Supercharging PCAOB Enforcement May Encounter Some Speedbumps

On September 22, Public Company Accounting Oversight Board Chair Erica Williams addressed the Council of Institutional Investors Fall Conference. In her remarks, Chair Williams announced that the Board intends to ramp up the use of its enforcement powers and to approach enforcement “with a renewed vigilance.” To underscore the point, she added that “we intend to use every tool in our enforcement toolbox and impose significant sanctions, where appropriate, to ensure there are consequences for putting investors at risk and that bad actors are removed. This includes substantial monetary penalties and significant or permanent individual bars and firm registration revocations.”

Where will these new cases be coming from? Chair Williams suggested that the Board’s inspection program will be an important source. “We are expanding our case identification process. We are strengthening the process for our inspections team to refer potential violations they find for investigation and enforcement.”

Chair Williams is certainly correct that strong enforcement encourages compliance with PCAOB standards and is key to investor protection. But there are some barriers built into the Sarbanes-Oxley Act that may limit what the Board can accomplish through enforcement, no matter how much it wants to dial up its efforts. And there is a risk that more closely linking the inspections and enforcement programs could backfire.

Structural Limits

Two features of SOX — the mandatory secrecy of PCAOB disciplinary litigation and the requirement to “coordinate” with the SEC — operate as checks on the scope of PCAOB enforcement.

First, SOX requires that PCAOB enforcement actions be non-public until the conclusion of the case — and, if the PCAOB loses, that the case remain non-public forever. Non-public proceedings encourage delay, discourage settlements, and deprive the public of a real-time understanding of the kinds of auditing lapses that the board believes require sanctions. In the past, the PCAOB has asked Congress to amend the law and make PCAOB enforcement actions — like SEC enforcement actions — open to the public, beginning with the decision to bring a case. However, the Board has not renewed these requests since at least 2016. (In contrast, SEC Chair Gensler has recently expressed support for such legislation.)

As long as the PCAOB’s cases are non-public, there will be an incentive for those it charges to litigate, rather than settle. Moreover, asking for high penalties and permanent bars — things Chair Williams stresses — also incentivizes litigation. From the defendant’s point of view, even if the risk of prevailing is slim, it is worth the cost, and, in any event, litigation delays the day of reckoning. But, for the PCAOB, litigating cases, especially those based on negligence or other less-than-egregious circumstances, is risky, time consuming, and expensive — and limits the number of cases the Board can actually pursue. Congress should change the law to make PCAOB proceedings public, but, until it does, the Board’s enforcement program will have one hand tied behind its back.

Second, SOX requires the Board to notify the SEC whenever a PCAOB investigation involves a violation of the securities laws and to coordinate with the SEC’s Division of Enforcement. In practice, cases involving audit failures also involve securities law violations, and “coordination” is likely to mean that the SEC’s staff will insist that it, not the Board, handle cases that involve substantial investor harm or that are otherwise nationally significant.

Two recent SEC enforcement cases may to be examples. On September 29, the SEC charged Deloitte Touche Tohmatsu (Deloitte-China), with failing to comply with U.S. auditing requirements in its component audits of U.S. issuers and its audits of foreign companies listed on U.S. exchanges. The following day, the Commission charged RSM US LLP and three employees with improper professional conduct for failing to properly audit a company’s financial statements over a four-year period. Both cases are based on violations of the PCAOB’s auditing standards.

These cases involved serious audit failures and made national headlines. Both could have been brought by the Board; indeed, the Deloitte-China order reveals that the SEC learned of the violations from the PCAOB after Deloitte-China brought them to the Board’s attention. Both may also illustrate that the PCAOB’s enforcement program is likely to be relegated to cases involving smaller firms or more technical violations of Board rules. Because of their overlapping jurisdiction, coordination between the PCAOB and the SEC’s Division of Enforcement would likely exist even without the statutory requirement. But the statute makes that a certainty.

Inspections and Enforcement

There are also reasons why the PCAOB’s inspections program may not turn out to serve as a major source of leads for a more activist enforcement effort.

Of course, inspections do occasionally uncover serious audit failures, and it makes sense that those would be referred to PCAOB enforcement. But the great majority of inspection findings, while technically involving violations of the auditing standards, do not rise to that level. It would not be feasible to pursue most inspection deficiencies as enforcement matters. Even if it were feasible, doing so could be counterproductive.

Tom Riesenberg and I addressed this issue in our 2019 post Would Auditing Improve If the PCAOB Brought More Enforcement Actions? As we pointed out there, applying the PCAOB’s standards in an audit requires considerable judgment, and it is not necessarily the case that most inspection deficiency findings could be persuasively repackaged as a basis for sanctions in litigation. The inspection staff does not seek to compile the kind of record to support its findings that would be necessary at a trial. As we also noted, if enforcement action were a probable consequence of an inspection deficiency, firms would likely conclude in many cases that the best course was to challenge the inspectors on all but the most obvious deficiencies. That would, at best, bog down the process and slow the issuance of inspection reports.

One of the reasons the inspections program has been successful in improving audit quality is that the firms have generally cooperated. Today, even if a firm privately believes that an inspection finding merely reflects a difference in professional judgment between the engagement team and the inspectors, the best course for the firm typically is to accept the finding and take steps to change its procedures and train its staff to avoid a similar finding in subsequent inspections. The result has been that the inspection program has driven steady improvement in audit quality over the years the Board has been operating.

If auditors think that each time an inspection results in a deficiency finding there is a real risk of an enforcement referral, the inspection process will become more adversarial and arm’s length. The incentives to accept the Board’s findings and concentrate on remediation will be replaced by incentives to reject the findings and concentrate on defending the audit. It is hard to see how that dynamic would improve audit quality or benefit investors in the long run.

* * *

The PCAOB should of course have a vigorous enforcement program. But the law under which it operates may not be conducive to the kind of high-volume, high-profile cases that some of the Board’s critics would like to see. And, more importantly, the PCAOB’s fundamental mission is to improve audit quality, not to conduct litigation. In some situations, more cases may not translate into better auditing. The Board needs to be judicious in deciding when use of its enforcement powers is consistent with improving audit quality and when progress can best be made through inspection and remediation efforts.