The Changing Face of Auditor Reporting in the Broker-Dealer Industry Free

This paper examines the status of auditor reporting for the broker-dealer (BD) industry and considers how proposed changes to SEC regulations and PCAOB attestation standards would affect the ways in which auditors evaluate and report on BDs. The global financial crisis, several well-publicized scandals, and recent PCAOB inspection findings have cast doubt on the efficacy of current BD audit practices. The ineffectiveness (or non-existence) of internal controls at firms such as Bernard L. Madoff Investment Securities LLC (Madoff Investments), Stanford Financial Group, and PFG Best has resulted in billions of dollars of losses for clients of those firms. While the BD industry is unique and complex, understanding responsibilities of BDs and their auditors is important, as these firms serve the general investing public.¹

This investigation is relevant because recent federal legislation provides greater regulatory oversight of BDs. The Sarbanes-Oxley Act (U.S. House of Representatives 2002) required auditors of non-issuer BDs to register with the PCAOB, but did not specify a deadline for registration. After a series of temporary extensions by the SEC expired, PCAOB registration for auditors of non-issuer BDs became mandatory for audits of fiscal years ending after December 31, 2008 (SEC 2009a). The Dodd-Frank Act (U.S. Congress 2010) then gave the PCAOB the power to implement an inspection program for these auditors. Thus, all BD auditors are now subject to PCAOB inspections, certain quality control standards (e.g., those relating to auditor independence), and industry-specific standards, once those are developed. This is a particularly noteworthy change in the oversight structure, as 84 percent of BD auditors in the 2005–2010 time period did not audit any public issuers of securities and, thus, were not subject to PCAOB inspection during that period. Industry experts with whom we consulted in preparing this paper uniformly agreed that, while audits in this industry sector have received little public attention for many years, increased oversight is causing rapid change. As the BD industry is served by more than 1,800 auditors across a wide spectrum of BD firm size, it is imperative that the profession closely monitor the evolution of regulatory change.²

This paper first considers guidance currently in effect for auditors' evaluations of BD internal controls and compliance with SEC regulations, therefore preceding the implementation of regulatory reforms currently in process. This guidance, basically unchanged since the 1970s, has some elements that are vague and potentially contradictory. These elements may have contributed to audit quality problems in terms of internal control assessment, which are evidenced by recent regulatory related actions that we discuss later in the paper.

Following analysis of current guidance, we next discuss the SEC's proposed amendments to BD reporting rules (SEC 2011) and the related proposed PCAOB attestation standard (PCAOB 2011), which examine limitations of existing regulations and attempt to clarify and streamline requirements for firms and their auditors. The SEC's proposal bifurcates reporting requirements according to whether the BD maintains custody of customer assets (i.e., whether it is a “carrying” firm) at any point in time during the reporting year. The proposed rules require that carrying firms assert their compliance with SEC standards and the effectiveness of internal controls over compliance with these standards, and one of the proposed PCAOB attestation standards clarifies the auditor's responsibility to perform an examination engagement on those assertions. However, under the proposed standard, non-carrying firms will only need to assert that they are exempt from reporting on compliance, and auditors will perform a review engagement on this assertion. While these proposals generally clarify the auditor's responsibilities over BD reporting, we also discuss further questions raised by professionals in their comment letters.³

In the following section, we provide basic background information about the BD industry, discuss the nature of BD business activities, and highlight recently exposed vulnerabilities. We then review the oversight structure and discuss existing standards for BD audits. We then discuss proposed changes to the existing auditing standards, and present our conclusions.

BDs are entities that conduct securities transactions on behalf of clients (brokers) and/or for their own accounts (dealers). Auditors engaged with BD clients need a considerable level of industry-specific knowledge. As an illustration, Chapter 6 of the AICPA's Audit and Accounting Guide: Brokers and Dealers in Securities (AICPA 2012, hereafter “the Guide”) includes 38 pages of information on the auditor's consideration of internal control areas unique to the BD industry.⁴ There are a number of industry-specific factors that make the design and effective operation of internal controls challenging for BDs, and evaluation of those controls challenging for their auditors. The first involves the variety of business activities in which BDs can engage. While the primary activities of BDs continue to include buying and selling corporate stocks and bonds to customers in the traditional sense, the breadth of products offered by BDs has expanded considerably over time.⁵ The breadth of BD business activities adds to the challenge of auditing their transactions, as well as their internal controls over customer orders, transaction execution, records of customer accounts and, perhaps most importantly, safeguarding customer assets.

Second, as noted in more detail in the following section, BDs are responsible to multiple regulators at different levels, all of which apply specific operating and reporting requirements. Third, there are complicating factors associated with BDs' core activities in trading and holding securities. Specifically, the vast majority of securities are no longer physical, thus placing greater reliance on book entries. Also, most BDs use a few depositories to hold customers' securities, and thus rely on the controls at those depositories.⁶ Additionally, while the securities may be “in custody,” the BD may have pledged the securities to meet the BD's needs without the customer's knowledge and permission, placing the customer at risk. Furthermore, many securities that the BDs are responsible for are loaned out on any given day, trades between parties may “fail,” and the volume of daily transactions can be very high.

Recent events highlight the importance of effective auditing in the BD industry. For decades, Madoff Investments falsified financial reports to obscure what is believed to be the largest Ponzi scheme ever uncovered, which its small audit firm was either unable or unwilling to detect or report. In another case, principals at MF Global engaged in a series of risky bets on sovereign bonds. “Faulty controls … prevented the company from knowing that [an estimated $1.6 billion of] customer funds were being used to meet MF Global's needs” (Lucchetti and Steinberg 2013).⁷ While the firm's bankruptcy trustee recently reported recovery of a substantial portion of those funds (e.g., Protess 2013), the firm itself failed, with high monetary and reputational costs to its principals.⁸ Other recent examples of BDs with control failures abound including Peregrine Financial Group, LPL Financial, and Wells Fargo. James Stewart (2011) of The New York Times asks:

These examples emphasize the need for strong internal controls at BDs and highlight the role that auditors can and should play in auditing BD internal controls and the financial reporting process. In the following section, we describe briefly the current oversight structure for BDs, and provide more detailed information concerning existing attestation standards.

In the U.S., BDs are subject to regulation at various levels including the SEC, state authorities, and industry-specific organizations such as the Financial Industry Regulatory Authority (FINRA). Record keeping and filing requirements for BDs are extensive. They are required to maintain detailed records concerning customer accounts, as well as information specific to transaction orders and their subsequent execution. Rule 17a-5 of the Securities Exchange Act of 1934 (SEC 1975) stipulates the various reports that BDs are required to file (including, but not limited to, the annual financial statements), and outlines auditors' responsibilities with regard to these reports.⁹ Currently, Rule 17a-5 requires that BD audits be based on GAAS. Pending implementation of new standards by the PCAOB, the SEC has advised BD auditors to continue to apply AICPA standards.

Under the current wording of SEC Rule 17a-5(g)(1), which was in effect at the time of the aforementioned scandals and continues to be in effect until current regulatory efforts are completed, BD audits “shall be made in accordance with generally accepted auditing standards and shall include a review of the accounting system, the internal accounting control, and procedures for safeguarding securities” (SEC 2013). The audit must include all procedures necessary to enable BD auditors to express an opinion on the financial statements, the computation of net capital and reserve requirements and, for carrying BDs, information relating to the possession or control of customer securities required under SEC (2004) Rule 15c3-3.¹⁰ Further, Rule 17a-5(g)(1) states that “[t]he scope of the audit and review of the accounting system, the internal control and procedures for safeguarding securities shall be sufficient to provide reasonable assurance that any material inadequacies existing at the date of the examination in (a) the accounting system; (b) the internal accounting controls; (c) procedures for safeguarding securities; and (d) the practices and procedures whose review is specified [in Rule 17a-5] would be disclosed” (SEC 2013).¹¹

We note two key aspects of this wording. First, the scope of “material inadequacies” in Rule 17a-5 (SEC 2013) includes both conditions existing in the accounting system and internal accounting controls, as well as procedures specific to the BD's business functions. Second, while this passage stipulates that the auditor should provide reasonable assurance that material inadequacies do not exist, the auditor's responsibility is described as a “review,” consistent with moderate assurance, not reasonable assurance. The Guide (AICPA 2012) follows the wording of Rule 17a-5 (SEC 2013), reflecting practice that has evolved over the years. Further, as detailed in the SEC's proposed amendments and the PCAOB's proposed attestation standard (SEC 2011; PCAOB 2011), the terms “material inadequacy” and “study” are not defined in current auditing/attestation standards. The SEC notes that the requirements of Rule 17a-5 have been “substantially unchanged since 1975” (SEC 2011, 7–8).

The situation described in the preceding paragraphs may have contributed to variations in audit practice for BD engagements. There are three recent sources of evidence that support this concern. First, the SEC's Office of the Chief Accountant issued a letter to the AICPA Stockbrokerage and Investment Banking Expert Panel (SEC 2010), which explicitly stated that attestation standards are to be applied, emphasizing the SEC's expectation of obtaining reasonable assurance over SEC compliance activities defined in Rule 17a-5 (i.e., whether a material inadequacy exists). Professionals that we interviewed when preparing this paper noted that this letter from the SEC likely increased the extent of auditing procedures performed for BD engagements, suggesting either that auditors were unclear about the SEC's expectations or that the SEC's expectations have shifted over time.

Second, the PCAOB has now produced two reports on interim inspections of BD audits (PCAOB 2012; PCAOB 2013), both of which provide evidence indicating concern over audit quality. In 21 of 23 inspections discussed in the 2012 report, “the firms failed to perform sufficient audit procedures to obtain reasonable assurance that material inadequacies existing at the date of the examination were disclosed in the accountant's supplemental report” (PCAOB 2012, 10).¹² The report goes on to say that the “[i]nspections staff noted these firms did not sufficiently test controls related to the broker's or dealer's accounting system, internal accounting controls, and procedures for safeguarding securities. For example, several firms limited their procedures to inquiries of management” (PCAOB 2012). As an example of internal control issues related to recent scandals, such as MF Global, PCAOB inspectors found that, in more than half of the audits inspected, auditors insufficiently evaluated the possibility of management override. The second report (PCAOB 2013) notes that failure to perform procedures to support reasonable assurance over material inadequacies was found in 41 of the 60 inspected engagements.

Finally, the Commodity Futures Trading Commission filed its first lawsuit against an accounting firm related to a BD audit failure, alleging that “the audits failed to adequately test Linn Group's accounting system, internal controls, and procedures for safeguarding assets” (Eaglesham and Rapoport 2013). In the following section, we briefly summarize the main ways in which the SEC's proposed amendments to Rule 17a-5, and the PCAOB's proposed attestation standards, differ from existing guidance, therefore documenting the ongoing evolution of BD regulation.

The SEC's proposed amendments to Rule 17a-5 regulations regarding annual reporting by BDs are intended to “encourage, in connection with broker-dealer audits, greater focus by the auditor on internal control over compliance as it pertains to key regulatory requirements including, in particular, greater focus on broker-dealer custody practices” (SEC 2011, 25). To elicit information as to whether, and how, a BD maintains custody of cash and securities belonging to customers and others, proposed Rule 17a-5 requires all BDs to file a new “Form Custody” with its quarterly FOCUS report.¹³

For carrying BDs, the SEC's proposal also requires the annual SEC filing to include audited financial statements and a “Compliance Report” from the BD containing management's assertions concerning compliance, and internal control over compliance, with SEC “Financial Responsibility Rules” (FRRs), which cover net capital requirements, safeguarding of customer accounts, security counts, and reporting to customers. The Compliance Report also must include an independent auditor's “Examination Report.” According to the PCAOB's proposed standards (PCAOB 2011), the auditor's Examination Report must provide reasonable assurance that management is in material compliance with the SEC's FRRs, or report instances of “material non-compliance,” as well as any MWs in internal control over compliance with the FRRs.¹⁴ This proposal clarifies that the proposed changes will “not affect existing obligations of broker-dealers or their accountants with respect to financial reporting” (SEC 2011, 24). However, the SEC's proposal specifically omits the effectiveness of internal control over financial reporting as one of the assertions required by the BD in the Compliance Report (SEC 2011, 17). However, under the current wording of Rule 17a-5 (SEC 2013), “the accounting system” and “internal accounting controls” are listed among the areas that auditors must assess to determine if MIs exist. For BDs that do not carry customer funds, an “Exemption Report” would be required in lieu of the Compliance Report described above. In this report, management asserts that the BD is exempt from compliance with rules governing custody of customer accounts (i.e., SEC 2004, Rule 15c3-3). The Exemption Report must be accompanied by an independent auditor's “Review Report” that provides moderate assurance that the BD does not have custody of customer funds or securities and, therefore, is in fact exempt. If the BD's exemption assertion is not fairly stated, the auditor must state that the BD is not in compliance with the specified exemption conditions and describe the circumstances. The auditor also must report the circumstances to management and the audit committee and must evaluate the possible impact of identified instances of non-compliance on the financial statement audit.¹⁵ The PCAOB's (2012) report on the first year of BD interim audit inspections shows that, in all 14 of the audits examined in which the BD claimed an exemption under the existing Rule 15c3-3, inspectors found that auditors obtained insufficient evidence that the BD actually complied with exemption conditions, suggesting that clarification of this expectation is necessary.

The PCAOB's proposed attestation standards (PCAOB 2011) reflect the SEC's proposal that creates a bifurcation in reporting based on the BD's responsibilities for customer assets.¹⁶ The SEC's proposed auditor's Examination Report (for non-exempt BDs) or Review Report (for exempt BDs) would replace existing requirements described in the preceding section of this paper. Although all BDs would be required to have a financial statement audit conducted in accordance with PCAOB standards, other reporting requirements would differ between exempt and non-exempt BDs. For carrying BDs, examination engagements would be aligned with the standards of the PCAOB for public company audits. The term “study” of practices and procedures would no longer be used, as PCAOB standards do not allow for a “study” (SEC 2011, 5–6). Under proposed standards (PCAOB 2011), the auditor of an exempt BD would instead express an opinion or conclusion on the BD's assertions of exemption based on sufficient appropriate evidence in accordance with PCAOB standards.¹⁷ Further, proposed attestation standards would require that the auditor conduct a risk-based engagement that is coordinated with the financial statement audit. When conducting examination engagements for non-exempt BDs, auditors must test the effectiveness of controls that are “important to the auditor's conclusion about whether the broker or dealer maintains effective internal control over compliance for each specified “Financial Responsibility Rule” of Rule 17a-5 (PCAOB 2011).¹⁸

In sum, the proposed rules respond to concerns about existing regulation and oversight of BDs by clarifying expectations for audits of carrying BDs. They will likely raise the bar in terms of audit quality for those clients. However, auditors of exempt BDs, under the proposed standards, will only have to provide a financial statement audit opinion and a Review Report based on the BD's Exemption Report, which attests to management's assertion that the BD does not have custody of customer funds or securities.

The SEC's bifurcation of reporting is clearly risk-based. As noted by Daniel Goelzer (2011), a former member of the PCAOB, the BD industry is populated by a few “mega-firms,” and thousands of very small BD firms. On a cost-benefit basis, with limited regulatory resources, it is logical for the SEC to focus attention on BDs that maintain custody of customer funds and securities. Similarly, while the PCAOB has not yet determined the parameters of its inspection program for BD audits, one possibility under discussion is to exempt BDs that do not provide custodial or clearing services (Gradison 2011), as there are thousands of such BDs; therefore, the personnel requirements to sustain even a triennial inspection program would be tremendous. Thus, limiting inspections to carrying/clearing BDs (as well as reducing reporting requirements for non-carrying firms) is understandable based on regulators' resource limitations and scalability of costs to those firms. However, William Gradison (also a former member of the PCAOB) points out that there also is risk associated with non-carrying BDs.¹⁹ He notes that the Securities Investor Protection Corporation (SIPC) has liquidated a number of BDs that were not providing clearing or custodial services, pursuant to a significant number of frauds involving theft of customer assets despite their “non-carrying” status. Thus, while the risk of loss for investors is higher for carrying/clearing BDs, this risk is not confined to those firms alone.

In this section, we summarize comment letters written primarily by auditing professionals regarding PCAOB proposed standards, which highlight issues of concern to the profession and contribute to the iterative process of standards revision that currently is underway. There are 11 comment letters on Proposed Standard 2011-004, which addresses BD attestation engagements (PCAOB 2011).²⁰ While a number of issues are raised in these letters, two themes are pervasive (i.e., mentioned by the Center for Audit Quality [CAQ], as well as by the large public accounting firms), both of which ask for well-defined guidance with respect to challenges specific to the BD industry.

One of these issues is the need for additional guidance as to how auditors should identify “material non-compliance.” In their comment letters, the CAQ and all of the Big 4 firms mention the need for more guidance concerning how to determine when non-compliance reaches a material level. For example, the comment letter from the CAQ (2011a, 5) on the PCAOB's proposed standard notes that “[w]e believe that auditors would benefit from additional guidance related to the determination of material non-compliance including, wherever possible, specific examples regarding the consideration of qualitative and quantitative factors in the context of each of the Financial Responsibility Rules, and matters within each of the Financial Responsibility Rules that the PCAOB considers to be most significant to compliance.”

Another issue expressed in letters from the profession is the association between internal controls over financial reporting (ICFR) and internal controls over other compliance activities. Practically speaking, those controls must overlap to some degree, and commenters seek further information about how a detected deficiency or a material misstatement in financial reporting should affect the compliance audit. This is important because, under proposed standards, only MWs in controls relating to the FRRs (not those in financial reporting) need be disclosed in the Examination Report for non-exempt BDs. For example, the CAQ's comment letter on the SEC's related proposals on BD regulation asks:

The request for additional guidance from the auditing profession reflects uncertainty in current practice.

This manuscript is intended to inform academics and practitioners about the current and proposed status of auditing standards in the BD industry sector, prior to the implementation of upcoming regulatory reforms. BD firms have considerable economic importance as a vehicle through which millions of people invest their savings, and auditing BDs is a unique challenge for the wide array of auditors that provide services in this sector. Recent scandals have drawn the attention of the press, legislators, and regulators to the quality of internal controls in these entities, and to the quality of their audits. Further, the PCAOB now has released two reports on the progress of its inspection program for BD audits (PCAOB 2012, 2013), providing evidence of quality problems among inspected engagements. We provide a view of auditing regulation in the BD industry during a period of change in regulation and auditing standards, and highlight issues important to both academia and practice.

Our review of current and proposed regulations in the BD sector yields mixed findings. PCAOB registration raises the bar by requiring that audit firms comply with quality control standards, such as auditor independence requirements. Firms not able or willing to meet those standards likely have dropped out of the BD audit market and, thus, overall audit quality should improve. Audit quality for all firms should also improve as a result of the PCAOB inspection program and reports, which better clarify regulators' expectations. Audit quality for carrying (non-exempt) firms also should improve as a result of amending the SEC and PCAOB standards, specifically with regard to compliance assertions within the FRRs. However, as expressed in comment letters to regulators by the auditing profession, some key questions about identifying material non-compliance, and the association of material non-compliance with financial misstatements and ICFR, were not addressed by the proposed amendments. Regarding non-carrying (exempt) BDs, proposed standards will result in a reduction in audit assurance, as (beyond the financial statement audit opinion) auditors only will provide moderate assurance regarding the BD management's assertion that they qualify for exemption.

In sum, there is a considerable evolution of BD regulatory oversight underway that will affect both BD filing requirements and the related attestation responsibilities of their auditors. As auditors across the professional spectrum are actively engaged in BD audits, it will be important to monitor and document the evolution from the proposed to the final regulations that will become effective in June 2014. Future research can then assess the impact of these regulatory changes on BDs and the practice patterns of their auditors, which will become evident after several years of experience.