Twenty Years After SOX Was Signed Into Law, SEC Chief Says ‘Who Audits the Auditors’ Still Matters

During a webinar co-hosted earlier today by the Center for Audit Quality commemorating the 20th anniversary of the Sarbanes-Oxley Act being enacted, Securities and Exchange Commission (SEC) Chair Gary Gensler said it might be time for the SEC and the Public Company Accounting Oversight Board (PCAOB) to take a “fresh look” at auditor independence rules.

Gensler reflected back on the history and importance of SOX, which was signed into law on July 30, 2002 by President George W. Bush following the accounting scandals at Enron, WorldCom, Adelphia, and Tyco.

At the time, Gensler was on the staff of Sen. Paul Sarbanes (D-MD), who along with Rep. Michael Oxley (R-OH) were co-sponsors of the bill that would eventually be named after the two lawmakers. The law would also lead to the creation of the PCAOB, which would be tasked with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.

“The late Sen. Paul Sarbanes, my hometown senator from Maryland, was the new chair of the Senate Banking Committee. I was honored to have a front-row seat, working as his senior advisor on this legislation,” he said.

The ultimate goal of Sarbanes-Oxley was to restore trust in the U.S. financial system, Gensler said, but in the 20 years since SOX became law, he asked: What have we learned? What has worked? What is still a work in progress?

Two things that are still works in progress, he said, are updating outdated auditing standards and strengthening auditor independence regulations.

Here is an excerpt from the speech Gensler made today regarding those two topics:

Auditing standards
First, the Enron crisis revealed a key problem: the quality of auditing standards.
Candidly, the relationships between issuers and auditors, between standard-setters and auditing firms, were too clubby.
It matters who sets the standards. It matters who “audits the auditors.”
Auditing standards were set by the American Institute of Certified Public Accountants, a professional association. The profession was writing its own rules. That’s an inherent conflict.
Additionally, auditing firms were tasked with “inspecting” each other. Naturally, such inspections had conflicts, failing to identify serious shortcomings in auditor independence and audit quality.
To correct course, the Sarbanes-Oxley Act established the PCAOB, an independently funded board under the regulatory oversight of the SEC.
The PCAOB is tasked with setting enhanced auditing standards. For practical purposes, Congress permitted the then-new PCAOB to carry over existing AICPA standards on an interim basis. The expectation was that the Board would produce a more appropriate set of standards going forward.
Historically, though, the PCAOB has been too slow to update auditing standards.
Twenty years later, most of those interim standards remain.
In May 2022, the PCAOB announced that it plans to update almost all of the remaining interim standards. I look forward to these critical auditing standard updates.
While they have their work cut out for them, I believe that Chair Erica Williams and the board can live up to Congress’s original vision with respect to standard-setting. I hope we can make some progress before Sarbanes-Oxley can legally drink.
Auditing inspections, investigations, and enforcement
In addition, the PCAOB is tasked with inspecting and investigating auditing firms for compliance with auditing standards and, when necessary, bringing enforcement actions.
Inspections, investigations, and enforcement are critical components of instilling trust in our capital markets. Under the current leadership, the PCAOB has a chance to reinvigorate its enforcement program.
The work to improve auditing standards, coupled with rigorous enforcement of auditor’s professional and ethical requirements, is essential for investor protection.
Sarbanes-Oxley gave the SEC fair fund authority to return monies directly to harmed investors. Over the past eight years, the SEC has returned more than $5 billion to harmed investors.
Accounting and auditing cases also are an important focus of the SEC’s enforcement program. We recently charged Ernst & Young LLP with cheating by its auditors (on Certified Public Accountant ethics exams, no less!) and with withholding evidence of this misconduct in our investigation. This action underscores the importance for accounting firms of fulfilling their gatekeeper functions in the spirit and letter of Sarbanes-Oxley.
Auditor independence
Another problem the Enron crisis revealed was weak auditor independence.
In many cases, including Enron, audit firms had lucrative consulting engagements with the companies they were auditing.
Thus, Sarbanes-Oxley directed the SEC to take steps to create a stronger barrier between auditors and other parts of their firms’ business when dealing with audit clients, with some exceptions.
A number of firms spun out their consulting businesses in the days shortly before and after Sarbanes-Oxley. Over the past 20 years, however, many of these firms went on to rebuild them again. PCAOB inspections continue to identify independence—and lack of professional skepticism—as perennial problem areas.
Those advisory practices not only have grown; they also have gotten more complex. Given the growth in the size and complexity of non-audit services, it is important that audit firms maintain a culture of ethics and integrity—placing the highest priority on auditor independence throughout the firm, not just in the audit practice.
As SEC Acting Chief Accountant Paul Munter recently noted, “staff have seen situations of decreased vigilance when it comes to auditor independence.”
I have asked the PCAOB to consider adding updates for auditor independence standards to their agenda. We may need to take a fresh look at the SEC’s auditor independence rules as well. In the meantime, I encourage firms to review and enhance their independence protocols with respect to their auditing and consulting practices.

You can read Gensler’s entire speech here. You can watch the webinar here.