Call a Spade a Spade: Is there a distinction between PCAOB and AICPA audits?

Dane Dowell • Jan 21, 2022

Firms have a habit of dividing audits between PCAOB/SEC audits and AICPA / private company audits. This permeates methodology, training, staffing, career paths, and honestly, all facets of a firm’s system of quality management. 


I fully acknowledge that there are distinct differences in requirements for a PCAOB audit versus an AICPA audit, especially if the PCAOB audit is integrated under SEC 404 requirements. But let’s also have an honest dialogue and acknowledge that the core audit principles (I’m talking planning and risk assessment, understanding the entity and its controls, and the design of the overall responses to the risks of material misstatement) are VERY similar. 


While 404 may require the testing of internal controls, regardless of the audit opinion or auditing standard, ALL auditors have to understand the company’s processes and controls and evaluate the design and implementation of those controls. The only difference between an integrated and a non-integrated audit is the testing over operating effectiveness of controls. This is true for both PCAOB and AICPA audits. In fact, let’s take a look at the guidance: 


PCAOB: AS 2210.18 and .20 states: The auditor should obtain a sufficient understanding of each component of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures…Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented


AICPA: AU-C Section 315.13 and .14 states: The auditor should obtain an understanding of internal control relevant to the audit…When obtaining an understanding of controls that are relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity's personnel. 


Both PCAOB and AICPA require the same planning procedures. The extent of those procedures will depend on risk and complexity of a client, but the procedures are the same: understand design of controls and determine whether they have been implemented. In fact, the guidance for AICPA indicates that evaluation of design and implementation is more than just inquiry. The PCAOB also states that in controls, inquiry alone is never sufficient. 


If we take a step back, the reason both standards require this understanding of controls is because once an engagement team understands the controls, they can then identify the risks and potential misstatements and from that understanding, appropriately design an audit approach, whether integrated or not. 


Time and again, when helping firms with audit quality, I’ll hear firms say something along the lines of “well, that’s a private company audit, so it’s different.” Is it really though? 


The most unique aspects of a PCAOB audit stem from certain specific SEC and PCAOB independence requirements, specific audit committee communication requirements, and a few other auditor reporting considerations, such as critical audit matters. However, the majority of the audit standards are very similar. This shouldn’t be a surprise since the PCAOB initially took the AICPA auditing standards and adopted them as interim standards until the PCAOB could issue official guidance. While there is some wordsmithing here and there, the core principles remain largely unchanged. Perhaps the most significant difference in the two audit standards is the requirement of the PCAOB to perform a test of detail to address a significant risk and/or fraud risk, regardless of controls reliance, while the AICPA only requires a test of detail if there is no controls reliance. 


There really isn’t much of a distinction otherwise. So why do firms treat AICPA and PCAOB audits so differently? Well, in my opinion, it’s because the PCAOB performs inspections and holds firms strictly to the standard. There is no regulator for the AICPA; rather, enforcement of AICPA standards is accomplished through peer review. Is that really sufficient? Isn’t peer review and the lack of an enforcement agency what ultimately gave rise to the PCAOB in the first place? 


Essentially, firms are dividing audits between PCAOB and AICPA standards because the regulator of PCAOB auditing standards holds firms to a higher bar. Standards are largely the same and yet, we treat them as night and day. Is that really the right approach? When I challenge firms on auditing, generally most will acknowledge that audit is audit is audit, regardless of the standards. But when it comes to how we actually execute audits, firms inherently accept that there is a different standard. If we accept that there are minor differences between a PCAOB and AICPA audit, let’s see how that might change or impact aspects of a firm’s system of quality management. 


Training


Currently, most firms break up their staff into public company and private company auditors and provide different training and career paths for the two populations. Does that really make sense? Perhaps audit training should be the same for all staff. The principles, after all, are largely the same. For those who work on a PCAOB audit, perhaps those staff should also attend a supplemental training where the “bridge” from an AICPA to a PCAOB audit is explained. But that might only be an additional hour or two of training. There just aren’t that many differences otherwise, to merit two distinct training paths. 


In particular, I find this to be overwhelming present within the space of ICFR. Again, both PCAOB and AICPA have the same minimum requirements for understanding the design and implementation of controls and yet, most AICPA auditors never receive in-depth ICFR training. Historically, given most private company audits are non-integrated, perhaps that was okay. But with the ever-increasingly pervasive nature of technology within clients, all auditors need to have a strong understanding of internal controls. This helps to identify risks and plan an appropriate audit response. 


Increasingly, I am seeing engagement teams struggle with adopting “hybrid” approaches to testing data and information coming from systems, but ultimately asserting to a “non-controls reliance” approach. In other words, teams don’t think they’re relying on controls, but they are relying on system generated reports which are inherently relying on controls over a system in order to ensure reliability. When I have conversations with these teams, they are quickly lost. Some assert to the fact that they evaluated the design of ITGCs and believed that they could rely on the system without testing the operating effectiveness. Some assert to the testing completeness and accuracy of information by tying a report back to the system. Well, that’s fine, except you haven’t tested controls over inputs into the system and you have tested controls around the system. These hybrid approaches are popping up more and more and teams don’t have the rhetoric or knowledge to understand internal controls, in particular around systems and information. If teams understood these concepts (because they were invited to ICFR trainings), they might be able to better plan a more appropriate audit approach, taking into account the decision to test or not test controls. It starts first with understanding; knowledge is power. 


Methodology 


Methodology is another area firms distinguish between PCAOB and AICPA audits. Again, I fully acknowledge that there are differences between the two standards and so an audit binder should have supplemental workpapers for a PCAOB audit that “bridge” the gap, such as requirements around independence and audit committee communications, etc. But again, the main audit principles are the same. 


I think it’s appropriate to have two different “workpaper setups” for public and private company audits that ensure engagement teams will meet the minimum requirements. What I find is perhaps less acceptable is to have different methodologies when the standards are largely the same. 


Let’s consider sampling for a moment. I’ve worked with multiple firms that have different sampling methodologies for public and private company audits. In the public company space, the PCAOB often challenges the use of a judgmental sample if the remaining untested balance is material. As a result, firms have moved away from judgmental samples in PCAOB audits and instead pushed teams to either apply targeted sampling (i.e. targeting items until the untested balance is below materiality) or statistical sampling. However, I’ve heard comments that in the private company space, the firm still often uses judgmental samples, and these are considered acceptable. 


Let’s take a look at the sampling guidance for an AICPA audit. AU-C Section 530.06-.08 indicates: 


When designing an audit sample, the auditor should consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. (Ref: par. .A7–.A11) The auditor should determine a sample size sufficient to reduce sampling risk to an acceptably low level. (Ref: par. .A12–.A14) The auditor should select items for the sample in such a way that the auditor can reasonably expect the sample to be representative of the relevant population and likely to provide the auditor with a reasonable basis for conclusions about the population. (Ref: par. .A15–.A17) 


When taking a deeper look into the referenced guidance (i.e. A14), the AICPA guidance specifically states: 


The decision whether to use a statistical or nonstatistical sampling approach is a matter for the auditor's professional judgment; however, sample size is not a valid criterion to use in deciding between statistical and nonstatistical approaches…An auditor who applies nonstatistical sampling exercises professional judgment to relate the same factors used in statistical sampling in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable with the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters… 


The AICPA does allow for judgmental samples, but it also explicitly states that those samples should consider the same sampling parameters (i.e. tolerable misstatement, expected misstatement, risk of material misstatement, assurance from other substantive procedures, number of sampling units, and stratification, etc.) and should be comparable to a statistical sample. Do you know how many times I’ve seen teams apply “professional judgment” and test only five items or maybe ten items? And when I ask what a statistical sample would yield, the answer is “Way too many. We ran the model and it would have been in the hundreds.” The AICPA explicitly states that “…sample size is not a valid criterion to use in deciding between statistical and nonstatistical approaches.” My response is always, “So how does this judgmental sample take into account risk of material misstatement and materiality?” The answer, to which, is typically silence. No documentation and no response. 


This is just one example of how firms allow for different methodologies for public and private company audits, even though the principles are largely the same. 


Firm Monitoring


Finally, as part of PCAOB and AICPA quality management standards, firms are required to perform internal monitoring procedures. This typically translates into lookback reviews performed during the slower summer months over a sample of audits. 


In its Staff Update and Preview of 2020 Inspection Observations, the PCAOB indicates that it is 


We also observed situations where we identified deficiencies through our inspection procedures that were not identified through an audit firm’s internal inspection procedures directed to the same engagements. Such results may indicate that the audit firm’s QC system related to monitoring does not provide reasonable assurance that the audit firm’s internal inspection program is suitably designed and/or being effectively applied. 


What this tells me is that firms apply a different level of rigor internally than the PCAOB. It comes as no surprise that the PCAOB, being the regulator is by far the most exigent in terms of adhering to standards. Some might argue, it’s overly exigent, but that’s a debate for another time. The point of the matter is that firms are inherently missing the mark when inspecting their own work and are failing to identify quality concerns. 


If firms are failing to identify internal issues, what does that mean for the peer review process for AICPA audits? The auditing profession was self-regulated up until the Enron scandal and the collapse of Arthur Andersen which brought about the advent of the PCAOB and Sarbanes-Oxley. I’m not saying the PCAOB is always right or justified, but that the profession missed the mark once before and if the PCAOB is finding that firms’ internal inspections are not of a sufficient quality, then arguably, peer reviews are not being held to the same rigor. I believe this all stems from the fact that firms, and the industry as whole, views PCAOB and AICPA standards as inherently different and thus, applies an inherently different level of quality. Yes, there is less public exposure in the private company world, but does that mean audits should be performed at a different level of quality? 


When the auditing standards (or the core principles at least) are arguably the same, why do we have such a divergence in application of the standards when we execute on public company and private company audits? At the December AICPA SEC Conference, the SEC’s Division of Enforcement asked the question, “Where are the gatekeepers?” They indicated that there is an erosion of trust in the markets. The Division went on to share numerous examples of accounting concerns and made very clear they are challenging the gatekeepers, which includes the audit firms issuing the opinions. 


Let’s call a spade a spade. An audit is an audit is an audit, regardless of whether it’s a PCAOB audit or an AICPA audit. Yes, there are distinct differences, but the core of an audit is the same. It’s time we as a profession apply the same level of quality to public as well as to private company audits. 


Dane Dowell is a Director at Johnson Global Accountancy who works with PCAOB-registered accounting firms to help them identify, develop, and implement opportunities to improve audit quality. With over 12 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Dowell has extensive experience in audits of ICFR and has worked closely with attorneys in the PCAOB’s Division of Enforcement and Investigations. Prior to the PCAOB, he worked with asset management clients at PwC in Denver, Singapore, and Washington, DC.

By Randall Thompson 10 May, 2024
Johnson Global Advisory (“JGA”) is proud to participate in the world-wide Learning at Work Week May 13th-19th. This annual event supports building learning cultures in workplaces. It aims to put a spotlight on the importance and benefits of continual learning and development. JGA actively supports “learning power” (the theme for this year Learning at Work Week) for our external clients and we’ve been working on some exciting opportunities to learn internally through growing, engaging and connecting opportunities as a team as well. Johnson Global is committed to amplifying quality in the profession. For more information about our training services click here.
By Andrea Reaves 10 May, 2024
Updated 5.13.2024 On May 13, 2024 the PCAOB held an Open Board Meeting - PCAOB to Consider Adopting New Standards on General Responsibilities of the Auditor in Conducting an Audit, Quality Control . The PCAOB considered adopting a new auditing standard – AS 1000, General Responsibilities of the Auditor in Conducting an Audit as well as QC 1000, A Firm’s System of Quality Control. JGA provided comments to the PCAOB on the proposed QC 1000 standard. To read our comments please click here . The PCAOB proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, is available here . The new standard is available for viewing here .  PCAOB Updates PCAOB Solidifies Foundation of Every Audit With Adoption of New Standard on General Responsibilities of the Auditor PCAOB Adopts New Quality Control Standard With a Risk-Based Approach Designed to Drive Continuous Improvement in Audit Quality
By Geoffrey Dingle, Managing Director, Shareholder 02 May, 2024
PCAOB Publishes Spotlight Related to Root Cause Analysis In April 2024, the PCAOB released a Spotlight Root Cause Analysis – An Effective Practice to Drive Audit Quality which continues the Board’s goal of sharing its observations from its inspection and remediation activities, but this time related to Root Cause Analysis (RCA). RCA should not be a new concept to audit firms. In 2020, we published RCA: Seems like EVERYBODY is talking about Root Cause Analysis , where we shared the importance of performing an effective RCA to be able to understand what are the underlying causes of deficiencies which occur at your firm. We wanted to highlight a few important aspects coming through in this April 2024 Spotlight. The Spotlight rightly stated that RCA should be a multifaceted approach . There are a number of different tools, techniques, processes, and philosophies that firms can undertake to perform a RCA. In addition, there may not always only be one factor that is causing a deficiency – it could be a variety of factors such as lack of technical competence, failure of resource allocation at firm level, etc. The Spotlight also identified characteristics of a well-designed RCA process , which are important to highlight as follows: Have a dedicated team with RCA experience perform the RCA as they are more objective and have the requisite background. In helping our clients with RCA, we find by bringing in our objectivity, our PCAOB standards experience coupled with our RCA experience, engagement teams are more willing to be open and honest with their opinions of where they see potential root causes that resulted in deficiencies. Firms use a variety of methods and techniques to gather data which include review of workpapers, interviews with engagement teams immediately after the deficiencies are identified, and review of engagement metrics. All this information combined paints an informative picture of what caused the deficiencies. Firms should not only focus on looking at engagements that had negative quality outcomes, but also focus on looking at engagements which had positive outcomes arising from inspections or the firm’s internal monitoring. By identifying what worked well with some engagement teams, firms can then use that information to drive change with other engagement teams. Lastly, firms should be aware that the task of identifying root causes and implementing a new action to remediate this deficiency does not mean that the job is done. Firms should monitor these remedial actions to determine whether the actions that they undertook are in fact solving the problem. In conclusion, there is no time like the present to strengthen your RCA process . Remediating deficiencies (by providing training, developing new tools and templates, changing processes, etc.) is a time consuming and costly undertaking…you want to make sure that the action you are investing in, is actually going to remedy the problem. In addition, the PCAOB’s standard setting agenda includes a proposal for the new quality control standard that, if adopted, would require firms to perform RCA of its control deficiencies. Our recommendation is to start implementing your RCA process now so that you can refine and modify your RCA process.
By Randall Thompson 22 Apr, 2024
Johnson Global is proud to sponsor My Sister's Place (MSP) 45th Anniversary Celebration on May 15, 2024 in Washington, D.C. MSP has been providing services to the D . C . community to empower survivors of domestic violence and their children, while fostering leadership and education to build a supportive community. MSP's experienced team provides training, case consultation, and advocacy to engage communities to prevent violence and abuse. Click here for more details.
By Randall Thompson 02 Apr, 2024
Johnson Global Advisory (“JGA”) is pleased to sponsor the Allinial Global Executive Team Conference 2024. This four-day event will be from May 19–22 at The Westin Kierland Resort & Spa in Scottsdale, AZ. This premier event for firm management, strategy and growth, and leadership, with a focus on Driving Success and Accelerating Possibilities through collaboration, knowledge sharing, and networking. PROGRAM HIGHLIGHTS A keynote session entitled The Time to Win - Grow Your Firm by Exceeding Clients’ Need for Speed by Hall of Fame speaker and New York Times best-selling author Jay Baer Inspiring sessions focused on how firms can evolve their internal operations and management to facilitate a seamless client experience through lean processes and innovative approaches to talent and technology Half-day virtual programs on Monday, May 20 and Tuesday, May 21 To learn more and register click here. About Johnson Global Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.
By Geoffrey Dingle, Managing Director, Shareholder 27 Mar, 2024
Editor's note: This article is part of a series to highlight the unique experience that JGA professionals possess and deliver to our clients. As busy season winds down, it is an opportune time to reflect on challenges in ensuring audit quality and preparing for a successful outcome to the PCAOB inspections process. There are a myriad of obstacles to audit quality such as time constraints and the complexities of client engagements. Amidst these demands, audit quality remains the utmost priority. Geoff Dingle an author of JGA’s guide, Navigating PCAOB Inspections, Second Edition shares his insights on how firms can effectively prepare for the entire process. The Purpose Registered firms that issue at least one public company audit opinion are subject to inspection at least every three years. Every inspection is different based on the firm, its clients, and PCAOB priorities, but the overall process is the same. It is a long process that takes planning and coordination, and this guide addresses the main phases and pain points. “Through our work at JGA, supporting firms on PCAOB inspections, we are able to witness first-hand the struggles that some firms encounter as they work through the inspection process with the regulator. Although some of this information is available on the PCAOB’s website, we have been able to consolidate our own experiences having supported over 100 firms during their inspections. JGA has a team of alumni from the regulator that have led inspection teams and quality management initiatives, with over 139 years of combined experience at the PCAOB and SEC,” says Dingle. The Process The inspection process often takes more than two years (sometimes as long as four years) from initial notification of an inspection to the final remediation determination. It can take weeks to months to issue comment forms after the inspection week. Report finalization is getting faster but it can still take more than six months to issue an inspection report to a firm. If there are few issues, the PCAOB can respond quickly, but with multiple findings the process oftentimes takes longer. After report issuance Firms have 12 months to remediate Part II findings and provide these remedial plans to the PCAOB for evaluation. Pre-Inspection The PCAOB provides the dates for its intended inspection week. The notification letter includes the period being inspected, questions, and requested documentation about the firm and its clients. There are not many pain points at this stage, but there is typically a four-week deadline to respond. The PCAOB contacts the firm two to three weeks before the inspection starts with the names of the issuers selected for inspection and requests specific information and access to the workpapers for these audits. “We always recommend that firms hold internal meetings to assign responsibilities between the engagement teams and the national office and plan for the inspection. Prep week - the week before the inspection, can be stressful. We suggest that engagement teams go back through their audit files to re-familiarize themselves with the workings of the audit file,” Geoff continues . Key Points About The Process Before COVID, inspections were conducted in-person. Now the majority of the inspections are performed virtually. “With the engagement team and the inspection team not being in the same room, we have observed inefficiencies in getting matters resolved because of the need to coordinate firm personnel and inspection personnel, across various time zones, locations, and schedules,” he mentions. During the inspection week, the PCAOB provides detailed questions to the engagement team regarding the audit file. It’s a mix between written questions sent to the firm and asked questions during meetings. All questions are answered in subsequent meetings. With the remote process, meetings are scheduled to address and answer these questions. “Our own experience is that if a particular line of questions continued for the week (i.e. the engagement team’s response is not satisfying the inspector), then chances are there will probably be an issue that will result in a comment form,” Geoff adds. Be ready for multiple layers of questions on the same subject by providing details based in the working papers and show a deep understanding of the audit. Inspection issues are usually riskier areas involving judgements. Audit documentation should “tell the story” of how auditors came to their conclusions, not just what the conclusion was. Audit documentation should describe in detail what considerations were made by the engagement team in coming to their judgment (i.e. how any contradictory evidence was addressed; why the engagement team went with one model over another, etc.). If judgments are not well documented, the PCAOB has no alternative but to conclude that sufficient procedures were not performed. Comment Forms A few weeks after fieldwork is completed, the inspection team provides comment forms that include a summary of the deficiency and the facts related to the issue. Firms have 10 business days to respond. The Inspection Report Part I inspection findings are in the report’s public portion. Part I.A deficiencies indicate the firm had not supported its opinion on the financial statements, ICFR, or both. Part I.B findings are compliance issues which do not specifically compromise the audit opinion. Part II findings are related to the firm’s system of quality control and are in the report’s nonpublic section and these are not shared with the public. Firms have 12 months to remediate Part II findings before they can become public if the PCAOB concludes that the firm did not adequately remediate. Frequent Part I.A findings in an integrated audit relate to testing controls, testing estimates, and use of service auditor reports. Part I.B findings may result in enforcement cases and include incorrect opinion language, independence breaches, audit committee communication issues, and incomplete or late filing of Form AP. Responding to Findings in Part II of the Inspection Report Ultimately, the firm has 12 months to communicate to the PCAOB how it plans to remediate quality control findings. Geoff provides his insights on the importance of root cause analysis, “In our experience, firms do not do a great job of root cause analysis to identify the remedial action needed for deficiencies because they do not dig deep enough. We review comment forms and related workpapers to understand why the PCAOB issued the comment, and then we interview the engagement teams about root causes, to understand whether the issue was related to areas like staffing, partner workload, supervision and review, technical competence, audit methodology, or firm tools. In fact, firms will soon be compelled to do a rigorous root cause analysis as the proposed quality control standard (QC 1000) requires root cause analysis.” A proactive approach to remediation, specifically quality control findings allows for firms to make corrective actions based on their root cause evaluation and provide time to see the updates work their way through the firm’s audit cycle. Showing examples of the new process goes a long way. See our contribution to Journal Of Accountancy, Quality Management Standards: How to Perform a Root Cause Analysis . “We advise firms to address Part II remediation findings early. If they wait until they receive the report to start remediation, another inspection could start, and a repeat finding could result.” PCAOB guidance details five relevant criteria they use to conclude on the sufficiency of remedial actions. Every firm’s quality control processes are different, so we work with clients to apply the guidance to their own remedial actions and avoid repeat criticisms,” Geoff mentions. In conclusion, the PCAOB has made it clear both through its speeches and its enforcement actions that they will be tougher on enforcing regulation and audit quality. Firms need to plan in advance to make sure the inspection process is as issue-free as it can be. That starts with making sure audits are completed in accordance with the PCAOB auditing standards, not when you get notified of an inspection. Firms should enhance their practice monitoring by engaging firms like JGA to perform in-flight reviews while the audit is happening. In that way, quality is achieved prior to the signing of the audit opinion. Interested in learning more about the PCAOB inspections process and how to prepare? Navigating PCAOB Inspections, Second Edition is a roadmap for firm management and engagement teams through the entire PCAOB inspection and remediation process, to help prepare for inspections and implement continuous audit quality improvements. Geoff Dingle, JGA Managing Director, Shareholder With more than 20 years of experience in the accounting and auditing industry, Geoffrey Dingle works with public accounting firms to help them achieve the highest level of audit quality. Geoff brings a diverse set of experiences to JGA. As an Associate Director for almost 10 years, in the Division of Registrations and Inspections at the PCAOB, he conducted inspections of quality control and issuer audits. In addition, he played a senior role in planning, executing and reporting on the annual inspections of Global Network Firms, including, but not limited to, quality control procedures, review of comment forms, development of the inspection report criticisms and quality control themes, and evaluation and review of Firm root cause analysis and remedial actions. To learn more about Geoff and the JGA Team visit the Meet Our Team page.
By Matthew Rogers, CFE, CFF, Managing Director 29 Feb, 2024
Editor's note: This article is the first in a series to highlight the unique experience that JGA professionals possess and deliver to our clients. What is top of mind for the Public Company Accounting Oversight Board (PCAOB)? The PCAOB has made it clear that it intends to carry out an aggressive inspection program to identify and correct the high rate of audit quality deficiencies it continues to find and refer matters to its Division of Enforcement and Investigations (“DEI”). “ As a consultant, I work with audit firms to establish or enhance their policies and procedures so they deliver audit services at the highest quality level and hopefully avoid regulatory scrutiny from the PCAOB and SEC .” When an auditor or firm has become subject to a PCAOB or SEC investigation, JGA can assist in a number of ways including in their responses to informal document requests, Accounting Board Demands, and subpoenas for workpapers, emails, and other documents. Our consultants also perform workpaper review, provide case assessments and strategy guidance, assist with witness preparation, and help in preparing white papers, Statements of Position, and Wells responses. We also serve as expert witnesses by providing expert reports and expert testimony. Johnson Global professionals consult firms on timely remedial and corrective actions and other activities to obtain PCAOB extraordinary cooperation credit to substantially reduce or eliminate monetary penalties and sanctions. Once there is a PCAOB enforcement inquiry, before a case is brought, we review audit workpapers and documents and evaluate the firm’s quality control system to identify the potential violations, assess the significance of the violations, provide a root cause analysis, and propose remedial solutions. Existing or new clients include individuals and firms who have received a letter from DEI or the SEC’s Enforcement Division announcing an informal inquiry, or that a formal order of investigation has been initiated. “Our vast network, includes attorneys that I know from doing forensic accounting for so many years.” As needed, we assist firms in obtaining counsel with experience working with the PCAOB and SEC, if they do not have one. We work with counsel closely in these matters for counsel to provide legal advice and correspond with the regulator directly on behalf of the firm. Recent Trends PCAOB Reporting - Form AP and Form 3 Compliance We have seen an increase in the number of PCAOB enforcement actions related to PCAOB Form AP (Auditor Reporting of Certain Audit Participants) and PCAOB Form 3 (Special Events). The general requirement for Form AP is to file it within 35 days from the date the firm’s audit report is first included in a Form 10-K or 20-F filed with the SEC. For Form 3, the form must be filed within 30 days after the event. Firms are not filing these on time, commonly because they are not aware of the requirements or forget to file. Once the audit is over, attention can get diverted from Form AP. Form 3 is particularly burdensome because there are 18 specified events to report and monitoring these can be a challenge. Also, these forms may not be filled out correctly. For Form AP, it is easy for the PCAOB to determine whether a firm has timely filed it by comparing SEC filings to the Form AP filing, and the inspections group will routinely do that. It is harder for the Board to identify Form 3 compliance issues because their special events are unique to each firm, but we see instances of that occurring and enforcement matters as a result. When compliance failures occur, we have observed that the DEI will send a letter to the firm with a draft order that will propose a settlement, without even discussing the matter with the firm. We discuss the options with the client and client’s counsel, including the costs associated with litigation, so they can decide. Most clients do not challenge the Board and agree to the censure and fine, which can be $5,000 or more per violation, along with the requirement for a self-review and self-certification of the firm’s quality control policies and procedures relating to PCAOB reporting. The consequences of any compliance failure on these forms can be harsh, even though it was just a mistake. Form compliance is an area where we can help firms to make process changes and put policies and procedures in place to timely file and avoid a repeat failure. We recommend annual training on PCAOB reporting and the implementation of an annual certification process for Form 3 events. For Form AP, we help firms institute tracking and monitoring controls by the designated head of quality. For example, we designed a Form AP tracker that includes the relevant required information for all the firm’s PCAOB clients, along with the estimated filing dates and calendar reminders so there is a process to monitor engagement teams to proactively follow up. We also developed a Form 3 checklist that includes the trigger events and can be used at monthly meetings or by email requiring affirmative responses, so firms are able to proactively identify the events that require a filing. Communications with Audit Committees This is an area where the PCAOB is using sweeps, presumably from information gathered at the audit inspection level. Participation of other auditors in the audit must be communicated to the audit committee, but the PCAOB has noted failures to communicate which firms and individuals were involved and what they did. Another common problem area in audit committee communications is the lack of required preapproval of non-audit and audit related services. Firms may need training to understand the requirements, along with additional quality control policies and procedures. There should be audit program steps in the tools firms use that apply to audit committee communication in PCAOB audits, not those under AICPA or international standards, because the rules are not the same. The PCAOB continues to bring cases in this area, even if it is for one single violation of this PCAOB standard. There is an apparent zero tolerance policy at the PCAOB for violations of this nature. Engagement Quality Review EQR is a hot area now. Firms may not have done one at all, or the quality is not there - either on the front end for risk identification and planning, or at the back end when the audit is done. Our firm has developed and provides an EQR mentoring program , which is a collegial one on one approach to help firms get better, and it includes retraining as partners rotate on engagements. Documentation There are a number of inspection findings relating to AS 1215, Audit Documentation, including firms adding, backdating, or altering workpapers after the report release date. There is a process under the standard for adding documents that includes documenting who made the change, when, and why. We advise firms that have documentation issues to follow the standard because it is not advisable to make it look like a workpaper was always there when it was not. Quality Controls The PCAOB is very focused on this area. When the PCAOB finds a number of violations, firms should consider whether they have quality control issues, including whether there is a strong ‘tone at the top’ related to audit quality. Most PCAOB enforcement actions issued in 2023 either cited a QC failure or required the firm to enhance its QC system as part of the sanction. It can be challenging for firms, especially those with fewer than ten or so PCAOB clients, to determine how much financial and personnel resources to commit to the firm’s system of quality control. The notion of scalability seems to have gone by the wayside resulting in a high fixed cost for entering the PCAOB audit market and maintaining a presence in that space. Some firms are hesitant to invest in compliance measures because of the high costs, but better quality likely will lead to getting more clients and the potential for less trouble down the line. There is a new PCAOB auditing standard on quality control coming soon, and it includes a requirement that assigns individual responsibility and accountability for the QC system. There is awareness, but we are encouraging our clients to get ready for this now. We offer quality control review services and can serve as a quality control confidant, especially for small firms that do not have a QC leader. PCAOB Inspections of China and Hong Kong Firms Last year, the PCAOB published inspection reports of PCAOB-registered firms in China and Hong Kong and announced enforcement actions and a record high level of penalties as a result of violations of PCAOB rules and U.S. securities laws. These included auditors cheating on ethics and other internal examinations, and extensive quality control deficiencies. By 2023, the PCAOB will have inspected up to 99 percent of these firms’ audits. Inspection reports are expected to come out in April 2024 showing more of the same deficiencies. The 2024 PCAOB budget includes resources to continue inspections in this region. U.S. firms should look at these inspection results and enforcement cases to be aware of what the PCAOB found and is continuing to look for. Conclusion PCAOB Chair Williams and the current board continue to deliver a tough message about audit deficiencies and enforcement. The PCAOB is filing enforcement cases not only against firms that pose potential danger for not doing anything right but also for compliance failures, including those relating to PCAOB reporting. Auditors need to invest in audit quality and keep on top of changes in audit standards to avoid PCAOB scrutiny and potential sanctions. Matt has more than 30 years of experience in financial reporting, auditing, and fraud detection and prevention. He held enforcement roles at the SEC and PCAOB, along with leadership roles at national consulting firms where he provided clients with solutions in accounting, auditing, financial reporting, forensic accounting, and litigation support.
By Don Melody, JGA Director 29 Feb, 2024
On January 31, 2024, the PCAOB Staff (the “Staff”) released its first ever Spotlight, Insights Into the PCAOB’s Interim Inspection Program Related to Audits of Broker-Dealers . I commend the Staff for this Spotlight. It provides new insights and more context than their typical annual reports on the broker-dealer inspection program results. To provide some brief background, the broker-dealer inspection Program was created as result of the Dodd-Frank Act, which was enacted into law in 2010. Inspections started in 2011, and the revised Securities Exchange Act Rule 17a-5 was effective in 2013. The most recent Annual Report published in August 2023 reported a 58% deficiency rate for broker-dealer firm inspections conducted in 2022, and stated that the rate was, “unacceptably high.” That compares to a 40% deficiency rate for issuer firm inspections in 2022, so the difference is considerable. See our September 2023 article that talks about the report - Broker Dealer Reruns: Haven’t I Seen This Before? (jgacpa.com) Auditors have, understandably so, argued that they need more guidance from the PCAOB to correct these deficiencies. It looks like the Staff has heard the pleas based on this Spotlight. Here are a few of the key observations by the staff in the report, and our recommendations for firms. PCAOB Finding: Insufficient Understanding of the Broker-Dealer Industry “In addition, broker-dealer specific training for auditors is not widely available. Typically, only larger audit firms offer in-house training and have acquired extensive broker-dealer audit experience that is shared with audit firm personnel. While there are a few vendors who offer quality training, course offerings are limited throughout the year.” The point is that the broker-dealer industry is specialized; you can’t simply be a good auditor and conduct a quality broker-dealer audit without obtaining the requisite understanding of the rules and regulations. For example, the auditor of a broker-dealer also provides an opinion on the supplemental information (e.g. Net Capital Computation, Reserve Formula Computation, etc.), and evaluates whether the supplemental information, including its form and content, is presented in conformity with 17 C.F.R. §240.17a-5 . That involves determining whether the broker-dealer's net capital computation is complete and accurate. Net capital includes assets that are “allowable” or “non-allowable” in the computation. And sometimes an otherwise allowable asset per Rule 15c3-1 may actually be non-allowable if, for example, there isn’t a particular clause in a clearing agreement. And sometimes an asset that is otherwise non-allowable per Rule 15c3-1 can be allowable if certain other conditions are met. The nuances exist in various SEC interpretations released over the last 50 or so years. These nuances are difficult enough for audit professionals with decades of broker-dealer audit experience. If engagement teams don’t gain that specialized knowledge, they won’t know what they don’t know, and will not be set up for success. We continue to see opportunities for engagement teams to have more BD-specific experience on the team. Training is one way to raise the bar, but that leads to the next problem – there simply isn’t a lot of high-quality broker-dealer audit training out there! While providing broker-dealer audit training to our clients, we have found that general training is often not sufficient to meet their needs and/or remediate PCAOB findings. For example, a general training on auditing a common broker-dealer that claims a (k)(2)(ii) exemption and introduces customer transactions to a clearing broker-dealer, will not help an engagement team audit a broker-dealer that specializes in mergers and acquisitions. As the Staff also emphasizes in the Spotlight, there is also an overreliance on standardized audit programs. We don’t look at these topics separately. We work with auditors to tailor their audit programs to the types of broker-dealers they audit and train their engagement staff to apply the programs to the facts and circumstances of their audits. PCAOB Finding: Overreliance on Standardized Audit Programs Inspectors found that standardized audit programs “may not be all encompassing, may reflect only certain criteria in the standards, and may be limited in the scope of procedures to be completed…these programs typically must be tailored to reflect the nature of the broker-dealer’s business operations, internal controls, and financial reporting and attestation risks.” In my time as a PCAOB Inspection Leader, I saw this time and time again. Audit firms subscribe to “off-the-shelf” audit methodology providers and rely on the audit programs they provide. Engagement teams follow the programs, fill them out completely, and still, they don’t conduct sufficient procedures. How can that be? Said differently, the audit programs are a good resource and a great foundation, but they are a guide and simply cannot account for every risk in the audits of your client portfolio. That holds true for any audit, but especially so for unique, complex broker-dealer industry audits. The audit programs are not a substitute for understanding the complexities of the broker-dealer industry (see above regarding the need for industry-specific training). In our work performing practice monitoring reviews for BD audits, we have seen cases where methodology doesn’t get down to the level necessary to force the understanding and documentation of a robust workflow to identify the risks at the assertion level necessary to sufficiently design test procedures. Based on our work with firms, the best path to success is to start with the standardized programs and then tailor them to the types of broker-dealers they audit. For example, if a firm audits broker-dealers that are involved in contractual revenue streams, such as the private placement of securities, we add in steps to address the key elements of revenue recognition within those transactions, such as obtaining evidence of the closing of the transaction, reviewing the contracts for possible claw backs, etc. These are specific considerations that are unlikely to be covered by a standardized audit program. PCAOB Finding: Low-Cost Providers and the Pace of Auditor Changes The staff reported that about a third of all broker-dealer audits have budgets of 40 hours or less and fees of $10,000 or less. These small audits, we believe are the root cause of many audit deficiencies. In the Spotlight, they said everything that is possible without saying it. Take into consideration these points mentioned above : the need for high-quality, broker-dealer industry specific training the need to go beyond the standard audit programs the need to conduct a rigorous risk assessment process that includes obtaining a sufficient understanding of the broker-dealer’s operations revenue transaction cycles related controls that will enable auditors to tailor their planned audit procedures more effectively Now do all of these points in 40 hours or less and collect $10,000. You can start to see why this doesn’t work. Conducting quality audits under that model is not sustainable, especially when the PCAOB levied a record amount of fines in 2023. Auditors would be wise to consider whether retaining a $10,000 audit client under these circumstances is worth the risk of being sanctioned and fined considerably higher dollar amounts. The Spotlight also highlights that about a third of broker-dealers audited by firms inspected during 2022 changed audit firms in the last three years. There are a variety of reasons for changing auditors, but in my experience, cost is the most common reason. Many of the low-cost providers that did not conduct audits in accordance with PCAOB Standards have been sanctioned and shut down by the PCAOB. But there are still some out there. My advice is to enhance your client acceptance and continuance process. The Staff touches on this in the Spotlight as well. Determine whether your firm has the expertise and tools to complete the audit in accordance with the standards. Specifically, when assessing the skills of the potential engagement team personnel, in my previous roles as SEC examiner and PCAOB inspector, I often saw that audits would be accepted and staffed with personnel with a range of broker-dealer industry experience. But not all broker-dealers are the same. Just because a firm has a team that has audited introducing broker-dealers doesn’t mean it should or could accept an engagement of a clearing broker-dealer, or even another exempt broker-dealer that engages in complex trading activities and hold difficult-to-value securities. It’s important to understand the detailed activities of the broker-dealer prior to accepting it as a client to ensure that your firm has the staff with the requisite expertise to complete the audit. In addition, use the acceptance process to set reasonable budgets and charge a fee that will allow you to conduct audits that meet PCAOB Standards. I even recommend sending the PCAOB Spotlight to your clients to start a conversation about the need to invest more time (and money) on audit quality improvements. I’ve been there and understand the challenge – many smaller broker-dealers don’t understand why it takes so many hours to do a quality audit, so show them. If the client refuses to pay the reasonable fee, let the client go to a low-cost provider that will be out of business in a couple years. That will keep you from becoming one of those firms that are out of business in the next couple of years. Other Findings and Next Steps There is a lot more in the Spotlight that can lead to higher quality broker-dealer audits, including applying professional skepticism, gaining experience with PCAOB Standards, having an effective EQR, and establishing a robust client acceptance and continuous process. I recommend spending time reviewing the Staff’s insights and consider how you can use them to increase your firm’s audit quality related to broker-dealer audits. Don has more than 23 years of regulatory examination, audit, and audit regulation experience, focusing on the broker-dealer industry. He previously served as an Inspections Leader in the Broker-Dealer Firm (BDF) Inspection Program at the PCAOB. His key activities as Inspection Leader included transforming the inspection approach, leading inspection teams, assessing auditor and examination procedures, and reviewing comment forms. He also served as Risk Assessment and Selections Leader for the BDF Program, where he was responsible for selecting audit firms/broker-dealer audits for inspection and served as a liaison between BDF Program and the SEC. During his 12-year tenure at the SEC, Don served as Examination Manager / Branch Chief, Broker-Dealer Examinations, in the Chicago Regional Office.
By Randall Thompson 29 Feb, 2024
Johnson Global Advisory (“JGA”) is pleased to sponsor the American Law Institute Continuing Legal Education’s two-day event live in Washington, D.C. and virtually online on May 16th and 17th. Join us and gain insights and perspectives on wide range of hot-button issues. The 2024 conference promises to be better than ever. Hear the latest, engage with colleagues, and stay current in your field. This year’s program is still being finalized but planned topics include: Accounting litigation trends New and proposed accounting standards Artificial intelligence in the accounting profession Quality controls and other emerging regulatory issues ESG/climate accounting Strategic considerations in regulatory investigations Beyond the Big Four SEC perspectives PCAOB inspection program Register today at use the code " JOHNSON " to save $250. Click here to register. About Johnson Global Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.
By Randall Thompson 29 Feb, 2024
Replay this informative program hosted by JGA’s Managing Director and Litigation and Investigations Practice Leader, Matthew Rogers. With more than 25 PCAOB enforcement actions relating to failures to timely filing of a Form AP, the cost of non-compliance can be high. Hear insights that will enable practitioners to better understand the Form AP requirements through lessons learned from PCAOB enforcement actions. Also, explore topics that will help foster discussion about practical solutions for enhancing firm quality controls to minimize the risk of compliance failure. To watch the replay or for additional details about this program please visit this link . Learning Objectives: Understand Rule 3211 and the Form AP Filing Requirements Discover what can go wrong and what are the penalties from past PCAOB Enforcement actions related to Rule 3211 and Form AP Apply best practices to reasonably ensure compliance with Rule 3211 and Form AP After registering you will receive a confirmation email containing information about watching the webcast. About Johnson Global Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.
More Posts
Share by: