August each year brings another PCAOB Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers (the “Seventh”). With no clarity on the PCAOB’s direction in proposing a final inspection program since the inspection of August 2017, can this be the year that a permanent program is finally implemented? Maybe or maybe not.
On one hand, the Trump administration has made significant personnel changes at the decision makers – the SEC and PCAOB. During 2017, Jay Clayton was named Chairman of the Securities and Exchange Commission, and in 2018 three new Commissioners rounded out the five-person Board.
In December 2017, five new Board members were appointed to the PCAOB followed by considerable turnover in staff in 2018. The new Board is interested in obtaining formal and informal feedback on the broker-dealer inspection process.
But wait there’s more! The Small Business Audit Correction Act of 2018 was proposed. If enacted, this legislation would exempt most broker-dealers from PCAOB auditing standards, reverting us to the days of auditing under AICPA standards.
Both the House and Senate bills call for those non-custodial broker-dealers, with less than 150 registered persons, in good standing, to be exempt from the PCAOB standards. With Congress back from recess, both bills, H.R. 6021 and S. 3004 may see movement soon. By a vote of 36 yeas to 16 nays in the House Financial Services Committee, H.R. 6021 took one step further in committee where it will be revised and continue to progress though the bill making process.
It is important to review the current inspection report regardless of whether the PCAOB remains in the picture. Many of the comments in the report would be applicable under both PCAOB and AICPA standards. The Seventh was issued on August 20, 2018, with many of the same comments and high deficiency rates found in the preceding six inspection reports. Clients and auditors should discuss the key areas emphasized in the report to understand audit implications of their business activities.
Annual Inspection Report Selection
For the fiscal year ended June 30, 2017, the population consisted of 475 audit firms who audited 3,829 broker-dealers, as compared to 531 audit firms who audited 3,933 broker-dealers for the fiscal year ended June 30, 2016.
Overall, since the initial interim inspection covering the 2011 fiscal year, there has been a downward trend in the number of firms auditing broker-dealers, a decrease of approximately 41%, while the number of broker-dealer filings decreased by approximately 13%. Is regulation and audit risk contributing to contraction?
Source: Data from PCAOB Annual Reports on 2011-2017 Inspections (https://pcaobus.org/Pages/BrokerDealers.aspx)
The PCAOB selection for the Seventh was 75 firms and 116 audits, a consistent sample compared to prior years. The PCAOB selected 7 firms to review randomly and another 68 based on firm characteristics defined in the report, including:
- The number of broker-dealer audits performed
- Whether the firm audits issuers
- Previous history of inspections
- History of the firm or firm personnel in auditing broker-dealers
- Existence of disciplinary actions against the firm or engagement partner.
The PCAOB’s selection process, since the inception of the interim inspection program, resulted in 310 audit firms and 630 audit engagements inspected. Some firms have been inspected multiple times, and a significant number of auditors have not been inspected under PCAOB standards.
Due to the decrease in auditors each year, and some auditing firms being inspected multiple times, it is difficult to ascertain how many firms have not been inspected. The statistics show as of this past inspection year, that there were 157 auditors who audited only 1 broker-dealer, and 280 auditor who audited 2 to 20 broker-dealers. However, during the period that audits have been under PCAOB standards only 59 auditors have been inspected of those who audit only 1 broker-dealer, and 211 audit firms who audit 2 to 20 broker-dealers.
The inspection noted 91% of the firms inspected with a deficiency, down from 97% in the prior year’s inspection.
The engagements inspected had the following rates of deficiency in particular areas, which were consistent with last year.
- Independence (8% from 10%)
- Revenue (73 % from 66 %)
- Risks of material misstatements due to fraud (64% from 57%),
- Engagement quality review (59% from 57%)
Other deficiency areas included net capital, fair value measurement, exemption and compliance reports, and related parties. Interestingly, these deficiencies are similar to those noted in the first interim inspection. The PCAOB statistics show that there is a significantly better deficiency rate for those auditors who audit a greater number of broker-dealers, and who audit issuers.
Clients should discuss with their auditors the results of the auditor’s inspections. Auditors should be able the to perform a quality audit, and the client needs to perform due diligence to ascertain the auditor’s ability to execute. Inquiring regarding various relevant audit quality indicators such as firm leadership, audit experience of the partners and staff, training, workload, the monitoring process, and ability to keep abreast with the ever-changing landscape enables the client to distinguish one auditor from another.
The PCAOB and SEC continue to bring independence sanctions against auditors of broker-dealers. SEC Rule 17a-5 requires that an auditor must be independent in accordance with Rule 2-01 of SEC Regulation S-X.
Currently, certain carve outs exist under PCAOB standards for non-issuer broker-dealers. The carve outs include partner rotation and the ability to perform tax compliance services for those in financial reporting roles. Might these carve outs change in the future?
Considerations where a mutual or conflicting interest may exist, or where the accountant is placed in the position of auditing his or her own work, or acts in a management capacity, or an accountant advocates for the client are all prohibited pursuant to SEC Rule 2-01.
The Seventh inspection revealed, as in prior inspections, instances where the auditor prepared or assisted in the preparation of the financial statements or provided bookkeeping services. While editorial suggestions and educational materials can be supplied to the client, it is important to realize that the auditor is not the decision maker in the financial reporting process. Once again, as in previous years, there was one instance where an engagement letter included an indemnification clause, which is also prohibited.
Independence is essential in the auditing profession. An auditor who performs audits of broker-dealers and is not complying with the independence rules is providing a disservice to the client, as the audit cannot be relied upon, may subject the broker-dealer to re-audit, and the auditor to sanctions. Clients should question the auditing firm as to what systems are in place to monitor independence. Appropriate communication to management regarding independence should occur periodically, at a minimum annually.
The PCAOB points out that the deficiency rate in this area has remained constant at 65% (66% previous inspection).
The PCAOB notes instances where auditors have not properly performed procedures (26%) in accordance with AS 2110, Identifying and Assessing Risks of Material Misstatement. An auditor needs to understand and document an understanding of the client’s revenue streams, and controls over financial reporting, including controls at the service organization such as the clearing broker for any material stream of revenue. Revenue sources that are grouped together in the financial statements, need to be separately analyzed.
For example, if the commission line consists of products which are processed differently, one would have to sufficiently understand and test each material revenue stream. If separate clearing brokers are used for a product, one would also have to understand and test those processes. Other considerations might include a change in personnel where processes may change. It’s important for the auditor to gain this understanding as early as possible, preferably in the planning stages.
Regarding controls with the clearing organization, clients need to establish controls to get comfort that what they are inputting to the clearing broker is being properly captured. Simply accepting what the clearing firm has recorded without procedures in place does not give the auditor comfort that all transactions are being properly recorded.
The Seventh also notes that in a large portion of audits reviewed, 38%, the extent of testing was insufficient, and not in accordance with AS 2301, The Auditor’s Responses to the Risks of Material Misstatements. In addition to the insufficient testing of various revenue streams discussed above, there were instances of insufficient sample sizes, inappropriate samples selected, samples not representative of the population, and remaining material balances left untested.
Much of the cost associated with auditing a broker-dealer is contingent upon the number and processes involved in the revenue steam. Effective planning through understanding of the aspects of the broker-dealer’s business can make the audit more cost efficient and effective, especially when considering the new Revenue Recognition accounting standards. Ineffective planning resulting in insufficient audit procedures can cause the audit to be deficient, which could result in a re-audit and regulatory oversight or action for both the broker-dealer and auditor.
Once again, the PCAOB also found numerous instances where the auditor did not properly evaluate the service auditor’s report (“SOC-1” report). When an auditor relies on controls at the clearing organization with the purpose of decreasing substantive testing, the auditor needs to consider several procedures.
First, the auditor must consider testing the operating effectiveness of the user controls as noted in the SOC- 1 report. If a sub-service provider is mentioned in that report, the auditor must also consider that sub-service provider’s user controls. The PCAOB also noted that where the period included in the service organization report does not coincide with the audit period, the auditor would have to perform substantive work for that uncovered period.
The effect of the above could conceivably make the auditor conclude that substantive procedures and, therefore, increased testing, is the practical approach, and not rely on a service provider’s SOC-1 reports.
Clients who prepare documentation and perform procedures to ensure that they maintain the user entity controls prescribed in their agreement with the service provider protect themselves and their customers. Ensuring that their internal control environment intertwines with the service provider’s control environment enhances their risk management program and heightens the protection of their customers’ assets. In addition, sharing this documentation with the auditors enables the auditors to connect the dots to thoroughly understand the control environment in place at the client.
This understanding is required under PCAOB auditing standards, regardless of whether or not the auditor is able to perform tests of controls that could decrease the amount or type of substantive testing. Always remember, that tests of controls alone are not sufficient audit procedures.
Assessing and Responding to the Risks of Material Misstatements Due to Fraud
This area saw a 64% deficiency rate, compared to 57% last year.
In last year’s inspection report, the PCAOB noted, “when identifying and assessing the risks of material misstatement due to fraud, the auditor should presume that there is a fraud risk.” The presumption is that improper revenue recognition is always a fraud risk. When the auditor concludes that improper revenue recognition is not a fraud risk, the rationale supporting this conclusion must be thoroughly documented.
This year’s inspection commented on how collaboration of others beyond the CEO is essential in identifying and assessing the risks of material misstatement.
The auditor needs to identify fraud risk and address management override of controls. Journal entry testing should include the following considerations:
- Include a sample not only during the year, but at the end of the reporting period
- Comfort that there are controls in place that is not overriding controls
- Perform inquiries of management and document such procedures
- Include test of detail of the journal entry testing
- Design testing to specifically address fraud risks
Clients and auditors need to discuss what keeps the client up at night related to fraud risks. While journal entry testing can shed light on fraud risks, it is imperative for the auditor to go beyond the accounting department. Seeking input from management and non-management personnel from all areas of a broker-dealer, including compliance, trading, and back office operations, diversifies the information the auditor processes during the planning and execution of the engagement.
Engagement Quality Review (“EQR”)
The Seventh noted a 59% deficiency rate existed in EQR review.
The engagement quality review (“EQR”) process is, in many cases, the last control an accounting firm utilizes to ensure a quality audit. While in a few cases there was no evidence of any EQR being performed, a substantial portion of the deficiencies were due to an insufficient review being performed.
The EQR should include reviewing the report and work papers that are essential in developing an opinion, evaluating the audit response to identified risks, reviewing for compliance with independence, and reviewing the engagement completion document. In other words, step into the engagement partner’s shoes and perform a thorough review to gain comfort that sufficient work has been performed to issue an audited report.
The EQR responsibility of challenging the engagement team demands that the person in this role possesses the requisite knowledge, experience, and fortitude to take and maintain a position as deemed necessary.
Clients need to gain comfort that the firm engaged has sufficient expertise and resources to ensure that a qualified EQR will be conducted by a person with the appropriate qualifications, as discussed above in relation to assessing the qualifications of the engagement team. Smaller firms who may not have a suitable in-house partner, or the equivalent, for this role, may need to farm out this function to a qualified individual.
The Audit Landscape, The Future
As the number of qualified auditors continues to shrink, and standards continue to evolve, broker-dealers need to be even more diligent in auditor selection. Further contraction in the number of auditors is certainly possible. If the Small Business Audit Correction Act of 2018 is enacted, resulting in a reversion to AICPA standards, some audit procedures may change the auditor’s work, but most of the auditing principles remain the same, with much of broker-dealer auditing remaining unchanged.
The PCAOB has scheduled its annual Forum for Auditors of Broker-Dealers on November 2, in Jersey City, NJ. The forum brings additional insight on the PCAOB’s thought process and enables attendees to address their concerns.
As we wait to see whether the inspection program will become final or there will be changes in the law, auditors and broker-dealers should be aware that quality audits are important not only to avoid regulatory issues but to maintain high standards in the industry.