The Public Company Accounting Oversight Board’s Division of Registration and Inspections has recently released a Staff Preview of 2018 Inspection Observations (Preview), based on the PCAOB staff’s inspection of over 160 audit firms in 2018, covering portions of approximately 700 public company audits. The Preview includes observations of good auditor practices, common audit deficiencies and other observations from the 2018 inspection activities. The discussion in the Preview is intended to offer useful information to auditors as they prepare for upcoming audits and to audit committees as they engage with their auditors.
Starting on a positive note, the Preview highlights six good practices by audit firms that contributed to improvements in audit quality:
- Expanding accountability for audit quality beyond the lead engagement partner;
- Developing and refining guidance to help auditors identify and assess risks of material misstatement;
- Revising training programs;
- Providing additional support from experienced personnel not assigned to the audit;
- Establishing a network of specialized professionals to address emerging risks; and
- Providing new or enhanced audit tools in areas of significant judgment.
Turning to areas of common audit deficiencies, the PCAOB staff highlighted the following four items:
- Internal Control over Financial Reporting (ICFR) – common deficiencies included the failure of auditors to select controls for testing that support specific risks of misstatement and failure to sufficiently test the design and operating effectiveness of controls that include a review element (e.g., the auditor failed to evaluate the activities performed and factors considered by the owner of the control). As the Preview notes, control testing is “critical” to an audit, given that it supports opinions as to the effectiveness of ICFR in an integrated audit and informs the approach taken with respect to substantive testing.
- Risk Assessment and Revenue – “frequent deficiencies” in this area involved the failure of auditors to properly design and perform audit procedures commensurate with the assessed risk of material misstatement, particularly in the context of auditing revenue. The PCAOB staff cautioned that “auditors should apply due professional care in areas of significant risks, including the risk of fraud.”
- Accounting Estimates – deficiencies in this area reflected instances where auditors failed to exercise professional skepticism and failed to involve senior engagement team members where necessary, particularly around accounting estimates involving “unobservable inputs, complex valuation models, and/or subjective judgments,” such as allowance for loan and lease losses, accounting for business combinations, and the fair value of financial instruments.
- Engagement Quality Review – these failures typically arose where the engagement quality reviewer placed undue reliance on discussions with the engagement team or limited their review to summary memos that did not contain sufficient detail to allow for the exercise of due professional care in the review. Deficiencies in this area translated to audit deficiencies not being caught by engagement quality reviewers.
The Preview discusses other PCAOB staff observations during the 2018 inspections cycle, including the auditors’ response to cybersecurity risks, use of software audit tools, response to implementation of new accounting and auditing standards and rules, and communications with audit committees. Among other highlights, the PCAOB staff observed that auditors generally considered cybersecurity incidents in their risk assessments and modified their audit procedures when dealing with audits of companies that have experienced a cybersecurity incident. The PCAOB staff emphasized that auditors should continue, as part of their risk assessment process, to “take steps to be become aware of cybersecurity incidents at the companies they audit.” Specifically addressing smaller, triennially inspected audit firms, the PCAOB staff observed a higher incidence of deficiencies with regard to filing timely and complete Form APs and communicating to audit committees the significant risks identified in the audit. As the Preview notes, these deficiencies can leave audit committees and others without complete and accurate information to best perform their duties.