SEC Chief Accountant Paul Munter has posted a new Statement. What’s on his mind? Apparently, he is disturbed that, in recent inspections of audits, the PCAOB has reported a “troubling” increase in deficiency rates—meaning the PCAOB found that there was insufficient audit evidence obtained to support the auditor’s opinion. Deficiency rates went from 29% in the PCAOB’s 2020 inspections to 34% in its 2021 inspections, up now to 40% in its 2022 audit inspections. This, he warned, was a “troubling trendline in PCAOB inspections results”—emphasis again on “troubling.” What does he prescribe? A “commitment to high-quality audits,” which, “in turn, calls for the auditor to exercise objective, impartial judgment and rigorous professional skepticism in gathering and evaluating evidence throughout the audit to support the audit opinions provided.” To be sure, both auditors and audit committees “should pay particularly close attention to areas that have been frequently identified as causes of deficiencies in PCAOB inspections.” In addition, he advises that “auditors should conduct engagements with a mindset that the investors, rather than management, are the audit client.” This commitment to high-quality audits, he contends, is the only way for auditors to protect the investing public. He offers advice for both auditors and audit committees.
Recommendations for auditors. Munter identifies several areas where he believes auditors should “pay particularly close attention” in exercising professional skepticism. For example, Munter observes that, for the past three PCAOB annual inspections, in audits that required auditors to attest to management’s assessment of internal control over financial reporting, auditor testing of management review controls has had the highest rate of deficiency. With that in mind, Munter reminds “auditors of their responsibility to exercise professional skepticism in the gathering and evaluating of evidence, including related to internal controls, and approaching management’s judgments in these areas with professional skepticism.” When external conditions are dynamic, “evolving risks may require changes to accounting policies, processes, and [ICFR] to maintain a financial reporting environment capable of producing reliable financial disclosures.” Another area is fraud. While fraud is always a risk, when companies face challenges, the risk of fraud may increase, and auditors should “be aware of areas of common audit deficiencies, as well as conditions that may create or change incentives, pressures, and opportunities, or facilitate rationalization for management and corporate misconduct. In the face of heightened fraud risk, auditors must consider whether a proper exercise of professional skepticism requires more persuasive evidence to corroborate management’s assertions.”
Munter recommends four practices for auditors to enhance their exercise of professional skepticism:
- Auditors “should frequently and proactively engage” with issuers’ independent audit committees about events affecting financial reporting, including “any red flags, arising from management responses. In this vein, the auditor should not agree to truncated or summary presentations of their concerns with management or management responses to audit concerns with the audit committee.”
- Auditors should engage and “effectively integrate specialists and other experts into the engagement team to assist in auditing complex areas or where specialized knowledge is needed,” a practice that will “help ensure that the auditor has adequate expertise to challenge management’s assessments and assertions.”
- Auditors should “ensure that engagement teams are appropriately trained on biases that can affect auditor judgment and decision-making, and that might undermine professional skepticism.”
- Audit staff must be “empowered to exercise their professional skepticism and challenge the judgments of management,” and it is the responsibility of the audit firm and lead engagement partner to enable them. Empowerment could involve “supporting audit staff in exploring areas of heightened risk and red flags, insulating audit staff from any undue pressure to accept less than persuasive audit evidence, and refusing management requests or demands to replace audit team members.” Munter notes that, depending on the circumstances, “acceding to this type of request or pressure may, among other things, impair the auditor’s independence in the analysis required under Rule 2-01(b) of Regulation S-X.”
But professional skepticism can sometimes exact a price, such as “budget overruns, conflicts with management, or pressure from within the audit firm to maintain client relationships.” Munter advocates taking the high road. An audit engagement is not a “standard business relationship between service provider and client, with profit as the primary goal and indicator of success. Instead, as the Supreme Court recognized, the auditor’s ultimate responsibility is to the investing public.”
Recommendations for audit committees. Munter also raises concerns about audit committee objectivity. Citing academic studies, he points out that, “in executing their mandate, audit committees may look to protect the interests of the issuer and its management over the interests of investors. This risk can arise out of an audit committee’s association or coziness with the issuer or its management or through management’s influence over the audit committee’s supervision of the auditor.” In particular, he notes studies that found that “social ties between management and the audit committee are present in 39% of the companies in [the study] sample and may reduce the quality of the audit committee’s oversight” as well as studies “finding that greater audit committee co-option—measured as the share of audit committee members who joined the board after the current CEO’s appointment—results in lower financial reporting quality as evidenced by a higher probability of misstatements and higher absolute discretionary accruals.”
Munter advises that, in selecting an auditor, the audit committee “should prioritize audit quality” and, to that end, should “frequently evaluate its process for assessing the auditor’s performance, including relevant firm or engagement-level metrics,” such as whether the committee takes into account:
- “results of the auditor’s PCAOB inspections, the firm’s internal monitoring programs, or other firm audit quality reporting;
- whether the engagement team has appropriate industry expertise, and whether the engagement partner is sufficiently engaged and provides leadership to the engagement team;
- the engagement team’s total hours and staffing mix (such as, the use of specialists, the composition of experience within the engagement team, or portions of the engagement performed by other auditors); and
- significant changes (or the lack thereof) in hours or staffing mix from previous audits.”
Munter also encourages the audit committee to “work to support the auditor’s independence and facilitate the auditor’s exercise of professional skepticism,” including forming “a strong professional relationship with the auditor, independent of management, which can reduce the auditor’s barrier to exercising professional skepticism and focusing on its responsibilities to investors.” More specifically, Munter recommends that audit committees:
- “meet with the auditor, independent of management, through formal or informal meetings;
- have an open dialogue that provides adequate time for in-depth discussions of financial reporting and internal control matters with the independent auditor;
- dedicate time to asking the auditor probing questions to assess audit quality;
- speak directly with the audit engagement team about the importance of professional skepticism and the audit committee’s support of the engagement team;…
- avoid substituting management’s judgments or interactions with the independent auditor for the audit committee’s own judgments and engagement with the independent auditor[; and]
- leverage their unique oversight position to help set and monitor the tone for management’s relationship with the auditor, [including evaluating] the frequency and quality of the auditor’s interactions with management.”