In response to numerous perceived audit failures in the USA, the requirement to have audits inspected by a government regulator was established with the passage of the Sarbanes-Oxley Act of 2002 (SOX), which also created the Public Company Accounting Oversight Board (PCAOB) to oversee the audits of public companies. Since then, similar regulators have been established in 54 jurisdictions around the world as evidenced by membership in the International Forum of Independent Audit Regulators (IFIAR). For example, this responsibility was taken on by the Financial Reporting Council in the UK in 2003, the Australian Securities and Investments Commission in 2004, and the Financial Markets Authority in New Zealand in 2012. Collectively, the members of IFIAR have varying audit oversight responsibilities in their own jurisdictions, and inspections are a common and powerful tool for fostering audit quality by the members of IFIAR.
Since the beginning, inspections have generally identified a high rate of findings in inspected files. For example, IFIAR’s first attempt at aggregating a global measure of audit regulator findings indicated at least one inspection finding in 47% of files. PCAOB inspections have consistently had a 30% to 35% rate of inspection findings over the years. As audit regulation has matured, one might expect that the collective inspection of audits over many years will have fostered an increase in audit quality. However, audit quality as seen through the inspector’s lens—volume of findings—has not necessarily improved to the extent one would expect given the huge investments made by regulators and audit firms. IFIAR’s 2020 survey of global regulators states “the recurrence and level of findings reflected in the survey continue to indicate a lack of consistency in the execution of high quality audits and the need for a sustained focus on continuing improvement”. The frequency of inspections with at least one finding has fallen from 42% in 2016 to 32% in 2020, but this is still considered to be unacceptably high. Nevertheless, the 25% drop in findings has often brought forth complaints of “going easy” on audit firms rather than being perceived as an improvement in audit quality.
At the same time, many users, preparers, auditors, and individuals in governance perceive that audit quality has improved significantly in the past two decades. The Center for Audit Quality’s Main Street survey in the USA tells us that 78% of investors are confident in audited financial information released by publicly held companies and 83% of investors have confidence in Public Company Auditors—both measures have increased by more than 10% over the past ten years. A 2020 KPMG study showed 89% of audit committee chairs believed they received high quality audits. Similarly, the Australian Financial Reporting Council’s recent survey of Audit Committee Chairs indicated they have remained very satisfied with the quality of their external auditor with 94% rating their auditor as ‘Above Average’ or ‘Excellent’. Chartered Accountants Australia and New Zealand’s Retail Investor Confidence polls have consistently indicated more than 90% confidence in audited financial information in both Australia and New Zealand.
Some Possible Explanations
There are a number of reasons why the public perceives that there has been limited improvement in inspection outcomes in spite of the general perception among users, auditors, and the governance community that audit quality has improved over the past two decades. We will discuss six possible explanations for this divergence:
- Differences in outcome and process quality.
- Risk-based selection.
- Lack of a stable audit quality target.
- Real time versus ex post expectations.
- Economic motivations.
- Cognitive influences.
Differences in outcome and process quality: Most investors think of audit quality as an auditor arriving at the “correct” conclusion about the fairness and reliability of the financial statements, i.e., whether financial statements are free of material misstatements. That is what the auditor’s report is intended to communicate and high audit quality would indicate that the residual risk of an incorrect opinion is very low (but not zero). An audit inspection generally focuses on the audit process to make sure that auditors have conducted appropriate tests and provided adequate documentation of their conclusions. An inspection finding in the audit process does not suggest that there are undetected material misstatements in the financial report. That is, a finding is not the same as an audit failure. An auditor can learn from inspection findings but very few result in a financial restatement or modified audit opinion.
Risk-based inspections: Audits to be inspected are typically selected based on a regulator’s undisclosed risk criteria. This risk selection applies to both the engagements selected, as well as the areas of the audit to be examined. Risk-based selection means that audits chosen for inspection are the most likely to have problems in the eyes of the regulator. This risk-based approach is important in regulatory best practice simply because regulators cannot directly inspect all aspects of an audit, so must focus their efforts where issues are more likely to be unearthed. They are not necessarily representative of the average audit conducted by an audit firm. Nevertheless, many commentators talk about the rate of audit “failures” (which really means findings) in a firm as if the inspected audits were representative and every finding somehow denotes there has been a “failure”. The essence of this assertion is undermined by some simple math. If a firm has 100 clients and the inspector examines the 10 that are the riskiest and identifies 4 audits with findings, the inspection finding rate in the sample is 40%, which sounds really bad. However, if we assume that the rate of findings is potentially lower in the remainder of clients because they are less risky or complex, say 20%, than a total of 22 audits would have inspection findings for an overall rate of 22% (4% x 10 + 20% x 90). This might still be undesirable but what if the actual rate in the remainder of the engagements was only 5%? In short, while audit firms may prefer to avoid any findings, their overall performance depends critically on what the underlying rate of inspection findings is in the unsampled pool of less complex or less risky engagements.
Lack of a stable audit quality target: In the early days of auditor inspections, neither the audit firms nor the regulators were quite sure how an inspection regime should be implemented. There was a learning curve on both sides. The early focus was likely on the conduct of test procedures. This focus was eventually supplemented with a concern about risk assessment and planning. As inspectors became more comfortable with those aspects of the audit, they began to include more consideration of the evaluation and testing of internal controls (at least in the US). Thus, the learning curve and focus of inspections have evolved over time as inspectors expanded their consideration of different aspects of the audit process. Also, because of risk-based selection, what an auditor may have learned in one inspection in one area of an audit may not have led to improvements in areas that would be the subject to future inspections. This creates a potential moving target over time as auditors learn more about what inspectors want to see in different parts of an audit but the inspection focus may shift to different areas in the future. Past improvements may not receive much credit as inspectors look at new areas for new findings.
Real time versus ex post expectations: By definition, inspections can only be performed after an audit is completed. The typical audit team has to conduct the engagement in “real time” based on contemporaneous events and developments, within established reporting deadlines, and usually with significant time constraints. Inspectors have the luxury of evaluating audit quality after these deadlines have passed. Regulators have the benefit of hindsight and the final say on what an audit standard means (sometimes referred to as a “shadow” standard), and they do not have to be comprehensive in their evaluation given the risk-based selection of areas of the audit to examine. While this timeline is unavoidable, it should be remembered that what an inspector may conclude with the benefit of hindsight and a much more open timeline for review, may differ from what might have been an optimal approach toward minimizing audit risk in the heat of the reporting period.
Economic motivations: Economists have studied why regulation does not always accomplish its intended goals. Auditors and regulators often face significant pressures and constraints in their roles. Establishing relevant behavioral incentives in a thoughtful way is critical to promoting audit quality and avoiding unintended consequences in regulation. There are two behavioral economic theories that are potentially relevant to the auditor/inspector relationship. First, the theory of moral hazard observes that people will undertake more risky behavior if they believe that others will be responsible for any potential negative outcomes. For example, an auditor may feel that simple compliance with the standards as signaled by the outcome of an inspection may shift some responsibility to the regulator, i.e., the auditor is doing what they are told to do. Given the substantial judgement and professional ethics needed to deliver quality audits, this ‘comfort in box ticking’ is problematic. Second, the theory of risk compensation observes that the safer people feel, the riskier behavior they will adopt. Thus, an auditor who has passed one inspection may feel that they are appropriately “calibrated” to professional standards and place less emphasis on the unique or idiosyncratic aspects of other engagements. In either case, by changing the incentives of individuals, their behavior may be influenced in a manner that is counter to regulatory goals.
Cognitive influences: The final issue related to the effectiveness of regulation arises from the cognitive processes of individuals. Two theories are potentially relevant: (1) moral reasoning, which observes that people will use a virtuous action to excuse a more questionable behavior (e.g., this theory is used to explain apparently contradictory behavior by individuals such as eating ice cream after a strenuous workout), and (2) the theory of resistance behavior, which observes that people that do not agree with regulatory intervention may work to undermine the imposed requirements (e.g., this theory is obvious to anyone who has raised a teenager but can also be observed in some public responses to COVID policies). In either case, individuals will convince themselves that they are “in the right” even though their behavior may not be consistent with regulatory expectations. Again, there may be many ways that these influences will manifest in the conduct of audits and audit inspections but human nature suggests that some auditors will filter a regulatory intervention through their own cognitive lens to decide what behavior to undertake going forward, especially if they feel that a regulation is unreasonable or that they cannot ever satisfy an inspector. Similarly, regulators face incentives to mark down audits in order to deliver findings underpinning both relevance and credibility, and may feel standards should be harsher or more specific in some areas. Like auditors, regulators bring their own preferences and history to the spectrum of possible judgements and different ways of meeting audit objectives—this will also vary depending on the capacity and maturity of particular inspections programs across different jurisdictions.
Conclusion and Recommendations
We have discussed some reasons why audit inspections may not always lead to improved perceptions of audit quality. Some of these reasons arise from the fundamental nature of the process, e.g., the timing of inspections, the need for risk-based sampling, and the potentially conflicting incentives of auditors and inspectors. Being sensitive to these conditions can lead to more effective audit inspections. Ultimately the objectives of inspectors, auditors and all the key players in the reporting and audit chain should be aligned with a focus on high quality audits and reliable reporting. While incentives may not always lead to such alignment, feedback between these players is helpful and ideally can create a virtuous cycle, clarifying standards, strengthening regulation and inspections and ultimately improving audit quality. However, it is important that the outcomes of successive inspections do not create a discordant feedback loop such that the reaction to this year’s inspection findings lays the foundation for future findings by ratcheting up standards and regulations, misdiagnosing compliance findings and differences in judgement as a need for more prescriptive rules.
Discordant feedback loops are amplified by the conversation generated in the media and politics. Much misunderstanding and confusion can ensue in these public forums. No matter how well regulators caveat and explain them, inspection finding rates create an irresistibly simple, hard hitting headline (i.e. “One in X Audits Failing”, “Beware the Next Enron”). Conversely, these public forums do not have much room for nuances such as the judgements involved in audit, risk-based approach to the findings, or whether the statistics generated are even appropriate for extrapolation or comparison.
When an inspection reveals a finding in an audit, it is natural to wonder if that finding is the result of a random error or is representative of a more systemic problem. Random or accidental errors may arise because of human error or because internal systems are not well calibrated to existing standards. Such findings can be remediated internally and are unlikely to create a need for a systematic intervention by regulators. In contrast, a perception of a broader systemic problem may be addressed through revised standards and regulations. Failure to distinguish between different types of potential findings can create two types of problems for the profession. First, a new standard applies to all engagements, whether or not the issue is relevant or is likely to arise in a given audit. From an economics perspective, this creates a dead weight loss on the market for audit services since the new standard or regulation must be applied in every engagement regardless of applicability, potentially raising the costs of all audits. The benefits of the change may out way these costs but consideration should be given whether this is likely or not.
Second, new standards and regulations can increase the complexity of an audit and the compliance aspects of an engagement. Failure to comply with the new standard will lead to more inspection findings in some engagements. This then creates the aforementioned feedback loop as standard-setters and regulators perceive a lack of quality—or at least compliance—across audit engagements, which can lead to further tightening of standards and regulations. Given the potential consequences to an auditor of non-compliant findings in inspections, the risk arises that auditors begin to worry more about compliance than actual audit quality. While we can hope that audit quality and compliance with standards are highly correlated, they can never be the same. Standards are guideposts and boundaries, not a map. The credence goods nature of the audit in general, combined with the idiosyncratic challenges of a specific audit client, means there is more to delivering quality outcomes, reliable reporting, than simply compliance with the standards—indeed in some cases there may be divergence between a purely compliance-based approach (process quality) and audit quality (addressing audit risk and reporting accuracy).
These problems are not confined to audit. Many industries and professions face the same quandaries, including those that deal with life and death situations on a daily basis. Take for example the aviation industry, operational health and safety, or pharmaceuticals manufacturing. The concern about catastrophic dangers faced in these industries have focused minds on the social impact of regulation and uncovered some counter-intuitive insights that “more” regulation is not always “better” regulation. As a result, a rich literature and multilateral accord have developed in the field of regulatory policy (including the role of inspection activities). The 2018 OECD Regulatory Enforcement and Inspections Toolkit states “using volume of activities (inspections) or violations detected (and sanctions) as indicators gives perverse incentives to inspecting agencies, since they then have an incentive to achieve low compliance levels”. Rather, “performance should be assessed against the achievement of social well-being (safety, health, environmental protection etc.) and, as an intermediate step towards this and a proxy for these goals, against improvements in compliance. It is indispensable that this be defined as a central task and indicator for inspection and enforcement structures”. That is, regulation should result in better actual outcomes, not the simple appearance of better outcomes.
As the profession debates the next generation of standards and regulations, and auditors continue to adopt advanced audit technologies that were not even imagined a decade ago, surely it is time for a conversation on how the widely adopted principles of Regulatory Policy can inform the turning of a new chapter in audit regulation. The trappings of regulation, including inspection, are relevant to improving audit quality but the achievement of the desired social benefit depends critically on devising, and revising, a system of regulation to maximize the promised benefits of that regulation.