PCAOB Proposes Turnover Metrics and Other New Disclosures for Audit Firms

April 9, 2024 

Firms would have to report cybersecurity risk as well as data ranging from auditor retention to partner involvement and work experience under a pair of proposals

The Public Company Accounting Oversight Board wants audit firms to disclose metrics on the involvement and turnover of their auditors and provide new details on fees and cybersecurity vulnerabilities, in a pair of proposals aimed at standardizing the information provided to investors.

Audit firms currently must publicly identify the lead partner on the audits they perform and the other firms that helped with that work. Firms also annually share information such as a list of their public-company audit clients and the addresses of their offices. Some firms voluntarily disclose firm-level data such as average staff turnover and employee-survey results on culture, but the metrics aren’t consistent and widespread across firms.

The board on Tuesday voted unanimously, 5-0, to require hundreds of firms to publicly disclose a set of 11 metrics, ranging from auditor turnover to partner involvement, workload and work experience. Firms would have to provide these metrics for both their individual audit efforts and overall audit practices, but there are exceptions.

For example, firms would have to share the percentage of hours incurred by individual partners and managers on an audit, as well as the percentage of hours they spent on areas of significant risks. Firms would also have to show how partners’ quality performance ratings affect their compensation.

These requirements would apply to firms that audit at least one company with $100 million or more in annual revenue and a public float—the market value of shares held by the public—of $75 million or more. That means more than 200 audit firms would be affected, based on 2023 filings with the U.S. audit regulator.

These metrics aren’t guaranteed predictors of audit quality, PCAOB Chair Erica Williams said. “They do provide an important window into how a firm manages its resources and conducts its audits that, with context, will empower audit committees, boards of directors and others to hold firms accountable,” she said. “And accountability begets quality.”

Board member Christina Ho said she “cautiously” supported the proposal, due to concerns that the suggested metrics wouldn’t result in useful information for investors and that the proposal didn’t clearly convey how such disclosure fits into the PCAOB’s goals.

The PCAOB in 2015 considered mandating similar metrics, but held off on formally proposing the changes.

The board on Tuesday also voted, 4-1, on a separate proposal strengthening the requirements around firms’ reporting annually and for special circumstances, such as a filed lawsuit—the most substantial changes since 2008.

Under the proposal, all firms would have to report the dollar amounts of various fees they receive from clients, rather than the percentages currently required. In addition, firms that issue more than 200 audit reports annually and have more than 1,000 audit personnel would need to confidentially submit financial statements annually to the PCAOB. Six firms, Deloitte, PricewaterhouseCoopers, Ernst & Young, KPMG, BDO and Grant Thornton, would meet that criteria.

All audit firms would have up to 14 days to file a form to disclose significant events such as whether they are the subject of a lawsuit or enforcement case, down from 30 days. The PCAOB last month fined PwC’s Australian unit $600,000, saying it failed to disclose details about an investigation of the firm by the Australian Tax Practitioners Board in a timely fashion.

Firms would have to confidentially inform the PCAOB about any significant events that threaten their liquidity or financial resources. Events might include a firm raising doubt about its survival, a planned acquisition of another company or a restructuring.

The proposal would also mandate cybersecurity disclosure for the first time, as cybercrime becomes a growing risk to businesses. All firms would need to publicly describe their policies to spot and manage cybersecurity risks. They would be required to confidentially report any significant cybersecurity events within five business days. In December, public-company clients of these firms had to start disclosing material cyberattacks under a new rule from the Securities and Exchange Commission, which oversees the PCAOB.

Disclosure by all firms on their legal structure, ownership and other governance issues is also sought in the proposal.

“Together these provisions strengthen the PCAOB’s ability to protect investors, while also providing investors with additional data to inform their own decisions and empowering audit committees with consistent data to analyze and compare as they are selecting and monitoring audit firms,” Williams said.

Ho dissented, saying she is “deeply troubled” by the “excessive” reporting burdens and record-keeping costs to comply with the proposal. “The proposal appears to be erroneously premised on the assumption that more disclosure by every single registered firm, regardless of size or circumstance, equates to better disclosures for investors and for our oversight function,” she said.

Government officials and investors have sought both sets of proposed changes for years in a bid for greater transparency from audit firms. The U.S. Treasury Department’s advisory committee on the auditing profession in 2008 issued a report calling for many of these moves by the PCAOB. The regulator’s advisory groups have recommended the moves as well.

The public has until June 7 to provide feedback on both proposals.

[The Wall Street Journal]