PCAOB Points to Audit Progress
The head of the Public Company Accounting Oversight Board launched a charm offensive this week, praising audit firms for falling rates of deficient audits and stressing that the PCAOB plays an important role in investor protection. I’m sure Republicans’ anti-PCAOB mood these days was just a coincidence.
Erica Williams, chair of the PCAOB, spoke Wednesday at the annual AICPA conference on public company reporting — a who’s who of the audit and internal control world, where a parade of regulators talk about accounting, audit, and SEC reporting challenges. Williams took the opportunity to say that audit deficiencies, which she scorched in 2023 as “absolutely unacceptable,” are now declining.
“Today I am pleased to stand before you and deliver the news that PCAOB inspectors are seeing significant improvements in the … deficiency rate from the largest firms,” Williams said in her speech. “It appears our staff’s work is bringing about positive change as it is now being reflected in the results of our inspections activities… I urge you not to let this momentum slip away.”
Alas, Williams didn’t offer any specific deficiency rates or other statistics to the crowd. Those numbers won’t come until mid-2025, when the PCAOB publishes its annual review of audit firm inspections. The audits being inspected are the ones performed earlier this year, on companies’ 2023 financial reports.
Why does this matter? Because in the immediate term, pressure that the PCAOB places upon audit firms ultimately flows through to a company’s internal audit or financial reporting team: more demands for evidence, more demands for control testing, more expansive risk assessments, and all the other stuff that drives you crazy.
Those demands have been rising in recent years because the PCAOB kept finding painfully high rates of deficient audits. If deficiency rates are now falling, that means your audit firm is getting better at doing the audit work — and so perhaps those demands, as exasperating as you might find them, are here to stay.
But that brings us to the rest of Williams’ speech.
‘Work to Better Tell the Story’
Williams also spoke extensively about how the PCAOB is trying to make the audit industry better, and more useful to investors and corporate audit committees. For example, she said the agency has made transparency a priority, so that all parties involved understand why the PCAOB’s work is important:
We continue to work to better tell the story behind the inspection reports — what they mean for investors, how firms can improve, and ultimately, how users can better understand the results… Providing audit committees with information as they engage in a robust dialogue with their auditors every step of the way, from auditor selection to completion of each audit, is indeed a method of protecting investors.
Yes, all that Williams says is true at an abstract level; but we’d be remiss if we didn’t consider the political situation swirling around her and the PCAOB right now. The Trump Administration will swoop into town next month, hellbent on looking for ways to curb regulatory activity. The incoming SEC chairman, Paul Atkins, was a critic of the PCAOB when he was an SEC commissioner in the 2000s, and he’s likely to cast a very critical eye at the agency now. So it’s no surprise that Williams is talking up the importance of her agency and all the progress it has made in the three years that she has been there. She wants to protect her legacy and her staff.
We should review the history here. The PCAOB was a deeply dysfunctional agency in the 2010s, especially during the first Trump Administration. That eventually led the SEC to fire four of the five PCAOB board members in 2021; Williams was one of the four new board members who arrived at the start of 2022 to clean things up.
Williams was re-appointed to a second term as chairman this fall, and in theory she should remain at the board until 2029. In practice, it’s quite likely that Atkins will oust her ASAP. (Yes, the SEC chairman can do that.) Then Atkins can name a more audit industry-friendly successor who presumably will relax the challenging inspection regime Williams has overseen.
Will that be good for corporate audit teams? Yes and no. On one hand, a PCAOB that takes a lighter touch to regulating audit firms might result in those audit firms driving you a little less crazy with documentation demands. On the other hand, audit firms will still want to keep raking in those audit fees somehow; so I’m skeptical that lighter oversight on them will magically translate into smaller audit fees for you.
Meanwhile, you might still have weak internal controls that could still explode in your face. Just look at Macy’s and that cuckoo story of a single employee who hid $151 million in shipping expenses. It’s preposterous that a company as large and sophisticated as Macy’s would have internal controls weak enough to allow that to happen, and plaintiff lawyers are already drafting their shareholder lawsuits.
So regardless of any relaxed compliance burden that might arise from the Trump Administration, internal control teams still have lots of financial reporting risks that won’t go away just because the Williams regime does.
Audit Inspection Priorities in 2025
As luck would have it, this week the PCAOB also announced its inspection priorities for 2025. These would be audits that happen early next year, of corporate financial results you’re compiling right now.
Some of those priorities are industry-specific. For example, the PCAOB says it will pay close attention to audits in the banking and real estate industries, because both sectors still have challenges with the value of commercial real estate. The agency will also target IT companies, which tend to have complex revenue-recognition processes and tricky inventory issues since the value of chips and intellectual property can gyrate widely.
The PCAOB also said it will look to inspect audits of companies that have changed their supply chain or logistics operations lately — a criteria that could apply to lots of companies lately as they rush to on-shore their operations to avoid tariffs, sanctions, or other supply-chain risks. Said re-jiggering of your supply chain could stress your controls for inventory (and for inventory fraud), or the impairment of facilities you no longer use.
Even better, the PCAOB will also continue to focus on “audits of public companies with known cybersecurity incidents.” This is a particular peeve of mine because of high-profile cyber incidents like the thousands of companies affected by CrowdStrike’s IT failure earlier this year.
Recall that CrowdStrike pushed out a flawed software upgrade; so every company implementing that flawed patch was guilty of allowing a third party to push a software update without proper testing. That’s a violation of basic IT general controls. Therefore, every company that fell victim to the CrowdStrike disaster should have disclosed a material weakness in its IT general controls, and every audit firm inspecting those IT general controls should issue some sort of qualified opinion. Right? Right?
Yeah, I’m not holding my breath either. The PCAOB did say it will “review the audit firm’s response” to companies with cyber incidents and “how [the auditor] may have modified its audit approach, if appropriate.”
Here’s hoping that effort sticks. Williams has been doing good work so far and it would be a shame to see that progress wither if she leaves.