The Continuing Evolution of Auditor Reporting in the Broker-Dealer Industry: Issues and Opportunities Free

Broker-dealers (BDs) execute all public trades in the U.S. financial markets and are entrusted with safeguarding clients' assets in their care.¹ Thus, this industry is critical to the financial well-being of all American households with a pension, college fund, or investment account, and thus to the stability of the U.S. economy as a whole.² Accordingly, under Securities and Exchange Commission (SEC) regulations in effect for decades (SEC 1975), BDs have been required to register with the SEC, and periodically file financial statements and reports on industry-specific conditions (e.g., the level of net capital) to that agency. As the vast majority of BDs are not affiliated with public companies, BD auditor oversight had been, until recently, the responsibility of state licensing/examination boards, with standard setting the responsibility of the AICPA. In addition to auditing the BD's financial statements under Generally Accepted Auditing Standards (GAAS), auditors have long been required to attest to management's compliance with specific conditions set by the SEC.

With the growth of the financial services industry and its expansion into risky products in the late 1990s and early 2000s, the shortcomings of this regulatory system became increasingly evident. The Sarbanes-Oxley Act (SOX, U.S. Congress 2002) amended securities regulations to require that all BD auditors register with the Public Company Accounting Oversight Board (PCAOB). The SEC exempted auditors of privately owned BDs from this requirement until late 2008. The requirement to register with the PCAOB became effective as of 2009, shortly following discovery of the massive Ponzi scheme at the wealth management arm of a major privately owned broker-dealer, Bernard L. Madoff Investment Securities LLC. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank, U.S. Congress 2010) then further expanded the PCAOB's jurisdiction by granting it full regulatory authority over BD audits. Through these two laws, oversight of BD audits shifted from self-regulation (through the AICPA) to a quasi-governmental regulator (the PCAOB), thus establishing the BD sector as the only industry in which the PCAOB oversees audits of both public and private entities.

Since that shift in oversight, the SEC has amended BD reporting requirements and the PCAOB has begun to exercise its audit standard setting, inspection, and enforcement authority with the goal of improving audit quality. Bedard, Cannon, and Schnader (2014) detail historical regulation and practices within the BD industry and summarize changes in regulation and audit/attestation standards initially proposed by the SEC (2011) and PCAOB (2011). While those proposals were designed to enhance investor protection, Bedard et al. (2014) present some concerns regarding the adequacy of those proposed standards to address long-standing BD regulatory issues. Since that writing, the SEC and PCAOB have both revised and finalized new regulations and standards in this sector (SEC 2013; PCAOB 2013b).

This paper builds on Bedard et al. (2014) by discussing key events in the BD sector since that publication, and by describing the current status of client and auditor reporting, as well as auditor oversight. We first provide background by briefly reviewing the prior regulatory regime for BDs and their auditors, followed by a summary of the PCAOB's interim inspection results for audits conducted prior to the change from AICPA to PCAOB standards. We then summarize regulations for BDs and the related attestation standards for their auditors that were recently finalized by the SEC and PCAOB, respectively, highlighting important differences from former regulatory reporting requirements. Proceeding beyond a discussion of standards, we next summarize the PCAOB's inspection observations released since the implementation of the new regulations, which demonstrate continuing issues with audit quality.³ Finally, we discuss outstanding questions for auditors under the new regulatory regime, and we conclude with thoughts on the current regulatory environment and opportunities for future research.

Regulation of BDs has historically been governed by the Securities Exchange Act of 1934 (U.S. Congress 1934) and the Securities Acts Amendments of 1975 (U.S. Congress 1975).⁴ (Table 1 provides a summary timeline of regulatory events discussed in this paper, and Appendix A defines selected terms relevant to the BD industry.) For over 30 years, BD industry regulations as codified in SEC Rule 17a-5(g)(1) remained “substantially unchanged” (SEC 2011), even though the volume, variety, and complexity of trading financial assets increased considerably during that period. SEC Rule 17a-5(g)(1) required BD audits to be performed “in accordance with generally accepted auditing standards that shall include a review of the accounting system, the internal accounting control, and procedures for safeguarding securities” (SEC 2013; emphasis added). This review was required to obtain sufficient evidence to achieve reasonable assurance that any “material inadequacies” would be disclosed (SEC 2013). As noted by Bedard et al. (2014), a review by definition implies a moderate, not reasonable, level of assurance; thus, the prior authoritative guidance was internally inconsistent.⁵ The SEC's concern about compliance with this standard is evidenced by a letter issued by the Office of the Chief Accountant to the AICPA Stockbrokerage and Investment Banking Expert Panel (SEC 2010). This letter explicitly stated the expectation that attestation standards be applied, emphasizing that auditors must provide reasonable assurance over the compliance activities defined in Rule 17a-5 (i.e., whether a material inadequacy exists). As the term “material inadequacy” was not defined by auditing/attestation standards at that time, the SEC letter also specified the exact location of the material inadequacy definition in the SEC rule.

In 2011, the PCAOB began an interim program of inspecting BD audits conducted under GAAS and the existing regulatory regime, which reflected the Securities Acts Amendments of 1975. Authority to perform these inspections was granted under the Dodd-Frank Act (U.S. Congress 2010). Inspection results revealed troubling insights about the state of auditing practices at that time. Initial inspections identified audit deficiencies in all the audit engagements inspected (PCAOB 2012), prompting the PCAOB to begin in-person and web forums to educate BD auditors (e.g., Gustafson 2015).⁶ Despite these efforts, the PCAOB noted in 2015 that deficiencies “continue to occur at unacceptably high levels” (PCAOB 2015b). The PCAOB (2015b) continued to inspect audits conducted under the existing regime through December 31, 2014, identifying deficiencies in 87.1 percent of those inspected. Although the PCAOB (2015b) stated that BDs selected for inspection may not have been representative of the BD population at large, they also noted that the selections were, as a whole, less risk-weighted than the issuer inspection program (PCAOB 2015c). This suggests that these BD inspection findings are more generalizable to the BD population than issuer inspection findings are to the issuer population.

Furthermore, deficiencies were observed more frequently in smaller firms and those without experience in auditing issuers (PCAOB 2015b), which is particularly troubling given their extensive presence in the BD audit market. While global network firms (GNFs) audit many larger BDs (especially those affiliated with public companies), this industry has many very small entities audited by small firms with little industry or public issuer audit experience (Bedard, Cannon, and Schnader 2017). Small audit firms cannot achieve the economies of scale of larger firms. They cannot spread research, systems development, and training costs across many clients like the larger firms. Further, audit firms having no issuer clients lack experience with the PCAOB inspection process and their personnel may not be familiar with PCAOB expectations.⁷

Registration with the PCAOB became mandatory for all BD auditors, whether their BD clients are publicly or privately owned, beginning with fiscal years ending on or after January 1, 2009. Bedard et al. (2017) show that the registration requirement had a strong effect on the BD audit market because in 2008, the year before PCAOB registration became mandatory, fewer than 30 percent of auditors were registered and fewer than 10 percent of BD audits were subject to PCAOB oversight (whether registered or not) because of affiliation with a public company. That paper also shows that a significant number of BD auditors ceased auditing in this sector prior to mandatory registration, consistent with seeking to avoid PCAOB oversight (Bedard et al. 2017). Even with this exodus of less experienced auditors following mandatory registration, 79 percent of BD auditors in 2014 still had fewer than five BD clients (Gustafson 2015, 8). The consolidation trend continued in 2015, the first year following implementation of new BD reporting regulations and auditing standards, when a majority of BDs switching auditors hired larger audit firms, and an additional 32 percent of auditors with only one BD client in the prior year left the market (Gustafson 2015, 10). Despite these audit market changes, many remaining auditors still have limited industry experience. As of mid-2015, 64.9 percent of all BD auditors did not have any issuers in their client portfolios (PCAOB 2015b, 5). Thus, many BD auditors have limited experience following more demanding PCAOB standards.

Further complicating the BD audit landscape is the plethora of privately held BDs that are likely unaccustomed to reporting under the heightened scrutiny of SOX and public markets, and lack experience supporting a PCAOB-compliant audit. For instance, the PCAOB (2013a, 2014, 2015b) notes that smaller BDs have historically hired their auditors to perform bookkeeping services and/or create the financial reports under audit, even though such actions violate the SEC's auditor independence rules.⁸ This suggests that reporting systems of smaller BDs are less developed, thus complicating their adjustment to the new requirements.

While the BD audit market landscape was changing following the PCAOB registration requirement, regulators were also working on changing standards. These changes began to emerge after the Dodd-Frank Act specifically authorized the PCAOB to set auditing standards and inspect audits in this sector. In the summer of 2011, the SEC (2011) proposed amendments to BD reporting requirements and the PCAOB (2011) proposed new attestation standards. After a period of feedback from stakeholders and internal deliberations, the SEC amendments were finalized on July 30, 2013 (SEC 2013) for fiscal years ending on or after June 1, 2014. Shortly after, the PCAOB (2013b) finalized its new auditing/attestation standards that follow the reporting structure adopted by the SEC. Thus, as of June 1, 2014, all BD audits must be conducted in accordance with the new PCAOB standards.

The SEC's (2013) new reporting requirements for BDs are summarized in Table 2. Under this new regulatory regime, all BDs are required to file financial statements audited to PCAOB standards. Beyond the financial statement audit, there are additional reporting responsibilities that differ between “carrying” BDs (which hold assets for customers) and non-carrying BDs (which must promptly transmit funds to carrying BDs upon receipt). For carrying BDs, a “compliance report” is now required. The objective of this report is for management to inform regulators and other interested parties about the adequacy of certain key conditions and controls related to consumer protection, termed “Financial Responsibility Rules” (FRRs; summarized in Table 2, Panel A). In contrast, non-carrying BDs are only required to file an “exemption report.” The exemption report simply asserts that the BD does not maintain custody of customer accounts. In bifurcating reporting for carrying/non-carrying BDs, the SEC seeks to target more stringent regulation toward those entities with more extensive custodial responsibilities and reduce the regulatory burden on pass-through entities.

While the prior regulatory regime emphasized adherence to financial reporting, accounting controls, and protection of customer funds for all BDs, the SEC's (2013) final amendments to Rule 17a-5 increase the focus on custody procedures. As in the prior regulatory environment, both carrying and non-carrying BDs are required to file audited financial statements.⁹ Beyond that, however, the new regulations differ considerably from the prior regime. First, the new reporting requirements specifically omit coverage of financial reporting controls for all BDs. Further, reporting requirements, previously similar for carrying and non-carrying BDs, now diverge.

In the following subsections, we elaborate on the new regulations surrounding BD responsibilities with respect to the more extensive compliance report for carrying BDs and the exemption report for non-carrying BDs. We also discuss the new auditor attestation responsibilities for these new reports given in the PCAOB's (2013b) new attestation standards. Table 3 summarizes the key differences between the coverage of old and new attestation rules.

Under the SEC's final regulations, maintaining custody of client assets triggers a requirement for the BD's management to file a compliance report that addresses the full set of FRRs, as well as other conditions. (The required compliance report statements are presented in Table 2, Panel B.) Management must then engage an independent auditor to perform a risk-based examination (i.e., an audit), coordinated with the financial statement audit, to provide reasonable assurance that Statements 2 through 5 are fairly stated in all material respects (AT No. 1, PCAOB 2013b).¹⁰ To achieve this assurance, the auditor must test and report on the operating effectiveness of internal controls over compliance (ICCs) throughout the year (Statement 2) as well as at year-end (Statement 3). Requiring attestation for the full fiscal year is unique to BDs, as evaluation of control effectiveness under SOX Section 404 is limited to year-end. The assertion of ICC effectiveness throughout the year (and related attestation) cannot be made if a material weakness existed at any time during the fiscal year, even if remediated by year-end.¹¹ For example, a reportable material weakness in ICC could indicate that at some point during the year the BD failed to segregate the appropriate amount of the customer's cash from the firm's cash (Statement 4), or failed to follow rules for regular counts of securities. Auditors must also attest that the information used for reporting net capital levels and proper segregation of customer funds was derived from the BD's books and records (Statement 5).

Non-carrying BDs can avoid the above reporting requirements by filing an exemption report limited to statements presented in Table 2, Panel C. The exempt BD must engage an independent auditor to provide moderate assurance that conditions do not exist that would cause management's exemption report to not be fairly stated in all material respects (PCAOB 2013b, AT No. 2). Thus, this standard requires a risk-based review coordinated with the audit of the financial statements. This review must include performing inquiries to understand management's controls for evaluating exemption compliance and identifying exceptions, reading relevant internal reports, and completing any other procedures necessary to obtain moderate assurance. Consistent with moderate assurance, relevant controls over management's exemption assertion need not be tested for effectiveness.

For some non-carrying BDs, meeting the exemption provision might not be a trivial matter. For example, Rule 15c3-3(k)(2)(i) allows an exemption if, when the BD comes in possession of customer assets, it transmits all customer funds by noon of the next business day. Since failure to promptly transmit even once would technically violate the exemption and trigger the more onerous compliance requirements, the SEC allows filers that have had violations to still claim an exemption and avoid filing a compliance report. These filers must identify and describe all exemption violations in their filing with the SEC. The requirement to report details of any violations by exempt BDs is warranted, as Gradison (2011) notes that in the past, non-carrying BDs have been liquidated by the Securities Investor Protection Corporation for embezzlement of customer assets.¹² Requiring the BD to disclose the dates and descriptions of any violations occurring during the reporting period allows the SEC and other regulators to assess the gravity of the violations and the appropriateness of the exemption claim. The unspoken threat of regulator action for these violations incentivizes BDs to strengthen controls that “facilitat[e] consistent compliance” (SEC 2013), and thus provides auditors with leverage to induce improvements to BD internal control systems surrounding customer assets.

Bedard et al. (2014) discuss the regulatory regime under which the BD industry conducted business for many decades, as well as changes to those regulations and to oversight of the industry that had been proposed by the SEC. The authors suggest that conflicting language and unconventional terminology in regulations and standards, as well as relatively lax oversight, might have led to wide variation in the extent of controls testing performed by auditors during that time period. While the final regulations provide some clarifications, other issues remain; namely, how auditors should determine materiality in this context, and the relationship between financial reporting controls and compliance controls.

First, Bedard et al. (2014) note that numerous comment letters responded to the PCAOB's proposed standards with requests for help in determining materiality as it relates to noncompliance with FRRs. The final SEC regulations clarify that any violation of either SEC Rule 15c3-1 (Net Capital Rule) or 15c3-3(e) (amount of customer cash that must be held in segregated accounts) is inherently material. However, the final rule provides little guidance for determining materiality as it applies to other FRRs; i.e., the Security Count Rule [17a-13], any Account Statement Rule, or all paragraphs of the customer protection rule (except for the segregated cash portion).¹³ Existing material weakness guidance from the public company domain does not necessarily inform materiality judgments in BD reporting, as the FRRs do not relate to items reported in the financial statements. For example, it is not clear how to determine if the mispricing of a security on a customer's statement is material. Is the materiality baseline established at the level of the security, the customer, the BD, or the market? What is an appropriate materiality threshold once a baseline is established? Informal conversations with practitioners suggest that uncertainty over materiality judgments such as these makes it difficult to determine key controls, plan the extent of control testing, and evaluate results.

Second, the proposed amendments to SEC Rule 17a-5 explicitly stated that the independent public accountant would not be required “to opine on … internal control over financial reporting” (SEC 2011, 24). Removing the requirement that auditors opine on accounting controls reduces the breadth of information conveyed by the BD auditor's report.¹⁴ Schnader et al. (2018) find that auditor disclosures of control and compliance problems under the prior reporting regime can be useful for predicting future BD sanctions imposed by the Financial Industry Regulatory Authority (FINRA). This implies that the adjusted scope of the BD auditor's report under the new reporting regime might reduce value-relevant information communicated to stakeholders.

The Center for Audit Quality's (CAQ 2011) comment letter on the proposed standards sought clarification of the relationship between internal controls over financial reporting (ICFR) and internal controls over compliance. In its explanation of the final rule, the SEC repeats that the auditor is not required to opine on ICFR but adds no clarification as to how potentially overlapping controls should be considered. Deloitte's (2011) comment letter notes that, “many aspects of the FRRs are derived, at least in part, from the basic financial statements.” For example, the starting point for the Net Capital Rule (Rule 15c3-1) calculation is net worth as presented on the Statement of Financial Condition. Without examining ICFR, it is unclear how an auditor would be able to conclude whether misstatements in the numbers used to compute net capital would be prevented or detected on a timely basis. While the relationship of ICFR to ICC was a topic of discussion between regulators and auditors in the early years of the amended SEC rules, our current understanding is that auditors are responsible for testing ICFR only to the extent that the control affects the ability to conclude on the adequacy of ICC. However, we are not aware of any public SEC or PCAOB statement that clarifies this point.

The first round of annual report submissions made under the new regulations began with fiscal years ended on June 30, 2014, and audit quality issues were immediately apparent. Of those BDs with a June 30 year-end, the PCAOB sampled 170 audited reports for a limited review, noting that approximately 20 percent either did not include all required reports, or their auditors filed the wrong type of attestation report.¹⁵ Furthermore, 9 percent of auditor opinions in this sample incorrectly describe the relevant rules as U.S. GAAS rather than the applicable PCAOB standards. Additionally, the PCAOB noted deficiencies in each of the first five audits selected for full inspection. In response to these adoption issues, the PCAOB issued an unprecedented special report in January 2015 “to provide timely insight” to inform in-process audits of December filers (PCAOB 2015a, 1).

In 2016, the PCAOB (2016) issued its first full report on interim inspections conducted on engagements under the revised attestation standards. This report covers 115 engagements with fiscal year-ends from September 30, 2014 through June 30, 2015, noting a continuing high rate of deficiencies (77 percent of all inspected audits) (PCAOB 2016). Many of the detected deficiencies relate to the “fundamentals of auditing,” including deficiencies from auditing revenue in 70 percent of inspected engagements (PCAOB 2016). The PCAOB (2016) also notes deficiencies in 78 percent of examination reports and 34 percent of review reports. They show that in many cases, auditors were not meeting the standard of reasonable assurance for examination engagements, which implies testing of management's assertions. Inspection findings under the former reporting regime similarly found many instances of failure to test controls to achieve reasonable assurance. While Bedard et al. (2014) raised the possibility that conflicting language in AICPA guidance may have contributed to prior inspection findings of insufficient testing, the PCAOB's expectation for reasonable assurance is explicit in the new standards. Despite this clarification, the PCAOB determined that testing is still insufficient in a high proportion of engagements inspected to those standards.

In its second report on the BD inspection program under the new regulations, the PCAOB (2017) again notes high rates of deficiencies overall (an increase to 83 percent of all inspected audits). However, both the 2016 and 2017 reports also note that the rate of deficiencies is lower for audit firms that also audit issuers, as compared to those who do not. For example, of engagements inspected in which the BD issued a compliance report, 74 (100) percent of audits performed by auditors with issuer (no issuer) clients had audit and other deficiencies, and 68 (100) percent of examinations had attestation and other deficiencies (PCAOB 2017, 48). While this implies that familiarity with the public company regulatory environment continues to be associated with higher audit quality, deficiencies remain frequent and are not declining appreciably over time.

While deficiencies in compliance with auditing and attestation standards clearly remain at problematic levels, the rate of independence violations declined from about a quarter of inspected audits in previous years, to a new low of 7 percent (PCAOB 2016). As firms that audit issuers were already found to have a low rate of independence violations, this improvement is primarily attributable to firms that do not audit issuers; their rate of independence problems dropped from approximately half to 13 percent. This suggests that the PCAOB can achieve improvements in this dispersed industry given time, continued focus, and use of incentive-modifying penalties.

In this paper, we build on Bedard et al. (2014) by discussing the recent overhaul of the reporting environment for U.S. BDs and their auditors. From this discussion, we identify three main take-aways. First, the revised attestation standards issued by the PCAOB (2013b) clarify the level of assurance that is required for each type of auditor report established by the new SEC regulations (SEC 2013). As noted by Bedard et al. (2014), the previous reporting regime used unconventional language, and audit guidance about the expected level of assurance was vague. That paper suggests that the extensive audit deficiency findings of the PCAOB's interim inspection program may have been, in part, attributable to these ambiguities. The SEC's amended rule (summarized in Table 2) removes these ambiguities, thus providing much needed clarification.

Second, while the new attestation standards are more precise as to the assurance required, some information to stakeholders has been lost in the new regime due to a reduction in scope and breadth in coverage of BD and auditor reporting to the SEC.¹⁶ Regarding the scope of reporting, auditors no longer attest to internal accounting controls for BDs, unless the BD is part of an accelerated filer covered under SOX Section 404. Regarding the breadth of coverage, information previously available to the markets has been lost as auditors now provide assurance on specific procedures and controls only for carrying firms, while auditors of non-carrying BDs need only attest to the claimed exemption. Audit Analytics data clearly show the overall reduction in auditor disclosures from the combined reductions in scope and breadth: in 2013 (the last year before the change in standards), auditors reported control and compliance problems for 6.2 percent of BDs, while in 2014, that rate fell to 0.9 percent. This reduction in scope contrasts with the public company sector, which also experienced a transition from AICPA to PCAOB oversight; however, information disclosed by both issuers and auditors greatly increased at that time due to the internal control provisions of SOX Sections 302 and 404.

Third, the PCAOB inspection program provides regulators with a valuable mechanism for motivating improvements in BD auditing procedures. Although informal conversations with practitioners suggest that progress in improving audit quality has been made, inspectors continue to report high rates of deficiencies. This is despite considerable PCAOB outreach efforts, six years of inspection reports (giving time to strengthen compliance processes), a new reporting regime with reduced scope, and updated rules providing greater clarity for expected assurance. While recent inspection findings do show some progress in reducing auditor independence violations, the number of procedural deficiencies has not appreciably diminished.

Given the BD industry's importance to the health and smooth functioning of the financial markets, it is important that research investigate audit quality issues in this sector. Our analysis of the current regulatory environment suggests two main topics. First, research could investigate the impact of the recent regulatory changes in both the SEC's BD reporting requirements, as well as the PCAOB's accompanying changes in auditing/attestation standards. The impact of regulatory changes on audit quality is a topic of consistent interest for auditing research and practice, but with few exceptions (e.g., Lennox and Pittman 2011), prior research is confined to public/listed companies. An additional disclosure requirement is that auditors of carrying BDs must attest to ICCs throughout the year, not just at year-end. This additional disclosure (not required for public companies) provides accountability, and it gives auditors a basis for motivating improvements to clients' compliance processes. Research could examine the extent of remediation prior to year-end or across years, and factors associated with this remediation.

While such research is important in understanding audit quality in the BD sector, the nature of publicly available data limits opportunities for archival research. For example, the SEC permits BDs to redact income statement information, thereby restricting the ability to measure financial reporting/audit quality with accrual-based measures.¹⁷ Furthermore, relevant proxies for BD size and operating activity are limited without using income statement measures, as the most relevant income-generating balance sheet measure (assets under management) is not publicly disclosed. Schnader et al. (2018) assess auditors' internal control reporting by measuring whether those reports provide an early warning of future FINRA sanctions. In addition to FINRA sanction data, researcher access to disaggregated PCAOB inspection data would provide valuable evidence on BD audit quality. While data constraints limit archival research, experimental and survey methods could provide insight by focusing on the perspectives and/or actions of BD personnel, auditors, and users in the current regulatory environment.

Second, research should investigate factors associated with the persistently high rate of BD audit inspection deficiencies. Schnader et al. (2018) and PCAOB inspection reports (e.g., PCAOB 2017) provide one such factor, as they both note lower audit quality for firms with no issuer clients. This pattern is consistent with a lack of experience with testing internal control effectiveness and with PCAOB standards, but it remains unclear why audit quality differences have proved largely intractable thus far. Schnader et al. (2018) further note differences in disclosure by firms considered industry “specialists” (i.e., those with large BD client portfolios that are not members of global networks). This finding suggests a tradeoff of auditor independence versus expertise. Future research should corroborate their findings using other audit quality measures. Future studies could also provide additional insight by examining audit quality differences at the office level, as has been done for public companies.

In closing, we note that the change in oversight for private entity BD audits has implications beyond the BD sector. The AICPA's Enhancing Audit Quality initiative and its proposed audit performance improvements suggest an acknowledgment of quality concerns regarding audits of non-public entities (e.g., AICPA 2015a, 2015b). Prior research, however, is largely silent on the quality of these audits in the U.S. As the BD industry is the first and only industry where private company audits are subject to PCAOB oversight, PCAOB inspections in this sector provide an unprecedented window on the many thousands of private company audits that are still conducted under AICPA guidelines, raising concerns about audit quality for non-public entities in general.