Breadcrumb

Statement

Three from the PCAOB

Washington D.C.

Today, we are considering three proposals—one rule and two standards—from the Public Company Accounting Oversight Board (“PCAOB”). The auditor’s calling is fundamental to the health of the capital markets. For this reason, we want to ensure that the standards and rules governing auditors are clear and sensible, do not rob auditors of their confidence to exercise judgment, and that they facilitate auditors’ focus on the critical job of ensuring that financial statements are reliable. The Commission’s review of the PCAOB’s rules and standards is integral to the process that Congress established to ensure the quality and effectiveness of the PCAOB’s work.

Commission review of PCAOB standard-setting is particularly important now. First, as evidenced by high audit deficiency rates[i] and much enforcement saber rattling,[ii] the PCAOB appears to be struggling with its critical mission of fostering audit quality. Second, the PCAOB is rushing new standards out the door without due regard for internal deliberation, public input, economic analysis, or implementation issues.[iii] Third, as many at the PCAOB and outside have noted, the audit profession faces challenges, including high rates of concentration, low rates of new recruits, and exits by seasoned auditors. While many factors contribute to these challenges, deliberate and prudent regulatory steps can mitigate them while hasty and ill-considered steps will exacerbate them.

Thank you to Chair Williams, Board Members Ho, Stein, Thompson, and Botic, the PCAOB staff, and SEC staff, including staff in the Office of the Chief Accountant, the Division of Economic and Risk Analysis, and the Office of the General Counsel. Your passion for high audit quality audits, which are so important to our capital markets, is evident in the work that you do.

Proposed Amendments to PCAOB Rule 3502 Governing Contributory Liability

I do not support the proposed change in the contributory liability standard from recklessness to simple negligence. This change is neither consistent with the requirements of the securities laws, nor necessary or appropriate in the public interest or for the protection of investors.[iv] It could have the unintended consequence of lowering audit quality and could worsen the trend toward fewer talented individuals entering the auditing profession. The more expansive liability standard reverses, without any clear reason for doing so other than “because we can,” the twenty-year old PCAOB decision not to adopt a negligence standard.[v] This decision reflects the PCAOB’s recent emphasis on aggressive enforcement.[vi] When placed in that context, the refusal to limit application of the new contributory negligence rule to multiple instances of negligent conduct is concerning.[vii] When paired with the PCAOB’s stated plan to “aggressively pursu[e] all statutory legal theories for charging respondents,”[viii] assurances that it “intends to deploy its prosecutorial discretion responsibly”[ix] provide little comfort. The PCAOB of course should enforce its rules, but bringing formal enforcement actions should not be the first tool a regulator grabs when deficiencies are identified -- particularly when the conduct at issue is merely negligent.

As many commenters on the PCAOB’s proposal pointed out, this change is unnecessary and could have adverse consequences on audit quality. The PCAOB already can and does pursue individual misconduct under its existing rules. The SEC, state accountancy boards, and audit firms already can respond to individuals’ negligent contributory conduct. The PCAOB interacts often with the SEC’s Office of the Chief Accountant and staff from the Division of Enforcement and can refer any instances of negligent misconduct to the SEC. The PCAOB’s own economic analysis estimates that this change will yield only two or three additional cases for the PCAOB each year.[x] The benefits are therefore likely limited, but the costs are likely to be high because audit professionals could be overcome by risk aversion as they fear being second-guessed by a PCAOB enforcement regime armed with the clarity found only in hindsight analysis. It adds yet one more reason for people to leave or never join the audit profession[xi] or to refuse to take on roles in important areas like quality control. The lower liability standard may be particularly challenging for small and foreign firms. The PCAOB acknowledges that “the amendment could lead some firms to exit the issuer audit market,” but rather than seriously grapple with this potential cost, the PCAOB instead looks forward to a “landscape . . . characterized by a higher concentration of more capable and compliant audit firms” as an outcome that mitigates “the negative impacts on the competitive landscape.”[xii] The PCAOB should work with audit firms to improve quality, rather than seek to clear the landscape of all but the biggest firms.

I have some questions:

  1. Several commenters questioned the PCAOB’s authority to adopt this amendment. The Commission’s order affirms the PCAOB’s authority under Sections 103 and 105 of Sarbanes-Oxley. The PCAOB also cites another provision as authority—the Sarbanes-Oxley directive that “[t]he rules of the board shall . . . provide for the operation and administration of the Board, the exercise of its authority, and the performance of its responsibilities under this Act.”[xiii] That provision seems inapt and, if used as authority for a rule like this one, potentially eviscerates any limits on the PCAOB’s authority. What are the limits to the PCAOB’s authority under Section 101(g) of Sarbanes-Oxley?
  2. How will this new negligence-based liability standard interact with what one commenter described as the PCAOB’s shift away from principles-based and toward rules-based standard-setting?[xiv]
  3. The PCAOB acknowledged that this rule and the quality control standard that the PCAOB recently finalized “could overlap to cover the same conduct in some circumstances” and explained the value of “the potential to be held individually liable for contributory negligence [which] may increase the amount of care and attention dedicated to QC by responsible individuals.”[xv] Are you concerned that this change in the liability standard could cause some people to avoid taking on quality control roles, particularly with a new and unfamiliar quality control standard potentially coming into effect?
  4. The PCAOB insists that it is not planning to use the standard to go after junior auditors, but one of the PCAOB’s arguments in favor of the rule change is that “the market-driven consequences relating to the auditor reporting model and identification of auditors on Form AP are felt primarily (if not exclusively) by the engagement partner on an audit, while Rule 3502 applies more broadly.”[xvi] Are you concerned that this rule could dissuade people from entering the audit profession because they will fear that an early career misstep could be the basis for a PCAOB enforcement action?
  5. After this change takes effect, in what types of self-protective behavior might associated persons engage to avoid being charged with contributory negligence, and how might such self-protective conduct undermine the collaborative nature and efficiency of audits?
  6. The PCAOB explained that “an increase in the number of regulators on alert for the same or similar violative conduct increases the likelihood of that conduct being detected and, consequently, the likelihood that the conduct would be sanctioned.”[xvii] Although it does not currently have the ability to bring negligence-based charges against individuals, the PCAOB nevertheless should be on the lookout for such conduct since it can make referrals to the SEC.
    1. How frequently has the PCAOB over the past two decades referred negligence-based misconduct by individuals to the SEC?
    2. In how many of those instances has the SEC declined to bring a negligence-based secondary liability charge?
  7. As one commenter noted, when the SEC brings negligence-based cases, it typically also brings a case under Rule 102(e) of the SEC’s Rules of Practice. For that rule to apply, there must be either “repeated instances of unreasonable conduct” or “a single instance of highly unreasonable conduct,” which means “higher than ordinary negligence but lower than the traditional definition of recklessness.”[xviii] Will the PCAOB be bringing cases that the SEC would not since the SEC in practice has not pursued instances of simple negligence?
  8. I appreciate the PCAOB’s assurances that it does not intend to use this new liability standard “to sanction isolated, good-faith errors in professional judgment,”[xix] but how do we ensure that the PCAOB does not use this lower standard to look through the unforgiving lens of hindsight to punish a well-intentioned auditor for her work on a highly complex and collaborative audit engagement that entailed judgments about which reasonable minds can disagree?

AS 1000, General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB Standards

I support this new auditing standard, which, in the words of the PCAOB, “reaffirm[s] the general principles and responsibilities of the auditor so that the foundation underlying our standards continues to be sound and appropriate for performing high-quality audits.”[xx] Undergirding my support is an expectation that the PCAOB will stand ready to provide guidance, answer questions, monitor for issues during implementation, and conduct a post-implementation review. The new standard, by modernizing, and consolidating a group of interim standards adopted at the PCAOB’s inception, should facilitate compliance and strengthen audit quality.

The adopting release is helpful in setting the basic parameters within which auditors operate. It reaffirms that the auditor’s fundamental obligation is to protect investors through the preparation and issuance of independent auditor’s reports. While this language does not change auditors’ obligations, it places appropriate emphasis on the investor. AS 1000’s shortening of the time period within which auditors must complete their workpapers also should be protective of investors. The PCAOB worked to balance principle-based standards with specificity in response to commenters’ questions.

Commenters also were generally supportive of AS 1000 but underscored the need for implementation guidance and post-implementation review. I have some questions:

  1. One commentator opined that “The adoption of AS 1000 is expected to have a profound impact on the auditing profession.”[xxi] Do you agree? If so, what do you anticipate being the biggest changes resulting from this standard?
  2. The adopting release states that auditors should pay attention to guidance, whether included in an adopting release or staff guidance, but that such guidance is not binding.[xxii]

Did the PCAOB put all guidance intended to be authoritative in the standard itself as opposed to in the accompanying release?

  1. Our order states: “For audits of stub periods, we believe the effective date of the document completion requirement is clear. Nevertheless, we encourage the PCAOB staff to consider the need to provide additional guidance which could be useful to firms.” What is the effective date of the document completion requirement for stub periods?
  2. The standard requires auditors to critically assess “audit evidence and other information that is obtained to comply with PCAOB standards and rules.”[xxiii] AS 1105 governs the critical assessment of audit evidence, but what standard applies to the critical assessment of other information that is obtained to comply with PCAOB standards and rules?
  3. This standard is applicable to audits of broker-dealers, but the adopting release barely mentions broker-dealer audits. Did the PCAOB adequately consider unique issues related to broker-dealer audits?
  4. At the open meeting adopting this standard, one of the PCAOB economists acknowledged the assistance of the SEC in preparing the economic analysis. What was our contribution to the analysis? What does the statute require of us and the PCAOB when it comes to performing an economic analysis?

Amendments Related to Aspects of Designing and Performing Audit Procedures that Involve Technology-Assisted Analysis of Information in Electronic Form

I support, albeit with reservations, today’s amendments to the PCAOB’s standards on Audit Evidence and The Auditor’s Responses to the Risks of Material Misstatement. These amendments should help to guide auditors as they increase their use of technology-assisted analysis of information in electronic form. These amendments should help to alleviate the uncertainty that has led to different practices across firms and has kept some firms from using data analytics. This standard is a good start, and I look forward to the PCAOB’s continuing efforts to provide regulatory clarity around how auditors can use—and respond to their clients’ use of—new technologies, including artificial intelligence and blockchain.

While these amendments provide clarity about the use of technology, the associated burden on auditors and their clients is unclear. This standard could be very expensive. The ambiguity around the cost of these amendments flows from how the standard was drafted coupled with questions about how it will be implemented. Our approval order addresses some of the concerns raised by commenters and “encourage[s] the PCAOB to provide further implementation guidance” affirming the acceptability of a risk-based approach. I still have some questions:

  1. Have you discussed with the PCAOB its plans with respect to developing implementation guidance, working with firms on implementation, setting up a mechanism for consulting on implementation questions, monitoring implementation, considering how this standard interacts with other forthcoming standards, and conducting a retrospective assessment of the costs and benefits of these changes?
  2. The final amendments require auditors, among other things, to “evaluate whether external information provided by the company in electronic form and used as audit evidence is reliable by “testing the information to determine whether it has been modified by the company and evaluating the effect of those modifications; or testing controls over receiving, maintaining, and processing the information (including, where applicable, information technology general controls and automated application controls)” and explains that such information includes “cash receipts, shipping documents, and purchase orders.”[xxiv] Given that this language sounds very expansive, commenters struggled to understand whether the amendments are truly risk-based. I would like to get your reaction to some of their concerns:
    1. Must “the auditor, in all circumstances and without regard to the auditor’s assessment of risk, . . . perform specific procedures to determine whether or not any intentional or unintentional modifications have been made to information a company receives from external sources and provides to the auditor in electronic form”?[xxv]
    2. Must an auditor look at the non-electronic source document? What if no hardcopy exists because “a purchase order [was] sent to the company in the form of a PDF attachment in an email or [was] submitted through an electronic portal), or the hardcopies themselves may routinely be digitized and discarded upon receipt”?[xxvi] Or does an auditor have to “test each piece of information received in electronic form by obtaining a copy of the electronic information directly from the original source of the external information”?[xxvii]
    3. An auditor may test controls instead of testing information, but the release states that “[c]ontrols over processing the information would include internal controls over any modifications made by the company to the information.”[xxviii] What is the significance of “any,” which was added at the adopting stage?[xxix]
    4. “If the company did not explicitly identify a risk of material misstatement related to the risk of modification . . . of the electronic information,”[xxx] does the auditor have to demand the company implement effective internal controls?
  3. In setting the effective date for this standard, did the PCAOB take into account work that auditors will need to do to incorporate elements of other standards that were recently adopted or proposed? For example, one commenter noted that “the PCAOB’s proposed amendments to AS 2301, The Auditor’s Responses to the Risks of Material Misstatement (specifically, new paragraph .40A), which are part of the PCAOB’s proposal to replace extant AS 2305, would create significant new implementation challenges for both issuers and auditors by broadening the scope of evidence subject to AS 1105.10A(b)’s prescriptive requirements.”[xxxi]
  4. Will companies need to implement or formalize controls or processes around information received from one or more external sources, which auditors will then need to check for appropriate design and implementation? If so, does applying the standard to audits of financial statements for fiscal years beginning on or after December 15, 2025 give companies enough time?

[i] See PCAOB Spotlight: Staff Update on 2023 Inspection Activities at 4 (Aug. 2024), (reporting that “[i]n our 2023 issuer audit inspections, aggregate deficiency rates have continued to increase across all inspection programs, and 46% of the engagements reviewed in 2023 had at least one Part I.A deficiency, excluding broker-dealer audit inspections,” but noting “Signs of ‘Leveling Off’ at the Largest Firms” and that “Outliers Heavily Influence Averages”) (footnote omitted), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-update-2023-inspection-activities-spotlight.pdf?sfvrsn=2afb0f25_2.

[ii] See, e.g., Chair Erica Y. Williams, Press Conference Remarks: The PCAOB Will Not Tolerate Cheating, PCAOB (Apr. 10, 2024), (“This Board set a goal to strengthen PCAOB enforcement, and we are doing just that. As of today, the PCAOB has imposed $34 million in penalties this year alone, and it’s only April. We set a record in 2022. We broke that record in 2023. And we are breaking it again today.”), available at https://pcaobus.org/news-events/news-releases/news-release-detail/chair-williams-press-conference-remarks-pcaob-will-not-tolerate-cheating; Chair Erica Y. Williams, Remarks at CII Fall Conference (Sept. 22, 2022), (“[T]his Board is approaching enforcement with a renewed vigilance. . . . [W]e intend to use every tool in our enforcement toolbox and impose significant sanctions, where appropriate, to ensure there are consequences for putting investors at risk and that bad actors are removed. This includes substantial monetary penalties and significant or permanent individual bars and firm registration revocations.”), available at https://pcaobus.org/news-events/speeches/speech-detail/pcaob-chair-williams-delivers-remarks-at-cii-fall-conference.

[iii] The PCAOB’s Strategic Plan for 2022-2026 outlines its commitment to “one of the most ambitious standard-setting agendas in the organization’s history.” Strategic Plan 2022-2026 at 10, PCAOB (Nov. 18, 2022), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/about/administration/documents/strategic_plans/strategic-plan-2022-2026.pdf?sfvrsn=b2ec4b6a_4. See also Chamber of Commerce Comment Letter on Quality Control at 12 (July 15, 2024) (“The pace of PCAOB standard-setting and rulemaking, under short/condensed comment periods, compromises both due process and the quality of the resulting standards and rules.”), available at https://www.sec.gov/comments/pcaob-2024-02/pcaob202402-490483-1408586.pdf; Statement of Board Member Duane M. DesParte (June 6, 2023) (“Stepping back, this project is one of 14 on our ambitious standard-setting agenda. Each of the projects is significant. As we proceed one-by-one, I am increasingly concerned we are establishing new auditor obligations and incrementally imposing new auditor responsibilities in ways that will significantly expand the scope and cost of audits, and fundamentally alter the role of auditors without a full and transparent vetting of the implications, including a comprehensive understanding of the overall cost-benefit ramifications.”), available at https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposal-to-amend-pcaob-auditing-standards-related-to-a-company-s-noncompliance-with-laws-and-regulations-and-other-related-amendments.

[iv] The approval standard for PCAOB rulemaking is in Section 107(b)(3) of the Sarbanes-Oxley Act of 2002, , 15 U.S.C. § 7217(b)(3): “The Commission shall approve a proposed rule, if it finds that the rule is consistent with the requirements of this Act and the securities laws, or is necessary or appropriate in the public interest or for the protection of investors.”

[v] See PCAOB Adopting Release Ethics and Independence Rules Concerning Independence, Tax Services, and Contingent Fees, PCAOB Release No. 2005-014, at 12-13 (July 26, 2005) (rejecting the proposed negligence standard in favor of a recklessness standard, which “strikes the right balance in the context of this rule”), available at https://pcaobus.org/Rulemaking/Docket017/2005-07-26_Release_2005-014.pdf.

[vi] Compare PCAOB Strategic Plan 2022-2026 at 8, 13, supra n.3 (touting the PCAOB’s commitment to “[a]ssertive enforcement [actions] and meaningful sanctions,” announcing a “focus[] on aggressively pursuing all statutory legal theories for charging respondents and remedies available in executing our enforcement program,” and promising to “hold accountable” those who commit “violations that result from negligent conduct”) with PCAOB Strategic Plan 2020-2024 at 7 (Nov. 19, 2020) (committing to “prioritize our enforcement efforts to address those issues that pose the greatest risk to investors and are most likely to deter improper conduct”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/about/administration/documents/strategic_plans/strategic-plan-2020-2024.pdf?sfvrsn=776073d3_4. See also Comment Letter to PCAOB by Accounting Professors, at 1, 4 (Nov. 2, 2003) (“[T]he proposal reflects a fundamental shift in the PCAOB’s approach to regulatory oversight, moving away from a supervisory approach and towards an enforcement approach. . . . [A]cademic research suggests that the PCAOB enforcement resources would be most effective when reserved for excessive auditor misbehavior that has resulted in actual investor harm or that threatens the PCAOB’s regulatory oversight.”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/053/12_jdk.pdf?sfvrsn=3596acf9_4.

[vii] Amendment to PCAOB Rule 3502 Governing Contributory Liability, PCAOB Release No. 2024-008, at 64 (“Rule 3502 Adopting Release”) (insisting on retaining the “optionality” that would allow it “to bring a case that involves a single act of negligence”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/053/2024-008-rule-3502-adoption.pdf.

[viii] PCAOB Strategic Plan 2022-2026 at 8, supra n.3.

[ix] Rule 3502 Adopting Release at 46, supra n.7.

[x] Id. at 44. The economic analysis does not appear to address the question of redundant enforcement authority for the additional cases, and so does not answer whether the incremental value of having the PCAOB, in addition to the SEC and state accountancy boards, vested with authority to bring the cases outweighs the potential costs.

[xi] See, e.g., Board Member Christina Ho, Auditing Challenges and Talent Trends for Public Companies, (May 16, 2024), (“[The ‘accounting talent crisis’] is a topic that I have lost sleep over because a vibrant and resilient U.S. capital market system needs a strong public company accounting profession pipeline. There has been a chronic decline in accounting graduates and CPA candidates since 2016. Most recently, we heard reports that just over 67,000 individuals took the CPA exams in 2022, a historic low over the past 17 years. To put this number into perspective, the number of individuals sitting for the CPA exams has declined by 34% since 2016 when a little over 100,000 individuals sat for the CPA exams. The Wall Street Journal reported in December 2022 that over 300,000 U.S. accountants and auditors have left their jobs in the past couple of years, a 17% decline in industry employment. To top it off, the U.S. Department of Labor’s Bureau of Labor Statistics projected approximately 126,500 openings for accountants and auditors each year, on average. If this alarming trend continues, the U.S. labor market will soon have 50% or more of the accountant openings unfilled each year.”)(citations omitted), available at https://pcaobus.org/news-events/speeches/speech-detail/auditing-challenges-and-talent-trends-for-public-companies.

[xii] Rule 3502 Adopting Release at 62, supra n.7.

[xiii] Sarbanes-Oxley Act of 2002 § 101(g)(1), 15 U.S.C. § 7211(g)(1).

[xiv] Comment by the Pennsylvania Institute of CPAs to the SEC at 3-4 (July 22, 2024), available at https://www.sec.gov/comments/pcaob-2024-04/pcaob202404-492763-1425946.pdf.

[xv] Rule 3502 Adopting Release at 9 and 12, supra n.7.

[xvi] Rule 3502 Adopting Release at 10, supra n.7.

[xvii] Rule 3502 Adopting Release at 10 (emphasis in original), supra n.7.

[xviii] Comment by PricewaterhouseCoopers LLP to the PCAOB A2-A3, (Nov. 22, 2023) (citing SEC 102(e) Release), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/053/6_pwc.pdf?sfvrsn=22a394f8_4.

[xix] Rule 3502 Adopting Release at 19 (emphasis in original), supra n.7.

[xxi] Taking a Closer Look at the New PCAOB Standard AS 1000, Thompson Reuters Tax & Accounting (May 16, 2024), https://tax.thomsonreuters.com/blog/taking-a-closer-look-at-the-new-pcaob-standard-as-1000/.

[xxii] Adopting Release at 48 (“Apart from the PCAOB auditing interpretations referenced in paragraph .15, the PCAOB also supports the implementation of and compliance with its standards in many other ways, including providing guidance in rulemaking releases that accompany standards, amendments, or rules, or issuing staff guidance. Although there is no requirement to follow these guidance documents, we continue to believe that it is important for auditors to pay attention to such guidance, if relevant, when conducting an audit in accordance with PCAOB standards because it may help the auditor understand and comply with complex provisions of those standards or rules.”) (footnote omitted).

[xxiii] AS 1000.11.

[xxiv] AS 1105.10A(b) and note 3B.

[xxv] Comment Letter from PricewaterhouseCoopers to SEC, at 1 (July 23, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-493823-1431206.pdf.

[xxvi] Comment Letter from PricewaterhouseCoopers to SEC, at 4 (July 23, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-493823-1431206.pdf.

[xxvii] Comment Letter from RSM US LLP to SEC, at 1 (July 23, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-493803-1431126.pdf.

[xxviii] Adopting Release at 30 (emphasis added).

[xxix] Comment Letter from Center for Audit Quality to SEC, at 3 (July 23, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-493483-1428986.pdf.

[xxx] Comment Letter from KPMG to SEC, at 2 (July 23, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-493883-1431266.pdf (emphasis in original).

[xxxi] Comment Letter from Ernst & Young LLP to SEC, at 1 (Aug. 12, 2024), https://www.sec.gov/comments/pcaob-2024-003/pcaob2024003-505515-1472962.pdf.

Last Reviewed or Updated: Sept. 20, 2024