified or “clean” opinion; if the auditor concludes that the financial statements do not comply with GAAP in some respects or do not provide a fair presentation of the company’s financial position, the auditor must issue a qualified or adverse opinion.
For companies with market capitalization greater than $75 million, the audit report also contains an opinion on the effectiveness of the company’s internal control over financial reporting. We believe that the auditor’s involvement in providing an opinion on the effectiveness of internal control over financial reporting has enhanced the reliability of financial statements.
V. Should the Auditor’s Report Be Expanded?
The PCAOB has been examining the need for changes to the current auditor reporting model, which has not changed much over the years, while the size and complexity of companies and their annual reports and financial statements have grown exponentially. In recent months, the PCAOB staff and its Investors Advisory Group (IAG) each have canvassed a number of investors and other stakeholders to determine whether the audit opinion is still useful to users of financial statements. The IAG presented its findings to the PCAOB Board on March 16, 2011; PCAOB staff shared its findings with the Board at a public meeting on March 22, 2011, described below. Both found that investors value the independent audit and the current audit report.
According to this outreach, investors understand that the true value of the audit is not the opinion itself, but rather the very extensive amount of work that was performed in order for the auditor to provide reasonable assurance that the financial statements are free of material misstatement. They understand that in large global companies, audits can require teams made up of hundreds of individuals and partners, can take many thousands of hours, and can include audits of foreign subsidiaries.
Both PCAOB staff and the IAG did find, though, that investors want more information in addition to the auditor’s opinion to help them assess the quality of financial reporting at the company and the scope and quality of the audit. We have heard this from investors as well.
It is clear to me that auditors can continue to enhance the role that they play and the value they provide to investors and the capital markets. Moreover, others with responsibility – particularly the audit committee, which has responsibility for overseeing the quality of the company’s financial reporting and the external audit firm – also are in a position to improve the quality and relevance of information that they provide to investors. These changes should be made thoughtfully and should not merely result in a “piling on” of more disclosures that do not provide meaningful improvements to investors’ ability to understand a company’s financial results and other disclosures. Moreover, good public policy requires that a cost-benefit analysis of changes to the audit report or auditor’s role be examined before additional requirements are put in place.
The Profession’s Suggestions for Improving the Auditor’s Report
The profession is actively engaged with the PCAOB and has suggested a number of areas where the auditor’s report could be clarified or their role could be expanded to provide more information about the audit process and key areas of focus, some of which may require SEC action before being implemented. These areas include:
Auditor association with critical accounting estimates disclosed in Management’s Discussion and Analysis (or, alternatively, a separate supplemental auditor communication on critical accounting estimates);
Auditor association with the entire Management’s Discussion and Analysis;
Additional wording in the standard audit report to include:
- Reference to “related disclosures in the notes to financial statements” in both the scope and opinion paragraphs; and
- New language related to the auditor’s responsibility for information outside the financial statements;
Additional information/communication relating to audit scope and procedures, including:
Providing a “link” within the auditor’s report to a separate document that
describes the audit process, including a discussion of the responsibilities of
auditors, management and audit committees; and,
A discussion of specific audit procedures performed.
The PCAOB has stated that it plans to issue a Concept Release this June, followed by a roundtable discussion, with a proposed rulemaking in early 2012. Based on PCAOB staff comments during the recent PCAOB public meeting and a subsequent meeting of the PCAOB’s Standing Advisory Group, the PCAOB may propose ways to provide more detail to supplement the current form of the opinion. Some options discussed include adding wording to the opinion indicating that the auditor must plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement “whether caused by error or fraud”; explaining that reasonable assurance is a high level of assurance but is not absolute assurance; adding wording that the auditor is independent as required by applicable rules and regulations; and adding a requirement that the auditor’s report be addressed to both the board of directors and shareholders. The profession supports these clarifying changes in addition to those I noted above.
We hope the PCAOB will consider the suggestions of the profession. We also hope that the PCAOB will work with the SEC to explore the benefits of an expanded audit committee report to investors and consider whether auditor association would be appropriate, which also was discussed with the PCAOB Board at its March 22 open meeting.
VI. Should the Role of the Auditor Be Expanded?
Even as the PCAOB’s consideration of the auditor’s reporting model continues throughout this year, the CAQ has for some time believed that the broader question – whether the auditor’s role should be expanded beyond the boundaries of the financial statement audit – should be fully and openly discussed by the full range of stakeholders, including the profession, preparers, audit committees, investors, regulators, standard setters, policy makers, advisors, analysts, legal counsel, academics, and other interested parties.
The CAQ has informed the SEC and the PCAOB of its plan to convene stakeholders across the country to:
Consider the public company audit profession’s current roles and responsibilities, including obligations of professional objectivity and skepticism; and consider the roles of management and audit committees in the financial reporting process;
Discuss whether there is a need for the role of the auditor to further evolve in order to improve the quality and delivery of information provided to stakeholders, and consider how such changes fit with the current reporting model and whether such changes would further improve audit quality and investor protection;
Discuss how the role of the auditor intersects and relates with audit committees, management, advisors, analysts and others and examine the potential need for those roles to evolve as well given interdependencies in serving the interests of investors;
Consider the role of policy makers (including standard setters and oversight authorities) in effecting improvements in the quality and delivery of information provided to stakeholders and consequential impacts on audit quality and investor protection; and
Identify areas of consensus and open issues, and recommend short and longer term actions that would have a positive impact on the capital markets and the value of the audit to investors and other stakeholders.
Some of the issues we hope to discuss include identifying what information investors rely on most in making investment decisions and where they find that information; the extent to which annual reports and financial statements are useful; whether auditors should provide some level of assurance on nonfinancial information disclosed in the annual report, as well as whether auditors should provide some level of assurance on information disclosed outside of the annual report (such as press releases). We also want to explore whether auditors could – and should – provide some level of assurance around forward looking information provided by a company, and how auditors and other experts could manage the risks of being associated with such information. An important element of these discussions will be to consider what information will be truly useful to investors. Certainly the issues raised today will help to inform our discussions.
We will need to guard against changes to the role of the auditor that would undermine the legal and ethical responsibilities of CEOs and CFOs to assure the integrity of their companies’ financial reporting processes, and of audit committees to oversee the company’s financial reporting process and the performance of the auditors. Any exploration of the change in the auditor’s role should strengthen and not undermine the responsibilities of these parties.
Finally, we will want to explore, as a practical matter, the extent to which auditors may be able to provide early warnings if they identify business risks as distinct from risks of material misstatement of the financial statement due to error or fraud.
Our hope is that these discussions will expose stakeholders to these potentially paradigm- changing issues in a way that encourages hard thinking around the cost-benefits of various proposals, and identifies areas of consensus. In this way, our work on the role of the auditor will inform policy decisions here, including the PCAOB’s upcoming standard-setting on the auditor’s reporting framework, and abroad, where the role of the auditor also is being examined.
A number of major efforts are underway to implement the numerous requirements of the Dodd Frank Act, which represent Congress’s set of priority responses to the recent financial crisis. Assuring that the SEC is adequately resourced to meet its statutory objectives is critical to assuring investor confidence and participation in our capital markets. While Congress did not choose to streamline regulatory regimes over financial firms and markets, simplification of these regimes is of great importance to maintaining efficient markets that attract issuers and investors. We would like to see the SEC and the Financial Accounting Standards Board continue efforts to remove unnecessary complexity from accounting standards in the United States and move toward a single set of high-quality global accounting standards.
One final recommendation: given the global nature of our companies and markets, I strongly urge policy makers and regulators in all jurisdictions to work together to achieve consistency in approaches to allow the profession to meet the needs of investors.
I appreciate the opportunity to speak with the Committee today. I applaud you for recognizing that the role of the audit and the auditor is important. Our discussions today reflect a deep interest in finding the best way to serve investors and users of financial information. The CAQ will continue to participate in these discussions and work with all stakeholders to determine the best ways forward.
Thank you. I look forward to answering any questions you might have.