An Interview with The Mexican Institute of Public Accountants

This interview of Jackson Johnson, JGA President, by Rogelio Avalos Andrade C.P.C., Chairman of the Quality Oversight Management Committee, was published in the March 2020 Contaduría Pública from Mexican Institute of Public Accountants.

Download the full article here in both Spanish and English.

Jackson Johnson, Founder and President of Johnson Global Accountancy ("JGA"), a firm that provides advisory services to accounting firms to assist them in quality issues and help them to comply with quality standards, is a Certified Public Accountant in California and Massachusetts and member of the American Institute of Certified Public Accountants. With six years in the Division of Registration and Inspections at the PCAOB, he developed his experience in audits of financial statements at Grant Thornton in Boston, Los Angeles, and the member firm in Hong Kong.

RA: Before I start with my questions to Jackson, we introduced him on how the audit practice in Mexico is being regulated and overseen. The Mexican Institute of Public Accountants (IMCP) oversees the audit and assurance practice from within this membership through its Vice-presidency of quality in the professional practice. This Vice-presidency issued the Standard of Quality Control (basically, identical to the ISQC1) and the Standard of Oversight of Quality Control (NRCC for its Spanish acronym), which sets forth the rules to perform inspections to firms to assess compliance with applicable laws, rules and professional standards in their systems of quality control and the documentation of a selection of completed audit and other attestation engagements. The NRCC rules that, those firms that are subject to similar and regular quality control inspections by other foreign regulators (such as the PCAOB), will not be subject to an inspection process by the IMCP. In Mexico, auditors of entities, listed in the Mexican Stock Exchange, are regulated by the National Banking and Securities Commission (CNBV for its Spanish acronym), which performs certain QC inspections on a “case by case” basis only.

Jackson, similar to the peer review practice that you have in the US, would you think that we should include all firms in Mexico, regardless their size and structure, to a quality control inspection process? And why?

JJ: I think there are several factors that would go into this evaluation, it’s important to consider the risks associated with investors and other stakeholders both of the companies being audited as well as the audit firms themselves. Firms that are inspected by the PCAOB within Mexico have stakeholders located in Mexico –and abroad– that have a vested interest in the integrity of those audits. Based on my understanding, however, a firm that is subject to PCAOB inspection may not have their non-PCAOB audits subject to periodic inspection. Those non-PCAOB audits would include public companies that are listed in Mexico with general public exposure. The audit of these companies still poses potential risk to the greater public markets within Mexico. This is an opportunity for firms and the regulatory environment, and stakeholders, to determine the risk of this oversight gap. As we have found in some of our work with non-PCAOB audits of registered firms, there are often differences in the quality of non-public audits as compared to PCAOB-audits. Because of the risk associated with a PCAOB audit, firms often allocate their strongest resources to ensure quality audits. However, because of a lack of regulatory exposure, non-public audits sometimes struggle to maintain strong quality. Firms could and should continue to ensure that they have appropriate quality controls for these audits in this “oversight gap.”

In the model that is set up in the US, non-public audits that are outside the purview of PCAOB are subject to inspection by the AICPA National Peer Review Committee (NPRC). So there is an inspection review process for the firms that only audit private companies, and for the private company audits of firms that are also regulated by the PCAOB. For example, firms in the US that audit both public and private companies are subject to inspection by both regulatory entities.

So I don’t necessarily agree that firms that are subject to similar and regular inspection by foreign regulators should be excluded from IMCP inspection, because that presents too much predictability into what audits are included in the population subject to quality control inspection (only those under foreign jurisdiction).

RA: Jackson, in your capacity as consultants to PCAOB-registered firms, what would you say are the key aspects with respect to an inspection process and their results for smaller PCAOB – registered firms?

JJ: The Big 4 in the US, and any other firms that audit one hundred or more issuers (currently 8 firms in the US) are subject to annual PCAOB inspections. The rest of the PCAOB-registered firms are statutorily required to be inspected once every three years. Based on our experience with our clients, the PCAOB may choose to inspect those smaller firms more frequently than once every three years, depending on the results of previous inspections. Based on our work supporting our clients through the inspection and remediation process, the focus on quality control (QC) tends to be on independence, practice monitoring (also known as internal inspection), and partner admittance and compensation. Inspection teams do touch on all the elements in the QC standards, however, and focus on changes since the last inspection.

The inspection will also include a review of various aspects of audits selected by the inspection team. The inspection team member assigned to each audit will typically select higher risk audit areas and conduct meetings with the engagement team. In addition, they will review audit workpapers to understand the audit procedures performed over risk assessment and the engagement team’s responses to identified risks, including significant and fraud risks.

In preparing for inspections, we have seen firms perform a wide range of activities. Overall, we have found that teams that spend time reviewing the audit files and refamiliarizing themselves with the audit issues are more successful in articulating these issues during the actual inspection. We believe that preparation is key.

Keep in mind that there are a number of changes on the horizon. As I discussed in my recent article summarizing key PCAOB regulatory updates that the Board described at the recent annual AICPA Conference on Current SEC and PCAOB Developments in Washington, D.C., the PCAOB has established a dedicated team that will take a look at QC policies and effectiveness of all of the largest annually-inspected firms to draw comparisons and perhaps identify best practices. ¹ This hasn’t been established or put into place for the triennially inspected firms, including Mexican PCAOB-registered firms.

RA: Is there any scalability for smaller firms to comply with PCAOB standards? Does the PCAOB have different expectations for smaller firms?

JJ: There is an expectation that all firms that audit US public companies, regardless of size, apply the same PCAOB standards throughout their audit practice. Of course, the larger firms have more complexity in how those standards and policies are carried out. For example, consider compliance with US SEC and PCAOB independence rules and regulations. A larger firm with multiple offices and multiple foreign affiliates will need more layers and processes to ensure that non-audit services provided to an entity in one location do not impair the independence of audit services provided to another entity in another location. Further, larger, more complex firms may also be auditing larger, more complex issuers.

In our experience working with our clients, one common area where we see the same expectations are applied in a PCAOB inspection, for both small and large firms, are the tests of internal controls over financial reporting. For example, the level of precision of testing of management review controls is still an area that receives a lot of scrutiny by inspectors and we see these issues and comments surfacing on all inspections that we observe.

RA: What would be common findings as a result of an inspection to a non-PCAOB registered firm and a registered firm?

JJ: Non-PCAOB registered firms are subject to AICPA peer reviews only for external oversight. These re- views tend go into many more administrative aspects of the audit in addition to the audit procedures over the financial statement accounts and disclosures. The AICPA does not publish a significant amount of information regarding thematic issues in peer review results. From our work with clients in which we help firms get through their peer review with as much success as possible, we have noted that the issues tend to be similar and can revolve around matters such as (i) lack of procedures to understand the internal control environment and the financial reporting process; (ii) performing tests using an inadequate sample size; and (iii) inadequate testing of revenue recognition.

The PCAOB does release more information that compiles results of inspections and identified broad themes. The Board’s Staff Preview of 2018 Inspection Observations identified common audit deficiencies from their 2018 inspections that included deficiencies over ICFR, Risk assessment and revenue, audit estimates, including the allowance for loan losses and business combinations, and procedures to perform the engagement quality review, or concurring review.

In our work performing pre- and post-issuance reviews of PCAOB and non-PCAOB audits of various sizes, and assisting firms with their annual internal inspections, we have seen the quality of understanding internal controls is a big opportunity. For example, we have seen reliance on internal control to reduce substantive testing when insufficient work was performed on internal controls. Sometimes, engagement teams believe that gaining an understanding of internal controls –such as performing walkthroughs– gives teams the ability to rely on controls in a certain process or over certain assertions within a process.

RA: What would you think firms frequently struggle with, in respect to carry out effective remediation plans or improvements to their QC Systems, including timing?

JJ: In our work with clients, one of the areas that firms could do better in is root cause analysis. An effective remediation plan is only as good as an effective root cause analysis, otherwise the remedial actions may not be getting to the heart of why a deficiency actually occurred. At JGA we’ve seen a variety of root cause analyses ranging from formal, documented processes to informal conversations. We’ve found that the concept of having a formalized RCA is gaining traction at the triennially-inspected firms, but there’s much work to do in terms of developing what the process looks like and how it can be put into the QC process and consistently implemented. The new PCAOB Board members have indicated that a robust root cause analysis can lead to better identifying the underlying issues as to why an audit or QC deficiency occurred. Any of your readers that have gone through a PCAOB inspection in 2019 and that received a comment form may remember a new section that was added to the comment form asking firms to identify the relevant QC area that may be related to each finding. This is just one way that the PCAOB is driving home the importance of performing an RCA and asking the firms to take more accountability in this area. In addition, the PCAOB is considering incremental requirements to the new concept release on QC standards to require root cause analysis, or a separate standard, to align with proposed ISQM 1 that, as drafted, requires a firm to have a root cause analysis built into their QC system.

RA: As part of the QC inspection process carried by the IMCP, remediation plans are also requested to firms. Not having a robust structure such as PCAOB’s, what would be a good approach to follow-up remedial actions from firms and how to evaluate their effectiveness?

JJ: Firms should continue to incorporate the monitoring of the effectiveness of remediation plans into their internal processes. This should be regardless of how the matter was identified, whether it was from internal inspection, or regulatory inspection. It should also be regardless of whether the external regulator has the capacity to follow up timely and thoroughly on these matters. This can be done through a number of mechanisms. First, firms can enhance their internal inspection process by selecting engagements where a particular matter is applicable, tailoring specific internal inspection procedures to vet out whether the issue is recurring in a subsequent audit of the same engagement, or different engagements with the same risks or audit issues. Further, the procedures performed by the concurring review, or Engagement Quality Review as we call it under PCAOB standards, can be enhanced to include specific procedures to review work pertaining to audit areas where deficiencies occurred in the past.

From a purely regulatory perspective, a cost-effective approach to oversight of remediation actions could be one that’s more detective in nature. For instance, the regulator could consider the results of subsequent inspections and in instances where there are repeat findings (from previous inspections), the regulator could perform additional procedures to understand and evaluate effectiveness of firms’ remedial actions. In addition, the regulator could also risk-rate firms and inspections and focus remediation efforts on either firms with the worst inspections and/or on firms with the most risk exposure from a stakeholder perspective.

RA: Some of the professionals that have been involved in a PCAOB inspection, at least in Mexico, have noted that the reporting and follow-up processes, as a result of inspections, take too much time [sometimes up to two years]. Have you noted any recent changes to the time it takes for Firms to receive draft/final inspection reports?

JJ: I have not noted a significant change to report issuance time, either positive or negative. Based on the board’s remarks at the AICPA conference, the largest annually inspected firms will be the first to receive their reports in a new format, including a new Part I.B which will report on non-compliance with standards in an audit even though the audit opinion was supported. The Board gave examples such as non-compliance with AS 1215, Audit Documentation, or AS 1301 Communications with Audit Committees. From some conversations with clients, the rollout of this new report format has caused some delay with issuance of reports for the largest firms.

RA: Jackson, followed to the earlier question, what would you tell about effectiveness of firms’ remediation plans considering such a long timing in the reporting and follow-up processes?

JJ: Our clients need to be a little creative and be proactive to implement remedial actions timely –meaning before the next year’s audit– when they do not yet have a draft inspection report to clearly articulate the findings from the inspection. While the remediation actions are not required until the issuance of the report, the sooner changes can be implemented the sooner teams can start learning and improving their audits. So we often recommend some element of getting ahead of the report for the sake of making timely improvements to the Firm’s trainings, methodology, and QC policies and procedures. To start, firms have a copy of the comment forms and these comment forms are the basis of the report. Thus, while the criticisms in the report may evolve slightly from the comment forms, they are typically closely aligned and while the procedures the firms first implement may not fully respond to the criticisms in the report, we believe that implementing some remediation actions early is a meaningful way to improve audit quality immediately. We believe that firms in Mexico contemplating making changes to their system of quality control in response to findings from an IMCP inspection could follow a similar approach. Waiting for a report sometimes means waiting another audit year cycle.

RA: On the other hand, how would you describe the major challenges an accounting firm should face to become PCAOB [or an equivalent regulator from other country] compliant?

JJ: Among other matters, we have found working with our foreign-based clients that the most common challenges they face are understanding PCAOB and SEC independence rules and regulations and the “add-on” requirements or restrictions from their local jurisdictions. For example, the rules of cove- red persons, and what are considered prohibited non-audit services are usually more strict under US SEC and PCAOB rules and regulations than we have seen of local foreign jurisdictions. Firms need to have a tool in place to look at these for their US public companies and considering building in safeguards to ensure a qualified individual with experience in independence requirements in United States takes a look at these complex issues when it comes to client acceptance, retention, and communications to audit committees, and performance of any non-audit services, including tax services.

Another area that is typically more challenging is around the understanding of the design and testing of the operating effectiveness of controls for integrated audits. While most understand the concept of controls, we find that many engagement teams struggle to understand how controls work in the context of an integrated audit and how effective or ineffective controls can impact the overall substantive audit approach. The PCAOB has specific standards dedicated solely to understanding and testing the design and operating effectiveness of controls in an integrated audit.

RA: What would you recommend to those firms that, even they are not registered firms before the PCAOB, they have to comply with the requirement to implement a system of quality control?

JJ: I would recommend firms to set a robust tone at the top reinforcing the importance of following the firm’s system of quality controls to ensure that audits are performed in accordance with the relevant standards. A strong tone at the top shows the rest of the firm that the QC manual is more than just a manual; it is a collection of documentation, requirements, and principles that everyone should think about and must adhere to each day they work on their audit clients.

RA: How important the investment to adopt a system of quality control should be for an accounting firm? And, to what extent such an investment could limit a successful implementation?

JJ: A good system of quality of control, reflective of the size, complexity, and nature of a firm’s practice, is very important. This requires an investment of time and money. What I see as even more important as the adoption of a system of QC is the ongoing monitoring of the effectiveness of the system of QC. This is where an investment is worthwhile so that proper identification of why something went wrong, and the steps to fix it, is important. A proper system of QC at a firm, therefore, is an evolutionary one. I think it needs to be evolutionary.

RA: Various firms in Mexico have been inspected by the PCAOB, and over the past year to date, the Board has publicly announced certain enforcement actions to some of the reviewed firms. Given the jurisdiction this takes place, and from your professional perspective, what would you expect from regulators and the IMCP to react on the involved firms and individuals?

JJ: I don’t have any insight into the process IMCP has to consider the findings from PCAOB on Mexican firms. I think it would be important for both the firm and any relevant regulatory bodies to understand the effect of the finding on the firm’s audits, including both the audits subject to the PCAOB findings as well as the audits that fall outside of the PCAOB’s jurisdiction. This would help the firm determine what else beyond any required remedial actions should be considered for these other aspects of the firm’s practice. A full and effective remediation plan would look at the applicability of the findings to the broader practice of the firm.

RA: Given the proposed changes to the International Quality Standards, issued by the IAASB, do you know whether the PCAOB is planning on similar changes to its quality standards? And how challenging you foresee these changes to put in place for auditing firms?

JJ: Yes! The PCAOB has issued a concept release in mid-December 2019 to propose significant changes to its QC standards. The potential approach proposed by the PCAOB in the concept release is based on the proposed International Standard on Quality Management, ISQM 1. This will strengthen the QC standards using an integrated risk-based framework and will help avoid unnecessary differences between PCAOB and IAASB frameworks, and also reduce costly evaluations around those differences to ensure they are addressed in firms that need to comply with both sets of standards. While it should be scalable, it is too early to tell how that would work in practice. The concept release is currently seeking feedback from the public and as a result, we don’t know yet whether ISQM 1 and the new PCAOB concept release will be the final adopted version. I believe the efforts required to implement the new standard –whatever the final standards may be from IASSB and PCAOB– will be well worth it and can help reduce costs in the future since the model is a risk-based approach. There are still a lot of moving parts and it will be some time before we have a final rule for firms to implement.

RA: Jackson, again, I really appreciate the opportunity to have this chat with you. Your comments, feedback and points of view gives us, all what we compose the major professional accountancy organization in Mexico, an encouraging message on what we have to foresee in the near future regarding the improvement of quality, not only in the audit practice, but also, in our overall professional accountancy practices. Thank you very much, and all the success at JGA and your team for the work are currently doing.

This article was featured in the Dossier section of March 2020 Contaduría Pública, a publication of Mexican Institute of Public Accountants.

¹ Recap of PCAOB Hot Topics at the AICPA National Conference

< Older Post

Newer Post >

Monitoring and Remediation: Turning Engagement Deficiencies Into System Improvement

April 28, 2026

In our work with firms, we have seen a clear shift in how monitoring and remediation are viewed under modern quality management frameworks. They are no longer treated as retrospective compliance exercises. Instead, engagement deficiencies are increasingly used as meaningful inputs into an ongoing, risk-based system designed to identify issues early, address them thoughtfully, and reduce the likelihood of recurrence. Regulatory messaging reinforces this evolution. Oversight bodies are signaling a shift in focus from isolated engagement outcomes and more on whether firms have a system of quality management that consistently detects quality risks, responds appropriately, and demonstrates that remediation is working in practice. Based on our experience, while individual engagement deficiencies remain important, the more critical question is becoming how firms analyze, respond to, and learn from those issues over time. Engagement Deficiencies Are Signals, Not Endpoints Engagement deficiencies can surface through many channels, including pre-issuance reviews, internal inspections, post-issuance reviews, peer reviews, and regulatory inspections. Regardless of source, firms benefit most when these findings are evaluated through a consistent quality management lens. In practice, we encourage firms to look beyond whether a single engagement fell short . The more meaningful consideration is whether the deficiency points to potential weaknesses in governance, methodology, training, supervision, resourcing, or monitoring activities. We often observe that when issues are quickly labeled as engagement-specific, without assessing whether they reflect broader quality risks, valuable insight is lost. Modern quality management frameworks are designed to use these signals to strengthen the system, not simply close individual findings. What Effective Monitoring and Remediation Looks Like in Practice Firms that navigate this environment effectively tend to apply a disciplined and repeatable approach when deficiencies are identified. Based on our experience supporting firms across a range of practice areas, several elements consistently make a difference: Assess whether the issue may be systemic Recurring observations across engagements, service lines, or time periods often indicate system-level risk. Similar documentation gaps, inconsistent application of methodology, or supervision challenges rarely arise in isolation. Perform meaningful root cause analysis Effective root cause analysis typically moves beyond surface explanations. Firms benefit from evaluating whether policies and procedures were designed appropriately, implemented as intended, and supported by sufficient training, time, and resources. Design remediation that directly responds to the quality risk Remediation is most effective when it is clearly linked to the underlying risk. Depending on the circumstances, this may include enhancements to methodology, targeted training, revised review requirements, or changes to engagement acceptance, staffing, or oversight processes. Validate remediation through timely monitoring Implementing corrective actions is only part of the process. In our experience, firms are most successful when they also confirm that remediation operates as intended. Follow-up monitoring performed early enough to prevent recurrence is a critical component of this step. Failure to validate remediation remains one of the most common and consequential weaknesses we observe across firms. Case Study: When Remediation Is Not Validated In one situation we encountered, a firm identified engagement deficiencies through post-issuance reviews. The issues mirrored observations that had previously been noted during peer review and were communicated as having been addressed by the group responsible for report issuance. However, responsibility for validation was not clearly assigned, and no follow-up procedures were performed to evaluate whether the revised processes were effective. Subsequent post-issuance reviews, triggered by an organizational change, revealed that similar and additional deficiencies had re-emerged. From a quality management perspective, this was not an engagement execution failure. It reflected a breakdown in monitoring and remediation. The firm had information indicating quality risk but did not adjust its monitoring activities to confirm that remediation was working. Viewed through a system lens, this represents a system-level deficiency rather than an isolated engagement issue. Quality Management Applies Across All Engagement Types Modern quality management frameworks apply across a firm’s assurance and attestation practice, including private company audits, public company audits, SOC engagements, nonprofit audits, and other services. Deficiencies identified in any practice area may signal broader weaknesses in: Governance and leadership Methodology and training Monitoring activities Remediation processes In our experience, firms struggle to maintain an effective system of quality management when certain practices are treated as exempt from system-level evaluation. Key Takeaways Engagement deficiencies are inputs into the system, not endpoints. Recurring issues often indicate systemic quality risk. Remediation should be validated, not assumed. Monitoring activities should evolve as risks emerge. Quality management applies across all engagement types. Firms that treat monitoring and remediation as a continuous feedback loop, rather than a periodic exercise, are typically better positioned to improve engagement quality and respond to evolving regulatory expectations. Looking for an independent perspective on whether engagement deficiencies have been fully addressed? Based on our experience working with firms across assurance and attestation practices, Johnson Global Advisory supports clients by performing independent reviews, validating remediation efforts, and strengthening monitoring processes. If you would like support refining policies, training, workflows, or documentation standards, or would benefit from an objective assessment ahead of regulatory, peer, or internal inspections, contact your JGA audit quality advisor to discuss your needs.

What Regulators Expect to See When AI Is Used

April 28, 2026

Artificial intelligence (“AI”) is no longer experimental in public company audits. From risk assessment and scoping decisions to population testing, anomaly detection, and documentation support, AI enabled tools are increasingly embedded in audit execution and workflow. As use expands, the auditor’s core obligations do not shift to the technology, they remain with the engagement team. If AI is used to inform judgments, influence the nature, timing, or extent of procedures, or summarize and interpret information, auditors must still demonstrate that they obtained sufficient appropriate audit evidence and applied professional skepticism throughout. In practice, auditors must understand what the tool is doing, confirm that inputs are complete and accurate, and evaluate whether the outputs are reliable and fit for purpose in the specific audit context. While the auditing standard devoted solely to AI have not been issued, our experience is that inspectors have been increasingly direct—through staff publications, questions from inspectors in the field, and public remarks—about what they expect to see when AI is used. The expectations are grounded in existing standards and longstanding inspection focus areas: audit evidence, supervision and review, professional skepticism, and firm quality control (now quality management). In other words, AI does not create a “new” audit; it amplifies the need to show your work. Firms that treat AI as a “shortcut”, rely on outputs that cannot be explained or reproduced, or fail to govern and document how tools were selected, configured, and monitored are inviting new risks to support their audit conclusions. Conversely, firms that can clearly articulate the purpose of the tool, how it aligns to audit objectives, how inputs and outputs were validated, and how experienced personnel supervised and challenged the results will be far better positioned during inspection. The table below summarizes what inspectors typically expect to see documented when AI is used in a public company audit. Firms can use these themes to evaluate whether their engagement documentation tells a complete story that an experienced auditor (and an inspector) can follow from objective, to procedure, to results, to conclusion.

Audit Documentation: From Low-Hanging Fruit to Load-Bearing Standard

March 30, 2026

In a previous article, Back to Basics: Audit Documentation Failures Have Become Dangerous Low Hanging Fruit , we highlighted how audit documentation had quietly re-emerged as a source of regulatory risk after years of relative deprioritization. While PCAOB Auditing Standard 1215, Audit Documentation (AS 1215), has historically been cited less frequently than other standards, our direct experience from recent inspection activity, enforcement actions, and internal inspection results, demonstrate that documentation failures are increasingly treated as indicators of deeper execution, supervision, and quality management breakdowns. In today’s environment, audit documentation is no longer merely a record of work performed. It is the primary evidence inspectors rely on to evaluate whether an engagement was properly planned, executed, and supported at the time the auditor’s report was issued. What has been low-hanging fruit now requires firms to close these gaps and transform them into a load-bearing foundation for audit quality. From Rare Enforcement to Systemic Inspection Risk AS 1215 establishes clear requirements regarding what must be documented, when documentation must be completed, and how engagement files must be assembled and retained. As discussed in our prior article, failures to comply with these requirements were historically viewed as technical or secondary issues, often resulting in inspection comments rather than enforcement action. That distinction is no longer meaningful. Recent enforcement actions involving backdating, improper (both intentionally, and inadvertent) modification of workpapers, and failure to timely assemble a complete audit file reflect an evolving regulatory view. Documentation failures do not simply violate procedural requirements; they call into question the credibility of the audit opinion itself. More importantly, beyond enforcement, documentation deficiencies are increasingly cited as core inspection findings. Inspectors are challenging situations where engagement teams assert that work was performed but cannot demonstrate that work within the archived file. In these cases, the absence of timely, complete, and clear documentation is no longer treated as a formality. It is treated as evidence that the engagement may not have been properly executed, supervised, or supported in accordance with PCAOB standards. This represents a fundamental shift. Documentation is no longer “low-hanging fruit.” It is a systemic inspection risk that cuts across execution, supervision, and firm-level quality management. From Misconduct to Execution Failures Pervasive documentation failures that do not involve intentional misconduct but still result in non-compliance are increasingly observed. For example, reviewer signoffs occurring near the documentation completion date, rather than contemporaneously with the performance of audit procedures, raise questions about whether effective supervision occurred during the audit or was deferred to meeting archiving deadlines. Similarly, engagement teams may assert that key judgments can be explained verbally, even when those judgments are not clearly documented in the audit file. In today’s environment, the distinction between “we can explain it” and “it is clearly documented” is critical. If procedures, judgments, and conclusions are not evident in the documentation itself, inspectors increasingly conclude that the work was not performed in accordance with PCAOB standards. The issue is not whether the engagement team can explain what they did after the fact. The issue is whether the archived documentation allows an experienced auditor, with no prior connection to the engagement, to understand the procedures performed, evidence obtained, and conclusions reached at the time of the auditor’s report. When documentation fails to reach that standard, inspectors are increasingly concluding that the audit itself was not properly executed, regardless of intent. This reflects an important shift. Documentation failures are no longer viewed primarily as misconduct. They are viewed as symptoms of execution breakdowns, including delayed supervision, compressed review cycles, and audit workflows that defer documentation until the end of the engagement. As a result, AS 1215 has become a direct proxy for how audits are actually performed in practice. How the 14-Day Documentation Completion Requirement Changes the Risk Profile The execution risks are further amplified by the PCAOB’s shortened documentation completion timeline. Recent amendments to AS 1215 reduce the timeframe to assemble a complete and final audit file from 45 days to 14 days after the report release date. While this change may appear procedural, its implications are operational. Under this accelerated timeline, engagement teams no longer have a meaningful post-issuance window to resolve review notes, complete documentation, or finalize supervisory evidence. What were once viewed as “clean-up” activities are now more likely to result in timing violations and non-compliance. This shift places increased emphasis on: Contemporaneous documentation Real-time supervision Realistic workload and staffing models Audit Documentation as a Cornerstone of Audit Quality Audit documentation has long been described as low-hanging fruit in the inspection process. That characterization no longer reflects its role in today’s regulatory environment. Documentation now serves as the primary lens through which regulators assess whether an engagement was properly executed, supervised, and supported. With shortened timelines, expanded quality management expectations, and increased regulatory scrutiny, firms can no longer treat documentation as a downstream activity. It must be embedded into how engagements are planned, staffed, reviewed, and completed. In an environment where inspection conclusions are driven by what is, and what is not, in the audit file, strong documentation is not merely defensive. It is foundational to audit quality. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, please contact your JGA audit quality expert .

Accounting Firm Acquisitions: Why Due Diligence and Integration Determine Long-Term Success

March 30, 2026

Mergers and acquisitions within the accounting firm industry continue to accelerate, driven by succession planning needs, technology investment, talent constraints, geographic expansion, and the pursuit of new service lines. The pace and volume of transactions is being fueled, in large part, by private equity investment in the accounting firm space. Yet as deal activity accelerates, so does a critical reality: the long term success of an acquisition is determined well before the transaction closes—and long after the announcement is made. Experience across the profession shows that insufficient due diligence and poorly executed post acquisition integration are the most common sources of value erosion in accounting firm transactions. What the Regulator is saying and How JGA sees it At the AICPA December 2025 conference on Current SEC and PCAOB Developments, common topics were the presence of private equity in the accounting firm space and the opportunities and challenges that come with this investment. As it relates to private equity, then-acting PCAOB Chair George Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.” At JGA, we expect the PCAOB to increase its inspection focus on a firm’s system of quality management. To the extent that acquisitions present quality risks to a firm, we expect increased attention from the PCAOB in terms of how firms are managing these risks. Due Diligence: Looking Beyond the Numbers Financial performance, partner buy ins, and deal structure naturally receive significant attention during an acquisition. However, professional services firms—particularly those providing audit and assurance services—certain of the greatest risks often reside outside the financial statements. Effective accounting firm due diligence must assess not only what the target firm has earned, but how it has earned it—and whether that performance is sustainable. This includes gaining a deep understanding of: Audit quality history, including inspection and peer review results, Independence, ethics, and regulatory compliance practices, Industries served, industry concentration and related expertise, Client concentration, retention trends, and engagement risk profiles, Partner governance, compensation alignment, and succession readiness, Technology platforms, data security, and scalability, and Firm culture, leadership dynamics, and decision making processes. When these areas are not rigorously evaluated, issues frequently surface after the transaction closing—when remediation is more disruptive, more expensive, and far more visible to regulators, clients, and staff. The Risks of Inadequate Due Diligence Inadequate diligence often leads to unanticipated post transaction challenges, including: Regulatory findings related to legacy engagements, Independence violations requiring retroactive remediation, Client attrition driven by service disruption or cultural misalignment, Talent loss stemming from unclear expectations or compensation inequities, and Technology incompatibilities that impair efficiency and data integrity. Deficiencies inherited through acquisition can affect inspection outcomes, firm reputation, and overall audit quality long after the transaction closes. Integration: Where Value Is Created—or Lost Even when due diligence is performed thoughtfully, post acquisition integration remains the most common point of failure. Integration is often underestimated, treated as an operational exercise rather than a strategic initiative requiring sustained leadership attention. Successful integration goes far beyond combining systems or standardizing branding. It requires deliberate alignment across how the firm operates, governs itself, and delivers quality—particularly in areas such as: Audit methodology and documentation standards Quality management systems and monitoring processes Partner roles, authority, and accountability Talent development, evaluation, and retention Communication with clients, regulators, and staff Absent a structured integration plan, firms risk operating as a collection of semi independent practices rather than a cohesive organization. This fragmentation can undermine consistency, weaken accountability, and complicate regulatory compliance. A Strategic Imperative in a Changing Profession As consolidation continues and regulatory scrutiny intensifies, rigorous due diligence and disciplined integration are no longer optional. They are essential to managing risk, sustaining quality, and realizing the full value of a transaction. For accounting firm leaders, the message is clear: growth through acquisition can be a powerful strategy—but only when supported by a comprehensive understanding of what is being acquired and a deliberate plan for how the combined firm will operate as one. Firms that treat diligence and integration as leadership imperatives—rather than transactional steps—are better positioned to protect audit quality, retain talent, and preserve client trust while achieving growth objectives. JGA’s Role Guiding Firms through these Opportunities For firms seeking to grow through acquisition without sacrificing quality, control, or visibility, JGA is a solution. JGA is uniquely qualified with deep experience working with accounting firms on quality management, governance, and operational transformation. We have proven due-diligence tools built that are designed to be practical, adaptable, and immediately usable—while also supporting long term consistency as firms pursue multiple acquisitions over time. Ready to get started or need help refining your acquisition activities? Contact your JGA audit quality expert today to schedule a consultation and ensure acquisition activities are tailored to your firm’s needs.

JGA to Sponsor ALI's Accountants' Liability 2026 Conference

By Jackson Johnson • February 24, 2026

WASHINGTON, D.C.: — Johnson Global Advisory (JGA) is proud to sponsor the ALI’s Accountants’ Liability 2026 conference hosted by the American Law Institute (ALI). The two‑day program will take place May 14–15, 2026, in Washington, D.C., with a live webcast option available for remote attendees. This annual conference is a premier forum for accounting firm leaders, in‑house counsel, litigators, and regulators to examine the evolving landscape of accountants’ liability, enforcement priorities, and risk management. The 2026 program will explore how recent regulatory, litigation, and technological developments are reshaping the profession and what firms can do to proactively respond. “We are pleased to once again sponsor the ALI Accountants’ Liability Conference,” said Jackson Johnson, President of Johnson Global Advisory. “This event consistently brings together leading regulators, practitioners, and risk professionals to discuss the most pressing liability and oversight issues facing accounting firms today. We value the opportunity to engage with participants and contribute to these important conversations.” The program will feature nationally recognized panels of practitioners, general counsel, industry professionals, and government officials. Planned discussions will address current and emerging challenges facing accounting firms, including: Regulatory and enforcement priorities impacting the accounting profession Recent trends in accounting‑related litigation PCAOB and SEC perspectives on audits, inspections, and gatekeeper liability The impact of AI, cryptocurrency, and emerging technologies on audit quality and firm risk Best practices for navigating an evolving and uncertain regulatory environment Register by April 13, 2026, to attend in-person and use the code “ JGA2026 ” to save $250 off . OR, for webcast attendance, use the code " JOHNSON " to save $125 off the tuition. Click here to register. To learn more about how Johnson Global partners with in-house and outside counsel to support public accounting firms, we invite you to explore our latest brochure. This resource outlines our approach to independent monitoring and consulting, including how we assist firms in navigating PCAOB and SEC investigations, implementing quality control improvements, and responding to regulatory findings. Download the brochure below to see how our experienced team can help your firm meet today’s compliance challenges and build a stronger foundation for the future. Get a copy of our brochure here . About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.

Joe Lynch, JGA Shareholder, to Present in AICPA & CIMA Quality Management Webcast Series

By Jackson Johnson • February 24, 2026

We’re pleased to share that Joe Lynch , JGA Shareholder, will be presenting in a series of AICPA & CIMA webcasts focused on practical considerations for Quality Management. These sessions are designed to provide guidance in your QM journey. They support key elements such as engagement quality reviews, root cause analysis, and ongoing monitoring and remediation. Register for Upcoming Sessions Session 1 — Quality Management: Engagement Quality Reviews What you’ll learn: Practical considerations for your firm's responsibilities for engagement quality reviews and the reviewers requirements when executing engagement quality reviews under the updated quality management standards, including how to make EQRs scalable and effective. Register for this session here . Session 2 — Quality Management: Performing a Root Cause Analysis What you’ll learn: How root cause analysis supports remediation by identifying underlying drivers of the findings and deficiencies; supporting the design of corrective actions that prevent recurrence. Register for this session here . Session 3 — Quality Management: My System is Set Up — Now What? What you’ll learn: Post-implementation requirements of SQMS No. 1, which include monitoring activities, evaluating findings and deficiencies, remediation, and the annual evaluation process—so your system stays responsive and effective. Register for this session here . These sessions are included with a current Webcast Pass. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

Joe Lynch, JGA Shareholder, to Provide Insights on Changes to Engagement Quality Review Requirements

By Jackson Johnson • January 20, 2026

JGA is pleased to announce that Joe Lynch , JGA Shareholder, will be a featured guest on the upcoming AICPA & CIMA A&A Focus live webcast on February 4, 2026. Joe has been invited to join the program to provide insights on changes to engagement quality review requirements. This appearance offers a valuable opportunity for viewers to gain practical, real-time guidance on effective EQR practices—an increasingly critical component of audit quality and compliance under the evolving professional standards landscape. Click here for m ore information about the program and registration details. At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, please contact your JGA audit quality expert .

Quality Management in 2026: Considerations to Successfully Adapt to a Transforming Environment

January 20, 2026

Introduction The accounting firm industry experienced a ground-breaking transaction in August of 2021 when TowerBrook acquired EisnerAmper, which marked the first private equity (“PE”) transaction of a large-scale accounting firm. This transaction was structured using an alternative practice structure (“APS”). Historically, licensing and independence rules have barred non-CPAs from owning accounting firms. Through an APS, a PE firm may invest in the non-attest entity with service lines such as tax advisory and consulting. The CPA partners retain control over the attest functions, which preserves regulatory compliance. While the APS model has been in existence since the 1990s, this August 2021 transaction brought new attention to this structure. What has followed is an extraordinary volume of deal activity. Per the CPA Trendlines (“CPAT”) Cornerstone report posted on November 18, 2025, CPAT has tracked over 115 PE-related transactions from 2020 to 2025, with over 80 transactions in 2025. While PE in the accounting firm space is no longer news, the pace and volume of transactions is certainly news-worthy. Impact of PE Investment The impact of PE investment on the accounting firm space is unprecedented. The APS has enabled PE to fuel billions of capital investment. PE-backed firms provide immediate payouts to partners at appealing valuations while providing access to capital to these firms for merger and acquisition growth, technology investments, and other priorities. Well-capitalized firms now have an improved ability to invest in technological capabilities, attract experienced talent to be more competitive for college graduates, and improve their market position. With new technologies, routine tasks are being automated such as data entry, tie-outs and controls testing, resulting in less time needed to perform certain audit procedures. What the regulators are saying At the AICPA December 2025 conference on Current SEC and PCAOB Developments, common topics were the presence of private equity in the accounting firm space and the opportunities and challenges that come with this investment. PCAOB Acting PCAOB Chair George Botic described that both transformative technologies (e.g., artificial intelligence or “AI”) and the continuing expansion of private equity investments in accounting firms are two developments that bring opportunities and challenges. Mr. Botic noted that while AI has enhanced risk assessment, reduced manual processes and made it possible to efficiently analyze entire populations of data (which can reduce the risk of missing irregularities or unusual patterns), that overreliance on AI may ultimately threaten auditors’ exercise of professional skepticism and judgment. As it relates to private equity, Mr. Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.” SEC SEC Chair Atkins discussed in his remarks that he would like the PCAOB to modify its inspections process to place more reliance on the system of quality management and that inspection of certain engagements would inform the PCAOB if the firm’s system of quality management is effective. He also expressed a view that accountability for audit quality should move upward to firm leadership. How is a firm’s system of quality management (“SQM”) impacted? Today’s transforming environment has far-reaching impacts on a firm’s SQM. This publication will focus on risk assessment, governance and leadership, ethics and independence, resources, engagement performance, and monitoring and remediation.

Year in Review: Here are the Top 10 Actionable Insights of 2025

By Jackson Johnson • December 30, 2025

As we wrap up an incredible year, we’re showcasing the insights that sparked the most conversations and drove the most impact. Here are the Top 10 Actionable Insights from 2025: Use of Other Auditors: Managing Risk and the New PCAOB Standard ISQM 1, SQMS 1: Influencing the Firm on the Benefits Beyond Compliance (Part II) Case Study – Example Successor Auditor Considerations QC 1000 Implementation: Key Themes and Guidance from the PCAOB Workshop Clearing the Roadblocks: Auditing Estimates with Confidence in Small Firms Enhancing Auditor Independence: Key Themes from PCAOB Recent Spotlight The Never-Ending Story: How to Remediate Recurring EQR Findings – Part Deux Cryptic Audits of Crypto Assets: Auditing Digital Assets Innovative Solutions for QC 1000, SQMS 1, & ISQM 1: Quality Management tools in the Marketplace Enhancing Audit Evidence: PCAOB Expectations and What We Are Seeing in Practice

Enhancing Audit Evidence: PCAOB Expectations and What We Are Seeing in Practice

November 24, 2025

As companies increasingly rely on cloud platforms, external data providers, and integrated third-party systems, the boundary between “internal” and “external” information has blurred. Audit evidence today may originate outside the company, but often arrives through the company, transformed, mapped, merged, or embedded within systems before it reaches the auditor. In response to this evolving landscape, the PCAOB amended AS 1105, Audit Evidence, effective for audits of fiscal years beginning on or after December 15, 2025. Central to these amendments is AS 1105.10A, which introduces a principle-based, risk-scalable framework for evaluating the reliability of electronic information provided by the company. At JGA, we view this development as a natural response to the data ecosystems shaping today’s financial reporting. We also see it rapidly becoming a recurring area of focus by global audit regulators, particularly when the information supports significant risks, revenue, fraud procedures, or management estimates. This article summarizes key themes from the PCAOB’s Board Policy Statement on Evaluating External Electronic Information (issued September 2025) paired with practical observations from JGA’s inspection support and methodology enhancement work with firms across the profession. Why External Electronic Information is a Growing Focus Area Across industries, external platforms now drive core financial and operational processes: payment processors, logistics platforms, third-party fulfillment solutions, subscription systems, industry data services, and more. Although such information originates from outside the company, it is often: Received, stored, or routed through company systems Transformed within spreadsheets or EUCs Merged with internally generated data Exported in formats that allow modification Provided to auditors without a traceable chain to the original source. Our direct experience working with our clients shows that PCAOB inspection teams consistently emphasize that external does not inherently mean reliable. The auditor must understand how the information was obtained, how it was handled, and whether there was a reasonable possibility that it could have been modified before reaching the auditor. Understanding AS 1105.10A The Board Policy Statement highlights two foundational expectations: 1. Auditors should understand the source and flow of the information. Inspection teams frequently question whether the engagement team understood: The true originating source of the data How the company received it (e.g., automated feed vs. manual upload) Whether the information is editable or configurable Whether it passed through multiple systems or spreadsheets How it is used in controls, substantive testing, or significant estimates In JGA’s experience, inspection findings often arise from situations where teams relied on a “system-generated” or “externally sourced” report without fully understanding where it came from or whether it could have been changed. 2. Auditors should address the risk of modification. The standard allows for two broad approaches, testing the information itself or relying on controls, depending on the assessed risk. The standard is intentionally flexible, but this flexibility requires well-supported judgments, especially for information affecting significant accounts or fraud risks. The PCAOB also acknowledged scenarios where separate testing may not be required (e.g., direct-to-auditor feeds or read-only API transfers) but emphasized that this exception applies only when the risk of modification is no more than remote. What We Observe in PCAOB Inspections Through JGA’s transformation activities with firms, we continue to see consistent challenges in the following areas: Reliance on information provided by the company without evaluating whether transformed, filtered, or merged with other data sets. Use of external or industry data in analytics without understanding the methods, assumptions, or relevance to the issuer. External information embedded in significant estimates or complex models without evaluating management’s process for compiling that information. System-generated or external journal entry listings used in fraud procedures without establishing completeness and reliability. In each of these situations, inspection teams focus on whether engagement teams understood how the information was obtained, how it was processed, and whether there was a reasonable possibility of modification before it reached the auditor. Emerging PCAOB Expectations Although the standard is principles-based, several expectations are now appearing consistently in inspections: Reliability cannot be presumed, external information must be evaluated just like any other audit evidence. Understanding the company’s process for receiving and handling external information is foundational. Judgments about whether separate testing is required must be risk-responsive and well-supported. Documentation should clearly articulate the source of the information, the company’s process, and the basis for concluding the information was reliable. These expectations are shaping how firms need to think about IPE testing, data flows, and the role of technology within the audit. Areas Where Firms Often Seek Assistance Across our methodology enhancement and inspection support work, firms consistently ask for help in: Identifying when information is “external electronic information provided by the company”. Determining whether reliance on management’s process is appropriate. Navigating situations where data passes through multiple systems or spreadsheets. Evaluating third-party or industry data used in analytics. Assessing effects on significant risks, especially revenue and fraud. Aligning documentation practices with PCAOB expectations. Many firms have strong processes for testing IPE, but other nuances of the standards require an additional layer of consideration that is still evolving in practice. Looking Ahead As companies build increasingly automated and interconnected systems, auditors must deepen their understanding of those environments to obtain sufficient appropriate evidence. Firms that proactively adapt their methodologies and train engagement teams will be better positioned for both compliance and audit quality. At JGA , we help firms interpret emerging regulatory requirements, strengthen methodologies, and enhance the use of technology and data in the audit. Ultimately, ensure compliance and consistency get to our ultimate goal of helping firms grow and scale responsibly. To learn how we can help your firm navigate these expectations and #AmplifyQuality, visit www.johnson-global.com, or contact a member of your JGA client service team.