PCAOB Issues Staff Update and Preview of 2022 Inspection Observations

On July 25, the Public Company Accounting Oversight Board (PCAOB) published its Staff Update and Preview of 2022 Inspection Observations. In 2022, the PCAOB inspected approximately 157 audit firms and reviewed portions of 710 public company audits in the United States and abroad. Through the inspections, the board identified potential areas of improvement for all firms as well as good practices that enhance audit quality. It also reviewed how auditors are responding to technology-related developments. 

Monitoring the PCAOB’s activities is critically important for SEC registrants, as it provides a window into the board’s comprehensive inspections program and methodologies around evaluating quality control standards for auditing firms. The latest report highlights troubling trends in inspection results and sheds light on the PCAOB’s current areas of inspection focus and its ongoing effort to improve continuously its inspection process. 

In addition, these inspections may offer insight as to potential adjustments to auditing procedures in forthcoming audits. Although primarily focused on identifying deficiencies and good practices related to external auditing firms, the findings are of great import to registrants, their audit committees and others charged with governance in their planning, execution and overall diligence relating to both financial reporting and internal controls compliance protocols. Although the PCAOB regulates the public accounting profession, its observations and reports have downstream implications for registrants in terms of time, costs and preparations for their annual audits and quarterly reviews. 

In this Flash Report, we highlight some of the most notable areas the PCAOB underscored in the findings. The full Staff Update and Preview of 2022 Inspection Observations can be found here.

Key findings

In its 2022 inspections, the PCAOB noted several key findings:

Audit deficiencies rose in 2022

The board labels this as a concerning trend. The staff expects that 40% of audits reviewed will have Part 1.A deficiencies, up from 34% in 2021 and 29% in 2020. Of note, the most significant increase is within the Global Network Firms (GNF) category. Part 1.A deficiencies are those that are of such significance that the board believes the audit firm, at the time it issued its audit reports, had not obtained sufficient audit evidence to support its opinion(s) on the issuer’s financial statements and/or internal control over financial reporting (ICFR).

The staff specifically notes that it continues to observe deficiencies similar to those identified in prior years. The board acknowledges that many of these deficiencies are in areas that are inherently complex and include greater risks of material misstatements. Thus, they demand more attention from the auditor. Of particular note, the staff states that as the assessed risk of material misstatement increases, the amount of evidence that the auditor should obtain also increases.

The common deficiencies the PCAOB notes in its report relate to ICFR, the audited financial statements and other areas:

Deficiencies pertaining to auditing/testing ICFR – Deficiencies in controls testing remain a common occurrence, specifically related to the following:

• The auditors did not sufficiently evaluate whether controls with a review element selected for testing operated at a level of precision sufficient to prevent or detect material misstatements. In these instances, the auditors did not sufficiently evaluate the review procedures the control owners performed. When evaluating this testing, the staff is looking, in part, at the consideration of the relationship of risk of material misstatement to the evidence obtained when performing the control testing.
• The engagement team did not perform procedures to test the accuracy and completeness of the information produced by the company and used by the auditor as the population for testing user access and change management controls.
• The auditors did not identify and test controls that are important to the auditor’s conclusions about whether the issuer’s controls sufficiently address the assessed risk of misstatement to each relevant assertion. In many cases, the auditors did not identify and test controls over the accuracy and completeness of data used by the control owner in the operation of a control.
• The board notes that these testing failures can be critical errors because the auditor’s testing of controls is often used as the basis for reducing the nature, timing and extent of substantive testing, also known as a control reliance approach. Therefore, any deficiencies in the testing of controls may affect the nature, timing and extent of substantive testing to obtain sufficient appropriate audit evidence.

Deficiencies in auditing specific financial statement areas – Top areas of concern for the board remain relatively consistent, with cryptocurrency representing an emerging area of concern.

• Revenue and related accounts – The board notes that it most frequently sees deficiencies pertaining to basic accounting principles and fundamental auditing, such as appropriate response to significant fraud risk, sampling of transactions, confirmation procedures of related receivables, sufficient or appropriate procedures to test the accuracy and completeness of data or reports used as evidence in an audit procedure, and sufficient evaluation of review procedures performed by a control owner when taking a controls reliance approach.
• Accounting estimates – The board observed deficiencies across a broad range of financial statement accounts and transactions related to accounting estimates. The most common observations related to business combinations and goodwill and intangible assets, including other long-lived assets. Among other specific observations: no risk assessment procedures performed for an estimate that includes a significant assumption; no substantive procedures beyond inquiry; insufficient evaluation of significant assumptions; insufficient evaluation of significant differences and/or conclusions reached between the work performed by a company’s specialist and the auditor-engaged specialist; and insufficient testing of data.
• Business combinations – The board notes instances of insufficient or no risk assessment procedures related to an acquisition and inappropriate or no basis for a conclusion that no risk exists; insufficient procedures to evaluate whether significant financial statement disclosures are complete and accurate; insufficient evaluation of the work of an auditor-engaged specialist; insufficient documentation related to the work performed by an auditor-engaged specialist; and insufficient or inappropriate evaluation of departures from accounting standards.
• Inventory – Common deficiencies in auditing inventory include insufficient procedures to test the existence of inventory, and insufficient or inappropriate procedures to test the accuracy and completeness of issuer-prepared reports used in the auditor’s substantive procedures.
• Long-lived assets – Common deficiencies include no or insufficient risk assessment procedures to consider qualitative and/or quantitative factors; sufficient procedures not performed to use the work of the company’s specialist; insufficient or inappropriate evidence gathered to obtain reasonable assurance about whether material weaknesses existed as of the date of management’s assessment; insufficient substantive testing performed; and insufficient procedures to evaluate the public company’s intent and ability, related to carrying out a specific course of action, related to an assumption.
• Cryptocurrency transactions – The board notes that the audit often failed to: evaluate whether the public company’s omission or inaccuracies of the disclosures of the relevant accounting framework for revenue were appropriate; perform procedures to assess the appropriateness of mining revenue recognition; perform procedures to evaluate whether the classification of digital assets was appropriate; and evaluate the relevance and reliability of quantity and pricing information used by the public company to recognise mining revenue and used by the auditor as audit evidence.

Other areas of deficiencies – The most common areas of Part 1.B deficiencies include, but are not limited to, the following:

• Critical audit matters (CAMs) – Deficiencies found by 2022 inspections are primarily related to instances in which auditor procedures to determine whether matters were CAMs did not include every matter that was communicated, or was required to be communicated, to the issuer’s audit committee and that related to accounts or disclosures that were material to the financial statements. In limited instances, some auditors performed no procedures regarding CAMs.
• Audit committee communications – The board observed that deficiencies in this area are broadly ranged across all firms and include instances where the auditor did not communicate to the public company’s audit committee issues such as significant risks identified during the auditor’s risk assessment procedures, including fraud risks; overall audit strategy and timing; prior to the issuance of the auditor’s report, a complete list of material weaknesses identified during the audit; and uncorrected and corrected misstatements identified by the auditor.
• Fraud – PCAOB staff found instances where auditors did not perform journal entry or equivalent procedures; did not perform sufficient procedures to test the completeness of the population used to select journal entries for testing (a fundamental audit step); and did not consider the characteristics of potential fraudulent entries or other adjustments in identifying and selecting specific journal entries and other adjustments for testing.

Noncompliance with PCAOB standards and rules rose in 2022

In another troubling trend, the staff expects that approximately 46% of audits reviewed will have one or more Part 1.B deficiencies related to PCAOB standards, up from 40% in 2021 and 26% in 2020. Part 1.B deficiencies are those that relate to instances where the audit firm did not obtain sufficient appropriate audit evidence to support its opinion(s). 

Audit firms can learn from good practices

The staff did observe positive practices that it believes may be effective in enhancing an audit firm’s quality control system and overall audit quality. These include but are not limited to:

• Risk assessment – The board noted that higher-quality audit work was associated with effective risk assessment procedures, such as:
  • Using clear, concise and understandable documentation linking risks identified and the audit response;
  • Developing a risk assessment that is supported by an in-depth understanding of the issuer and its business;
  • Tailoring risks by considering various risks for different components, portfolios, locations and revenue streams;
  • Producing robust walkthrough documentation that includes clear, easily understood descriptions of the likely sources of misstatement identified and linkage to the control tested or audit response.
• Utilisation of individuals with specialised skill or knowledge – Utilising auditor-engaged specialists and subject-matter experts may drive audit quality as it allows teams to utilise specialised knowledge and skillsets in certain technical areas of the audit.

Our point of view – actions for public companies to take

As noted, this PCAOB report highlights identified deficiencies and good practices related to external auditing firms. However, for issuers, understanding the auditor’s focus will inform the rigor and robustness of management’s own risk assessment process over financial reporting and internal control compliance. Beefing up processes, controls and documentation over management’s review processes and the completeness and accuracy of the information used in conjunction with those processes are table stakes.

Understanding potential CAMs opens a window to the depth of the review the auditor might take, and thus to the registrant’s preparations. Further, issuers must factor in inflationary and recessionary pressures that may negatively impact intangible asset and goodwill valuations, skew estimation results, and lead to possible asset impairments. Finally, in light of variable economic conditions, registrants must be cognisant of performance pressures that may lead to motivations to commit fraud and perhaps inflate earnings.

It is critical to understand the potential issues early so that preparers are positioned to act timely in addressing them.

In closing

The PCAOB inspection process continues to evolve, and it is important that issuers not only prepare for the new areas of emphasis, such as cryptocurrency, but also continue to focus on issues that the PCAOB emphasised in Staff Inspection Briefs of prior years. These high-risk issues include such matters as revenue recognition, estimation processes and areas that involve valuation methodologies. In light of the 2022 PCAOB inspections, it is reasonable to expect the audit firms to double down on these areas. Registrants need to be prepared for meaningful interaction with their external auditors that are responsive to these observations.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, analytics, digital, legal, HR, governance, risk and internal audit through our network of more than 85 offices in over 25 countries.

Named to the 2023 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.