The Public Company Accounting Oversight Board (PCAOB) has had one of its busiest years in recent memory, including with respect to standard setting, inspections and enforcement. Below is a summary of notable developments that are worth bearing in mind as audit committees and companies turn to fiscal year 2023 annual reporting and beyond.
- Noncompliance with laws and regulations (NOCLAR). Perhaps the most remarkable development from the PCAOB this year is the proposal, commonly referred to as the NOCLAR proposal, to amend PCAOB auditing standards related to the auditor’s responsibility for considering a company’s noncompliance with laws and regulations, including fraud. While this remains a proposal that has no effect on current audits, if adopted, the proposed changes could have a material effect on many participants in the audit process, including auditors, audit committees, management, external counsel and others.
As articulated in the proposal, the proposed amendments aim to establish and strengthen requirements for:
- Identifying, through inquiry and other procedures, laws and regulations with which noncompliance could reasonably have a material effect on the financial statements;
- Assessing and responding to the risks of material misstatement arising from noncompliance with laws and regulations;
- Identifying whether there is information indicating noncompliance has or may have occurred; and
- Evaluating and communicating when the auditor identifies or otherwise becomes aware of information indicating that noncompliance with laws and regulations, including fraud, has or may have occurred.
Currently, PCAOB auditing standard AS 2405, Illegal Acts by Clients, sets forth the consideration auditors should give to the possibility of illegal acts by an audit client in the audit of financial statements. This auditing standard works in conjunction with Section 10A of the Securities Exchange Act of 1934, which establishes investigation procedures and required communications for when an auditor “detects or otherwise becomes aware of information indicating that an illegal act (whether or not perceived to have a material effect on the financial statements of the issuer) has or may have occurred.”
Under the proposal, and in a significant departure from current requirements, auditors would be required to plan and perform specified procedures to identify whether there is information indicating noncompliance with laws and regulations has or may have occurred and to expand upon the “baseline” identification and communications obligations set forth in Section 10A. For example, the proposal would require the auditor to communicate to management and the audit committee “information indicating that noncompliance with laws and regulations (whether or not perceived to have a material effect on the financial statements) . . . has or may have occurred” (emphasis added). The reporting is required “as soon as practicable,” including before the auditor is able to complete its evaluation of the information to determine whether any noncompliance has or may have occurred and/or whether it is material.
For now, this standard-setting item remains at the proposal phase, for which the comment period ended on August 7, 2023. As of this writing, 139 comment letters have been submitted, with many expressing concerns about the proposal. Commenters included the Business Law Section of the American Bar Association,1 which expressed some concerns with the proposal including as summarized in the following:
Among other concerns, the Proposed Standards (i) place an unworkable responsibility upon accountants to make subjective assessments of often complex and uncertain legal matters, the probability of future events, and the potential impact of those events, all of which are outside the scope of auditors’ typical responsibilities, (ii) endanger the confidentiality and protections of client communications that are foundational components of the lawyer-client relationship and our legal system and which are designed to promote legal compliance, (iii) risk diluting the audit function that is at the core of ensuring the integrity of financial reporting, (iv) would disrupt the separate roles played by the legal and accounting professions that benefit clients, and (v) would do the foregoing by adding costs to the audit process that will far outweigh any limited and speculative perceived benefits.
The PCAOB staff is now reviewing the comments submitted, and it remains to be seen what next steps the PCAOB will take. As such, while none of the topics set forth in the proposal should directly affect upcoming audits of fiscal year 2023 financial statements, it is worth monitoring future developments concerning this proposal and the anticipated effects such developments could have on existing systems and processes within the auditing ecosystem.
- Audit Confirmations. In September, the PCAOB adopted a new auditing standard intended to modernize auditors’ use of confirmations. The new standard replaces the interim standard adopted by the PCAOB in 2003 that was originally issued by the AICPA in 1991.
The process of confirmations generally involves an auditor selecting assertions by a client to be confirmed, sending a confirmation request directly to a confirming party (e.g., financial institution), evaluating the information received and addressing nonresponses and incomplete responses. This audit evidence gathering exercise touches nearly every audit, and the new auditing standard would make a number of modifications to the way auditors have long obtained confirmations. Under current standards, confirmations can either be positive (requiring a response) or negative (requiring a response only if the recipient of the request disagrees with the information in the request).
The new standard includes a host of changes that make the standard more principles-based and adaptable to evolving processes and technology, while continuing to underscore the auditor’s responsibility to maintain control over the confirmation process. The new standard adds a new requirement regarding confirming cash and cash equivalents held by third parties. It also makes clear that the use of negative confirmation requests alone does not provide sufficient appropriate audit evidence, which could have significant implications if a third party fails to respond or provide an affirmative confirmation. This could require the auditor to further engage with the confirming party or perform alternative procedures (e.g., substantive audit procedures), which will need to be factored into the audit plan to manage filing deadlines.
If approved by the Securities and Exchange Commission, the new standard will be effective for financial statement audits for fiscal years ending on or after June 15, 2025.
Inspections and Enforcement Observations
- Audit Inspections Spotlights. Audit inspections are a core element of the PCAOB’s mission, with findings from its activities summarized in two Spotlight pieces – (i) Staff Update and Preview of 2022 Inspection Observations (July 2023) and (ii) Inspection Observations Related to Engagement Quality Reviews (October 2023).
- 2022 Inspection Observations Preview. The PCAOB staff estimates that 40% of the audits it reviewed for 2022 will have one or more Part I.A deficiencies, which reflects an increase from 34% in 2021 and 29% in 2020. The most significant increases were observed among global network firms including within and outside the U.S. Part I.A deficiencies are deficiencies of such significance that PCAOB staff believed the audit firm, at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion on the public company’s financial statements and/or internal control over financial reporting (ICFR).
Common areas of observed deficiencies are similar to those observed in prior inspection years and involved inherently complex areas. Deficiencies in ICFR remain high, which is critical, as auditors often test controls as a basis to reduce the nature, timing and extent of substantive testing. The top five financial statement areas in which the PCAOB observed deficiencies are:
- Revenue and related accounts,
- Accounting estimates,
- Business combinations,
- Inventory, and
- Long-lived assets.
In addition to the top five deficiency areas, the PCAOB report also highlighted some observed deficiencies around audits of cryptocurrency transactions.
PCAOB Chair Erica Y. Williams released a statement regarding the troubling trend of increasing audit deficiency rates. She underscored that these findings were entirely unacceptable, and that the PCAOB will continue to bring disciplinary actions and enforce its rules and standards to improve compliance. She also encouraged clients, including audit committees and investors themselves, to help hold firms accountable. As the staff report discusses, audit committees should be asking their auditors questions, such as:
- Has our audit engagement been inspected, and, if so, would you share the results? Were there any audit areas that required significant discussions with the PCAOB that did not ultimately result in a comment?
- Has the engagement partner been inspected on other engagements? If so, what were the results of that inspection?
- What is the audit firm doing to address overall increased inspection findings?
- Are there any audit procedures that are unnecessarily complicated or not “straightforward” because management is not providing clear, supportable information?
Relatedly, in July, the PCAOB unveiled improvements to its website that now allow users to more easily find and filter inspection reports. As part of the PCAOB’s effort to enhance the transparency of its reports, interested stakeholders can now compare over 3,700 PCAOB inspection reports and apply six new filters to facilitate better searching, including filters by inspection type, Part I.A deficiency rate, and inspection year.
- 2022 EQR Inspection Observations. The observations regarding engagement quality reviews (EQRs) also revealed growing trends in audit deficiencies. EQR refers to the process in which an independent reviewer assesses judgments made by the audit engagement team. The report found that out of the firms that were inspected in 2022, 42% had a quality control critique related to EQRs, a marked increase from 37% in 2020. The deficiencies are not isolated and have been identified among all types and sizes of audit firms and across inspection programs and industry sectors.
Notably, 82% of EQR comments cited that the audit firms’ quality control system failed to provide reasonable assurance that the reviews performed by the audit firms’ EQR reviewers for audit and attestation engagements satisfied the requirements in PCAOB AS 1220, Engagement Quality Review. The PCAOB observed that this “contributed to EQR reviewers not identifying deficiencies in audit responses to areas of significant risks, including fraud risks, that were subsequently identified by PCAOB staff.” Other PCAOB observations in 6% or fewer of EQR comments included deficiencies related to competence, independence, integrity and objectivity of the EQR reviewers; failure to document certain EQR procedures; failure to obtain concurring EQR review approval prior to issuance of the engagement report; and failure to have an EQR reviewer perform any EQR on an audit or attestation agreement.
These failures have led to enforcement actions, as summarized in the PCAOB report. The report also presents several reminders and best practices for auditors in regards to improving audit quality and quality control systems. For audit committees, the report offers the following questions that audit committees may consider discussing with their auditors:
- What policies and procedures does the audit firm have in place to provide reasonable assurance that the EQR reviewer has sufficient competence, independence, integrity, and objectivity to perform the EQR in accordance with the standards of the PCAOB?
- Does the audit firm have individuals with experience in their specific industry that have not served as the engagement partner during either of the two audits preceding the current audit, who can serve as the EQR reviewer? If not, will the auditor go outside of the audit firm to fill this role?
- Were there any significant judgments discussed or challenged by the EQR reviewer? What was the outcome of those discussions?
- Has the auditor obtained concurring approval of issuance from the EQR reviewer prior to the issuance of the engagement report (or communicating its conclusion if no report is issued)?
- Audit Committee Communications. In July 2023, the PCAOB announced that it sanctioned five audit firms for violating PCAOB rules concerning communications with audit committees. The sanctions resulted from an investigative sweep, which is one element of the PCAOB’s approach to strengthening enforcement. Out of the five firms that were sanctioned, three firms were found to have violated PCAOB Rule 3520 for failing to obtain audit committee pre-approval prior to performing services for issuer audit clients, with two of the three also sanctioned for failing to obtain pre-approval of certain tax services as required under PCAOB Rule 3524. The other two firms were sanctioned for failing to make or document their communications with audit committees about the planned participation of other firms and auditors in the audit, as required under AS 1301, Communications with Audit Committees. Each firm consented to the terms of their disciplinary orders and agreed to carry out remedial actions to improve their compliance with PCAOB rules and standards.
Conversations with Audit Committee Chairs
Among the PCAOB’s strategic priorities is direct and regular engagement with audit committees. For the past several years, the PCAOB has held conversations with audit committee chairs and issued spotlight publications, summarizing what the PCAOB heard during those conversations. In September 2023, the PCAOB released its latest Spotlight, summarizing conversations with 211 audit committee chairs during 2022, 85% of whom had not previously engaged with the PCAOB. Over two-thirds had at least six years of audit committee experience and nearly 50% had over ten years of experience. Key takeaways from these conversations include:
- Most audit committee chairs remain alert to the impact that staffing turnover among CPAs, including from the “Great Resignation” can have on a public company’s financial reporting process and on the conduct of audits.
- Working in a remote or hybrid environment continues to require heightened supervision and review.
- Audit committee chairs highly value early, ongoing and proactive communication with their auditors.
- With regard to disclosures of critical audit matters (CAMs), no audit committee chair cited significant disagreement over the CAMs identified by their auditors, and common CAMs include revenue recognition, intangible assets, goodwill and allowances. A small percentage of audit committee chairs questioned whether the disclosure was becoming generic “boilerplate.” Audit committees may want to consider engaging on this point with their auditors.
- Information contained in financial statements remains the focal point of corporate disclosures, but many audit committee chairs are increasingly asking their auditors questions about the reporting of non-GAAP measures among other metrics and measures presented outside the financial statements.
1The Business Law Section’s full comment letter, for which Alan had the honor of leading the drafting team, is available at this link.