On May 6, the Public Company Accounting Oversight Board (PCAOB) published its Staff Preview of 2018 Inspection Observations. In 2018, the PCAOB inspected over 160 audit firms and reviewed portions of roughly 700 public company audits in the United States and abroad. From the results of these inspections, the board identified several areas of common audit deficiencies. It also observed several good practices related to efforts to improve audit quality.
It’s always useful to monitor the PCAOB’s activities. The latest Staff Preview provides insight into the board’s current areas of inspection focus. Although the latest Staff Preview is primarily focused on identifying deficiencies and good practices related to external auditing firms, it also provides important insights and useful information for reporting companies’ accounting and reporting functions, corporate governance and internal control infrastructure, internal audit functions, and audit committees as they prepare to engage with their auditors.
In this Flash Report, we highlight some of the most notable areas the PCAOB underscored in its brief. The full Staff Preview of 2018 Inspection Observations can be found here.
Areas of Common Audit Deficiencies
In its 2018 inspections, the PCAOB noted several areas of common audit deficiencies. These included:
- Internal control over financial reporting: The PCAOB noted a general lack of adequate testing of control design and operating effectiveness. In many cases, external auditors did not obtain an understanding of or evaluate the control owner’s activities when reviewing the reasonableness of certain estimates and assumptions. In addition, the board observed that external auditors did not select controls for testing that address the specific risks of material misstatement.
- Risk assessment and revenue: The PCAOB noted common deficiencies related to the design and performance of audit procedures that address the assessed risk of material misstatement, particularly when auditing revenue recognition. Such deficiencies included the inadequate testing of whether invoices agreed with contracts, and whether evidence of the delivery of services or products had been obtained. In addition, the board observed that auditors frequently limited testing to revenue transactions above a certain dollar amount or near year-end, without considering the need to test the remainder of the population.
To address these deficiencies, the PCAOB recommends that auditors apply due professional care in areas of significant risk, including the risks of fraud and material misstatement.
- Accounting estimates: The PCAOB identified three areas of deficiency involving accounting estimates, including those for allowance for loan and lease losses (ALLL), accounting for business combinations, and the fair value of financial instruments.
- ALLL: The board observed in financial services audits that auditors often did not evaluate the reasonableness of significant assumptions used in determining the ALLL of impaired loans and did not sufficiently test certain significant inputs used in developing the ALLL. We are confident that the scrutiny in this area will only intensify as the first round of companies impacted by the Current Expected Credit Loss (CECL) standard get ready for a 2020 effective date. (For more information about compliance requirements for the new CECL accounting standard, visit www.protiviti.com/CECL.)
- Accounting for business combinations: When auditing the fair value of assets acquired in a business combination, auditors often did not evaluate the reasonableness of significant assumptions used and did not test the accuracy and/or completeness of company data used to develop the fair value estimates. Highlighting this deficiency is lack of rigor in auditing hard-to-value assets in business combinations, such as intangible assets, trademarks, customer lists, and assumed liabilities such as contingent consideration. Given the pace of M&A transactions, companies that are active in the market will need to be mindful of these issues as they establish and finalize purchase accounting.
- Financial instruments: When auditing unobservable inputs used to measure the fair value of certain financial instruments, such as illiquid (non-traded or lightly traded) equities, auditors frequently failed to obtain an understanding of the specific methods and assumptions underlying these measurements, did not test the accuracy and/or completeness of company data used, and did not appropriately corroborate the company’s fair value measurement when developing an independent estimate. Given the volatility of financial markets, companies will need to take care to ensure the appropriate period-end processes are in place to capture this information in a way that enables auditors to conclude.
- Engagement quality review: The PCAOB observed that many of the above deficiencies were identified in areas covered within the scope of engagement quality reviews (EQRs) but were not noted in those reviews. The board speculates that the EQRs may have relied too heavily on discussions with the engagement team and/or on summary memos, rather than independent collaboration or validation of management assertions.
We believe these noted deficiencies are important, as they point to areas in which companies may experience increased emphasis by their external auditors. Companies should pay particularly close attention to the sufficiency of their documentation of the assumptions underlying their accounting estimates.
Observations in Other Areas of Focus
The PCAOB had additional observations related to technology, the implementation of new accounting and auditing standards, and audit committee communications:
- Cybersecurity risk: The PCAOB noted that in approximately 10% of the inspected audits, the company had experienced a cybersecurity incident during the audit period. In most cases, external auditors considered these incidents in their risk assessments and modified their audit procedures to address potential impacts on controls and data.
- Software audit tools: Although the PCAOB did not observe current widespread use of emerging technologies like artificial intelligence (AI) and robotic process automation (RPA) in its 2018 audit inspections, it did note that audit firms are actively considering such technologies in the development of their future software audit tools. (For further insight on how such emerging technologies are changing the audit landscape, read Protiviti’s recent research reports on the use of artificial intelligence/machine learning and robotic process automation.)
- Implementation of new standards and rules: In its 2018 inspections, the PCAOB investigated how companies are preparing to adopt new accounting standards and how audit firms will implement new auditing standards and methodologies. As discussed in the board’s 2019 Staff Inspections Outlook for Audit Committees, the PCAOB is placing special attention in 2019 on the effectiveness of internal controls designed to address revenue recognition (ASC 606 and IFRS 15), lease accounting (ASC 842 and IFRS 16), current expected credit losses (ASC 326) and financial instrument accounting (ASC 815 and IFRS 9).
The board also discussed with audit firms their preparedness for the 2019 implementation of “critical audit matters” (CAMs). The new standard requires changes to the basic elements of the auditor’s report, including the disclosure of auditor tenure, which are already in effect. In addition, impending changes will require the auditor to communicate CAMs arising from the audit of the financial statements that involved, among other things, especially challenging, subjective or complex auditor judgment, and the response that the auditor had to those matters.
Observations of Good Audit Practices
Lastly, the board identified several good audit practices that would be helpful for reporting companies to know, including:
- Expanding accountability for audit quality beyond the lead engagement partner;
- Developing and refining guidance to help auditors identify and assess risks of material misstatement;
- Revising auditor training and risk awareness programs;
- Providing additional support from experienced personnel not assigned to the audit;
- Establishing a network of specialized professionals to address emerging risks; and
- Providing new or enhanced audit tools in areas of significant judgment.
These “good practices” may be a precursor to issuers regarding things their external auditors may incorporate into the audit process.
The PCAOB inspection process continues to evolve, and it is important that issuers not only prepare for the new areas of emphasis, such as revenue recognition, lease accounting and CECL, but also continue to focus on areas that the PCAOB emphasized in Staff Inspection Briefs of prior years, including auditor independence, information produced by entity (IPE), non-financial assets, ALLL and receivables. Our experience is that while the PCAOB never seems to remove any area of focus from the list, new emerging risks continue to be added annually.
Recent News From the SEC
Last week, the U.S. Securities and Exchange Commission (SEC) voted to propose amendments to its definitions for accelerated filer and large accelerated filer, which could impact compliance with certain specific areas of the Sarbanes-Oxley Act. These proposed changes include:
- Companies with less than $100 million in revenues – not required to have independent audit of internal controls; that is, not required to comply with Section 404(b) of the Sarbanes Oxley Act.
- Transition threshold for accelerated/large accelerated filers to become non-accelerated filer would change from $50 million to $60 million.
- Existing large accelerated filer status threshold would increase from $500 million to $560 million.
The SEC has opened a 60-day comment period on these proposed changes. While we do not believe these changes will be very significant if enacted as proposed, we will provide further details on this in a future Flash Report. In addition, it is unclear as to when the SEC will make these new rules effective.