Déjà Vu or Deeper Trouble? What the 2024 PCAOB Broker-Dealer Report Tells Us About Audit Quality
If you feel like you’ve read this story before, you’re not alone. For the third year in a row, the PCAOB’s annual report on broker-dealer audits paints a familiar picture: high deficiency rates, recurring issues in revenue testing, and quality control systems that continue to fall short. The 2024 report marks more than a decade of inspections under the interim program - and yet, many of the same red flags remain.
At JGA, we’ve tracked and provided our insights on these annual reports closely for the last several years¹. While we always take the PCAOB’s findings seriously, we also know that behind every statistic is a firm doing its best to navigate complex standards, resource constraints, and evolving expectations. That’s why Jackson Johnson, JGA President & Founding Shareholder, sat down with Tanieke Samuel, JGA Director, to unpack this year’s latest BD report - not just to highlight some noteworthy findings, but to translate them into practical guidance for firms working hard to get it right.
Revenue Testing: A Familiar Story with New Implications
Jackson Johnson (JJ) : The PCAOB flagged revenue testing as a recurring issue again this year - 48% of audits had deficiencies in this area. That’s consistent with 2023, but still a big jump from 34% in 2022. And the deficiencies weren’t limited to one revenue stream - they spanned commissions, advisory fees, 12b-1 fees, and more. Why do you think this continues to be such a challenge?
Tanieke Samuel (TS) : ASC 606 isn’t new. The PCAOB isn’t moving the goalposts. What we’re seeing is that firms are still struggling to test revenue accurately - across all sources. In many cases, they’re not getting a solid understanding of how revenue is generated, and that’s where the breakdown starts. Whether it’s commissions, trailing fees, or advisory income, you have to understand the components and tailor your testing accordingly. And don’t overlook presentation and disclosure - if you’re lumping everything under ‘commissions’ without disaggregating or explaining the sources, that’s a red flag.
Audit Committee Communications: A Missed Opportunity
JJ : One of the more surprising findings this year was the uptick in deficiencies related to audit committee communications. The PCAOB cited failures to communicate the overall audit strategy, use of specialists, significant risks like related parties, and even uncorrected misstatements. These seem like foundational elements. What’s going wrong?
TS : These aren’t gray areas. The standards are clear. But I think some firms are treating these communications as a formality - just rolling forward last year’s template. That’s risky. Audit committee communications should be a strategic touchpoint. You need to clearly explain your audit strategy, surface the right risks, and give the committee what they need to fulfill their oversight role. If you’re using specialists or identifying related party risks, those need to be part of the conversation - not an afterthought.
JJ : This reminds me of recent Actionable Insights we issued earlier this year , where we encouraged firms to move beyond the standard AS 1301 checklist and use the PCAOB’s Spotlight as a conversation starter. Audit committees want more than compliance - they want clarity, prioritization, and meaningful dialogue. When firms treat these communications as a strategic opportunity, they not only meet the standard - they build trust and demonstrate value. Agree?
TS : Absolutely. I’ve seen audit committees respond really well when firms take the time to prepare thoughtfully - bringing key issues to the forefront, previewing the discussion in advance, and even holding deep dives on emerging topics. It’s not just about what you say - it’s about how you engage. That’s what makes the difference.
Journal Entry Testing: Still a Blind Spot
JJ : Journal entry testing continues to be a pain point. The PCAOB noted that firms often fail to test the completeness of the population or apply meaningful fraud risk criteria. In some cases, teams just scan the listing and move on. Why is this still happening?
TS : Some firms think that because they’ve tested certain entries substantively elsewhere, they don’t need to do more. But that misses the point of journal entry testing as a fraud detection tool. You have to start by asking: What fraud risks are relevant to this client? Then design your testing around those risks. Don’t just look for a keyword - think about what would actually raise a red flag in this environment. And document your rationale. That’s what separates a thoughtful procedure from a perfunctory one.
JJ : Are you seeing this as a broker-dealer-specific issue, or is it just as prevalent in issuer audits?
TS : It’s definitely broader.
JJ : Across issuers and BD inspections, we’ve seen comment forms where teams selected journal entries based on high-dollar thresholds or year-end timing but didn’t tie those selections back to the fraud risk discussion. In one case, the team documented their criteria but didn’t evaluate whether the entries actually addressed the override risk they had identified. In another, the team selected entries from a non-representative population and didn’t test completeness. What specifically in BD-only firms are you seeing?
TS : In BD-only firms, especially smaller ones, the journal entry population might be smaller, which can give a false sense of simplicity. That can lead to shortcuts - like scanning instead of testing. In issuer audits, the volume and complexity might be higher, but the same root issue shows up: teams not linking their procedures back to the fraud risk assessment. Whether it’s a BD or an issuer, the key is to critically evaluate your criteria and make sure your testing is responsive to the risks you’ve identified.
QC 1000: Turning Insight Into Action
JJ : With QC 1000 going into effect at the end of the year, firms have a real opportunity to use the PCAOB’s findings as a risk assessment tool. But it’s not just about checking a compliance box - it’s about using these findings to inform a more thoughtful, iterative approach to quality. For example, we’ve emphasized the importance of root cause analysis (RCA) as a foundation for risk assessment.
TS : Exactly. I emphasize to clients that RCA helps firms move beyond surface-level fixes and identify systemic issues that may be contributing to recurring deficiencies. When firms use PCAOB findings as inputs into their RCA process, they’re not just reacting - they’re proactively identifying where their system might be vulnerable. RCA helps connect the dots between what went wrong and why it happened, which is essential for designing controls that actually work. It’s not just about fixing the symptom - it’s about addressing the underlying condition.
JJ : As firms read this report and try to make sense of how to incorporate it into their QC 1000 implementation, how should they approach this?
TS : I would say incorporating the observations from this report and reflecting the applicability to your own practice is the concept of continuous improvement. This is a foundational concept of QC 1000. Implementation is about more than policies - it’s about culture . It’s about how you learn from what’s happening in the field and apply it to how you manage risk across the firm. When risk assessment becomes a living process - not a one-time exercise - firms are better positioned to adapt, improve, and ultimately deliver higher-quality audits. That’s the mindset shift we’re encouraging.
¹See our Actionable Insights on the PCAOB’s annual broker-dealer inspection reports from each year by entering “broker-dealer” on the search bar of the JGA Advisor page on our website.
At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.
For more information, reach out to your JGA audit quality expert .
In a previous article, Back to Basics: Audit Documentation Failures Have Become Dangerous Low Hanging Fruit , we highlighted how audit documentation had quietly re-emerged as a source of regulatory risk after years of relative deprioritization. While PCAOB Auditing Standard 1215, Audit Documentation (AS 1215), has historically been cited less frequently than other standards, our direct experience from recent inspection activity, enforcement actions, and internal inspection results, demonstrate that documentation failures are increasingly treated as indicators of deeper execution, supervision, and quality management breakdowns. In today’s environment, audit documentation is no longer merely a record of work performed. It is the primary evidence inspectors rely on to evaluate whether an engagement was properly planned, executed, and supported at the time the auditor’s report was issued. What has been low-hanging fruit now requires firms to close these gaps and transform them into a load-bearing foundation for audit quality. From Rare Enforcement to Systemic Inspection Risk AS 1215 establishes clear requirements regarding what must be documented, when documentation must be completed, and how engagement files must be assembled and retained. As discussed in our prior article, failures to comply with these requirements were historically viewed as technical or secondary issues, often resulting in inspection comments rather than enforcement action. That distinction is no longer meaningful. Recent enforcement actions involving backdating, improper (both intentionally, and inadvertent) modification of workpapers, and failure to timely assemble a complete audit file reflect an evolving regulatory view. Documentation failures do not simply violate procedural requirements; they call into question the credibility of the audit opinion itself. More importantly, beyond enforcement, documentation deficiencies are increasingly cited as core inspection findings. Inspectors are challenging situations where engagement teams assert that work was performed but cannot demonstrate that work within the archived file. In these cases, the absence of timely, complete, and clear documentation is no longer treated as a formality. It is treated as evidence that the engagement may not have been properly executed, supervised, or supported in accordance with PCAOB standards. This represents a fundamental shirt. Documentation is no longer “low-hanging fruit.” It is a systemic inspection risk that cuts across execution, supervision, and firm-level quality management. From Misconduct to Execution Failures Pervasive documentation failures that do not involve intentional misconduct but still result in non-compliance are increasingly observed. For example, reviewer signoffs occurring near the documentation completion date, rather than contemporaneously with the performance of audit procedures, raise questions about whether effective supervision occurred during the audit or was deferred to meeting archiving deadlines. Similarly, engagement teams may assert that key judgments can be explained verbally, even when those judgments are not clearly documented in the audit file. In today’s environment, the distinction between “we can explain it” and “it is clearly documented” is critical. If procedures, judgments, and conclusions are not evident in the documentation itself, inspectors increasingly conclude that the work was not performed in accordance with PCAOB standards. The issue is not whether the engagement team can explain what they did after the fact. The issue is whether the archived documentation allows an experienced auditor, with no prior connection to the engagement, to understand the procedures performed, evidence obtained, and conclusions reached at the time of the auditor’s report. When documentation fails to reach that standard, inspectors are increasingly concluding that the audit itself was not properly executed, regardless of intent. This reflects an important shift. Documentation failures are no longer viewed primarily as misconduct. They are viewed as symptoms of execution breakdowns, including delayed supervision, compressed review cycles, and audit workflows that defer documentation until the end of the engagement. As a result, AS 1215 has become a direct proxy for how audits are actually performed in practice. How the 14-Day Documentation Completion Requirement Changes the Risk Profile The execution risks are further amplified by the PCAOB’s shortened documentation completion timeline. Recent amendments to AS 1215 reduce the timeframe to assemble a complete and final audit file from 45 days to 14 days after the report release date. While this change may appear procedural, its implications are operational. Under this accelerated timeline, engagement teams no longer have a meaningful post-issuance window to resolve review notes, complete documentation, or finalize supervisory evidence. What were once viewed as “clean-up” activities are now more likely to result in timing violations and non-compliance. This shift places increased emphasis on: Contemporaneous documentation Real-time supervision Realistic workload and staffing models Audit Documentation as a Cornerstone of Audit Quality Audit documentation has long been described as low-hanging fruit in the inspection process. That characterization no longer reflects its role in today’s regulatory environment. Documentation now serves as the primary lens through which regulators assess whether an engagement was properly executed, supervised, and supported. With shortened timelines, expanded quality management expectations, and increased regulatory scrutiny, firms can no longer treat documentation as a downstream activity. It must be embedded into how engagements are planned, staffed, reviewed, and completed. In an environment where inspection conclusions are driven by what is, and what is not, in the audit file, strong documentation is not merely defensive. It is foundational to audit quality. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, please contact your JGA audit quality expert .
Mergers and acquisitions within the accounting firm industry continue to accelerate, driven by succession planning needs, technology investment, talent constraints, geographic expansion, and the pursuit of new service lines. The pace and volume of transactions is being fueled, in large part, by private equity investment in the accounting firm space. Yet as deal activity accelerates, so does a critical reality: the long term success of an acquisition is determined well before the transaction closes—and long after the announcement is made. Experience across the profession shows that insufficient due diligence and poorly executed post acquisition integration are the most common sources of value erosion in accounting firm transactions. What the Regulator is saying and How JGA sees it At the AICPA December 2025 conference on Current SEC and PCAOB Developments, common topics were the presence of private equity in the accounting firm space and the opportunities and challenges that come with this investment. As it relates to private equity, then-acting PCAOB Chair George Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.” At JGA, we expect the PCAOB to increase its inspection focus on a firm’s system of quality management. To the extent that acquisitions present quality risks to a firm, we expect increased attention from the PCAOB in terms of how firms are managing these risks. Due Diligence: Looking Beyond the Numbers Financial performance, partner buy ins, and deal structure naturally receive significant attention during an acquisition. However, professional services firms—particularly those providing audit and assurance services—certain of the greatest risks often reside outside the financial statements. Effective accounting firm due diligence must assess not only what the target firm has earned, but how it has earned it—and whether that performance is sustainable. This includes gaining a deep understanding of: Audit quality history, including inspection and peer review results, Independence, ethics, and regulatory compliance practices, Industries served, industry concentration and related expertise, Client concentration, retention trends, and engagement risk profiles, Partner governance, compensation alignment, and succession readiness, Technology platforms, data security, and scalability, and Firm culture, leadership dynamics, and decision making processes. When these areas are not rigorously evaluated, issues frequently surface after the transaction closing—when remediation is more disruptive, more expensive, and far more visible to regulators, clients, and staff. The Risks of Inadequate Due Diligence Inadequate diligence often leads to unanticipated post transaction challenges, including: Regulatory findings related to legacy engagements, Independence violations requiring retroactive remediation, Client attrition driven by service disruption or cultural misalignment, Talent loss stemming from unclear expectations or compensation inequities, and Technology incompatibilities that impair efficiency and data integrity. Deficiencies inherited through acquisition can affect inspection outcomes, firm reputation, and overall audit quality long after the transaction closes. Integration: Where Value Is Created—or Lost Even when due diligence is performed thoughtfully, post acquisition integration remains the most common point of failure. Integration is often underestimated, treated as an operational exercise rather than a strategic initiative requiring sustained leadership attention. Successful integration goes far beyond combining systems or standardizing branding. It requires deliberate alignment across how the firm operates, governs itself, and delivers quality—particularly in areas such as: Audit methodology and documentation standards Quality management systems and monitoring processes Partner roles, authority, and accountability Talent development, evaluation, and retention Communication with clients, regulators, and staff Absent a structured integration plan, firms risk operating as a collection of semi independent practices rather than a cohesive organization. This fragmentation can undermine consistency, weaken accountability, and complicate regulatory compliance. A Strategic Imperative in a Changing Profession As consolidation continues and regulatory scrutiny intensifies, rigorous due diligence and disciplined integration are no longer optional. They are essential to managing risk, sustaining quality, and realizing the full value of a transaction. For accounting firm leaders, the message is clear: growth through acquisition can be a powerful strategy—but only when supported by a comprehensive understanding of what is being acquired and a deliberate plan for how the combined firm will operate as one. Firms that treat diligence and integration as leadership imperatives—rather than transactional steps—are better positioned to protect audit quality, retain talent, and preserve client trust while achieving growth objectives. JGA’s Role Guiding Firms through these Opportunities For firms seeking to grow through acquisition without sacrificing quality, control, or visibility, JGA is a solution. JGA is uniquely qualified with deep experience working with accounting firms on quality management, governance, and operational transformation. We have proven due-diligence tools built that are designed to be practical, adaptable, and immediately usable—while also supporting long term consistency as firms pursue multiple acquisitions over time. Ready to get started or need help refining your acquisition activities? Contact your JGA audit quality expert today to schedule a consultation and ensure acquisition activities are tailored to your firm’s needs.
WASHINGTON, D.C.: — Johnson Global Advisory (JGA) is proud to sponsor the ALI’s Accountants’ Liability 2026 conference hosted by the American Law Institute (ALI). The two‑day program will take place May 14–15, 2026, in Washington, D.C., with a live webcast option available for remote attendees. This annual conference is a premier forum for accounting firm leaders, in‑house counsel, litigators, and regulators to examine the evolving landscape of accountants’ liability, enforcement priorities, and risk management. The 2026 program will explore how recent regulatory, litigation, and technological developments are reshaping the profession and what firms can do to proactively respond. “We are pleased to once again sponsor the ALI Accountants’ Liability Conference,” said Jackson Johnson, President of Johnson Global Advisory. “This event consistently brings together leading regulators, practitioners, and risk professionals to discuss the most pressing liability and oversight issues facing accounting firms today. We value the opportunity to engage with participants and contribute to these important conversations.” The program will feature nationally recognized panels of practitioners, general counsel, industry professionals, and government officials. Planned discussions will address current and emerging challenges facing accounting firms, including: Regulatory and enforcement priorities impacting the accounting profession Recent trends in accounting‑related litigation PCAOB and SEC perspectives on audits, inspections, and gatekeeper liability The impact of AI, cryptocurrency, and emerging technologies on audit quality and firm risk Best practices for navigating an evolving and uncertain regulatory environment Register by April 13, 2026, to attend in-person and use the code “ JGA2026 ” to save $250 off . OR, for webcast attendance, use the code " JOHNSON " to save $125 off the tuition. Click here to register. To learn more about how Johnson Global partners with in-house and outside counsel to support public accounting firms, we invite you to explore our latest brochure. This resource outlines our approach to independent monitoring and consulting, including how we assist firms in navigating PCAOB and SEC investigations, implementing quality control improvements, and responding to regulatory findings. Download the brochure below to see how our experienced team can help your firm meet today’s compliance challenges and build a stronger foundation for the future. Get a copy of our brochure here . About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.
We’re pleased to share that Joe Lynch , JGA Shareholder, will be presenting in a series of AICPA & CIMA webcasts focused on practical considerations for Quality Management. These sessions are designed to provide guidance in your QM journey. They support key elements such as engagement quality reviews, root cause analysis, and ongoing monitoring and remediation. Register for Upcoming Sessions Session 1 — Quality Management: Engagement Quality Reviews What you’ll learn: Practical considerations for your firm's responsibilities for engagement quality reviews and the reviewers requirements when executing engagement quality reviews under the updated quality management standards, including how to make EQRs scalable and effective. Register for this session here . Session 2 — Quality Management: Performing a Root Cause Analysis What you’ll learn: How root cause analysis supports remediation by identifying underlying drivers of the findings and deficiencies; supporting the design of corrective actions that prevent recurrence. Register for this session here . Session 3 — Quality Management: My System is Set Up — Now What? What you’ll learn: Post-implementation requirements of SQMS No. 1, which include monitoring activities, evaluating findings and deficiencies, remediation, and the annual evaluation process—so your system stays responsive and effective. Register for this session here . These sessions are included with a current Webcast Pass. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.
Joe Lynch, JGA Shareholder, to Provide Insights on Changes to Engagement Quality Review Requirements
JGA is pleased to announce that Joe Lynch , JGA Shareholder, will be a featured guest on the upcoming AICPA & CIMA A&A Focus live webcast on February 4, 2026. Joe has been invited to join the program to provide insights on changes to engagement quality review requirements. This appearance offers a valuable opportunity for viewers to gain practical, real-time guidance on effective EQR practices—an increasingly critical component of audit quality and compliance under the evolving professional standards landscape. Click here for m ore information about the program and registration details. At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, please contact your JGA audit quality expert .
Introduction The accounting firm industry experienced a ground-breaking transaction in August of 2021 when TowerBrook acquired EisnerAmper, which marked the first private equity (“PE”) transaction of a large-scale accounting firm. This transaction was structured using an alternative practice structure (“APS”). Historically, licensing and independence rules have barred non-CPAs from owning accounting firms. Through an APS, a PE firm may invest in the non-attest entity with service lines such as tax advisory and consulting. The CPA partners retain control over the attest functions, which preserves regulatory compliance. While the APS model has been in existence since the 1990s, this August 2021 transaction brought new attention to this structure. What has followed is an extraordinary volume of deal activity. Per the CPA Trendlines (“CPAT”) Cornerstone report posted on November 18, 2025, CPAT has tracked over 115 PE-related transactions from 2020 to 2025, with over 80 transactions in 2025. While PE in the accounting firm space is no longer news, the pace and volume of transactions is certainly news-worthy. Impact of PE Investment The impact of PE investment on the accounting firm space is unprecedented. The APS has enabled PE to fuel billions of capital investment. PE-backed firms provide immediate payouts to partners at appealing valuations while providing access to capital to these firms for merger and acquisition growth, technology investments, and other priorities. Well-capitalized firms now have an improved ability to invest in technological capabilities, attract experienced talent to be more competitive for college graduates, and improve their market position. With new technologies, routine tasks are being automated such as data entry, tie-outs and controls testing, resulting in less time needed to perform certain audit procedures. What the regulators are saying At the AICPA December 2025 conference on Current SEC and PCAOB Developments, common topics were the presence of private equity in the accounting firm space and the opportunities and challenges that come with this investment. PCAOB Acting PCAOB Chair George Botic described that both transformative technologies (e.g., artificial intelligence or “AI”) and the continuing expansion of private equity investments in accounting firms are two developments that bring opportunities and challenges. Mr. Botic noted that while AI has enhanced risk assessment, reduced manual processes and made it possible to efficiently analyze entire populations of data (which can reduce the risk of missing irregularities or unusual patterns), that overreliance on AI may ultimately threaten auditors’ exercise of professional skepticism and judgment. As it relates to private equity, Mr. Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.” SEC SEC Chair Atkins discussed in his remarks that he would like the PCAOB to modify its inspections process to place more reliance on the system of quality management and that inspection of certain engagements would inform the PCAOB if the firm’s system of quality management is effective. He also expressed a view that accountability for audit quality should move upward to firm leadership. How is a firm’s system of quality management (“SQM”) impacted? Today’s transforming environment has far-reaching impacts on a firm’s SQM. This publication will focus on risk assessment, governance and leadership, ethics and independence, resources, engagement performance, and monitoring and remediation.
As we wrap up an incredible year, we’re showcasing the insights that sparked the most conversations and drove the most impact. Here are the Top 10 Actionable Insights from 2025: Use of Other Auditors: Managing Risk and the New PCAOB Standard ISQM 1, SQMS 1: Influencing the Firm on the Benefits Beyond Compliance (Part II) Case Study – Example Successor Auditor Considerations QC 1000 Implementation: Key Themes and Guidance from the PCAOB Workshop Clearing the Roadblocks: Auditing Estimates with Confidence in Small Firms Enhancing Auditor Independence: Key Themes from PCAOB Recent Spotlight The Never-Ending Story: How to Remediate Recurring EQR Findings – Part Deux Cryptic Audits of Crypto Assets: Auditing Digital Assets Innovative Solutions for QC 1000, SQMS 1, & ISQM 1: Quality Management tools in the Marketplace Enhancing Audit Evidence: PCAOB Expectations and What We Are Seeing in Practice
As companies increasingly rely on cloud platforms, external data providers, and integrated third-party systems, the boundary between “internal” and “external” information has blurred. Audit evidence today may originate outside the company, but often arrives through the company, transformed, mapped, merged, or embedded within systems before it reaches the auditor. In response to this evolving landscape, the PCAOB amended AS 1105, Audit Evidence, effective for audits of fiscal years beginning on or after December 15, 2025. Central to these amendments is AS 1105.10A, which introduces a principle-based, risk-scalable framework for evaluating the reliability of electronic information provided by the company. At JGA, we view this development as a natural response to the data ecosystems shaping today’s financial reporting. We also see it rapidly becoming a recurring area of focus by global audit regulators, particularly when the information supports significant risks, revenue, fraud procedures, or management estimates. This article summarizes key themes from the PCAOB’s Board Policy Statement on Evaluating External Electronic Information (issued September 2025) paired with practical observations from JGA’s inspection support and methodology enhancement work with firms across the profession. Why External Electronic Information is a Growing Focus Area Across industries, external platforms now drive core financial and operational processes: payment processors, logistics platforms, third-party fulfillment solutions, subscription systems, industry data services, and more. Although such information originates from outside the company, it is often: Received, stored, or routed through company systems Transformed within spreadsheets or EUCs Merged with internally generated data Exported in formats that allow modification Provided to auditors without a traceable chain to the original source. Our direct experience working with our clients shows that PCAOB inspection teams consistently emphasize that external does not inherently mean reliable. The auditor must understand how the information was obtained, how it was handled, and whether there was a reasonable possibility that it could have been modified before reaching the auditor. Understanding AS 1105.10A The Board Policy Statement highlights two foundational expectations: 1. Auditors should understand the source and flow of the information. Inspection teams frequently question whether the engagement team understood: The true originating source of the data How the company received it (e.g., automated feed vs. manual upload) Whether the information is editable or configurable Whether it passed through multiple systems or spreadsheets How it is used in controls, substantive testing, or significant estimates In JGA’s experience, inspection findings often arise from situations where teams relied on a “system-generated” or “externally sourced” report without fully understanding where it came from or whether it could have been changed. 2. Auditors should address the risk of modification. The standard allows for two broad approaches, testing the information itself or relying on controls, depending on the assessed risk. The standard is intentionally flexible, but this flexibility requires well-supported judgments, especially for information affecting significant accounts or fraud risks. The PCAOB also acknowledged scenarios where separate testing may not be required (e.g., direct-to-auditor feeds or read-only API transfers) but emphasized that this exception applies only when the risk of modification is no more than remote. What We Observe in PCAOB Inspections Through JGA’s transformation activities with firms, we continue to see consistent challenges in the following areas: Reliance on information provided by the company without evaluating whether transformed, filtered, or merged with other data sets. Use of external or industry data in analytics without understanding the methods, assumptions, or relevance to the issuer. External information embedded in significant estimates or complex models without evaluating management’s process for compiling that information. System-generated or external journal entry listings used in fraud procedures without establishing completeness and reliability. In each of these situations, inspection teams focus on whether engagement teams understood how the information was obtained, how it was processed, and whether there was a reasonable possibility of modification before it reached the auditor. Emerging PCAOB Expectations Although the standard is principles-based, several expectations are now appearing consistently in inspections: Reliability cannot be presumed, external information must be evaluated just like any other audit evidence. Understanding the company’s process for receiving and handling external information is foundational. Judgments about whether separate testing is required must be risk-responsive and well-supported. Documentation should clearly articulate the source of the information, the company’s process, and the basis for concluding the information was reliable. These expectations are shaping how firms need to think about IPE testing, data flows, and the role of technology within the audit. Areas Where Firms Often Seek Assistance Across our methodology enhancement and inspection support work, firms consistently ask for help in: Identifying when information is “external electronic information provided by the company”. Determining whether reliance on management’s process is appropriate. Navigating situations where data passes through multiple systems or spreadsheets. Evaluating third-party or industry data used in analytics. Assessing effects on significant risks, especially revenue and fraud. Aligning documentation practices with PCAOB expectations. Many firms have strong processes for testing IPE, but other nuances of the standards require an additional layer of consideration that is still evolving in practice. Looking Ahead As companies build increasingly automated and interconnected systems, auditors must deepen their understanding of those environments to obtain sufficient appropriate evidence. Firms that proactively adapt their methodologies and train engagement teams will be better positioned for both compliance and audit quality. At JGA , we help firms interpret emerging regulatory requirements, strengthen methodologies, and enhance the use of technology and data in the audit. Ultimately, ensure compliance and consistency get to our ultimate goal of helping firms grow and scale responsibly. To learn how we can help your firm navigate these expectations and #AmplifyQuality, visit www.johnson-global.com, or contact a member of your JGA client service team.
WASHINGTON, D.C. Johnson Global Advisory (JGA) is pleased to announce Boyd O’Rourke as a Managing Director, focused on helping audit firms meet their strategic objectives with audit quality in mind. With 30 years of experience in public accounting, Boyd has deep experience in firm management, strategy, risk management, and quality control. Boyd’s skillset complements JGA’s core services by adding new firm strategy and risk management service offerings. “ I have a passion for building high-functioning groups inside accounting firms,” said Boyd. “With private equity firmly in the accounting firm space, service line growth, acquisitions, and consolidation are happening at record speed. JGA’s goal is to help firms manage this growth while limiting exposure to regulatory and business risks. I am excited to advise firms navigating this most-critical period of their journey. ” Most recently, Boyd held multiple senior roles at CBIZ CPAs (formerly Mayer Hoffman McCann P.C.), including Executive Committee Member, National Practice Leader, Chief Risk and Quality Officer, National Director of Quality Control, Mid-west Regional Attest Practice Leader, and National Training Director. “ By most measures, Johnson Global Advisory is a small consulting firm—but over the past eight years, our impact on individual firms and the global profession as a whole has been vastly disproportionate to our size,” said Jackson Johnson, President and Founding Shareholder, JGA. “That is only possible because every professional that joins the JGA team brings deep senior-level experience, technical expertise, and a genuine ability to connect with our clients around the world. I am especially grateful that Boyd O’Rourke has chosen JGA as the platform to share his leadership and expertise to help firms grow and scale. Having known Boyd for several years, I’ve seen firsthand his commitment and executive approach to solving complex problems affecting public accounting firms. His decision to join us is a testament to the unique opportunities JGA offers—and to our shared mission of making a meaningful difference for our clients and the industry .” Boyd is based in the Kansas City area and received his Bachelor of Business Administration in Accounting from the University of Iowa. To learn more about Boyd and the full JGA team, read here . At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing solutions and tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.
In September 2022, we wrote an article discussing the struggle that firms were experiencing at that time in remediating Quality Control (QC) criticisms as it relates to their Engagement Quality Review (EQR) process. This struggle seemingly continues today, as, so far in 2025, the PCAOB has publicly re-released previously issued inspection reports for 32 registered firms, and in 19 of those reports, EQR was a QC criticism that was released to the public as these firms had failed to satisfactorily remediate their EQR QC criticism¹. This means that firms continue to struggle to identify and effectively implement remedial actions to the satisfaction of the PCAOB that demonstrate that they have successfully remediated their non-compliance with AS 1220, Engagement Quality Review . So why are firms still failing to remediate this QC criticism? As we stated previously, having worked with engagement teams and looking at the nuanced and sometimes detailed nature of some of the PCAOB Part I findings, attributing the audit issue to a deficient EQR review can sometimes feel like the regulator is being overly exigent. In fact, in its adopting release to the EQR standard , the Board stated that it “…has been sensitive to commenters' concerns and agrees that the EQR should not become, in effect, a second audit.” This is a difficult concept for EQRs to balance though, as engagement teams often ask us, “As EQR am I required to review every test of design and operating effectiveness for internal controls related to every significant risk? Which substantive workpapers in significant risk audit areas should I review and to what level of detail?” Though not explicitly required in AS 1220, implicitly by the very nature of the EQR attribution, the PCAOB is inherently creating an expectation of a detailed EQR review. After all, AS 1220.09 does require the EQR to “review documentation.” When the PCAOB evaluates a firm’s Rule 4009 remediation response, they pay particular attention to recurring deficiencies. If the same deficiency is long-standing or occurs in subsequent reports, remediation efforts undertaken must be incremental in each remediation submission so as to address the recurring deficiency. Said otherwise, a firm cannot deliver the same training year after year and expect it to drive change; it must change its approach to remediate the recurring deficiencies. We have numerous clients telling us that this is the second or third inspection report that includes an EQR QC criticism. They often ask us, “This time, what can we do that is incremental that we haven’t already done?” Remediation Considerations The new quality control standards (QC 1000, ISQM 1 and SQMS1) require firms to perform root cause analyses for audit deficiencies. In doing so, firms should identify the real root cause behind why EQRs are failing to identify audit deficiencies and then design specific remedial actions to address these root causes. So, remedial action should be in response to the actual root cause of the EQR deficiency – i.e., what is the ultimate root cause of EQR’s not identifying the Part I deficiencies at the time of their review? The following are typical actions that we see firms undertake: a. Training as an Action For many firms, they start out the remedial process by providing training to audit professionals that specifically address the requirements of AS 1220. Some firms attempt this by sourcing online training from the marketplace. If this is the first time your firm has received a Part II EQR criticism, then this action might be effective. However, training designed to remediate quality control deficiencies must be specific to the facts and circumstances of your issue(s). Oftentimes though, when the EQR criticism is long-standing or repetitive, training alone is not sufficient. Key takeaway : Consider developing more robust training that specifically addresses nuances of firm findings and walk through examples of EQR reviews. b. EQR Sign-off Checklist as an Action Another common remedial action is for firms to make enhancements to their methodology, including their EQR sign-off checklist . Most firms subscribe to audit software programs already which have a basic EQR checklist that calls out the requirements under AS 1220. Modification to the EQR checklist and/or creation of addendums that specifically focus on the issues or concerns can be a meaningful improvement and can add rigor to the review process. Key takeaway : Firms should determine whether they need to modify their EQR sign-off checklist and/or create addendums to include specific bullets and questions addressing firm audit deficiencies, specifically calling it out to the EQR’s attention. c. EQR mentoring/coaching program as an Action Many firms have already implemented the previous two actions, and they may continue to see deficiencies in the QC criticism. The PCAOB is expecting firms to do more to ensure quality audits. As we have worked with firms on remediation, we recommend firms consider an EQR mentoring/coaching program . When designed and implemented properly – and timely – we believe this action to be important to a successful remediation of QC deficiencies around the EQR function. Key takeaway : Consider designing and implementing an EQR coaching or mentoring program, paying close attention to key elements important for effective remediation criteria. Other Considerations Given that global audit regulators have raised the bar in expectations on recurring findings – specifically on the EQR process – we cannot stress enough the importance of beginning the remediation process early . Engage the PCAOB in a dialogue immediately once your 12-month remediation period begins, to discuss the planned remedial actions and get feedback on the sufficiency of those actions. Pay particular attention to understanding what is considered timely implementation. Do not underestimate the amount of time it will take to fully implement remedial actions. Key takeaway : Engage the PCAOB early in the remediation process to seek feedback on the sufficiency of the remedial actions (perhaps even before the final report has been issued). EQR as last line of defense Another important point is that EQRs are essentially the last line of defense with regard to audit quality. Said differently, audit quality starts with the audit engagement team and the firm’s entire QC system (training, methodology, tools, etc.) that enables and supports audit engagement teams to perform quality audits. Firms must also consider the remedial actions that also address the PCAOB’s Part I audit deficiency(ies). The EQR QC criticism, while linked to its own standard, is really just the review of the audit work performed under all the other audit standards (e.g., AS 2501, AS 1301, etc.). It is a collective effort, and the EQR as well as the entire engagement team should be considered when remediating all QC criticisms identified in firm inspection reports. It may feel like a never-ending story and perhaps regulators are being overly rigorous, but the reality is this issue is not going away, so firms need to consider what incremental actions they can take to truly ensure EQRs perform quality reviews. At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. ¹ Part I of a PCAOB inspection report contains audit deficiencies; this part is made public when the report is initially published. Part II contains the firm’s QC criticism(s); and this part is not initially released to the public. The firm has one year from the date the report is published to remediate the QC criticism(s). If the remediation is satisfactory to the Board, then Part II is kept private. However, if the firm fails to satisfactorily remediate the QC criticism, the QC criticism in Part II is then released to the public.
