Late summer/early fall brought further PCAOB commentary, offering insight into the direction of the PCAOB’s permanent inspection proposal, which is expected by the end of 2016. On August 18, 2016 the Public Company Accounting Oversight Board (“PCAOB”) issued its annual report on the interim inspection program related to audits of broker-dealers (the “Fifth Report”), and conducted a forum for auditors of broker-dealers (the “Forum”) on September 24, 2016 in Jersey City, NJ. The Fifth Report disclosed many of the same recurring deficiencies that were noted in the previous four reports, and the Forum provided additional insight on the PCAOB’s thought process.
The PCAOB gives auditors substantial feedback on their audits through its interim inspection program, the annual interim inspection reports (2012-2016), staff inspection briefs, various industry forums, and staff guidance. Auditors use this feedback to improve their audits and design audit procedures that both address the appropriate risks of material misstatement and meet the PCAOB auditing standards (in effect since June 2014). If an audit is not performed in accordance with these standards, the consequences can be both dire and costly.
At a recent meeting with the PCAOB and the SEC in Washington, D.C., this author led a contingent from the New York State Society of Certified Public Accountants Stockbrokerage Committee to discuss industry issues from the auditors’ and FINOPS’ perspective. At the meeting, the PCAOB reaffirmed that deficient audits can cause the need for a re-audit, a recall of the issued report, and even referrals to regulators, namely the SEC and FINRA.
The PCAOB and SEC representatives also stressed that accurate financial reporting is management’s responsibility. The meeting further demonstrated that regulators continue to seek input from all constituencies to develop well-rounded context and perspective from various stakeholders.
The Fifth Report
The sample size for this year’s inspection was 75 firms and portions of 115 broker-dealer audits. A deficiency was noted in 77% of the inspections, down from 87% from the previous year’s inspection. On a somewhat positive note, the percentage of those audits that had independence findings was 7%, down from 25% in 2015.
This article focuses on the areas of significant or troublesome deficiencies, including independence (7%), revenue (70%), fair-value measurement (44%), risks of material statement due to fraud (42%), and engagement quality review (57%). Several other areas that noted deficiencies also were discussed in the report, including net capital, exemption and compliance reports, and related parties (note that the comments in the Fifth Report regarding related party audit procedures are based on AU Sec. 334, rather than the new related parties auditing standard [AS 2410, formerly AS 18]).
The PCAOB and SEC continue to bring independence sanctions against auditors of broker-dealers, although the rate of deficiencies has improved, as noted above. SEC Rule 17a-5 requires that an auditor must be independent in accordance with Rule 2-01 of SEC Regulation S-X. Currently, certain carve outs exist under PCAOB standards for non-issuer broker-dealers. The carve outs include partner rotation and the ability to perform tax compliance services for those in financial reporting roles.
At the Forum, Kevin Stout, SEC Senior Associate Chief Accountant, noted that although the SEC is encouraged that independence has improved somewhat, he cautioned auditors, reminding them that Rule 2-01 includes considerations regarding circumstances that may place auditors in the position of auditing their own work, or situations in which an auditor’s acting in a management capacity (or in an advocacy role) would impair independence.
The regulators also confirmed that the conversion from GAAP-based to cash-basis financials to prepare the tax return is allowed. In addition, the regulators reminded auditors that although editorial suggestions to clarify client-prepared disclosures are allowed, and publicly available educational materials can be supplied to the client, it is paramount that the auditor not be the decision maker in the financial reporting process, either in fact or appearance.
On September 15, 2016, the PCAOB announced sanctions on three accounting firms that prepared financial statements and accounting records for the client. Per the PCAOB, the accounting firms performed the following prohibited services: calculation of the tax provision; preparation of journal entries; preparation of report and cash flow statements, including footnotes; input of client trial balance into firm software to prepare statements; aggregation and disaggregation of line items; data entry; and maintenance of sub-ledgers for fixed assets and depreciation. One accounting firm even noted “prepare financial statements” as an audit step in its audit program. In another instance, the accounting firm hired a bookkeeper to prepare the books and records of the broker-dealer, and paid a fee to that bookkeeper from the fees it charged the broker-dealer. Obviously, the accounting firms involved either were not educated about, or chose to ignore, rules that have been in existence for many years.
The PCAOB states that among continuing issues in the inspections, when testing revenue the auditor did not test all of the material classes of revenue, “did not sufficiently test controls to support their reliance on controls to reduce their substantive testing, and did not appropriately design and perform sampling procedures to test revenue transactions.” These comments should cause the auditor to consider whether adequate testing of income streams has been considered, as aggregated income line items may have different characteristics (and risk assessments) that warrant further consideration. Another consideration is whether controls are sufficiently designed to enable the auditor to reduce substantive testing. When using sampling, the auditor must ensure that all items in the population have a chance of being selected, and that specific time periods or amounts do not limit sampling.
Another issue regarding revenue is auditing the information produced by the service organizations (AS 2601). When an auditor relies on controls at the clearing organization, the auditor must follow several procedures. First, the auditor must test the operating effectiveness of the complementary user entity controls (“CEUC”) as noted in the SOC 1 report, and consider whether further testing of the service organization’s controls is necessary. If a sub-service organization is mentioned in the SOC 1 report, the auditor must consider that provider’s CEUCs. At the Forum, the PCAOB also noted that based on the risk assessment of the area being audited, when the period covered by the SOC 1 report does not coincide with the audit period, the auditor should perform substantive testing for that stub period (above and beyond requesting and receiving a “bridge letter” from the service organization). The effect of the above could conceivably make the auditor conclude that additional procedures and increased testing are necessary.
Deficiencies in this area center on two points: first, the auditor’s failure to understand the broker dealer’s process for fair-value measurement, and second, the testing of fair value. In the first instance, a description of the methodology is not sufficient. The auditor must consider the inputs used in the valuation, including how they were obtained, and whether they can be verified and tested, etc., all of which are essential in gaining comfort in the fair value. In the testing of fair value, the PCAOB noted that in some instances the auditor tested fair value by using the clearing broker’s confirmation, and did not consider any additional procedures. At the Forum, a point was made about the auditor’s failure to validate adequately the disclosures of the fair-value hierarchy, including those of Level 1 securities.
Risks of Material Misstatements
The PCAOB notes in the Fifth Report, “When identifying and assessing the risks of material misstatement due to fraud, the auditor should presume that there is a fraud risk, and evaluate which types of revenue, revenue transactions or assertions may give rise to such risks”, or document the reasons why no fraud risk exists. The presumption is that revenue recognition is always a fraud risk. If that is not the case, the auditor must document the reasons supporting that conclusion. Additionally, the auditor must identify fraud risk and address management override of controls. Journal-entry testing should be designed to identify controls in place. The timing of testing should include not only year end, but also the period under audit, as the population for the entire period must be considered.
Engagement Quality Review (“EQR”)
The engagement quality review process is, in many cases, the last step an accounting firm uses to ensure a quality audit. The Fifth Report also noted that for seven of the engagements selected, an EQR was not performed. This was quite surprising, as this was the second year of auditing under PCAOB standards, and it is a significant difference from auditing under AICPA standards. The PCAOB’s comments in this area centered on the insufficient review of the engagements. Besides reviewing the report and work papers that are essential in developing an opinion, the EQR’s responsibilities include evaluating the audit response to identified risks; reviewing for compliance regarding independence; and reviewing the engagement-completion document. The pertinent areas of the EQR’s review can be accomplished with the diligent completion of an EQR checklist, and substantiating that those procedures were indeed performed. It is essential that the EQR have the expertise and knowledge to perform its responsibilities in accordance with the standards.
Broker-Dealer’s Auditor Landscape
Auditor selection continues to be a serious exercise for the broker-dealer. Judging from the statistics released in the Fifth Report, which reaffirmed the previously issued inspection reports, many firms may view the risk of auditing a broker-dealer to be too high, as standards require a broker-dealer to be audited similarly to that of an issuer with certain carve outs. Resource constraints and the lack of expertise required also could be reducing the number of broker-dealer auditors. The Fifth Report noted its audit inspections showed 541 audit firms audited 3,958 broker dealers in 2015, down from 800 firms that audited approximately 4,400 broker-dealers in 2012. Further market contraction may result, as 199 firms audit only one broker-dealer. The PCAOB also noted the correlation between those firms that audit more broker-dealers and issuers and the lower deficiency rate in those firms’ audit inspections. Many smaller firms still have not been inspected, which could further affect the market.
Forum for Auditors of Broker Dealers
The Forum had a related-party transactions panel that presented the concerns the FINRA and the PCAOB had regarding such transactions.
Ann Duguid, Director of Regulatory Development at FINRA, noted that FINRA continues to focus on related-party transactions. A key question FINRA considers is whether related-party transactions are put in place to manipulate the broker-dealer’s capital. Ms. Duguid also pointed to the guidance in FINRA Notice to Members No. 03-63 (the “Notice”) regarding the recording of expenses and liabilities by the broker-dealer. The Notice provides insight into FINRA’s position and thought process, and should be a valuable guide to broker-dealers in considering how they account for related-party transactions.
Kate Ostasiewski, Lillian Ceynowa, and Mike Walters of the PCAOB also led a discussion on related-party transactions (both on the panel and via a case study). The deficiencies noted were related to AU Sec 334; however, broker-dealers and auditors should be aware of the strengthened requirements under AS 2410. Some key items the auditor should consider:
- Has the auditor obtained an understanding of the related-party transactions (including executive compensation)? Has the auditor discussed the related-party transactions at the “right” levels? Oftentimes, FINOPs at the broker-dealer may not be privy to all of the context and business reasoning behind transactions. Additionally, inquiry of the Compliance Officer should be considered.
Ms. Ostasiewski stated that in the PCAOB’s inspection process it has noted:
- Auditors did not consider whether the expense allocation to the broker-dealer was reasonable and valid.
- The auditor relied on controls for related-party transactions, but did not test these controls.
- The auditor did not identify related-party transactions (or entities) that were noted in the board minutes of the broker-dealer.
In addition, the Forum included regulators’ discussion of concerns regarding transfer of customer funds to nonregulated entities, and that proper reporting (Compliance or Exemption Report and regulatory approval) should be documented if there is a deviation from the expected report.
The PCAOP staff expects to put forth to the PCAOB a detailed, permanent inspection plan proposal for broker-dealers by the end of 2016. The Board will review the plan and potentially issue a proposal for comment, or ask the staff to revise the proposal. If the proposed inspection plan is presented to the public for comment, once the comments are received, the PCAOB will consider any changes to the proposal, and then move to set a final, permanent inspection program that is approved by the PCAOB, but subject to SEC approval. The SEC will then review and approve the inspection program, or may also issue it for comment to the public. It is unclear how long it will take for the permanent inspection program to be in place; however, it is important that auditors and broker-dealers give input to the Board’s and SEC’s proposals, as the permanent inspection program could have a sizable effect on the industry in terms of cost, frequency of inspection, potential carve outs, and, ultimately, audit quality.