Please ensure Javascript is enabled for purposes of website accessibility

PwC Loves CAKE and Other Interesting Things from the Expanded PCAOB Inspection Reports

I don't know if anyone else has noticed this, but reading about audit procedures is incredibly dull. It's nearly as dull as actually performing some of these procedures which probably explains why the PCAOB was forced to release Part II for the 2008 and 2009 inspection reports.

Luckily, reading about the failure of the most prestigious auditing firm on Earth to perform these procedures is slightly more interesting and we've dug up some of the more notable things from the two — TWO! I still can't believe it! — expanded reports that the PCAOB posted just a short time ago.

Before we get to the gory details, it's worth mentioning that the firm requested to issue a statement in conjunction with the PCAOB's announcement and the ever-so-gracious Board granted the request. Here's the portion that echos what Bob Moritz wrote in his memo/email that was leaked to Reuters:

The Release is based on the Board's determination that we did not address the matters contained in the Part II comments to the Board’s satisfaction during the 12 month period following issuance of the reports. We believe that our actions in response to the Part II comments were significant, but we acknowledge the Board’s determination with a view toward continued cooperation with the Board and in furtherance of our commitment to audit quality. 

The Part II comments relate to some of the most complex, judgmental and evolving areas of auditing. Our actions relating to those areas, during the 12 months following issuance of the comments and thereafter, have included providing our audit professionals with enhanced audit tools, training and additional technical guidance to promote more consistent audit execution. We believe that these efforts have been important positive contributors to audit quality at our firm. We are proud of our focus on continuous improvement and of the dedication and high quality audit work performed by our partners and other professionals.
In other words, "This stuff is harder than it looks, so, sorry, we're not sorry for giving it the ol' college try."   
Now that we've got that out of the way, shall we get to the fun stuff? Yes? Grand.
We'll start with the 2008 report and it gets personal right away, noting that in certain cases, supervision in some key areas was lacking:

The deficiencies identified in areas with a high degree of judgment and potential for management bias, and in areas involving the application of complex accounting  literature (such as * * * * and fair value), similarly suggest that the audit personnel * * * * were not adequately supervised. In addition, the deficiencies suggest the possibility that senior members of the engagement team were not devoting sufficient attention to developing an appropriate audit strategy for these areas and that quality review partners were not devoting sufficient attention to reviewing the audit strategy for these areas.

So, not only were the supervisors not supervising, it sounds like the supervisors of the supervisors weren't supervising. That's a whole lotta, um, not supervising going on. In theory, that might sound fun — I imagine auditors performing walkthroughs without pants — but supervison is a pretty important part of auditing and the Board wanted to point that out.
Moving on — this particular passage probably won't surprise anyone:

[D]eficiencies identified by the inspection team suggest that engagement teams may be placing too much reliance on management's responses to the teams' inquiries and not sufficiently challenging or evaluating management's assumptions, and that they may not be applying an appropriate level of professional skepticism in subjective areas susceptible to management bias.

Honestly, anyone who pays attention to the audit world knew that some auditors take one look at a client's response to their questions and say, "Good enough for me," and go on their merry way. Now it's in the written public findings of the regulator. It doesn't probably remove the feeling of dread from the stomachs of those who wish it wasn't true, but there it is.
Speaking of problems that we're all aware of:

The inspection team observed that the engagement partners for three of the six audits discussed in Part I.A had a significant number of issuer audit clients with year ends at or around December 31. For one of these three engagements, the hours reported by the engagement partner on the audit represented approximately 2.1 percent of the lead office audit hours. This was approximately 45 percent less than the average percentage of lead office engagement hours reported by the engagement partners on the other 49 issuer audits selected for inspection. The engagement partner for another audit described in Part I.A was responsible for four issuer audit clients with a calendar year end, an average market capitalization of approximately $2.7 billion, and average audit fees of approximately $1.1 million. These facts and the significance of the deficiencies in these engagements suggest that the Firm may not sufficiently monitor partners' workloads to ensure that they do not negatively affect partners' ability to effectively participate in the planning and execution of their audits and to appropriately supervise and review their audits. 

Okay, so partners work a lot. Not news. But I guess the question some people might ask is, "Are there not enough capable partners out there to lighten the load?" How about this poor bastard with four issuer clients all with December 31 year-ends? Is (s)he just hogging all the wealth for him/herself or is there really no one else that could take one of these clients? Jesus, go find someone else at KPMG to help out if that's what has to happen.
Finally, the most amusing thing from '08 gives us a little taste of PwC's creativity:

In certain instances, in interactions with the inspection team or in responses to comment forms, engagement teams have asserted that cumulative audit knowledge and experience ("CAKE") represented a meaningful component of their audit assurance. The aforementioned concerns may indicate that engagement teams rely on CAKE to a greater degree than is appropriate. Although CAKE can be useful in planning and scoping the audit, using CAKE as a source of substantive assurance to address issues that arise during the execution of audit procedures may cause engagement teams to misjudge the level of audit comfort actually obtained.

 Judging by this, everyone wants to have CAKE and audit too and the PCAOB is NOT comfortable with that.

Okay, that was hard and it wasn't even everything in 2008 but we have to keep going. 2009 is next.

The 2009 report is shorter which could be explained by one of two things — 1) PwC was trying harder or 2) the PCAOB inspectors were exhausted. Just a couple of things, starting with:
In four audits, the inspection team identified deficiencies in the testing of these entity-level controls. Specifically, the Firm failed to 1) test that the entity-level control would operate at a level of precision sufficient to prevent or detect a material misstatement in the financial statements, 2) test the completeness and accuracy of the data used in the performance of the control, or 3) perform procedures, beyond confirming the occurrence of a meeting or observing evidence that the issuer's management had reviewed meeting documents, to test the operation of the control.
For me, #3 is the doozy here. Can't you just picture this? A young auditor approaches an assistant controller or some other person in the accounting department and asks about meetings between all the principals in the accounting/finance group. The assistant controller provides a schedule of all the meetings that occured throughout the year. The auditor looks it over and asks, "So all these meetings happened?" The assistant controller says, "Yep. They always provide a nice breakfast, so I'm sure not to miss it," and the auditor goes on his/her way. That's not good. Why? Well, relying on these procedures reduces the substantive testing (i.e. the audit procedures no one wants to do) so you better be damn sure that the entity-level stuff is top notch. That didn't happen in this case — nay, four cases — and that made the inspectors feeling really icky. 
The only other notable thing from '09 fell back into the "relying on someone else just cuz" camp:
[I]n one audit, the Firm used the work of the issuer's internal audit group as a source of assurance, including for substantive audit evidence, but there was no evidence in the audit documentation, and no persuasive other evidence, that the Firm had assessed the competence and objectivity of this group or the quality and effectiveness of the internal auditors' work. In addition, in reviewing this audit, the inspection team identified deficiencies in the internal auditors' testing, which further suggests that the Firm failed to sufficiently review and evaluate the internal auditors' testing.
Relying on internal auditors is great! Except when it isn't. Again, the PCAOB isn't going to be satisfied with your scan of a completed internal audit checklist and then a check mark on your own checklist. And God help you when the internal auditors turn out to be slacking on the job too. Everyone loses in that case.
Whew! That's about all the fun I can handle for one day. If I overlooked anything, please share your thoughts on these or the other findings in the expanded reports. At this point, PwC probably won't mind a little more feedback, even something as simple as: "Lay off the CAKE."