On October 8, the Public Company Accounting Oversight Board (PCAOB) published its Staff Update and Preview of 2019 Inspection Observations. In 2019, the PCAOB inspected approximately 175 audit firms and reviewed portions of roughly 710 public company audits in the United States and abroad. Through the inspections, the board identified potential areas of improvement for all firms and good practices that enhance audit quality. It also reviewed how auditors are responding to technology-related developments.
Monitoring the PCAOB’s activities is always useful. It provides a window into the board’s evolving inspections regime and thinking around quality control standards for auditing firms. The latest inspection findings shed light not only on the PCAOB’s current areas of inspection focus, but also its ongoing effort to constantly improve its inspection process. These inspections also may offer insight as to potential adjustments to auditing procedures in forthcoming audits. Although primarily focused on identifying deficiencies and good practices related to external auditing firms, the published findings include the perspectives of a target team established last year to focus on multi-location audits. It also contains observations on audit communications based on discussions in 2019 with audit committee chairs.
In this Flash Report, we highlight some of the most notable areas the PCAOB underscored in the findings. The full Staff Update and Preview of 2019 Inspection Observations can be found here.
Recurring Audit Deficiencies
In its 2019 inspections, the PCAOB noted several areas of recurring deficiencies. These include:
- Revenue: The PCAOB observed frequent deficiencies related to the design and performance of audit procedures that address the assessed risks of material misstatement related to revenue. For example, it identified audit deficiencies in testing revenue accounted for under the new revenue accounting standard where:
- Auditors did not consider other relevant factors in conjunction with an underlying contract when validating performance obligations or allocating prices.
- Auditors did not evaluate whether the issuer had an enforceable right to payment prior to recognising revenue.
- Auditors, in determining when revenue recognition was appropriate, did not perform any procedures to test the issuer’s evaluation about whether products sold to a specific customer had an alternative use.
- Independence: The PCAOB continues to identify violations of financial relationship requirements of Rule 2-01 of SEC Regulations S-X. Specifically, certain inspected firms are reporting a high rate of noncompliance by firm personnel reporting their financial relationships during the confirmation process. Other deficiencies primarily relate to PCAOB Rule 3524, Audit Committee Preapproval of Certain Tax Services and PCAOB Rule 3526, Communication with Audit Committees Concerning Independence.
- Accounting estimates: The following common audit deficiencies involving accounting estimates were identified:
- Allowance for loan losses (ALL) — Auditors did not evaluate the reasonableness of qualitative factors considered by management in calculating the general reserve related to the ALL. In some cases, the audit procedures were limited to inquiry of the issuer’s personnel to understand the factors considered in computing the reserve and comparing the current reserve to the prior year to determine if the change in the reserve was in line with information auditors obtained orally through discussions with the issuer’s personnel without corroborating the information with appropriate audit evidence.
- Accounting for acquired assets — Auditors did not sufficiently test the reasonableness of the projections used in determining the valuation of acquired assets. As one specific example, auditors limited their procedures to inquiry of the issuer’s personnel and comparing one year of forecasted projections to actual results.
- Accuracy of data — Auditors did not test the accuracy and/or completeness of the issuer’s data used to develop significant accounting estimates.
- Internal control over financial reporting (ICFR): The PCAOB continues to observe deficiencies related to testing ICFR across firms. The common audit deficiencies in this area include the following:
- Auditors did not sufficiently evaluate whether controls with a review element selected for testing operated at a level of precision that would prevent or detect material misstatements.
- Auditors did not identify and test controls that sufficiently addressed the risks of material misstatement related to relevant assertions of certain significant accounts. For example, the issuer may have multiple streams of revenue, but the controls identified and tested by the auditor only addressed risks related to one of these streams.
- Auditors selected and tested management review controls over accounting estimates but did not identify and test controls over the accuracy and completeness of system-generated reports which were used by control owners to establish effective operation of these controls.
Observations in Other Areas of Focus
In its update, the PCAOB offers additional observations related to cybersecurity risk, technology, multi-location audits based on inspections conducted by a target team, and audit committee communications:
- Cybersecurity risk: In reviewing the audits of issuers that experienced a cybersecurity incident during the audit period, that PCAOB noted that in certain cases the auditor evaluated the severity and impact of the cyber incident but did not consider whether the incident affected the auditor’s identification or assessment of risks of material misstatement. In other cases, the auditor did not consider whether modifications to the nature, timing or extent of audit procedures were necessary and whether the cyber incident could be indicative of deficiencies in ICFR.
- Technology-related developments: The PCAOB reviewed how audits are using and responding to emerging technologies such as distributed ledger technology (DLT) and new software audit tools:
- Distributed ledger technology — Although in 2019 the PCAOB observed limited use of DLT or recording of digital assets, it learned that some of the annually inspected firms have provided training to staff and implemented consultation processes when their audit clients use DLT, receive consideration in the form of digital assets, or hold investments in digital assets. In some triennially inspected firms, the board observed that some issuers used DLT to support recording a digital asset in their general ledger. In some instances, the auditor did not perform procedures to evaluate the relevance and reliability of audit evidence obtained over the existence and valuation of digital assets, more specifically, crypto assets, recorded at year-end.
- Software audit tools — While many firms continue to develop and use software audit tools and maintain policies and procedures to test the design and operation of software audit tools before they are used, certain firms allow engagement teams to utilise third-party tools that have not been tested for design and operation by the firm. In certain audits reviewed, engagement teams that were observed using these tools failed to test the reliability of data used as audit evidence.
- Target team activities: The board established a target inspection team last year to work on current audit risks and emerging topics focused on multi-location audits based in the United States and also on issuer audits at annually inspected firms in which the U.S. firm played a role but was not the principal auditor. The team provided the following observations:
- Improved audit quality due to consistent communication — The team observed improved audit quality when there is regular, consistent communication between the principal auditor and the other auditors. Examples of how these communications have been done include clear referral instructions, site visits by the principal auditor, and involvement of an additional local engagement quality reviews (EQR) by the other auditors.
- Areas needing further improvements — The target team identified several areas where further improvements could be made between the principal auditor and other auditors. These include enhancing documentation of required procedures, complying with the requirements of PCAOB Rule 3211, Auditor Reporting of Certain Audit Participants, and improving engagement letter templates to exclude indemnification clauses.
- Good practices observed — The target team identified a number of good practices related to: performing EQRs of audits conducted by other auditors; assigning a partner experienced in International Financial Reporting Standards (IFRS) as an additional review on work referred to a U.S. firm; automating the collection of global hours to compile the information required for Form AP filings; and using site visits to obtain additional information.
- Audit committee communications: In its discussions with audit committee chairs of the U.S. issuers whose audits were selected for review, the board heard that audit committees have frequent and thorough communication with their auditor. However, it also learned during inspections of certain triennially inspected firms that not all significant risks identified during audit planning – including changes to those risks – were communicated to the audit committee.
Observations of Good Audit Practices
Lastly, the PCAOB identified several good audit practices (procedures, techniques or methodologies) within the audit firms themselves, that would be helpful for reporting companies to know, including:
- Conducting interactive meetings and coaching workshops
- Earlier involvement of the engagement quality reviewer
- Narrative descriptions of quality control protocols
- Increased partner involvement when planning tests of controls
- Use of firm specialists during audit planning to assist with the risk assessment
- Implementing coaching programmes and refining audit tools for specific audit areas
Inspection Process Transformation
The PCAOB inspection process continues to evolve. Last year, the board initiated a transformation, incorporating unpredictability into more areas of its inspection process, deploying a team to target specific areas of focus or emerging risk across firms, expanding its inspection procedures to compare approaches firms are taking to monitor their systems of quality control, designing a new format for its inspection reports, and enhancing its engagement with audit committee chairs of certain U.S. issuers whose audits were inspected.
This PCAOB staff update may lead to a reassessment of risks by the auditor as well as adjustments to the nature, timing and extent of audit procedures in future audits. Accordingly, while auditors will undoubtedly find this periodic information useful as they plan and perform their audits, reporting companies and their audit committees may also find it insightful as they evolve their financial reporting protocols, dynamically consider inherent and emerging risks, consider personnel skills enhancement and development, and ultimately engage with their auditors on a proactive, open and frequent basis.