IATP has long commented on or used in our research performance audits by the U.S. Government Accountability Office (GAO) or by agency inspector generals, e.g., on the Department of Agriculture’s delegation of its meat and poultry inspection authorities to meatpackers. However, health and safety risks are not the only ones affecting food and agriculture. In June, we responded to a rule proposed by the U.S. regulator of financial auditing and to its invitation to nominate Critical Audit Matters, i.e., issues that could affect the financial and operational viability of a company but that are not currently required to be audited.
We submitted two letters to the Public Company Accounting Oversight Board (PCAOB), which sets standards for auditing the financial statements of companies that are registered by the Securities and Exchange Commission (SEC) to trade their shares on SEC-regulated exchanges. One of the letters concerned mandatory and reportable metrics for auditing firms to foster high quality audits. The other letter responded to PCAOB’s request for nominations for Critical Audit Matters (CAMs) that are currently not required to be audited. We nominated Climate Value at Risk (CVAR), a financial metric that reports fiscal year and longer-term projected losses, expenditures and investments to manage a company's climate-related risks. We also nominated a CAM that includes expenditures, investments and losses related to Artificial Intelligence (AI) safety programs. (In June, IATP published an article, “AI use in and risk to derivatives markets,” which discusses AI safety issues in the research, trading and back-office completion of commodity futures contract transactions.)
Third party or external financial audits should provide shareholders, prospective investors and regulators with assurance that the financial statements and related reporting to the SEC are accurate, comprehensive, transparent and comparable with other companies in a sector. (IATP’s comments on the proposed SEC rule on climate financial-related disclosures supported the inclusion of third-party auditing assurance of disclosed information, including corporate greenhouse gas emissions.) External audits, as an unbiased examination of a company’s internal audit, also provide a company’s auditing committee with an evaluation of both the company’s operational and financial controls and performance.
What can the PCAOB do to improve audit quality?
Unfortunately, mainstream media reporting about audits usually concerns failures or scandals, such as the SEC’s prosecution of BF Borger CPA, the former auditor of the Trump Media and Technology Group, for having filed 1,500 fraudulent regulatory filings with the SEC. More commonly, some part of an audit is deficient in substantiating its opinions about the financial statements of audited firms. For example, PCAOB reported that the deficiency rate in 215 audits of public companies by three of the largest accounting firms averaged 24% in 2023, compared to 13% in 2021. Since PCAOB cannot intervene in audits as they are being conducted, what can it do to improve audit quality?
After a survey and study process, in April 2024, PCAOB proposed mandatory firm-level metrics and engagement level metrics that would, for example, require disclosure of the extent to which senior staff were engaged in auditing and the supervision of contract employees who performed the detailed analysis of the audited clients’ financial statements. PCAOB wrote,
Investors and audit committees cannot easily observe the services performed by auditors. This can limit investors’ ability to make informed decisions about investing their capital, ratifying the selection of auditors, and voting for members of the board of directors, including directors who serve on the audit committee, and audit committees’ ability to choose among and monitor the performance of auditors. At the same time, there is a lack of incentive for firms, acting on their own or collectively, to provide accurate, standardized, and decision relevant information about their firms and the engagements they perform. (p. 3)
IATP derived our comments about the PCAOB proposed rule from an American Financial Reform Education Fund letter that identified eight areas for improvement in the PCAOB proposal. (IATP was a signatory to that letter.) We selected three of the eight recommendations for amplification.
First, we wrote that the PCAOB should require auditing firms to report on senior staff supervision of its audits and how many hours were spent on the supervision of firm employees and of specialists contracted specifically for a given audit. Prospective investors, shareholders and a company’s audit committee would benefit by knowing the extent to which an auditing firm depends on a contract worker to substantiate, for example, a company’s claim about its climate-related financial risks. They would want to know how many hours senior staff spent directing and reviewing the contract workers’ analysis of a company’s financial statements. A lightly supervised audit, largely conducted by contract workers, might be of concern to shareholders, prospective investors and/or the SEC.
Second, we advised the PCAOB to include metrics for staff time and technology used to examine possible fraudulent information in a financial statement. We pointed to the auditor’s use of AI to detect financial fraud but asked the PCAOB to require auditors to quantify and report their fraud detection errors, as well as the time required to recode detection algorithms to reduce or eliminate detection errors in an audit. The senior staff should be able to substantiate how data surveillance determined no fraud in financial statements, as well as substantiating incidents of fraud originating within the audited firm and/or its customers.
Finally, we supported the PCAOB proposal for standardizing how financial documents are electronically tagged to enable automated reading of financial data reported in different SEC forms, including those pertaining to the foreign subsidiaries of U.S. parent firms. We wrote, “Filing in one machine language will allow shareholders to compare more efficiently and comprehensively the audit results with reporting in the SEC registrant filings. The comparisons will be useful both for investment decision making and for shareholder voting on whether to retain the auditor.”
IATP nominations for Critical Audit Matters (CAMs)
Whereas IATP’s first letter to PCAOB responded to a 237-page proposed rule, our second letter nominated two candidates for PCAOB’s Investor Advisory Group to develop as proposed CAMs. Each nomination was limited to 500 words. Our decision to nominate Climate Value at Risk (CVAR) and AI safety as CAMs was determined by the body of research that could be used to define the reporting requirements for each CAM.
Our letter cited the work of the International Auditing and Assurance Standards Board on the auditing of climate-related risk in financial statements. CVAR modeling of climate-related expenditures, losses and associated capital and insurance costs is one of several climate metrics used by asset managers in their portfolio analyses. Although CVAR modeling is considered a methodological work in progress, shareholders, prospective investors and company audit committees may soon expect auditing firms to use CVAR analysis as a standard auditing tool.
We proposed that PCAOB consider how companies should report to the SEC not just their use of AI in product applications but also on the staffing, research and testing expenditures to ensure that their AI use is safe for the firm and its customers. The auditing of the use of AI by companies should include a comprehensive risk assessment of the safety of AI models whether they are developed by companies themselves, or/and are purchased and then adapted to a company’s needs.
The lack of AI safety controls, relative to the growth in the application of AI models, made front-page news on June 4, when 13 employees and former employees wrote to their bosses at Open AI, Anthropic and Google Deep Mind to ask that they be released from broad non-disclosure agreements and receive whistleblower protection so that they could identify major safety shortcomings in Open AI and Google AI products without fear of retaliation. On July 1, Open AI employees wrote to the SEC that their supervisors were illegally blocking the employees from informing the public about AI risks to humanity and called for the SEC to investigate Open AI.
Our letter cited a survey of auditing firms, according to which, the reluctance of those firms to use AI was due to an ”Inability to access usable client data.” We advised the PCAOB that there are mediated access protocols to protect their clients’ proprietary data while enabling auditors to use AI tools to risk assess whether a company’s use of AI models was safe for the company and its customers. As companies, including agribusiness firms, use AI in their operations and product development, auditors will do their clients a disservice if they do not have the capacity to risk assess their client’s AI safety risks, expenditures and AI-related exposure to financial losses and liability.
IATP hopes that the PCAOB’s Investor Advisory Group will select our CAMs nominations for further research and development and perhaps rulemaking. Only two nominations will be selected. If CVAR and AI safety are not selected, we are confident that they will remain salient auditing issues. For example, since agribusiness companies are making more claims about their commitments to reduce their greenhouse gases and adapt to climate change, shareholders and prospective investors will expect such companies to verify their commitments by reporting such climate metrics as CVAR. If these CAMs are not selected this year but PCAOB invites nominations next year, IATP will renominate them because CVAR and AI safety are crucial issues for investors, companies and the public interest.