The promise of the Sarbanes-Oxley Act was simple: the accounting profession could no longer be trusted to grade its own homework.
Two decades on, after the collapse of Arthur Andersen, a quiet retreat is underway. Driven by shifting political winds and fanned by lobbying efforts of the Big Four, the Public Company Accounting Oversight Board (PCAOB) is falling victim to “regulatory capture” - a phenomenon where the regulators begin to serve the very industry they are meant to police.
The capital formation mandate I wrote about in my first article has provided the perfect cover for this pivot. With the appointment of Paul Atkins as SEC Chair, the directive is clear: rein in the watchdog. However, the evidence suggests that the PCAOB began wavering on its mission well before the most recent change in leadership.
Reversion to a broken model of oversight
Take, for example, the PCAOB’s backslide on its Quality Control Standard 1000 (QC1000). The standard requires firms to monitor their audit operations, a baseline health check for any professional service. Yet in a move that mirrors the failed self-regulatory model of the 1990s, audit firms will decide for themselves “what to monitor” and define their own “reasonable levels of performance”. In its simplest form, the audit firm’s report under QC1000 is a confidential self-evaluation submitted only to the PCAOB.
Not only has the fox been handed the keys to the henhouse, the fox now decides how many missing hens constitute a ‘reasonable success’.
The PCAOB was created specifically to replace the honor system with independent oversight. By granting firms the autonomy to set their own bar, the bitter irony is that the PCAOB has adopted the very posture that necessitated its own creation.
The threat of EPM’s transparency
If QC1000 is the PCAOB’s tool for internal accountability - requiring firms to evaluate and privately report their system effectiveness - then Firm and Engagement Performance Metrics (EPM) was the tool for market accountability, designed to provide investors and audit committees with the objective data that could be used to differentiate between firms.
EPM was a separate regulatory initiative that acknowledged audits are not widgets stamped out with perfect uniformity and tried to address the issue of quality objectively. What the EPM effort showed was that the proxy indicators proposed touched too raw a nerve for public consumption.
Had the initiative been approved by the SEC as originally crafted by the PCAOB, it would have exposed the realities of the large audit firm staffing model that are not conducive to audit quality (due to heavy workloads, high turnover, and low year-over-year continuity of professionals at the engagement level). The metrics ultimately advanced by the PCAOB to the SEC for approval were:
- Partner and manager involvement: The hours worked by senior professionals relative to junior staff at both the firm and engagement levels.
- Workload: Average weekly hours worked by senior professionals on a quarterly basis to monitor for burnout.
- Training hours: Average annual training hours for partners, managers, and staff (added after the initial proposal).
- Experience of audit personnel: Average number of years worked at a public accounting firm by senior professionals.
- Industry experience: Average years of career experience senior professionals have in specific industries.
- Allocation of audit hours: Percentage of hours incurred prior to and following an issuer’s year end across the firm’s large accelerated and accelerated filer engagements and on the specific engagement.
- Retention (Firm-level only): Data on the continuity and turnover of senior professional staff.
- Restatement history (Firm-level only): The frequency of past required corrections to financial statements issued by the firm.
Both QC1000 and EPM were intended to work together: one, an internal framework for operating a quality control system, and the other focused on publicly reporting the quantitative results of that system.
When the EPM was under public consultation, the SEC received public comments from 39 unique respondents. The results tabled below are a stark indictment of regulatory capture:

It’s hardly surprising that CPA firms voted against the EPM, but who were the dissenting 12? Not that their vote would have swung the outcome, but it would have been less of a humiliating defeat for investors.
The 12 respondents were the AICPA, the Center for Audit Quality (CAQ), Canadian CAQ, The Small Firm Section of the CAQ, 3 State CPA societies, 2 letters from representatives of academic organizations, the US Chamber of Commerce and 2 consulting firms providing services to audit firms.
None of these respondents saw fit to disclose the economic relationship (and therefore to some extent, dependency on cash flows either directly or indirectly from audit firms) between themselves and the CPA firms. As auditors, we are trained to identify conflicts in both appearance and in fact. Had the 12 respondents made reasonable disclosures of their conflicted interests, I may not have been as discouraged.
Nihilistic defense
The objective of the EPM was to enable audit committees to make more informed auditor appointment and retention decisions. Despite the PCAOB clarifying that the intention was not to define audit quality, the overwhelming response against the standards centered on a specious argument: because audit quality could not be definitively measured, it should not be measured at all.
The real question should have been, “Are audit committees better off with this information than without?”
The EPM standard was a threat because it would have forced firms to compete on quality instead. As former PwC senior partner and SEC Chief Accountant Don Nicolaisen noted: “The firms compete primarily on the basis of cost. That’s been the history of the profession and it has been disastrous for investors and for the firms.”
Oversight without insights
The defeat of the EPM was 18 years in the making, tracing back to the 2007 – 2008 deliberations of the Advisory Committee on the Auditing Profession. Its eventual withdrawal came down to a matter of political timing and the calendar. With days to Trump’s inauguration, the outgoing SEC Chair Gensler was unlikely to approve EPM knowing how strongly opposed the incoming administration would be to it. While the politics are temporary, the structural damage to audit oversight is not.
The Oracle of Omaha’s advice on audit committees from 2002 is as relevant today as it was then: “Audit committees can’t audit,” and the committee “must make sure that the auditors [should] worry more about misleading [the company’s shareholders] than about offending management.” As established by the Sarbanes–Oxley Act, the audit committee is intended to be independent of management and to oversee the external auditor in order to safeguard the auditor’s independence from management.
In reality, committees often defer to management for auditor retention recommendations - a fact that auditors know all too well. This forces auditors into a compromised role: they must be tough enough to ensure quality, but not so tough that they can’t be retained for the next year's contract.
This phenomenon exists only because audit committees have limited visibility into what happens during the audit. SEC Chief Accountant Paul Munter pinpointed this exact risk in 2024, noting that without transparency, committees can end up looking “to protect the interests of the issuer and its management over the interest of investors.”
Munter’s solution was unequivocally clear - that audit committees must use “relevant firm or engagement-level metrics” to ensure that auditors “compete for engagements based on their ability to perform a high-quality audit, with the requisite degree of professional skepticism”.
Less than one month into Trump’s second administration, the PCAOB withdrew its request for the SEC to approve the EPM standard. Rather than suffer a demoralizing “disapproval” by the SEC, I suppose the PCAOB thought to shelve the initiative until a more favorable political and regulatory climate presented a future opportunity for approval. Unfortunately, it may take another Enron / WorldCom calamity or a “Credit Crisis” / Great Recession for that to happen.
A victory of status quo
The standard was hardly perfect, but in a normal regulatory environment, it would have been refined through dialogue, not abandoned.
Investor advocates who supported the EPM - the Council for Institutional Investors, the Chartered Financial Analyst Institute, Consumer Federation of America, the AFL-CIO, the American Association of Retired Persons, three former PCAOB board members who together penned one public comment and yours truly - are now left to lament a generation of stalled progress.
We should also not forget that four out of the five PCAOB board members expressed enthusiastic support for Firm and Engagement Performance Metrics (with George Botic calling EPMs the “democratization of the audit process”), as did the PCAOB’s own independent Investor Advisory Group.
Could we be headed into a Perfect Storm?
In my next article, I plan to explore the hazards of a pendulum swing in the direction of self-regulation. Can we expect the audit firms to stave off the next calamity, or will the audit firms merely show up at the scene of the next train wreck to report, “There has been a train wreck”?






