Here’s commentary from Lynn Turner:
There’s a serious issue brewing at the PCAOB – and SEC – regarding auditor independence. This summary report issued by the PCAOB a few months ago about inspections conducted over 2016 year-end audits states on pages 14-15 that independence issues were found. That apparently caused the PCAOB to delay issuing inspection reports. Inspection reports for the Big 4 were issued in the August-November time-frame during the prior year. For 2017, only one report – about Deloitte – has been issued so far. This also highlights the periodic lack of transparency & timeliness of the PCAOB inspection process.
Fight Over Independence Disclosures
It’s my understanding that PCAOB inspectors found independence violations by the audit firms that were not reported to either investors or audit committees. This would mean these violations were not reported in writing as required by PCAOB Rule 3526, as noted in the PCAOB’s summary report. As an investor & audit committee member, I find this misleading disclosure to be troubling. Footnote 30 of the report (pg. 14) states: “PCAOB Rule 3520, Auditor Independence, requires auditors to satisfy all independence criteria applicable to an engagement, including the criteria in PCAOB rules and the criteria in the rules and regulations of the SEC.”
The Big 4 firms have prepared a white paper – collectively – that they submitted as a group to the PCAOB and its inspection group. The firms are apparently arguing they should not have to make the necessary disclosures – and despite the violations, can still publicly tell investors they are independent. I understand that white paper hasn’t been made public.
The firms argue that if they engage in a violation, they should be able to somehow “fix” the problem. But that is clearly not how the auditor independence rules work. The SEC has stated that the independence rules are prophylactic – so as to ensure investors can have trust & confidence in the audit. Yet, apparently in the instances found by inspectors, the auditors failed to notify the proper people (audit committee, PCAOB, SEC, investors) about the problems. Similar issues were found by regulators in the Netherlands a number of years ago, who found that one could not rely on the auditors to put in place “safeguards” for their independence, as the auditors put in place self-serving “remedies” in some cases.
The Use of Indemnification Clauses
The PCAOB’s summary report also notes that auditors continue to put indemnification clauses in their audit engagement contracts – despite the fact the AICPA has a clearly stated rule, as does the SEC, that indemnification clauses are not permitted for public company audits. In the recent Colonial Bank case, the judge ruled that PWC had improperly included an indemnification clause in one of its engagement letters and was therefore not independent.
The SEC also brought an enforcement case against an auditor in Florida for including an indemnification clause in the audit engagement letter (the auditor’s second enforcement action within a few years). It appears some auditors believe they can “slip one by” if no one notices these. In fact, to the PCAOB’s credit, they have been citing auditors for violations of the professional standards and GAAS for indemnification clauses for a number of years. This raises the question of why doesn’t the PCAOB take enforcement actions instead of just writing up the deficiencies in inspection reports. Clearly, the latter action is not having the necessary impact.
The SEC’s independence rules (Regulation 210.2-03) have a provision to exempt an audit firm if an inadvertent violation occurs, The exemption applies provided the person or persons on the audit: (1) were not aware of the circumstances giving rise to the violation, (2) the firm had adequate internal controls for independence in place, (3) violation was promptly corrected, (4) the firm had a training program in place, and (5) had an enforcement mechanism in place. But the SEC’s rules don’t permit an exemption if at the time of the violation, the auditor knew – or should have known – they were violating the rules. Here’s a lawsuit involving such an example.
The SEC & PCAOB rules are very clear. The auditor must follow the independence rules throughout the audit year. The firms are required to have training programs in place to require this. These rules are not new to anyone – and any professional knows they are serious and to be followed. In fact, GAAS states that a violation of independence is a violation of one of the ten primary “Generally Accepted Auditing Standards” – and that such a violation cannot be corrected through other auditing procedures.
Will the States Be Brought In?
It will interesting to learn if the PCAOB has involved the “National Association of State Boards of Accountancy” in these discussions as the State Boards each have independence rules which are built around compliance with the rules of the SEC, PCAOB and AICPA. If you can’t trust an auditor to follow the laws & regulations, what can you trust them for? Particularly if they engage in covering up their violations.
Transcript: “Handling the Proxy Season – The In-House Perspective”
We have posted the transcript for our recent popular webcast: “Handling the Proxy Season – The In-House Perspective.”
– Broc Romanek