Auditing and Its Regulators: Reforms after Enron
CRS Report for Congress
Auditing and Its Regulators:
Reforms after Enron
Specialist in Social Legislation
Domestic Social Policy Division
Accounting problems at Enron, WorldCom, and other companies have raised
important questions about the audits of corporate financial statements. These audits are
performed by independent accountants who are certified public accountants (CPAs);
they are supposed to be carried out in accordance with generally accepted auditing
standards (GAAS), rules which have a carefully defined technical meaning. The U.S.
Securities and Exchange Commission requires audited financial statements when public
companies register to sell new securities and annually thereafter.
Auditor assurances about company financial statements remove a barrier to the
efficient use of capital and offer some protection to third party investors. However, the
recent accounting scandals and numerous revisions of previously-issued financial
statements have eroded public confidence in auditing. While auditors are regulated by
both governmental agencies and professional organizations, many question whether this
oversight has been adequate.
In response to these problems, the 107th Congress enacted the Sarbanes-Oxley Act
of 2002 (P.L. 107-204), which the President signed on July 30, 2002. Among other
things, the Act creates a new oversight board for auditors, prohibits auditing firms from
providing certain consulting work for audit clients, and requires rotation of audit
partners at least every 5 years. It also imposes new requirements on corporate boards
and executives and increases governmental oversight and criminal penalties. The
oversight board has had a rocky start due to the resignation of William Webster, its first
chairman. The 108th Congress will likely monitor further oversight board developments.
What is Auditing?
Broadly speaking, auditing is a systematic process for obtaining and assessing
evidence regarding assertions of one kind or another in accordance with established
criteria. Serious accounting problems at Enron, WorldCom, and other companies have
raised important questions about financial statement audits of corporations and other
private sector organizations in which accountants express an opinion on financial
Congressional Research Service ˜ The Library of Congress
representations made by the management of these entities. Other types of audits include
compliance audits, which see if established policies and procedures are being followed,
and operational audits, which see if organizations are efficient and effective. Accountants
are also increasingly engaged in a widening array of other assurance services, which have
different standards and procedures than audits.
Financial statement audits of private sector organizations usually are done by
independent accountants (sometimes called external accountants). Today nearly all of
these audits are carried out or supervised by accountants who are certified public
accountants (CPAs). Independent accountants are owners or employees of private sector
firms that are separate from the entities they audit; they might be distinguished from
internal accountants, who work for the organizations being audited, and government
accountants, who do most auditing of governmental agencies. However, independent
accountants also do internal and government accounting work.
Financial statement audits of private sector organizations are to be conducted in
accordance with generally accepted auditing standards (GAAS); their basic objective
is to see if the balance sheet and related statements about income, retained earnings, and
cash flows are fair presentations, in all material respects, of certain financial information
in conformity with generally accepted accounting principles.
!GAAS are qualitative standards regarding who is to conduct audits, how
audits are to be planned and carried out, and how audit results are to be
reported; they are not lists of specific audit procedures.
!GAAS have a carefully defined technical meaning that clarifies both
what audits do and what they do not do; understanding these standards
is important when questions arise regarding audit engagements.
!GAAS and other standards for private sector audits are established
largely by the American Institute of Certified Public Accountants
Generally accepted accounting principles (GAAP) are the conventions, rules, and
procedures that define accepted financial accounting practices at a particular time; they
include both broad guidelines as well as detailed procedures.
!The most important source of GAAP for private sector entities is the
statements and interpretations of the Financial Accounting Standards
Board (FASB), a nongovernmental entity that began operating in 1973,
and similar issuances of its predecessors.
!Other sources of GAAP with lesser authority include issuances from
FASB task forces and staff and from the AICPA, widely accepted
industry practices, and other professional positions and literature.1
!The U.S. Securities and Exchange Commission (SEC) historically has
accepted GAAP developed from these private sources; however, it has
1 In November, 2002, FASB announced that it would help set the agenda and sign off on all
decisions that were subsequently made by its Emerging Issues Task Force (EITF). In addition,
it stated that the AICPA board that had been issuing technical standards that constitute GAAP
(the Accounting Standards Executive Committee) would cease doing so.
broad authority to establish accounting principles for the companies
within its jurisdiction (generally, public companies whose securities are
offered or sold in interstate commerce). The SEC issues bulletins that
express the views of its staff on various accounting issues.
Auditing plays a critical role in modern economies, which are characterized by large
multi-faceted organizations, complex economic exchanges, and remote relationships
between business managers and the owners and other investors. Managers have the
ability to obtain reliable information about their own firms, at least in theory, but it is
risky for outside investors and other creditors to rely on managers’ representations alone.
To the extent auditors provide assurances about these representations, they remove a
barrier to the efficient use of capital and offer some protection to parties that are indirectly
affected by investing decisions. Annual financial statement audits have become common
for nearly all large organizations because of the demands of outside investors (in the case
of business entities), outside supporters (in the case of not-for-profit organizations), tax
authorities, and government regulators. The SEC requires audited financial statements
when public companies register to sell new securities and annually thereafter.
Who Regulates Auditors?
Auditors are subject to regulatory oversight from both governmental agencies and
professional organizations. In addition, they can sometimes be legally liable for breach
of contract or for a tort (a civil wrong other than breach of contract).
State Boards of Accountancy. These governmental boards (or agencies that
perform similar functions) administer state laws governing accountants and accounting
services. They are responsible for licensing CPAs, for whom there is no national or
federal certification. All states require CPAs to have passed the Uniform CPA
Examination, and most now require new candidates to have at least 150 college credit
hours (i.e., 5 years of college), including courses in accounting subjects. Most states
require CPAs to have 30 to 40 hours of continuing education each year, and some require
practical experience before granting full licenses. State accountancy boards can require
CPAs and their firms to undertake remedial steps to continue their practice, and they
sometimes suspend and terminate licenses. Arthur Andersen, the auditor for Enron,
surrendered its license to practice in all states as of August 31, 2002.
American Institute of Certified Public Accountants. The AICPA is a
professional trade association of certified public accountants. In addition to establishing
auditing standards for the private sector, it has a Code of Professional Conduct for its
members with both general principles and rules of conduct. The six general principles
provide a framework for professional conduct; they deal broadly with CPA
responsibilities, the public interest, integrity, objectivity and independence, due care, and
the scope and nature of services. Members are required to comply with the rules of
conduct (for which formal interpretations provide additional guidance); they include
provisions on independence, engagement standards, confidentiality, contingent fees,
discreditable acts, advertising, etc. Violations are considered by the Professional Ethics
Division (PED) and may result in requirements for continuing education or prior
clearance of future work. Serious misconduct can result in suspension or termination of
AICPA membership. State CPA societies have similar though not always identical rules
for their members. Sometimes state societies and the PED conduct joint investigations.
Securities and Exchange Commission. The SEC is an independent federal
regulatory agency responsible for administering federal securities laws. It has authority
to regulate the initial issuance of securities and their subsequent sale; for both, it requires
companies to submit financial statements that have been audited by independent
accountants. Under Regulation S-X, Rule 2-01, it prescribes qualifications for these
accountants, including the rules just mentioned on auditor independence. Historically the
SEC has relied on the AICPA to oversee accountants, including those who audit public
companies, but under Administrative Rule 2(e) it may disqualify from its practice
accountants who are unqualified, lack character or integrity, engage in unethical or
improper professional conduct, or willfully violate (or aid and abet others to violate)
federal securities laws. Other sanctions include peer review, prohibitions on new
engagements, and requirements for continuing education. Arthur Andersen, Enron’s
auditor at the time of bankruptcy, ceased its SEC practice following its conviction on
federal obstruction of justice charges. The current Chairman of the SEC, Harvey Pitt,
announced his resignation on November 5, 2002, amidst criticism of his role in appointing
William Webster to the new accounting oversight board (see below). Mr. Pitt is
temporarily remaining with the Commission until his replacement is confirmed. (The
President nominated William H. Donaldson as SEC Chairman on December 10, 2002.
The Senate Committee on Banking, Housing, and Urban Affairs has scheduled a hearing
on Mr. Donaldson’s nomination on February 5, 2003.)
Public Company Accounting Oversight Board. The PCAOB was mandated
by the Sarbanes-Oxley Act of 2002 (P.L. 107-204) to oversee auditing of public
companies (i.e., SEC registrants). Though not a federal agency, the Board is subject to
SEC oversight. Among the major issues the Board will be considering are whether new
auditing standards are required, whether additional consulting restrictions should be
imposed on auditors, and whether foreign auditing firms should be exempted from some
of its oversight.
On October 25, a sharply-divided SEC voted to name William Webster, the former
head of the Federal Bureau of Investigation and of the Central Intelligence Agency, to be
the Board’s new Chairman. (Three of the SEC commissioners voted for Mr. Webster,
while the other two instead supported John Biggs, the outgoing chairman of Teachers
Insurance and Annuity Association–College Equities Retirement Fund (TIAA-CREF),
who had been a strong advocate for accounting reform.) The other four Board members
named were Kayla Gillian, Daniel Goelzer, William Gradison, and Charles Niemeier.
The following week, it emerged that Mr. Webster had been the chair of the audit
committee of U.S. Technologies, which has been accused of accounting irregularities and
shareholder fraud. Mr. Webster had informed Harvey Pitt, the Chairman of the SEC, of
his role at the company, but Mr. Pitt had not shared that information with the other four
SEC members. Mounting criticism of Mr. Pitt resulted in his announcement on
November 5 that he would resign, effective some future date.2 On November 7, BDO
Seidman, the audit firm that U.S. Technologies dismissed in August, 2001, challenged the
accuracy of Mr. Webster’s public statements about his role at the firm. On November 12,
Mr. Webster said that he would resign, though he continued to work on Board matters
2 For an analysis of these events, see the U.S. General Accounting Office report GAO-03-339,
Securities and Exchange Commission: Actions Needed to Improve Public Company Accounting
Oversight Board Selection Process.
temporarily afterwards. (On January 8, 2003, the SEC appointed Charles Niemeier to be
acting head of the PCAOB until a new chairman is named.)
The appointment controversy and resignations have overshadowed steps that the
PCAOB is taking to organize. At its initial formal meeting on January 8, 2003, the Board
ratified a lease for its Washington headquarters and retained Korn/Ferry International, an
executive search company, to help find people to fill the top staff jobs. In addition, the
Board set annual salaries for the Chairman at $560,000 and for the other members at
$452,000. These salary levels have provoked criticism from some Members of Congress,
though it is also argued that Board salaries, like those of the staff (of which there will be
several hundred), should be competitive with national accounting firms. First year costs
are anticipated to run between $25 and $50 million; under the Sarbanes-Oxley Act, the
amount is to be advanced from the SEC’s FY2003 budget and then reimbursed to the
Treasury once the Board begins to collect fees.
Other Legal Liability. Auditors can be sued for breach of contract by their clients
(the entities being audited) for failing to carry out their work with due professional care.
Among other things, clients usually must show they suffered damages and that there is a
close causal connection between the breach and the damages. To reduce this risk, most
accounting firms use engagement letters to clarify what they will do and identify client
Third parties normally can sue auditors only in a tort action, not for breach of
contract. (One exception would be if the third party is a subrogee of the client, such as
a trustee in bankruptcy.) Third parties must also show they suffered damages and that
there is a close causal connection between the auditor’s breach and the damages.
However, in some states, barring a showing of gross negligence or fraud, third parties may
be unsuccessful in their suit unless it is shown that the auditors actually foresaw the
parties would rely on the audit (or in some states, that the auditors might reasonably have
foreseen their reliance). Third parties may also sometimes bring suit against auditors
under provisions of federal securities laws.
107th Congress Highlights
Numerous accounting and auditing reforms were proposed during the 107th
Congress, including some by the accounting industry. Most of the leading proposals
would have established a new oversight board for auditors of public companies, though
they often differed on the scope of its powers, on its relation to the SEC, and on its
independence from the firms and accountants it would regulate.
The leading House bill was H.R. 3763 (Rep. Oxley), which was reported by the
Committee on Financial Services on April 22, 2002 and approved by the House on April
24, 2002. The leading Senate bill was S. 2673 (Sarbanes), which was reported by the
Committee on Banking, Housing, and Urban Affairs on June 25, 2002 and passed by the
Senate on July 15, 2002. The conference agreement (formally H.R. 3763) was approved
on July 24, 2002; it largely followed the Senate amendment, though modifications
proposed by the House were accepted. Both houses passed the conference measure onth
July 25, and the President signed it on July 30, 2002 (P.L. 107-204).
Known as the Sarbanes-Oxley Act, P.L. 107-204 among other things creates a new
oversight board for auditors, prohibits auditing firms from providing certain consulting
work for audit clients, and requires rotation of audit partners at least every 5 years. The
law also imposes new requirements on corporate boards and executives and increases
governmental oversight and criminal penalties. For details, see CRS Report RL31483,
Auditor Reform Proposals: A Side-by-Side Comparison, by Mark Jickling, and CRS
Report RL31554, Corporate Accountability: Sarbanes-Oxley Act of 2002 (P.L. 107-204),
by Michael V. Seitzinger and Elizabeth B. Bazan.
The AICPA and the largest accounting firms generally opposed strict external
oversight of auditing, arguing that new regulatory bodies would be cumbersome and lack
professional expertise. They generally opposed wide restrictions on their providing
consulting services for audit clients. For the most part, they favored the House bill (H.R.
3763) rather than the Senate bill (S. 2673). Since Arthur Andersen can no longer legally
perform audits (and in any case has largely collapsed), the so-called “Big-5" accounting
firms have been reduced to four: PricewaterhouseCoopers, Deloitte and Touche, KPMG,
and Ernst and Young.