Comment Letter on IOSCO Consultation Report on Audit Committee Good Practices from Samantha Ross

Mr. Jonathan Bravo
International Organization of Securities Commissions

Calle Oquendo 12
28006 Madrid

By email:

Re:      Public Comment on IOSCO Consultation Report on Good Practices for Audit Committees in Supporting Audit Quality


To the Board of the International Organization of Securities Commissions:

Thank you for the opportunity to comment on your thoughtful Consultation Report on Good Practices for Audit Committees in Supporting Audit Quality. IOSCO plays a critical role in maintaining and enhancing investor protection and, ultimately, fostering global economic growth, by promoting high standards of regulation in order to maintain just, efficient and sound capital markets worldwide. I commend the Board’s initiative to study and report on the role that audit committees can and should play in supporting audit quality.

I was one of the founding staff of the Public Company Accounting Oversight Board, which was established by the Sarbanes-Oxley Act of 2002 in the United States following the Enron and Worldcom frauds to promote the investing public’s interest in informative, accurate and independent audit reports by developing and maintaining a rigorous system of auditor oversight. I am grateful to have had a variety of opportunities, over the course of 15 years, to contribute to this mission, and that work has given me some insights that may bear on the Board’s consideration of good practices for audit committees.

I strongly endorse your statements that the accuracy, integrity, and comparability of issuer disclosure is essential for maintaining investor confidence and therefore facilitating a stable international financial system and that the quality of a company’s financial report, supported by an independent external audit, is key to market confidence and informed investors. The consultation report rightly focuses on the quality of the audit process as critical to investor protection, but it is the communication of the results of that process in the audit report that gives investors a basis for confidence in a company’s assertions and the integrity of a market. With this in mind, in recent years many IOSCO members have updated and enhanced their respective audit reporting models. These changes are based on the idea that more informative audit reports that address matters of concern to investors will boost investors’ confidence in the reliability of financial reporting. In order to support members’ efforts in this regard, I encourage the Board to acknowledge in the final report that informative, accurate, independent audit reports are also key to market confidence and informed investors.

I also agree with the Board’s proposed good practices, including the Board’s proposal on voluntary public reporting by audit committees, and have the following suggestions for further elucidation or amplification in the final report:

  1. Audit committees should do more to learn about investors’ concerns and encourage the auditor to design the audit to address those concerns, including concerns about specific aspects of the financial statements or other information outside the financial statements that investors believe is important to their decisions about capital allocation. In my experience, audit committees that engage early and often with investors, analysts and other stakeholders better understand what is important to gaining and maintaining investor confidence. In particular, as we emerged from the financial crisis, I observed that certain audit committee chairs played crucial roles in rebuilding investor confidence. These audit committee chairs used engagement and deep listening to develop actionable insights about how to design the audit to provide stakeholders the assurance they needed to believe in the company’s ability to emerge successfully from the crisis. In my view, these are good practices that would improve the quality of reporting and auditing at every public company, contribute to earning the trust and support of long-term investors (facilitating companies’ ability to make and execute long-term strategic plans), and make our securities markets more resilient in times of crisis.
  2. Having engaged in deep listening, audit committees should do much more in their own reports to explain how they designed the audit to address investor concerns, with specificity about those concerns. I commend the Board for recognizing the importance of audit committee reporting, even where not required by law. An informative audit committee report can show investors how the audit committee has assessed and addressed risks to the quality and independence of the audit. In those jurisdictions where investors approve or otherwise ratify the selection of the auditor, the audit committee report should include enough information about the rationale for the selection of the auditor so that investors can make an informed judgment.

Many U.S. companies’ proxy statements in the 2018 proxy season included more detailed audit committee reports than ever before. Unfortunately, many others still resorted to unenlightening boilerplate or conclusory statements, perhaps out of a mistaken assumption that disclosing facts and providing insight is riskier than not disclosing and addressing them. For example, when there are circumstances that could be perceived to challenge an auditor’s independence, an audit committee risks nothing by acknowledging their existence and stands to gain investor trust by explaining what it did to protect the integrity of the audit. On the other hand, investors harbor skepticism about audit committees that appear not to be concerned about, or even aware of, what a reasonable investor would see as obvious risks to an auditor’s objectivity. These include common sense concerns that weaken investor confidence in audits, such as that the size of an engagement, in terms of the audit fee as well as the number of auditors needed to be employed to execute it, puts the auditor in a structural dependency on the audit client. When an audit committee acknowledges such a risk and persuasively demonstrates due diligence to ward against it, the audit committee banks credibility with investors and increases the likelihood that the company will obtain a high quality audit.

I encourage the Board to undertake a review of a robust sample of audit committee reports, including both informative and unilluminating specimens, and include in the final report a discussion, with or without attribution, of how certain audit committees have used their reports as opportunities to build investor confidence and how others have gained little, or even jeopardized investor confidence, with stock text that leaves investors questioning whether the audit committee is up to the task.

  1. Audit committees should do more to analyze the strengths and weaknesses of potential engagement partners and affiliated firms engaged to contribute to the audit. In recent years, a treasure trove of new disclosures about audits has begun to be publicly available. Audit committees can use this information to conduct more robust comparative analyses of a partner’s record than ever before. These analyses should include the quality of information and insights in the partner’s new, expanded audit reports, and whether any of the partner’s opinions were withdrawn after issuance. The audit committee should also ask the audit firm for the partner’s inspection record and for an analysis of how it compares to other partners at the firm. In addition, when significant portions of an audit are to be conducted by other firms, the audit committee should understand the quality of those other firms, among other ways by checking inspection reports on those firms by the applicable regulators.[1]

The audit committee should take advantage of all the new, public information available about auditors in selecting the audit team and passing on the audit approach, and then it should demonstrate to investors that it conducted such a robust analysis by discussing it and the reasons for their choices in the audit committee report. This will not only improve investor confidence, but it will also improve audit quality, by demonstrating to auditors the characteristics the audit committee values and how deeply the audit committee cares about quality.

  1. Finally, if there is disclosure outside the financial statements that a reasonably diligent audit committee would know is important to investors, the audit committee should obtain auditor assurance on it. As the consultation report reiterates, “One of the IOSCO principles for issuers is that there should be full, accurate, and timely disclosure of financial results, risk, and other information that is material to investors’ decisions” (emphasis added). I believe this principle is fundamental to achieving the Board’s stated goals of protecting investors, ensuring that markets are fair, efficient and transparent, and reducing systemic risk. In preparing the final report, I encourage the Board to include practices that are not yet common but will facilitate realization of the Board’s goals. Considering whether certain information is so important that it should be subject to specific third-party assurance is such a practice.[2]

Examples of other information that is material to investors’ decisions include long-standing, industry-specific non-GAAP measures and pay-for-performance measures that are intended to drive operational improvements. They can also include, in the words of the Chairman and CEO of Blackrock, Inc., the world’s largest asset manager, metrics relating to issues “ranging from climate change to diversity to board effectiveness” that are believed to “have real and quantifiable impacts” over the long term.[3] These are areas where investors have negotiated for expanded disclosure.  When it comes to implementation, though, investors still depend on the honor system.  That presents real challenges to the reliability of the measures, especially those measures that relate to management compensation.

In the most recent two annual public meetings of the PCAOB’s Investor Advisory Group, members pressed for a mechanism to obtain assurance that metrics important to investors’ decisions are reported accurately and consistently. In a presentation at the October 2017 meeting, the IAG’s Working Group on Non-GAAP Financial Measures (or, NGFMs) put it directly: “Investors benefit from the increased disclosures provided by NGFMs, but the lack of standardization and auditing has made NGFMs potentially dangerous to the stability and efficiency of the markets.”[4] I believe these investor concerns warrant audit committee action, and inclusion of a new good practice in the Board’s final report, to encourage audit committees to consider the need for third-party assurance on important information.[5]

*                             *                               *

Taken together, I believe these suggestions will give audit committees important tools to signal to their respective auditors that building investor confidence on the basis of a solid commitment to investor protection is both the committee’s and the auditor’s paramount concern. As the consultation report notes, auditors are responsible for audit quality. Based on many years of experience, I have observed that each of the major firms and a wide variety of smaller firms are capable of high quality auditing. But the audit business model is at best awkward and challenging, and shortsighted interests in meeting short-term objectives often impede quality. The audit committee’s tone has an enormous impact on whether the auditor it selects delivers on their investor protection mandate, or succumbs to the pressures inherent in their business model.


The audit committee should take the long view and approach the audit as a powerful tool to foster trust. It is in companies’ long-term interest to earn investor confidence through reliable communication on matters that are important to investors. Investor confidence maximizes a board’s opportunities for capital formation at the lowest cost. Boards also need the trust and support of investors – even passive, indexed investors[6] – to execute on long-term strategic plans. Meeting minimum regulatory requirements at the lowest cost is irrelevant to these goals. The board and all the company’s stakeholders depend on the audit committee to manage audit with skill, care and creativity, using depth and breadth to build and maintain investor confidence.


Congratulations, again, on producing such a thoughtful consultation report on an initiative that, in my view, has the potential to meaningfully improve investor trust in our public capital markets. Thank you for the opportunity to provide my comments.




Samantha Evans Ross

[1]           Audit committees should also be attentive to the heightened risk to audit quality when an audit involves a firm that cannot be inspected, such as a firm based in China. Under prevailing audit standards, the principal auditor is required to perform certain procedures in order to use another firm’s audit work, but it is not directly accountable for the work of the other firm. Thus it is particularly important to maintaining quality that the audit committee discuss such risks with the lead auditor and explain in the audit committee report how they were addressed. See, e.g., “The Chinese Blind Spot in U.S. Companies’ Financials,” Wall Street Journal (July 21, 2018) (“The Chinese Big Four were long believed to be helping U.S. firms in auditing U.S. multinationals. But that wasn’t confirmed until a new PCAOB rule last year required auditors to disclose other contributors to an audit,” revealing that “[a]t some companies, auditing just a small portion of the business can equate to billions of dollars in revenue.”).


[2]           See, e.g., The Coca Cola Company’s 2016 Sustainability Report: Assuring the Accuracy of our Disclosures (Aug. 18, 2017).


[3]           “Here is the Letter the World’s Largest Investor, BlackRock CEO Larry Fink, Just Sent to CEOs Everywhere,” Business Insider (Feb. 2, 2016) (calling for companies to “develop financial metrics, suitable for each company and industry, that support a framework for long-term growth” and for “[c]omponents of long-term compensation [to] be linked to these metrics”).


[4]           See Report from the Working Group on Non-GAAP Financial Measures, PCAOB Investor Advisory Group Meeting Materials (Oct. 24, 2017), at 5.


[5]           In a recent paper, the U.S.-based Center for Audit Quality acknowledged both investors’ need for non-GAAP measures as well as the risks associated with unaudited measures, particularly for management compensation. See Non-GAAP Measures: A Roadmap for Audit Committees, Center for Audit Quality (March 2018). The paper recommended that audit committees “[d]iscuss[] with the external auditors what their views are on the company’s non-GAAP measures, including whether the measures are consistent with the auditors’ understanding and knowledge of the company’s performance.” Similarly, in June 2018 the Financial Reporting Council in the U.K. released a report on reporting of performance metrics based on interviews of investor representative and others. See Performance metrics – an investor perspective, Financial Reporting Council (U.K.) (June 2018). The report found that investors seek clarity as to the level of scrutiny that metrics are subject to, including scrutiny by external auditors, and it recommended that audit committees ask themselves the following questions –


Do we explain the level of scrutiny to which metrics are subject to allow an assessment of whether they are fair, balanced and understandable? Do we outline the Audit Committee’s (or other Executive or non-Executive Committee) oversight and whether they consider the appropriateness of specific metrics or adjustments in addition to the way in which the metrics are reported? Do we explain what additional scrutiny may be given to adjusted metrics used in remuneration?


Conscientious oversight by audit committees is a good start, but it is not an audit; audit committees will be limited in the comfort they can pass on to investors. In order for investors, companies and markets to realize the benefits of these important disclosures, investors have called for and need actual assurance.


[6]           The influence of such passive investors is significant and growing because they are long-term owners and they vote their shares.  Given the size of their investments, they can often determine who is on the board.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s