How does the PCAOB, which oversees corporate audits, select targets for inspection? A George Mason University accounting professor built a model to help capture the process.
2024 marked the 20th anniversary of the launch of the inspection program by the Public Company Accounting Oversight Board (PCAOB), the non-profit responsible for overseeing financial audits. It was also a banner year for PCAOB’s disciplinary activity, with 51 finalized enforcement actions netting a record $35.7 million in monetary penalties.
Although the PCAOB belongs to the private sector, it is not immune to the problem of limited resources that affects government regulators. As it is, as few as two percent of the engagements of annually inspected U.S. audit firms are selected for inspection by the PCAOB in a given year. With more than 4,000 publicly traded companies being audited annually, it makes all the difference how the non-profit chooses targets for inspection. Yet the PCAOB is understandably cautious about revealing information about its internal workings that might tip its hand to auditors and their clients.
Research by Min Shen, associate professor of accounting and a Philip G. Buchanan fellow at Costello College of Business at George Mason University, provides a rare glimpse beneath the PCAOB’s veil of secrecy. Her purpose is not to second-guess the board, but rather to evaluate how its inspection program fits with its broader mission of improving audit quality.
Her paper, recently published in Management Science, was co-authored by Daniel Aobdia of Penn State University, Edward Xuejun Li of Baruch College and K. Ramesh of Rice University.
Shen and her co-authors relied upon SEC log files, which record the IP addresses that have accessed individual company filings through the online EDGAR platform, for the period 2007-2016. By cross-referencing the log files with the American Registry for Internet Numbers, the team was able to identify PCAOB-affiliated IP addresses and which filings they engaged with. The resulting dataset comprised 46,101 observations across auditors, issuers and years.
The researchers used two methods to verify that the PCAOB search activity tracked in the log files was indeed related to inspections rather than other objectives (e.g. enforcement or general monitoring). First, they compared search activity during stated inspection years for triennial audit firms (which are inspected only once every three years) to activity during non-inspection years — during inspection years, audit firms saw a 61-132% increase in search activity. Second, the research team mined transcripts from the 2019 United States of America vs. David Middendorf trial. Middendorf, the former head of KPMG’s Department of Professional Practice, illegally obtained confidential PCAOB inspection-selection information between 2015 and 2017 from former PCAOB staff who had moved to—or were seeking jobs at—KPMG. As Shen explains, “We were able to pick out 40 KPMG client names from the transcripts, and we know for sure that these issuers were on PCAOB’s list.”
Based on these strong hints as to which companies were inspected and when they were inspected, the researchers could form evidence-based theories about the characteristics and conditions that piqued PCAOB’s interest.
“For example, large issuers — Meta, JPMorgan Chase, Apple, etc. — will be inspected almost every year,” Shen says. “Another indicator is auditor change, especially when the issuer changes from a Big Four to non-Big Four audit firm. That raises red flags, because that change usually doesn’t happen for no reason.”
Another interesting finding was that CEO turnover did not seem to trigger an investigation, but CFO turnover did. “PCAOB only monitors auditor quality, not financial quality,” Shen says. “CEO turnover could have any number of causes, such as failed investment strategy, etc. But CFO turnover could signify that the company has some accounting and auditing irregularities, or departure from internal control standards.”
Next, Shen and her co-authors funnelled all their data into a predictive model designed to estimate the likelihood that a particular Big Four audit, in a particular year, would be inspected by the PCAOB. The model assumed no insider knowledge, i.e. no information from EDGAR on search activity, basing its predictions solely on data in the public domain. For a sample of Big Four audits, the model’s estimates closely approximated PCAOB search activity. In other words, it came close to capturing the process that brought certain audits to the PCAOB’s attention, but not others.
“We cannot make the model perfect,” Shen cautions. “An unknown number of audit engagements are chosen for inspection at random every year, so that makes it harder. Also, there may be other important indicators that future researchers can use to build upon our model.”
The overall view of the PCAOB that emerges from Shen’s research is that of a regulatory body treading carefully, somewhat hemmed in by resource challenges (and possible political sensitivities). “You could say that the PCAOB tends to operate reactively instead of pre-emptively. They hear of an event, like CFO turnover, then they go and check the SEC filings. In practice, the PCAOB can monitor only a small fraction of issuers each year, which might help explain the approach that they take. Maybe AI could help them monitor more closely, scan a wider range of audit engagements and capture signals at an earlier stage,” Shen says.